syzbot

KASAN: slab-out-of-bounds Read in pfkey_add

Status: fixed on 2018/05/17 10:02
Subsystems: net
Reported-by: syzbot+5022a34ca5a3d49b84223653fab632dfb7b4cf37@syzkaller.appspotmail.com
Fix commit: 4b66af2d6356 af_key: Always verify length of provided sadb_key
First crash: 2327d, last: 2176d
Discussions (8)
Title Replies (including bot) Last reply
[PATCH 4.4 00/24] 4.4.138-stable review 39 (39) 2018/07/05 16:08
[PATCH 3.18 00/85] 3.18.114-stable review 84 (84) 2018/07/03 09:17
[PATCH 4.16 00/43] 4.16.16-stable review 41 (41) 2018/06/15 15:19
[PATCH 4.14 00/36] 4.14.50-stable review 34 (34) 2018/06/15 15:19
[PATCH 4.9 00/30] 4.9.109-stable review 36 (36) 2018/06/15 15:18
[PATCH 1/3] af_key: Always verify length of provided sadb_key 1 (1) 2018/05/07 08:43
[PATCH v2 0/2] af_key: Fix for sadb_key memcpy read overrun 7 (7) 2018/04/10 11:38
[PATCH 0/2] af_key: Fix for sadb_key memcpy read overrun 6 (6) 2018/04/06 04:31
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: slab-out-of-bounds Read in pfkey_add C 3155 2140d 1841d 0/3 public: reported C repro on 2019/04/12 00:00
android-44 KASAN: slab-out-of-bounds Read in pfkey_add C 290 2140d 1841d 0/2 public: reported C repro on 2019/04/12 00:00

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state net/key/af_key.c:1181 [inline]
BUG: KASAN: slab-out-of-bounds in pfkey_add+0x272d/0x3210 net/key/af_key.c:1499
Read of size 8192 at addr ffff8801b34925c0 by task syzkaller440049/4471

CPU: 0 PID: 4471 Comm: syzkaller440049 Not tainted 4.16.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:345 [inline]
 pfkey_msg2xfrm_state net/key/af_key.c:1181 [inline]
 pfkey_add+0x272d/0x3210 net/key/af_key.c:1499
 pfkey_process+0x7cc/0x8a0 net/key/af_key.c:2819
 pfkey_sendmsg+0x5f4/0x1050 net/key/af_key.c:3658
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 SYSC_sendmsg net/socket.c:2164 [inline]
 SyS_sendmsg+0x29/0x30 net/socket.c:2162
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x43fd19
RSP: 002b:00007ffeef8e7678 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd19
RDX: 0000000000000000 RSI: 0000000020196fe4 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401640
R13: 00000000004016d0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 4471:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.38+0x3a/0xe0 net/core/skbuff.c:137
 __alloc_skb+0x14d/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:987 [inline]
 pfkey_sendmsg+0x250/0x1050 net/key/af_key.c:3645
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 SYSC_sendmsg net/socket.c:2164 [inline]
 SyS_sendmsg+0x29/0x30 net/socket.c:2162
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801b3492580
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 64 bytes inside of
 512-byte region [ffff8801b3492580, ffff8801b3492780)
The buggy address belongs to the page:
page:ffffea0006cd2480 count:1 mapcount:0 mapping:ffff8801b3492080 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801b3492080 0000000000000000 0000000100000006
raw: ffffea00073d9be0 ffff8801dac01748 ffff8801dac00940 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b3492680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b3492700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b3492780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801b3492800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801b3492880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (835):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/04/15 03:09 upstream 18b7fd1c93e5 7a67784c .config console log report syz C ci-upstream-kasan-gce-root
2018/04/13 19:51 upstream 16e205cf42da 0a0c5db6 .config console log report syz C ci-upstream-kasan-gce
2018/04/05 17:20 upstream 06dd3dfeea60 5e1ccffc .config console log report syz C ci-upstream-kasan-gce-root
2018/04/05 16:58 upstream 3e968c9f1401 5e1ccffc .config console log report syz C ci-upstream-kasan-gce
2018/03/20 08:58 upstream 1b5f3ba415fe 7e7d7ed2 .config console log report syz C ci-upstream-kasan-gce
2018/03/10 21:51 upstream 3266b5bd97ea 36d1c454 .config console log report syz C ci-upstream-kasan-gce
2018/03/08 20:26 upstream 1b88accf6a65 acd0caa5 .config console log report syz C ci-upstream-kasan-gce
2018/02/25 17:47 upstream 3664ce2d9309 9fe8aa42 .config console log report syz C ci-upstream-kasan-gce
2017/12/29 00:23 upstream 5f520fc31876 7d240098 .config console log report syz C ci-upstream-kasan-gce
