syzbot

 sign-in | mailing list | source | docs
🐞 Open [979] Subsystems 🐞 Fixed [5236] 🐞 Invalid [12499] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in hash_ipportnet4_uadt

Status: fixed on 2020/02/18 14:31
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com
Fix commit: 22dad713b8a5 netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
First crash: 1569d, last: 1566d
Cause bisection: introduced by (bisect log) :
commit 23c42a403a9cfdbad6004a556c927be7dd61a8ee
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Sat Oct 27 13:07:40 2018 +0000

  netfilter: ipset: Introduction of new commands and protocol version 7

Crash: general protection fault in hash_ipportnet4_uadt (log)
Repro: C syz .config
  
Duplicate bugs (11)
duplicates (11):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
general protection fault in hash_ip6_uadt netfilter C 6 1567d 1568d 0/26 closed as dup on 2020/01/08 09:52
general protection fault in hash_netnet4_uadt netfilter C 7 1567d 1568d 0/26 closed as dup on 2020/01/08 09:53
general protection fault in hash_netport4_uadt netfilter C 12 1567d 1568d 0/26 closed as dup on 2020/01/08 09:54
general protection fault in hash_ipportip4_uadt netfilter 2 1567d 1568d 0/26 closed as dup on 2020/01/08 15:53
general protection fault in hash_netport6_uadt netfilter syz 6 1567d 1568d 0/26 closed as dup on 2020/01/08 09:53
general protection fault in hash_ipport4_uadt netfilter syz 6 1567d 1568d 0/26 closed as dup on 2020/01/08 09:52
general protection fault in hash_mac4_uadt netfilter C done 6 1567d 1569d 0/26 closed as dup on 2020/01/08 09:54
general protection fault in hash_ip4_uadt C done 12 1566d 1568d 0/26 closed as dup on 2020/01/08 09:53
general protection fault in hash_ipportip6_uadt netfilter C 6 1566d 1568d 0/26 closed as dup on 2020/01/08 16:06
general protection fault in hash_net4_uadt netfilter C done 5 1567d 1568d 0/26 closed as dup on 2020/01/08 09:53
general protection fault in hash_ipportnet6_uadt netfilter C 6 1567d 1568d 0/26 closed as dup on 2020/01/08 09:53
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 3.16 000/245] 3.16.83-rc1 review 260 (260) 2020/04/24 17:54
[PATCH 5.4 00/78] 5.4.12-stable review 107 (107) 2020/02/11 15:01
[PATCH 4.19 00/46] 4.19.96-stable review 51 (51) 2020/01/15 02:09
[PATCH 4.14 00/39] 4.14.165-stable review 44 (44) 2020/01/15 02:08
[PATCH 4.9 00/31] 4.9.210-stable review 36 (36) 2020/01/15 02:08
[PATCH 4.4 00/28] 4.4.210-stable review 33 (33) 2020/01/15 02:08
[PATCH 0/9] Netfilter fixes for net 11 (11) 2020/01/08 23:22
[PATCH nf] netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present 5 (5) 2020/01/08 22:32
general protection fault in hash_ipportnet4_uadt 0 (3) 2020/01/08 16:53

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10443 Comm: syz-executor905 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:hash_ipportnet4_uadt+0x20b/0x13e0 net/netfilter/ipset/ip_set_hash_ipportnet.c:173
Code: 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 71 0c 00 00 4c 89 e2 45 8b 6d 04 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 2c
RSP: 0018:ffffc90001b9f150 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffc90001b9f320 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff867e1e88 RDI: ffff8880a6e720a0
RBP: ffffc90001b9f2b8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffed1015d2703c R11: ffff8880ae9381e3 R12: 0000000000000000
R13: 0000000004000000 R14: ffffc90001b9f220 R15: ffff8880a836e600
FS:  0000000002222880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056182b61c150 CR3: 00000000a753b000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867
 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
 nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:659
 ____sys_sendmsg+0x753/0x880 net/socket.c:2330
 ___sys_sendmsg+0x100/0x170 net/socket.c:2384
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440899
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffed7d48f48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440899
RDX: 000000000c0000c4 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000015 R09: 00000000004002c8
R10: 0000000000000005 R11: 0000000000000246 R12: 0000000000402120
R13: 00000000004021b0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace a37f28555bb7c406 ]---
RIP: 0010:hash_ipportnet4_uadt+0x20b/0x13e0 net/netfilter/ipset/ip_set_hash_ipportnet.c:173
Code: 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 71 0c 00 00 4c 89 e2 45 8b 6d 04 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <0f> b6 14 02 4c 89 e0 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 2c
RSP: 0018:ffffc90001b9f150 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffc90001b9f320 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff867e1e88 RDI: ffff8880a6e720a0
RBP: ffffc90001b9f2b8 R08: 0000000000000000 R09: 0000000000000000
R10: ffffed1015d2703c R11: ffff8880ae9381e3 R12: 0000000000000000
R13: 0000000004000000 R14: ffffc90001b9f220 R15: ffff8880a836e600
FS:  0000000002222880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056182b61c150 CR3: 00000000a753b000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (13):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/01/09 09:35 upstream b07f636fca1c ddc3e859 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/09 02:05 upstream b07f636fca1c ddc3e859 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/08 15:23 upstream ae6088216ce4 ddc3e859 .config console log report syz C ci-upstream-kasan-gce-root
2020/01/08 08:14 upstream ae6088216ce4 6738e0b3 .config console log report syz C ci-upstream-kasan-gce
2020/01/08 05:19 upstream ae6088216ce4 6738e0b3 .config console log report syz C ci-upstream-kasan-gce-root
2020/01/08 09:24 upstream ae6088216ce4 6738e0b3 .config console log report syz C ci-upstream-kasan-gce-386
2020/01/08 03:35 upstream ae6088216ce4 6738e0b3 .config console log report syz C ci-upstream-kasan-gce-386
2020/01/07 23:16 net-old c101fffcd7fa 1bcd407e .config console log report syz C ci-upstream-net-this-kasan-gce
2020/01/07 17:27 net-old c101fffcd7fa 1bcd407e .config console log report syz C ci-upstream-net-this-kasan-gce
2020/01/08 02:34 net-next-old 1ece2fbe9b42 6738e0b3 .config console log report syz C ci-upstream-net-kasan-gce
2020/01/07 19:52 net-next-old 1b935183aeff 1bcd407e .config console log report syz C ci-upstream-net-kasan-gce
2020/01/10 00:44 net-next-old 4a4a52d49d11 4de4e9f0 .config console log report ci-upstream-net-kasan-gce
2020/01/07 13:47 net-next-old 1b935183aeff 1bcd407e .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.