syzbot

 sign-in | mailing list | source | docs
🐞 Open [717] 🐞 Fixed [181] 🐞 Invalid [640] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Read in h5_rx_3wire_hdr

Status: upstream: reported syz repro on 2019/07/20 02:11
Reported-by: syzbot+bf94ac32a8e5416ca057@syzkaller.appspotmail.com
First crash: 1735d, last: 1406d
Fix bisection the fix commit could be any of (bisect log):
  aea8526edf59 Linux 4.14.133
  56dfe6252c68 Linux 4.14.188
   
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in h5_rx_3wire_hdr bluetooth syz error 3 967d 1733d 0/26 auto-obsoleted due to no activity on 2023/04/15 21:58
linux-4.19 KASAN: use-after-free Read in h5_rx_3wire_hdr (2) 1 1022d 1022d 0/1 auto-closed as invalid on 2021/10/29 20:15
linux-4.19 KASAN: use-after-free Read in h5_rx_3wire_hdr 2 1470d 1512d 0/1 auto-closed as invalid on 2020/08/08 17:48
Last patch testing requests (2)
Created Duration User Patch Repo Result
2023/01/25 14:32 9m retest repro linux-4.14.y report log
2022/09/07 19:27 8m retest repro linux-4.14.y report log
Fix bisection attempts (8)
Created Duration User Patch Repo Result
2020/07/13 14:30 35m bisect fix linux-4.14.y job log (2)
2020/06/13 10:06 33m bisect fix linux-4.14.y job log (0) log
2020/05/14 08:12 35m bisect fix linux-4.14.y job log (0) log
2020/04/14 07:35 31m bisect fix linux-4.14.y job log (0) log
2020/03/15 07:02 32m bisect fix linux-4.14.y job log (0) log
2020/02/14 06:25 36m bisect fix linux-4.14.y job log (0) log
2020/01/15 05:51 34m bisect fix linux-4.14.y job log (0) log
2019/12/16 05:19 32m bisect fix linux-4.14.y job log (0) log

Sample crash report:
Bluetooth: Invalid header checksum
Bluetooth: Invalid header checksum
Bluetooth: Invalid header checksum
Bluetooth: Invalid header checksum
==================================================================
BUG: KASAN: use-after-free in h5_rx_3wire_hdr+0x349/0x370 /drivers/bluetooth/hci_h5.c:400
Read of size 8 at addr ffff888099a7f498 by task syz-executor.4/10076
Bluetooth: Invalid header checksum

CPU: 0 PID: 10076 Comm: syz-executor.4 Not tainted 4.14.133 #28
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack /lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c /lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc /mm/kasan/report.c:252
 kasan_report_error /mm/kasan/report.c:351 [inline]
 kasan_report /mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af /mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 /mm/kasan/report.c:430
 h5_rx_3wire_hdr+0x349/0x370 /drivers/bluetooth/hci_h5.c:400
 h5_recv+0x25c/0x3f0 /drivers/bluetooth/hci_h5.c:532
Bluetooth: Invalid header checksum
 hci_uart_tty_receive+0x1f4/0x4d0 /drivers/bluetooth/hci_ldisc.c:603
Bluetooth: Invalid header checksum
 tiocsti /drivers/tty/tty_io.c:2186 [inline]
 tty_ioctl+0xded/0x1320 /drivers/tty/tty_io.c:2572
Bluetooth: Invalid header checksum
 vfs_ioctl /fs/ioctl.c:46 [inline]
 file_ioctl /fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x7ae/0x1060 /fs/ioctl.c:684
Bluetooth: Invalid header checksum
Bluetooth: Invalid header checksum
 SYSC_ioctl /fs/ioctl.c:701 [inline]
 SyS_ioctl+0x8f/0xc0 /fs/ioctl.c:692
 do_syscall_64+0x1e8/0x640 /arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x459819
RSP: 002b:00007f4665930c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459819
Bluetooth: Invalid header checksum
RDX: 0000000020000080 RSI: 0000000000005412 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f46659316d4
R13: 00000000004c408a R14: 00000000004d7ff0 R15: 00000000ffffffff
Bluetooth: Invalid header checksum