2017/12/20 18:18 upstream 10a7e9d84915 90a46995 .config console log report syz C ci-upstream-kasan-gce
2017/12/18 02:02 upstream b9f5fb1800d8 d5beb42a .config console log report syz C ci-upstream-kasan-gce
2017/12/15 07:43 upstream d455df0bcc00 ac20b98c .config console log report syz C ci-upstream-kasan-gce
2017/12/13 15:22 upstream d39a01eff9af ce7f2399 .config console log report syz C ci-upstream-kasan-gce
2017/12/11 23:10 upstream 50c4c4e268a2 da131727 .config console log report syz C ci-upstream-kasan-gce
2017/12/11 19:51 upstream 50c4c4e268a2 da131727 .config console log report syz C ci-upstream-kasan-gce
2018/02/25 17:54 upstream 3664ce2d9309 9fe8aa42 .config console log report syz C ci-upstream-kasan-gce-386
2017/12/29 00:25 upstream 5f520fc31876 7d240098 .config console log report syz C ci-upstream-kasan-gce-386
2017/12/20 18:04 upstream 10a7e9d84915 90a46995 .config console log report syz C ci-upstream-kasan-gce-386
2017/12/18 02:03 upstream b9f5fb1800d8 d5beb42a .config console log report syz C ci-upstream-kasan-gce-386
2017/12/15 07:41 upstream d455df0bcc00 ac20b98c .config console log report syz C ci-upstream-kasan-gce-386
2017/12/13 12:44 upstream d39a01eff9af ce7f2399 .config console log report syz C ci-upstream-kasan-gce-386
2017/12/11 21:18 upstream 50c4c4e268a2 da131727 .config console log report syz C ci-upstream-kasan-gce-386
2017/12/11 19:51 upstream 50c4c4e268a2 da131727 .config console log report syz C ci-upstream-kasan-gce-386
2018/04/13 16:08 net-next-old 5d1365940a68 0a0c5db6 .config console log report syz C ci-upstream-net-kasan-gce
2018/04/05 16:58 net-next-old 17dec0a94915 5e1ccffc .config console log report syz C ci-upstream-net-kasan-gce
2018/03/20 09:01 net-next-old c314c7ba4038 7e7d7ed2 .config console log report syz C ci-upstream-net-kasan-gce
2018/03/10 21:40 net-next-old f44b1886a5f8 36d1c454 .config console log report syz C ci-upstream-net-kasan-gce
2018/03/08 18:58 net-next-old 67ae686b3e14 acd0caa5 .config console log report syz C ci-upstream-net-kasan-gce
2018/02/25 17:49 net-next-old f74290fdb363 9fe8aa42 .config console log report syz C ci-upstream-net-kasan-gce
2017/12/29 00:23 net-next-old 836df24a7062 7d240098 .config console log report syz C ci-upstream-net-kasan-gce
2017/12/20 16:55 net-next-old f39a5c01c3d2 90a46995 .config console log report syz C ci-upstream-net-kasan-gce
2017/12/18 01:58 net-next-old c30abd5e40dd d5beb42a .config console log report syz C ci-upstream-net-kasan-gce
2017/12/15 07:37 net-next-old 5c13e07580c8 ac20b98c .config console log report syz C ci-upstream-net-kasan-gce
2017/12/11 20:59 net-next-old a0b586fa75a6 da131727 .config console log report syz C ci-upstream-net-kasan-gce
2017/12/11 19:38 net-next-old a0b586fa75a6 da131727 .config console log report syz C ci-upstream-net-kasan-gce
2017/12/29 00:24 linux-next 0e08c463db38 7d240098 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/29 00:24 mmots 37759fa6d0fa 7d240098 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/22 01:20 linux-next 0e08c463db38 81fe66b4 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/21 13:31 mmots 75aa5540627f eaadba98 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/19 08:48 mmots 82bcf1def3b5 1c4160ef .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/17 01:53 mmots 82bcf1def3b5 b6f0c91b .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/15 14:56 mmots 82bcf1def3b5 ac20b98c .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/13 23:51 mmots 82bcf1def3b5 06ea774d .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/13 22:10 mmots 82bcf1def3b5 06ea774d .config console log report syz C ci-upstream-mmots-kasan-gce
2017/12/11 22:21 linux-next 153e8244ebcb da131727 .config console log report syz C ci-upstream-next-kasan-gce
2017/12/11 20:02 linux-next 153e8244ebcb da131727 .config console log report syz C ci-upstream-next-kasan-gce
2018/04/26 20:48 upstream 69bfd470f462 73417389 .config console log report syz ci-upstream-kasan-gce-386
2018/04/05 16:59 upstream f2d285669aae 5e1ccffc .config console log report syz ci-upstream-kasan-gce-386
2018/03/20 08:59 upstream 1b5f3ba415fe 7e7d7ed2 .config console log report syz ci-upstream-kasan-gce-386
2018/03/10 21:38 upstream 3266b5bd97ea 36d1c454 .config console log report syz ci-upstream-kasan-gce-386
