syzbot


KASAN: slab-out-of-bounds Write in tcp_v6_syn_recv_sock (2)

Status: closed as invalid on 2018/08/24 21:39
Subsystems: net
First crash: 2133d, last: 2133d
Similar bugs (1):
  Kernel:      upstream
  Title:       KASAN: slab-out-of-bounds Write in tcp_v6_syn_recv_sock
  Subsystems:  net
  Repro:       C
  Count:       1063
  Last:        2287d
  Reported:    2305d
  Patched:     5/26
  Status:      fixed on 2018/04/24 21:47

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies.  Check SNMP counters.
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_v6_syn_recv_sock+0x700/0x26b0 net/ipv6/tcp_ipv6.c:1163
Write of size 160 at addr ffff8801b631b5d0 by task syz-executor318/4553

CPU: 0 PID: 4553 Comm: syz-executor318 Not tainted 4.18.0-rc1+ #114
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 memcpy include/linux/string.h:345 [inline]
 tcp_v6_syn_recv_sock+0x700/0x26b0 net/ipv6/tcp_ipv6.c:1163
 tcp_get_cookie_sock+0x115/0x590 net/ipv4/syncookies.c:213
 cookie_v6_check+0x1829/0x26a0 net/ipv6/syncookies.c:257
 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1027 [inline]
 tcp_v6_do_rcv+0x1087/0x13a0 net/ipv6/tcp_ipv6.c:1335
 tcp_v6_rcv+0x35bb/0x3a70 net/ipv6/tcp_ipv6.c:1544
 ip6_input_finish+0x407/0x1a40 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x2ab/0xa30 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ipv6_rcv+0xec0/0x2060 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x2488/0x3680 net/core/dev.c:4628
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
 process_backlog+0x219/0x760 net/core/dev.c:5373
 napi_poll net/core/dev.c:5771 [inline]
 net_rx_action+0x7da/0x1980 net/core/dev.c:5837
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:284
 do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
 </IRQ>
 do_softirq.part.17+0x14d/0x190 kernel/softirq.c:328
 do_softirq arch/x86/include/asm/preempt.h:23 [inline]
 __local_bh_enable_ip+0x1ec/0x230 kernel/softirq.c:181
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:725 [inline]
 ip6_finish_output2+0xce8/0x2820 net/ipv6/ip6_output.c:121
 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154
 NF_HOOK_COND include/linux/netfilter.h:276 [inline]
 ip6_output+0x234/0x9d0 net/ipv6/ip6_output.c:171
 dst_output include/net/dst.h:444 [inline]
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip6_xmit+0xf51/0x23f0 net/ipv6/ip6_output.c:277
 inet6_csk_xmit+0x377/0x630 net/ipv6/inet6_connection_sock.c:139
 tcp_transmit_skb+0x1bf9/0x3f10 net/ipv4/tcp_output.c:1168
 tcp_write_xmit+0x1641/0x5c20 net/ipv4/tcp_output.c:2363
 __tcp_push_pending_frames+0xb2/0x290 net/ipv4/tcp_output.c:2536
 tcp_push+0x638/0x8c0 net/ipv4/tcp.c:724
 tcp_sendmsg_locked+0x188d/0x3f00 net/ipv4/tcp.c:1386
 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1436
 inet_sendmsg+0x1a1/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:645 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:655
 __sys_sendto+0x3d7/0x670 net/socket.c:1833
 __do_sys_sendto net/socket.c:1845 [inline]
 __se_sys_sendto net/socket.c:1841 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1841
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445c99
Code: e8 5c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db 51 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007feaf2650da8 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000006dac5c RCX: 0000000000445c99
RDX: 00000000fffffdf7 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 00000000006dac58 R08: 0000000020000000 R09: 000000000000001c
R10: 0000000020000003 R11: 0000000000000216 R12: 0000000000000000
R13: 00007ffe5aa0339f R14: 00007feaf26519c0 R15: 0000000000000001

Allocated by task 4553:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 sk_prot_alloc+0x69/0x2e0 net/core/sock.c:1475
 sk_clone_lock+0x15a/0x17d0 net/core/sock.c:1667
 inet_csk_clone_lock+0x99/0x510 net/ipv4/inet_connection_sock.c:775
 tcp_create_openreq_child+0x9c/0x2030 net/ipv4/tcp_minisocks.c:451
 tcp_v6_syn_recv_sock+0x265/0x26b0 net/ipv6/tcp_ipv6.c:1142
 tcp_get_cookie_sock+0x115/0x590 net/ipv4/syncookies.c:213
 cookie_v6_check+0x1829/0x26a0 net/ipv6/syncookies.c:257
 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1027 [inline]
 tcp_v6_do_rcv+0x1087/0x13a0 net/ipv6/tcp_ipv6.c:1335
 tcp_v6_rcv+0x35bb/0x3a70 net/ipv6/tcp_ipv6.c:1544
 ip6_input_finish+0x407/0x1a40 net/ipv6/ip6_input.c:284
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:327
 dst_input include/net/dst.h:450 [inline]
 ip6_rcv_finish+0x2ab/0xa30 net/ipv6/ip6_input.c:71
 NF_HOOK include/linux/netfilter.h:287 [inline]
 ipv6_rcv+0xec0/0x2060 net/ipv6/ip6_input.c:208
 __netif_receive_skb_core+0x2488/0x3680 net/core/dev.c:4628
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693
 process_backlog+0x219/0x760 net/core/dev.c:5373
 napi_poll net/core/dev.c:5771 [inline]
 net_rx_action+0x7da/0x1980 net/core/dev.c:5837
 __do_softirq+0x2e8/0xb17 kernel/softirq.c:284

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801b631ab80
 which belongs to the cache TCP of size 2640
The buggy address is located 0 bytes to the right of
 2640-byte region [ffff8801b631ab80, ffff8801b631b5d0)
The buggy address belongs to the page:
page:ffffea0006d8c680 count:1 mapcount:0 mapping:ffff8801d4480e00 index:0xffff8801b631bffe compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffffea0007338888 ffffea0006b8b088 ffff8801d4480e00
raw: ffff8801b631bffe ffff8801b631a080 0000000100000002 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b631b480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b631b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b631b580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff8801b631b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801b631b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
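Reading the report: the 160-byte write starts at ffff8801b631b5d0, which is exactly the end of the 2640-byte region [ffff8801b631ab80, ffff8801b631b5d0) the object occupies in the TCP cache (0 bytes to the right, as the report says), so every byte of the memcpy at net/ipv6/tcp_ipv6.c:1163 lands in slab redzone (the 0xfc shadow bytes under the caret). The cache named TCP is tcp_prot's slab, whose objects are sized for struct tcp_sock; the IPv6 code works on struct tcp6_sock, which carries the IPv6 socket state after the tcp_sock, and the object here was cloned from the listener by sk_clone_lock on the syncookie path (Allocated by task 4553). The script below is an added triage helper and is not part of syzbot, syzkaller or the kernel. It parses the fields every KASAN slab report carries (access kind, size and address; object base; cache name and size; the shadow dump), recomputes the offset the report states, and decodes the shadow byte of each 8-byte granule the access touches. SAMPLE_REPORT is a constructed excerpt of the slab-related lines above; the poison encodings are the 4.18-era values from mm/kasan/kasan.h.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

GRANULE = 8  # one KASAN shadow byte covers 8 bytes of kernel memory
# Poison values from mm/kasan/kasan.h (4.18 era); 00 = fully addressable,
# 01..07 = only that many leading bytes of the granule are addressable.
SHADOW_POISON = {0xfc: "kmalloc redzone", 0xfb: "freed kmalloc object",
                 0xfa: "global redzone", 0xfe: "page redzone", 0xff: "free page"}

# Constructed sample: the slab-related lines of the syzbot report above.
SAMPLE_REPORT = """\
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_v6_syn_recv_sock+0x700/0x26b0 net/ipv6/tcp_ipv6.c:1163
Write of size 160 at addr ffff8801b631b5d0 by task syz-executor318/4553
The buggy address belongs to the object at ffff8801b631ab80
 which belongs to the cache TCP of size 2640
Memory state around the buggy address:
 ffff8801b631b480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b631b500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b631b580: 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc
                                                 ^
 ffff8801b631b600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801b631b680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
"""

BUG_RE = re.compile(r"BUG: KASAN: (\S+) in (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (\S+)")
ACCESS_RE = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+)")
OBJ_RE = re.compile(r"belongs to the object at ([0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (\S+) of size (\d+)")
SHADOW_RE = re.compile(r"^>?\s*([0-9a-f]{16}): ((?:[0-9a-f]{2}\s*)+)$")


@dataclass
class SlabAccess:
    bug_type: str
    access: str        # "Read" or "Write"
    size: int
    addr: int
    culprit: str       # outermost frame named on the BUG: lines
    location: str      # file:line of that frame
    obj_base: int
    cache: str
    cache_size: int
    shadow: Dict[int, int] = field(default_factory=dict)  # granule base -> shadow byte

    @property
    def offset(self) -> int:
        """Offset of the first accessed byte from the start of the slab object."""
        return self.addr - self.obj_base

    @property
    def bytes_past_end(self) -> int:
        """How many accessed bytes lie beyond the object's last byte."""
        return max(0, self.offset + self.size - self.cache_size)

    def describe(self) -> str:
        if self.offset >= self.cache_size:
            where = f"{self.offset - self.cache_size} bytes to the right of"
        elif self.offset < 0:
            where = f"{-self.offset} bytes to the left of"
        else:
            where = f"{self.offset} bytes into"
        return (f"{self.access} of {self.size} bytes {where} a {self.cache_size}-byte "
                f"{self.cache} object in {self.culprit} ({self.location}); "
                f"{self.bytes_past_end} bytes land past the object end")

    def granule_states(self) -> List[str]:
        """Decode the shadow byte of every 8-byte granule the access touches."""
        out = []
        for g in range(self.addr & ~(GRANULE - 1), self.addr + self.size, GRANULE):
            v = self.shadow.get(g)
            if v is None:
                out.append("not in dump")
            elif v == 0:
                out.append("addressable")
            elif v < GRANULE:
                out.append(f"partial({v})")
            else:
                out.append(SHADOW_POISON.get(v, f"poison(0x{v:02x})"))
        return out


def parse_slab_report(text: str) -> SlabAccess:
    bug_lines = BUG_RE.findall(text)
    m_acc, m_obj, m_cache = (ACCESS_RE.search(text), OBJ_RE.search(text),
                             CACHE_RE.search(text))
    if not (bug_lines and m_acc and m_obj and m_cache):
        raise ValueError("not a complete KASAN slab report")
    bug_type, culprit, location = bug_lines[-1]  # last BUG: line = outermost frame
    shadow: Dict[int, int] = {}
    in_shadow = False
    for line in text.splitlines():
        if line.startswith("Memory state around"):
            in_shadow = True
        elif in_shadow:
            m = SHADOW_RE.match(line)
            if m:
                base = int(m.group(1), 16)
                for i, b in enumerate(m.group(2).split()):
                    shadow[base + i * GRANULE] = int(b, 16)
    return SlabAccess(bug_type, m_acc.group(1), int(m_acc.group(2)),
                      int(m_acc.group(3), 16), culprit, location,
                      int(m_obj.group(1), 16), m_cache.group(1),
                      int(m_cache.group(2)), shadow)


if __name__ == "__main__":
    rep = parse_slab_report(SAMPLE_REPORT)
    print(rep.describe())
    print("granules touched:", len(rep.granule_states()),
          "states:", sorted(set(rep.granule_states())))
```

Run on the excerpt, the helper reports the write as 0 bytes to the right of the 2640-byte TCP object with all 160 bytes past the object end, and all 20 granules under the write decode as kmalloc redzone. When triaging a batch of reports, compare the recomputed offset with the "located N bytes to the right of" sentence KASAN prints and check whether the touched granules are redzone, freed memory or partially addressable, since that distinguishes a pure overflow like this one from a use-after-free or an off-by-a-few access within the last granule.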

Crashes (1):
  Time:       2018/06/23 21:08
  Kernel:     upstream
  Commit:     5e2204832b20
  Syzkaller:  2064fc5c
  Artifacts:  .config, console log, report, syz repro, C repro (linked on the syzbot page)
  Manager:    ci-upstream-kasan-gce-root