syzbot


KASAN: null-ptr-deref Write in choke_reset

Status: fixed on 2020/06/13 11:02
Reported-by: syzbot+836fa5b250d3a82f2152@syzkaller.appspotmail.com
Fix commit: 1733fe42d94c USB: serial: garmin_gps: add sanity checking for data length
First crash: 797d, last: 773d

Fix bisection: fixed by:
commit 1733fe42d94c70d5626854cace6db23674f24ca1
Author: Oliver Neukum <oneukum@suse.com>
Date: Wed Apr 15 14:03:04 2020 +0000

  USB: serial: garmin_gps: add sanity checking for data length

Note that the bisected commit touches the garmin_gps USB serial driver, while the crash is in net/sched/sch_choke.c; nothing in a USB serial data-length check affects choke_reset(), so this fix-bisection result should be read as a bisection artifact (the crash stopped reproducing on the tested range), not as the change that corrects the NULL dereference.

similar bugs (2):
Kernel      Title                                       Repro  Cause/Fix bisect  Count  Last  Reported  Patched  Status
linux-4.14  KASAN: null-ptr-deref Write in choke_reset  C      done              283    767d  796d      1/1      fixed on 2020/06/19 13:29
upstream    KASAN: null-ptr-deref Write in choke_reset  C      done              1441   764d  797d      17/22    fixed on 2020/07/17 17:58

Sample crash report:
audit: type=1400 audit(1589137558.335:8): avc:  denied  { execmem } for  pid=6450 comm="syz-executor869" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1
==================================================================
BUG: KASAN: null-ptr-deref in memset include/linux/string.h:333 [inline]
BUG: KASAN: null-ptr-deref in choke_reset+0x208/0x340 net/sched/sch_choke.c:330
Write of size 8 at addr 0000000000000000 by task syz-executor869/6450

CPU: 0 PID: 6450 Comm: syz-executor869 Not tainted 4.19.122-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x194/0x2b9 mm/kasan/report.c:396
 memset+0x20/0x40 mm/kasan/kasan.c:285
 memset include/linux/string.h:333 [inline]
 choke_reset+0x208/0x340 net/sched/sch_choke.c:330
 qdisc_reset+0x6b/0x4c0 net/sched/sch_generic.c:933
 dev_deactivate_queue.constprop.0+0x138/0x220 net/sched/sch_generic.c:1132
 netdev_for_each_tx_queue include/linux/netdevice.h:2107 [inline]
 dev_deactivate_many+0xe2/0xb30 net/sched/sch_generic.c:1189
 dev_deactivate+0xfe/0x1d0 net/sched/sch_generic.c:1222
 qdisc_graft+0xbf3/0xf90 net/sched/sch_api.c:961
 tc_modify_qdisc+0xb9c/0x1929 net/sched/sch_api.c:1582
 rtnetlink_rcv_msg+0x453/0xaf0 net/core/rtnetlink.c:4777
 netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:632
 ___sys_sendmsg+0x803/0x920 net/socket.c:2115
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2153
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440719
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd1c3e99b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000007 RCX: 0000000000440719
RDX: 0000000000000000 RSI: 00000000200007c0 RDI: 0000000000000006
RBP: 0000000000000001 R08: 00000000ffffffff R09: 00000000004002c8
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000007166
R13: 0000000000402030 R14: 0000000000000000 R15: 0000000000000000
==================================================================
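The report above is worth reading closely before trusting any bisection: the faulting write is a memset of 8 bytes at address 0 from choke_reset(), and 8 bytes is exactly (tab_mask + 1) * sizeof(struct sk_buff *) with tab_mask == 0, i.e. the qdisc's packet ring was never sized. The qdisc itself was live (the reset runs from qdisc_graft -> dev_deactivate on a replace request), so a change request must have succeeded without allocating the ring. The following user-space model, added here as an illustration and not code from the page or from the kernel, reconstructs that state from the 4.19 sch_choke sizing logic as I read it (allocate the ring only when the computed mask differs from the stored one; this reading and the limit-0 trigger are assumptions) and shows the one check that turns the NULL memset into a no-op; the names choke_model, choke_change_model and choke_reset_model are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical user-space model of the sch_choke ring-buffer state that
 * matters for this crash (not kernel code). The ring `tab` is only
 * (re)allocated when the requested size changes the mask.
 */
struct choke_model {
	void **tab;              /* ring of skb pointers; NULL until sized */
	unsigned int tab_mask;   /* ring size minus one, 0 at creation     */
	unsigned int head, tail; /* ring indices, equal when empty         */
	unsigned int limit;      /* queue limit from the netlink request   */
};

static unsigned int roundup_pow_of_two_u32(unsigned int n)
{
	unsigned int p = 1;
	while (p < n)
		p <<= 1;
	return p;
}

/*
 * Mirrors the sizing step of choke_change() as assumed in this model:
 * limit -> mask, allocate only if the mask changed. A freshly zeroed
 * qdisc has tab_mask == 0, so a request whose mask is also 0
 * (limit == 0) leaves tab == NULL yet reports success.
 */
int choke_change_model(struct choke_model *q, unsigned int limit)
{
	unsigned int mask = roundup_pow_of_two_u32(limit + 1) - 1;

	if (mask != q->tab_mask) {
		void **ntab = calloc((size_t)mask + 1, sizeof(*ntab));
		if (!ntab)
			return -12; /* -ENOMEM */
		free(q->tab);
		q->tab = ntab;
		q->tab_mask = mask;
		q->head = q->tail = 0;
	}
	q->limit = limit;
	return 0;
}

/* Length of the memset choke_reset() issues on the ring: 8 for mask 0. */
size_t choke_reset_memset_len(const struct choke_model *q)
{
	return ((size_t)q->tab_mask + 1) * sizeof(void *);
}

/*
 * Reset step. With guard == false it follows the crashing path, except
 * that instead of writing through NULL it returns -1. With guard == true
 * the memset is skipped when the ring was never allocated (the hardening
 * the report calls for; an assumption of this model, not taken from the
 * page). Returns 1 if the ring was cleared, 0 if the guard skipped it,
 * -1 if the unguarded path would have dereferenced NULL.
 */
int choke_reset_model(struct choke_model *q, bool guard)
{
	/* Drain loop: with head == tail nothing is touched, so an empty,
	 * never-sized ring gets past it without dereferencing tab. */
	while (q->head != q->tail) {
		q->tab[q->head] = NULL;
		q->head = (q->head + 1) & q->tab_mask;
	}

	if (q->tab == NULL) {
		if (guard)
			return 0;
		return -1; /* kernel: memset(NULL, 0, 8) -> KASAN null-ptr-deref */
	}
	memset(q->tab, 0, choke_reset_memset_len(q));
	q->head = q->tail = 0;
	return 1;
}

int main(void)
{
	struct choke_model q = {0};

	/* A change request with limit 0 succeeds but never sizes the ring. */
	printf("change(limit=0) -> %d, tab=%p, memset len=%zu\n",
	       choke_change_model(&q, 0), (void *)q.tab, choke_reset_memset_len(&q));
	printf("unguarded reset -> %d\n", choke_reset_model(&q, false));
	printf("guarded reset   -> %d\n", choke_reset_model(&q, true));

	/* A non-zero limit allocates a power-of-two ring and reset is safe. */
	printf("change(limit=10) -> %d, mask=%u\n", choke_change_model(&q, 10), q.tab_mask);
	printf("unguarded reset -> %d\n", choke_reset_model(&q, false));
	free(q.tab);
	return 0;
}
```

Two things the model makes visible that the stack trace alone does not: the drain loop in reset is safe on the never-sized ring because head == tail, so the only NULL dereference is the final memset; and a later change to limit 0 on an already-sized ring does reallocate (mask 0 differs from the stored mask), so the dangerous state exists only for a qdisc whose very first configuration carried limit 0.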

Crashes (236):
Manager         Time              Kernel        Commit        Syzkaller  Syz repro  C repro
ci2-linux-4-19  2020/05/10 19:08  linux-4.19.y  033c4ea49a4b  8742a2b9   yes        yes
ci2-linux-4-19  2020/04/20 07:10  linux-4.19.y  8488c3f3bc86  9f7c6d12   yes        yes
ci2-linux-4-19  2020/04/19 07:50  linux-4.19.y  8488c3f3bc86  365fba24   yes        yes
ci2-linux-4-19  2020/05/14 04:32  linux-4.19.y  033c4ea49a4b  a885920d   -          -
ci2-linux-4-19  2020/05/14 00:13  linux-4.19.y  033c4ea49a4b  a885920d   -          -
ci2-linux-4-19  2020/05/13 23:11  linux-4.19.y  033c4ea49a4b  a885920d   -          -
ci2-linux-4-19  2020/05/13 22:09  linux-4.19.y  033c4ea49a4b  a885920d   -          -
ci2-linux-4-19  2020/05/13 16:25  linux-4.19.y  033c4ea49a4b  9a6d42fb   -          -
ci2-linux-4-19  2020/05/13 11:30  linux-4.19.y  033c4ea49a4b  9a6d42fb   -          -
ci2-linux-4-19  2020/05/13 10:18  linux-4.19.y  033c4ea49a4b  9a6d42fb   -          -
ci2-linux-4-19  2020/05/13 09:17  linux-4.19.y  033c4ea49a4b  a44eb8f7   -          -
ci2-linux-4-19  2020/05/13 00:06  linux-4.19.y  033c4ea49a4b  a44eb8f7   -          -
ci2-linux-4-19  2020/05/12 23:42  linux-4.19.y  033c4ea49a4b  a44eb8f7   -          -
ci2-linux-4-19  2020/05/12 19:40  linux-4.19.y  033c4ea49a4b  a44eb8f7   -          -
ci2-linux-4-19  2020/05/12 18:33  linux-4.19.y  033c4ea49a4b  a497a5b4   -          -
ci2-linux-4-19  2020/05/12 16:45  linux-4.19.y  033c4ea49a4b  a497a5b4   -          -
ci2-linux-4-19  2020/05/12 07:56  linux-4.19.y  033c4ea49a4b  a497a5b4   -          -
ci2-linux-4-19  2020/05/12 01:31  linux-4.19.y  033c4ea49a4b  9eb09c40   -          -
ci2-linux-4-19  2020/05/11 20:07  linux-4.19.y  033c4ea49a4b  9eb09c40   -          -
ci2-linux-4-19  2020/05/11 19:01  linux-4.19.y  033c4ea49a4b  9eb09c40   -          -
ci2-linux-4-19  2020/05/11 17:35  linux-4.19.y  033c4ea49a4b  f8f57555   -          -
ci2-linux-4-19  2020/05/11 12:58  linux-4.19.y  033c4ea49a4b  f8f57555   -          -
ci2-linux-4-19  2020/05/11 08:20  linux-4.19.y  033c4ea49a4b  f8f57555   -          -
ci2-linux-4-19  2020/05/11 07:05  linux-4.19.y  033c4ea49a4b  f8f57555   -          -
ci2-linux-4-19  2020/05/10 13:34  linux-4.19.y  033c4ea49a4b  8742a2b9   -          -
ci2-linux-4-19  2020/05/10 10:11  linux-4.19.y  033c4ea49a4b  8742a2b9   -          -
ci2-linux-4-19  2020/05/10 09:00  linux-4.19.y  033c4ea49a4b  8742a2b9   -          -
ci2-linux-4-19  2020/05/10 02:32  linux-4.19.y  84920cc7fbe1  8742a2b9   -          -
ci2-linux-4-19  2020/05/10 01:27  linux-4.19.y  84920cc7fbe1  88cb3e92   -          -
ci2-linux-4-19  2020/05/09 20:35  linux-4.19.y  84920cc7fbe1  88cb3e92   -          -
ci2-linux-4-19  2020/05/09 15:44  linux-4.19.y  84920cc7fbe1  88cb3e92   -          -
ci2-linux-4-19  2020/05/09 14:35  linux-4.19.y  84920cc7fbe1  88cb3e92   -          -
ci2-linux-4-19  2020/05/09 13:07  linux-4.19.y  84920cc7fbe1  e97b06d3   -          -
ci2-linux-4-19  2020/05/08 23:28  linux-4.19.y  84920cc7fbe1  e97b06d3   -          -
ci2-linux-4-19  2020/05/08 22:05  linux-4.19.y  84920cc7fbe1  e97b06d3   -          -
ci2-linux-4-19  2020/05/08 19:07  linux-4.19.y  84920cc7fbe1  fe4122c3   -          -
ci2-linux-4-19  2020/05/08 11:33  linux-4.19.y  84920cc7fbe1  fe4122c3   -          -
ci2-linux-4-19  2020/05/08 10:31  linux-4.19.y  84920cc7fbe1  fe4122c3   -          -
ci2-linux-4-19  2020/05/08 08:46  linux-4.19.y  84920cc7fbe1  6c70a1c2   -          -
ci2-linux-4-19  2020/05/08 01:59  linux-4.19.y  84920cc7fbe1  6c70a1c2   -          -
ci2-linux-4-19  2020/05/07 23:40  linux-4.19.y  84920cc7fbe1  6c70a1c2   -          -
ci2-linux-4-19  2020/05/07 22:30  linux-4.19.y  84920cc7fbe1  6c70a1c2   -          -
ci2-linux-4-19  2020/05/07 20:36  linux-4.19.y  84920cc7fbe1  98cbd87b   -          -
ci2-linux-4-19  2020/05/07 11:57  linux-4.19.y  84920cc7fbe1  98cbd87b   -          -
ci2-linux-4-19  2020/05/07 10:43  linux-4.19.y  84920cc7fbe1  98cbd87b   -          -
ci2-linux-4-19  2020/05/07 05:37  linux-4.19.y  84920cc7fbe1  4618eb2d   -          -
ci2-linux-4-19  2020/05/07 03:24  linux-4.19.y  84920cc7fbe1  4618eb2d   -          -
ci2-linux-4-19  2020/05/06 12:58  linux-4.19.y  84920cc7fbe1  4618eb2d   -          -
ci2-linux-4-19  2020/05/06 08:16  linux-4.19.y  84920cc7fbe1  35b8eb30   -          -
ci2-linux-4-19  2020/05/06 07:14  linux-4.19.y  84920cc7fbe1  35b8eb30   -          -
ci2-linux-4-19  2020/05/06 01:19  linux-4.19.y  fdc072324f3c  35b8eb30   -          -
ci2-linux-4-19  2020/05/05 13:56  linux-4.19.y  fdc072324f3c  4b76dd25   -          -
ci2-linux-4-19  2020/04/19 07:32  linux-4.19.y  8488c3f3bc86  365fba24   -          -