2018/05/11 22:03 upstream 41e3e1082367 12c7428a .config console log report ci-upstream-kasan-gce
2018/05/11 20:53 upstream 41e3e1082367 12c7428a .config console log report ci-upstream-kasan-gce
2018/05/11 09:18 upstream 008464a9360e 12c7428a .config console log report ci-upstream-kasan-gce
2018/05/11 08:15 upstream 008464a9360e 12c7428a .config console log report ci-upstream-kasan-gce
2018/05/09 13:14 upstream 036db8bd9637 12c7428a .config console log report ci-upstream-kasan-gce
2018/05/07 21:21 upstream 75bc37fefc44 9e0846e8 .config console log report ci-upstream-kasan-gce-root
2018/05/05 18:26 upstream c1c07416cdd4 6a0382b5 .config console log report ci-upstream-kasan-gce
2018/05/04 21:47 upstream 150426981426 9ce14f4b .config console log report ci-upstream-kasan-gce-root
2018/05/04 19:20 upstream 150426981426 9ce14f4b .config console log report ci-upstream-kasan-gce
2018/05/04 12:54 upstream 150426981426 9ce14f4b .config console log report ci-upstream-kasan-gce
2018/05/02 04:44 upstream f2125992e7cb d5b114b4 .config console log report ci-upstream-kasan-gce
2018/05/01 22:03 upstream fff75eb2a08c d5b114b4 .config console log report ci-upstream-kasan-gce
2018/05/01 13:44 upstream fff75eb2a08c d5b114b4 .config console log report ci-upstream-kasan-gce
2018/04/30 15:33 upstream 6da6c0db5316 06db3cec .config console log report ci-upstream-kasan-gce
2018/04/29 05:43 upstream a97d8efd9d35 d5a5d045 .config console log report ci-upstream-kasan-gce
2018/04/29 00:28 upstream a97d8efd9d35 d5a5d045 .config console log report ci-upstream-kasan-gce
2018/04/28 17:39 upstream 46dc111dfe47 d5a5d045 .config console log report ci-upstream-kasan-gce-root
2018/05/10 15:48 upstream 008464a9360e 12c7428a .config console log report ci-upstream-kasan-gce-386
2018/05/09 10:49 upstream 036db8bd9637 12c7428a .config console log report ci-upstream-kasan-gce-386
2018/05/09 09:12 upstream 036db8bd9637 12c7428a .config console log report ci-upstream-kasan-gce-386
2018/05/08 15:32 upstream f142f08bf7ec 045bbd4a .config console log report ci-upstream-kasan-gce-386
2018/05/08 11:46 upstream f142f08bf7ec 045bbd4a .config console log report ci-upstream-kasan-gce-386
2018/05/07 23:01 upstream 75bc37fefc44 9e0846e8 .config console log report ci-upstream-kasan-gce-386
2018/05/06 09:06 upstream ee946c36be21 78b251cb .config console log report ci-upstream-kasan-gce-386
2018/05/04 11:17 upstream 150426981426 9ce14f4b .config console log report ci-upstream-kasan-gce-386
2018/05/04 00:23 upstream c15f6d8d4715 9ce14f4b .config console log report ci-upstream-kasan-gce-386
2018/05/03 18:50 upstream f4ef6a438cee 9ce14f4b .config console log report ci-upstream-kasan-gce-386
2018/05/11 11:21 net-next-old db1617a11a86 12c7428a .config console log report ci-upstream-net-kasan-gce
2018/05/10 20:02 net-next-old db1617a11a86 12c7428a .config console log report ci-upstream-net-kasan-gce
2018/05/10 08:55 net-next-old 53a7bdfb2a27 12c7428a .config console log report ci-upstream-net-kasan-gce
2018/05/09 17:31 net-next-old 53a7bdfb2a27 12c7428a .config console log report ci-upstream-net-kasan-gce
2018/05/07 19:00 net-next-old 90278871d4b0 9e0846e8 .config console log report ci-upstream-net-kasan-gce
2018/05/06 21:01 net-next-old 8fb11a9a8d51 6c18ddb0 .config console log report ci-upstream-net-kasan-gce
2018/05/06 13:00 net-next-old 8fb11a9a8d51 6c18ddb0 .config console log report ci-upstream-net-kasan-gce
2018/05/05 16:46 net-next-old 8fb11a9a8d51 6a0382b5 .config console log report ci-upstream-net-kasan-gce
2018/05/03 12:54 net-next-old 5693ee4ba3dc 9ce14f4b .config console log report ci-upstream-net-kasan-gce
2018/05/02 07:32 net-next-old 702353b538f5 d5b114b4 .config console log report ci-upstream-net-kasan-gce
2018/05/02 01:31 net-next-old 90d52d4fd820 d5b114b4 .config console log report ci-upstream-net-kasan-gce
2018/05/01 16:08 net-next-old 90d52d4fd820 d5b114b4 .config console log report ci-upstream-net-kasan-gce
2018/05/01 00:29 net-next-old 8231bee646b7 d5b114b4 .config console log report ci-upstream-net-kasan-gce
2018/04/29 21:03 net-next-old 9e8d438e8ba4 bb79c6ab .config console log report ci-upstream-net-kasan-gce
2018/04/29 10:24 net-next-old 9e8d438e8ba4 d5a5d045 .config console log report ci-upstream-net-kasan-gce
2018/04/29 01:37 net-next-old 9e8d438e8ba4 d5a5d045 .config console log report ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.