syzbot


KASAN: slab-out-of-bounds Read in bpf_clone_redirect

Status: fixed on 2020/01/28 16:29
Reported-by: syzbot+24bc05f38b3e3dda58ea@syzkaller.appspotmail.com
Fix commit: 7fed98f4a1e6 bpf: reject passing modified ctx to helper functions
First crash: 1299d, last: 1136d

Fix bisection: fixed by (bisect log) :
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu Jun 7 15:40:03 2018 +0000

  bpf: reject passing modified ctx to helper functions

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in bpf_clone_redirect 1 393d 389d 0/24 auto-closed as invalid on 2022/04/09 13:12
android-414 KASAN: slab-out-of-bounds Read in bpf_clone_redirect C 5 1171d 1397d 0/1 public: reported C repro on 2019/04/12 00:01

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1574356902.100:36): avc:  denied  { map } for  pid=6929 comm="syz-executor283" path="/root/syz-executor283383355" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_clone_redirect net/core/filter.c:1768 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_clone_redirect+0x2de/0x2f0 net/core/filter.c:1759
Read of size 8 at addr ffff88809e0c2c10 by task syz-executor283/6929

CPU: 0 PID: 6929 Comm: syz-executor283 Not tainted 4.14.155-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 ____bpf_clone_redirect net/core/filter.c:1768 [inline]
 bpf_clone_redirect+0x2de/0x2f0 net/core/filter.c:1759
 bpf_prog_3c8dfff8b3098609+0x3b0/0x1000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88809e0c2b80
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 144 bytes inside of
 232-byte region [ffff88809e0c2b80, ffff88809e0c2c68)
The buggy address belongs to the page:
page:ffffea0002783080 count:1 mapcount:0 mapping:ffff88809e0c2040 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88809e0c2040 0000000000000000 000000010000000c
raw: ffffea00024b78a0 ffff8880a9e1bf48 ffff8880a9e19a80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809e0c2b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809e0c2b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809e0c2c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88809e0c2c80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809e0c2d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (11):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2019/11/21 17:24 linux-4.14.y f56f3d0e65ad 8098ea0f .config console log report syz C
ci2-linux-4-14 2019/11/01 14:05 linux-4.14.y ddef1e8e3f6e a41ca8fa .config console log report syz C
ci2-linux-4-14 2019/10/25 06:47 linux-4.14.y b98aebd29824 d01bb02a .config console log report syz C
ci2-linux-4-14 2019/08/30 23:38 linux-4.14.y 01fd1694b93c 9adfa876 .config console log report syz C
ci2-linux-4-14 2019/08/28 18:07 linux-4.14.y b5260801526c 1eb076e9 .config console log report syz C
ci2-linux-4-14 2019/08/17 04:17 linux-4.14.y 45f092f9e9cb 8fd428a1 .config console log report syz C
ci2-linux-4-14 2019/07/19 12:26 linux-4.14.y aea8526edf59 8304907d .config console log report syz C
ci2-linux-4-14 2019/12/29 05:34 linux-4.14.y e1f7d50ae3a3 af6b8ef8 .config console log report
ci2-linux-4-14 2019/09/28 23:39 linux-4.14.y f6e27dbb1afa eb6b9855 .config console log report
ci2-linux-4-14 2019/08/06 23:13 linux-4.14.y b19ffe6e7205 da562c0b .config console log report
ci2-linux-4-14 2019/07/19 12:05 linux-4.14.y aea8526edf59 8304907d .config console log report
* Struck through repros no longer work on HEAD.