Allocated by task 22:
 save_stack_trace+0x16/0x20 /arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:447
 set_track /mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc /mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 /mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 /mm/kasan/kasan.c:489
 kmem_cache_alloc_node+0x144/0x780 /mm/slab.c:3642
 __alloc_skb+0x9c/0x500 /net/core/skbuff.c:193
 alloc_skb /./include/linux/skbuff.h:980 [inline]
 bt_skb_alloc /./include/net/bluetooth/bluetooth.h:336 [inline]
 h5_rx_pkt_start+0xc2/0x260 /drivers/bluetooth/hci_h5.c:443
 h5_recv+0x25c/0x3f0 /drivers/bluetooth/hci_h5.c:532
Bluetooth: Invalid header checksum
 hci_uart_tty_receive+0x1f4/0x4d0 /drivers/bluetooth/hci_ldisc.c:603
 tty_ldisc_receive_buf+0x14d/0x1a0 /drivers/tty/tty_buffer.c:459
 tty_port_default_receive_buf+0x73/0xa0 /drivers/tty/tty_port.c:37
 receive_buf /drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 /drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 /kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 /kernel/workqueue.c:2248
 kthread+0x319/0x430 /kernel/kthread.c:232
 ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:404

Freed by task 22:
 save_stack_trace+0x16/0x20 /arch/x86/kernel/stacktrace.c:59
Bluetooth: Invalid header checksum
 save_stack+0x45/0xd0 /mm/kasan/kasan.c:447
 set_track /mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 /mm/kasan/kasan.c:524
 __cache_free /mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 /mm/slab.c:3758
 kfree_skbmem /net/core/skbuff.c:586 [inline]
 kfree_skbmem+0xac/0x120 /net/core/skbuff.c:580
 __kfree_skb /net/core/skbuff.c:646 [inline]
 kfree_skb+0xbd/0x340 /net/core/skbuff.c:663
 h5_reset_rx+0x4c/0x100 /drivers/bluetooth/hci_h5.c:499
 h5_rx_3wire_hdr+0x2af/0x370 /drivers/bluetooth/hci_h5.c:409
 h5_recv+0x25c/0x3f0 /drivers/bluetooth/hci_h5.c:532
 hci_uart_tty_receive+0x1f4/0x4d0 /drivers/bluetooth/hci_ldisc.c:603
 tty_ldisc_receive_buf+0x14d/0x1a0 /drivers/tty/tty_buffer.c:459
Bluetooth: Invalid header checksum
 tty_port_default_receive_buf+0x73/0xa0 /drivers/tty/tty_port.c:37
Bluetooth: Invalid header checksum
 receive_buf /drivers/tty/tty_buffer.c:475 [inline]
 flush_to_ldisc+0x1ec/0x400 /drivers/tty/tty_buffer.c:527
 process_one_work+0x863/0x1600 /kernel/workqueue.c:2114
 worker_thread+0x5d9/0x1050 /kernel/workqueue.c:2248
 kthread+0x319/0x430 /kernel/kthread.c:232
 ret_from_fork+0x24/0x30 /arch/x86/entry/entry_64.S:404

The buggy address belongs to the object at ffff888099a7f3c0
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 216 bytes inside of
 232-byte region [ffff888099a7f3c0, ffff888099a7f4a8)
The buggy address belongs to the page:
page:ffffea0002669fc0 count:1 mapcount:0 mapping:ffff888099a7f000 index:0x0
Bluetooth: Invalid header checksum
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888099a7f000 0000000000000000 000000010000000c
raw: ffffea0002a32f60 ffffea0002a42860 ffff88821b757240 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888099a7f380: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
Bluetooth: Invalid header checksum
 ffff888099a7f400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888099a7f480: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
                            ^
 ffff888099a7f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888099a7f580: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
==================================================================
Bluetooth: Invalid header checksum

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/07/20 01:10 linux-4.14.y aea8526edf59 1656845f .config console log report syz ci2-linux-4-14
2019/07/22 13:00 linux-4.14.y ff33472c282e b3c615f5 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.