syzbot


KASAN: use-after-free Read in hooks_validate

Status: auto-closed as invalid on 2022/09/19 14:29
Reported-by: syzbot+@syzkaller.appspotmail.com
First crash: 556d, last: 358d

Cause bisection: failed (bisect log)

Fix bisection: failed (bisect log)
similar bugs (2):
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
linux-4.19 | KASAN: use-after-free Read in hooks_validate | | | | 1 | 572d | 572d | 0/1 | auto-closed as invalid on 2021/09/07 00:40
linux-4.19 | KASAN: use-after-free Read in hooks_validate (2) | C | error | | 1 | 278d | 278d | 0/1 | upstream: reported C repro on 2022/02/27 11:03

Patch testing requests:
Created | Duration | User | Patch | Repo | Result
2022/09/19 12:29 | 16m | retest repro | | upstream | OK log

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in nf_hook_entries_get_hook_ops include/linux/netfilter.h:124 [inline]
BUG: KASAN: use-after-free in hooks_validate+0x106/0x120 net/netfilter/core.c:171
Read of size 2 at addr ffff8880384df600 by task syz-executor.4/15915

CPU: 1 PID: 15915 Comm: syz-executor.4 Not tainted 5.13.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:233
 __kasan_report mm/kasan/report.c:419 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:436
 nf_hook_entries_get_hook_ops include/linux/netfilter.h:124 [inline]
 hooks_validate+0x106/0x120 net/netfilter/core.c:171
 __nf_register_net_hook+0x18c/0x610 net/netfilter/core.c:416
 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:541
 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:557
 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1214
 synproxy_tg6_check+0x35e/0x550 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1024
 check_target net/ipv6/netfilter/ip6_tables.c:529 [inline]
 find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:572
 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:734
 do_replace net/ipv6/netfilter/ip6_tables.c:1152 [inline]
 do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1638
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1008
 rawv6_setsockopt+0xd8/0x690 net/ipv6/raw.c:1081
 __sys_setsockopt+0x2db/0x610 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2128 [inline]
 __se_sys_setsockopt net/socket.c:2125 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x4665d9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fd42c624188 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665d9
RDX: 0000000000000040 RSI: 0000000000000029 RDI: 0000000000000003
RBP: 00000000004bfcb9 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000020000000 R11: 0000000000000246 R12: 000000000056c038
R13: 0000000000a9fb1f R14: 00007fd42c624300 R15: 0000000000022000

Allocated by task 15915:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:428 [inline]
 ____kasan_kmalloc mm/kasan/common.c:507 [inline]
 ____kasan_kmalloc mm/kasan/common.c:466 [inline]
 __kasan_kmalloc+0x9b/0xd0 mm/kasan/common.c:516
 kmalloc_node include/linux/slab.h:579 [inline]
 kvmalloc_node+0x61/0xf0 mm/util.c:587
 kvmalloc include/linux/mm.h:804 [inline]
 kvzalloc include/linux/mm.h:812 [inline]
 allocate_hook_entries_size net/netfilter/core.c:61 [inline]
 nf_hook_entries_grow+0x140/0x780 net/netfilter/core.c:128
 __nf_register_net_hook+0x135/0x610 net/netfilter/core.c:407
 nf_register_net_hook+0x114/0x170 net/netfilter/core.c:541
 nf_register_net_hooks+0x59/0xc0 net/netfilter/core.c:557
 nf_synproxy_ipv6_init+0x85/0xe0 net/netfilter/nf_synproxy_core.c:1214
 synproxy_tg6_check+0x35e/0x550 net/ipv6/netfilter/ip6t_SYNPROXY.c:81
 xt_check_target+0x26c/0x9e0 net/netfilter/x_tables.c:1024
 check_target net/ipv6/netfilter/ip6_tables.c:529 [inline]
 find_check_entry.constprop.0+0x7f1/0x9e0 net/ipv6/netfilter/ip6_tables.c:572
 translate_table+0xc8b/0x1750 net/ipv6/netfilter/ip6_tables.c:734
 do_replace net/ipv6/netfilter/ip6_tables.c:1152 [inline]
 do_ip6t_set_ctl+0x56e/0xb90 net/ipv6/netfilter/ip6_tables.c:1638
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1008
 rawv6_setsockopt+0xd8/0x690 net/ipv6/raw.c:1081
 __sys_setsockopt+0x2db/0x610 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2128 [inline]
 __se_sys_setsockopt net/socket.c:2125 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 8534:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xfb/0x130 mm/kasan/common.c:368
 kasan_slab_free include/linux/kasan.h:212 [inline]
 slab_free_hook mm/slub.c:1582 [inline]
 slab_free_freelist_hook+0xdf/0x240 mm/slub.c:1607
 slab_free mm/slub.c:3167 [inline]
 kfree+0xe5/0x7f0 mm/slub.c:4217
 kvfree+0x42/0x50 mm/util.c:616
 rcu_do_batch kernel/rcu/tree.c:2558 [inline]
 rcu_core+0x7ab/0x13b0 kernel/rcu/tree.c:2793
 __do_softirq+0x29b/0x9f6 kernel/softirq.c:559

