syzbot


KMSAN: uninit-value in fib_get_nhs

Status: fixed on 2022/03/08 16:11
Subsystems: net
[Documentation on labels]
Reported-by: syzbot+d4b9a2851cc3ce998741@syzkaller.appspotmail.com
Fix commit: 7a3429bace0e ipv4: Check attribute length for RTA_GATEWAY in multipath route
First crash: 842d, last: 769d
Discussions (6)
Title Replies (including bot) Last reply
[PATCH 5.4 00/34] 5.4.171-rc1 review 41 (41) 2022/01/12 01:08
[PATCH 5.15 00/72] 5.15.14-rc1 review 82 (82) 2022/01/11 12:41
[PATCH 5.10 00/43] 5.10.91-rc1 review 53 (53) 2022/01/11 12:37
[PATCH net 0/5] net: Length checks for attributes within multipath routes 10 (10) 2022/01/02 16:45
[PATCH net] ipv4: Check attribute length for RTA_GATEWAY 4 (4) 2021/12/12 08:09
[syzbot] KMSAN: uninit-value in fib_get_nhs 1 (2) 2021/12/10 16:52
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KMSAN: kernel-infoleak in _copy_to_iter (7) net C 138977 398d 750d 22/26 fixed on 2023/02/24 13:50
upstream KMSAN: uninit-value in __tipc_nl_bearer_enable tipc C 1288 399d 1927d 22/26 fixed on 2023/02/24 13:50
upstream KMSAN: uninit-value in tipc_nl_compat_name_table_dump (3) tipc C 65 494d 511d 22/26 fixed on 2023/02/24 13:51

Sample crash report:
=====================================================
BUG: KMSAN: uninit-value in fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
 fib_get_nhs+0xac4/0x1f80 net/ipv4/fib_semantics.c:708
 fib_create_info+0x2411/0x4870 net/ipv4/fib_semantics.c:1453
 fib_table_insert+0x45c/0x3a10 net/ipv4/fib_trie.c:1224
 inet_rtm_newroute+0x289/0x420 net/ipv4/fib_frontend.c:886
 rtnetlink_rcv_msg+0x145d/0x18c0 net/core/rtnetlink.c:5571
 netlink_rcv_skb+0x447/0x800 net/netlink/af_netlink.c:2491
 rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5589
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x1095/0x1360 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x16f3/0x1870 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 ____sys_sendmsg+0xe11/0x12c0 net/socket.c:2409
 ___sys_sendmsg net/socket.c:2463 [inline]
 __sys_sendmsg+0x4a5/0x640 net/socket.c:2492
 __do_sys_sendmsg net/socket.c:2501 [inline]
 __se_sys_sendmsg net/socket.c:2499 [inline]
 __x64_sys_sendmsg+0xe2/0x120 net/socket.c:2499
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Uninit was created at:
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:3251 [inline]
 __kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4974
 kmalloc_reserve net/core/skbuff.c:354 [inline]
 __alloc_skb+0x545/0xf90 net/core/skbuff.c:426
 alloc_skb include/linux/skbuff.h:1126 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline]
 netlink_sendmsg+0xe93/0x1870 net/netlink/af_netlink.c:1891
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg net/socket.c:724 [inline]
 ____sys_sendmsg+0xe11/0x12c0 net/socket.c:2409
 ___sys_sendmsg net/socket.c:2463 [inline]
 __sys_sendmsg+0x4a5/0x640 net/socket.c:2492
 __do_sys_sendmsg net/socket.c:2501 [inline]
 __se_sys_sendmsg net/socket.c:2499 [inline]
 __x64_sys_sendmsg+0xe2/0x120 net/socket.c:2499
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x44/0xae

CPU: 0 PID: 6371 Comm: syz-executor193 Not tainted 5.16.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
=====================================================

Crashes (14):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/12/08 16:46 https://github.com/google/kmsan.git master 8b936c96768e a4a2a501 .config console log report syz C ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2022/02/18 12:08 https://github.com/google/kmsan.git master 85cfd6e539bd 3cd800e4 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2022/01/25 13:37 https://github.com/google/kmsan.git master 85cfd6e539bd 2cbffd88 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2021/12/19 12:57 https://github.com/google/kmsan.git master b0a8b5053e8b 44068e19 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2021/12/19 12:39 https://github.com/google/kmsan.git master b0a8b5053e8b 44068e19 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2021/12/10 04:11 https://github.com/google/kmsan.git master 8b936c96768e 4d4ce9bc .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2021/12/08 20:25 https://github.com/google/kmsan.git master 8b936c96768e a4a2a501 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2021/12/08 14:56 https://github.com/google/kmsan.git master 8b936c96768e a4a2a501 .config console log report info ci-upstream-kmsan-gce KMSAN: uninit-value in fib_get_nhs
2022/01/25 13:44 https://github.com/google/kmsan.git master 85cfd6e539bd 2cbffd88 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in fib_get_nhs
2021/12/19 12:31 https://github.com/google/kmsan.git master b0a8b5053e8b 44068e19 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in fib_get_nhs
2021/12/19 12:24 https://github.com/google/kmsan.git master b0a8b5053e8b 44068e19 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in fib_get_nhs
2021/12/09 06:21 https://github.com/google/kmsan.git master 8b936c96768e a4a2a501 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in fib_get_nhs
2021/12/08 20:32 https://github.com/google/kmsan.git master 8b936c96768e a4a2a501 .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in fib_get_nhs
2021/12/07 21:19 https://github.com/google/kmsan.git master 8b936c96768e 0230ba3e .config console log report info ci-upstream-kmsan-gce-386 KMSAN: uninit-value in fib_get_nhs
* Struck through repros no longer work on HEAD.