Last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3038 [inline]
 call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113
 nf_hook_entries_free net/netfilter/core.c:88 [inline]
 nf_hook_entries_free net/netfilter/core.c:75 [inline]
 __nf_unregister_net_hook+0x36f/0x610 net/netfilter/core.c:489
 nf_unregister_net_hook net/netfilter/core.c:502 [inline]
 nf_unregister_net_hooks+0x117/0x160 net/netfilter/core.c:576
 nf_synproxy_ipv6_fini net/netfilter/nf_synproxy_core.c:1230 [inline]
 nf_synproxy_ipv6_fini+0x71/0x90 net/netfilter/nf_synproxy_core.c:1226
 synproxy_tg6_destroy+0x1cf/0x360 net/ipv6/netfilter/ip6t_SYNPROXY.c:94
 cleanup_entry+0x245/0x340 net/ipv6/netfilter/ip6_tables.c:670
 do_replace net/ipv6/netfilter/ip6_tables.c:1164 [inline]
 do_ip6t_set_ctl+0x984/0xb90 net/ipv6/netfilter/ip6_tables.c:1638
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1008
 rawv6_setsockopt+0xd8/0x690 net/ipv6/raw.c:1081
 __sys_setsockopt+0x2db/0x610 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2128 [inline]
 __se_sys_setsockopt net/socket.c:2125 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_record_aux_stack+0xe5/0x110 mm/kasan/generic.c:345
 __call_rcu kernel/rcu/tree.c:3038 [inline]
 call_rcu+0xb1/0x750 kernel/rcu/tree.c:3113
 nf_hook_entries_free net/netfilter/core.c:88 [inline]
 nf_hook_entries_free net/netfilter/core.c:75 [inline]
 __nf_unregister_net_hook+0x36f/0x610 net/netfilter/core.c:489
 nf_unregister_net_hook net/netfilter/core.c:502 [inline]
 nf_unregister_net_hooks+0x117/0x160 net/netfilter/core.c:576
 nf_synproxy_ipv6_fini net/netfilter/nf_synproxy_core.c:1230 [inline]
 nf_synproxy_ipv6_fini+0x71/0x90 net/netfilter/nf_synproxy_core.c:1226
 synproxy_tg6_destroy+0x1cf/0x360 net/ipv6/netfilter/ip6t_SYNPROXY.c:94
 cleanup_entry+0x245/0x340 net/ipv6/netfilter/ip6_tables.c:670
 do_replace net/ipv6/netfilter/ip6_tables.c:1164 [inline]
 do_ip6t_set_ctl+0x984/0xb90 net/ipv6/netfilter/ip6_tables.c:1638
 nf_setsockopt+0x83/0xe0 net/netfilter/nf_sockopt.c:101
 ipv6_setsockopt+0x122/0x180 net/ipv6/ipv6_sockglue.c:1008
 rawv6_setsockopt+0xd8/0x690 net/ipv6/raw.c:1081
 __sys_setsockopt+0x2db/0x610 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2128 [inline]
 __se_sys_setsockopt net/socket.c:2125 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff8880384df600
 which belongs to the cache kmalloc-256 of size 256
The buggy address is located 0 bytes inside of
 256-byte region [ffff8880384df600, ffff8880384df700)
The buggy address belongs to the page:
page:ffffea0000e13780 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x384de
head:ffffea0000e13780 order:1 compound_mapcount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffffea0000750c80 0000000500000005 ffff888011041b40
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 1, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 8480, ts 1013011032958, free_ts 1012965899683
 prep_new_page mm/page_alloc.c:2358 [inline]
 get_page_from_freelist+0x1033/0x2b60 mm/page_alloc.c:3994
 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5200
 alloc_pages+0x18c/0x2a0 mm/mempolicy.c:2272
 alloc_slab_page mm/slub.c:1645 [inline]
 allocate_slab+0x2c5/0x4c0 mm/slub.c:1785
 new_slab mm/slub.c:1848 [inline]
 new_slab_objects mm/slub.c:2594 [inline]
 ___slab_alloc+0x4a1/0x810 mm/slub.c:2757
 __slab_alloc.constprop.0+0xa7/0xf0 mm/slub.c:2797
 slab_alloc_node mm/slub.c:2879 [inline]
 slab_alloc mm/slub.c:2921 [inline]
 kmem_cache_alloc_trace+0x2a3/0x2c0 mm/slub.c:2938
 kmalloc include/linux/slab.h:556 [inline]
 kzalloc include/linux/slab.h:686 [inline]
 fib6_info_alloc+0xbe/0x1d0 net/ipv6/ip6_fib.c:154
 ip6_route_info_create+0x33e/0x19d0 net/ipv6/route.c:3635
 addrconf_f6i_alloc+0x2ff/0x4b0 net/ipv6/route.c:4449
 ipv6_add_addr+0x3a6/0x1ef0 net/ipv6/addrconf.c:1089
 inet6_addr_add+0x410/0xae0 net/ipv6/addrconf.c:2945
 inet6_rtm_newaddr+0xf00/0x1970 net/ipv6/addrconf.c:4871
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1298 [inline]
 __free_pages_ok+0x476/0xce0 mm/page_alloc.c:1572
 unfreeze_partials+0x17c/0x1d0 mm/slub.c:2375
 put_cpu_partial+0x13d/0x230 mm/slub.c:2411
 qlink_free mm/kasan/quarantine.c:146 [inline]
 qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
 __kasan_slab_alloc+0x8e/0xa0 mm/kasan/common.c:438
 kasan_slab_alloc include/linux/kasan.h:236 [inline]
 slab_post_alloc_hook mm/slab.h:524 [inline]
 slab_alloc_node mm/slub.c:2913 [inline]
 slab_alloc mm/slub.c:2921 [inline]
 __kmalloc+0x1f7/0x330 mm/slub.c:4055
 kmalloc include/linux/slab.h:561 [inline]
 tomoyo_add_entry security/tomoyo/common.c:2031 [inline]
 tomoyo_supervisor+0xce8/0xf00 security/tomoyo/common.c:2103
 tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline]
 tomoyo_path_number_perm+0x419/0x590 security/tomoyo/file.c:734
 security_file_ioctl+0x50/0xb0 security/security.c:1539
 __do_sys_ioctl fs/ioctl.c:1063 [inline]
 __se_sys_ioctl fs/ioctl.c:1055 [inline]
 __x64_sys_ioctl+0xb3/0x200 fs/ioctl.c:1055
 do_syscall_64+0x3a/0xb0 arch/x86/entry/common.c:47
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Memory state around the buggy address:
 ffff8880384df500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880384df580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880384df600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                   ^
 ffff8880384df680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880384df700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (5):
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Title
ci-upstream-kasan-gce | 2021/05/25 11:47 | upstream | 1434a3127887 | 3c7fef33 | .config | log | report | syz | | | KASAN: use-after-free Read in hooks_validate
ci-upstream-kasan-gce-selinux-root | 2021/12/10 02:14 | upstream | c741e49150db | 4d4ce9bc | .config | log | report | | | info | KASAN: use-after-free Read in hooks_validate
ci-upstream-kasan-gce | 2021/08/23 18:43 | upstream | d5ae8d7f85b7 | b599f2fc | .config | log | report | | | info | KASAN: use-after-free Read in hooks_validate
ci-upstream-kasan-gce | 2021/06/25 00:57 | upstream | 4a09d388f2ab | 0edbbe31 | .config | log | report | | | info | KASAN: use-after-free Read in hooks_validate
ci-upstream-kasan-gce-selinux-root | 2021/06/14 21:00 | upstream | 009c9aa5be65 | 1ba81399 | .config | log | report | | | info | KASAN: use-after-free Read in hooks_validate

* Struck-through repros no longer work on HEAD.