syzbot


KASAN: use-after-free Read in ccid2_hc_tx_packet_recv

Status: upstream: reported C repro on 2018/04/02 09:20
Reported-by: syzbot+554ccde221001ab5479a@syzkaller.appspotmail.com
First crash: 1773d, last: 37d

Cause bisection: introduced by (bisect log) :
commit 3fa6f616a7a4d0bdf4d877d530456d8a5c3b109b
Author: David Ahern <dsahern@gmail.com>
Date: Mon Aug 7 15:44:17 2017 +0000

  net: ipv4: add second dif to inet socket lookups

Crash: KASAN: use-after-free Read in ccid2_hc_tx_packet_recv (log)
Repro: C syz .config

Fix bisection: failed (bisect log)
similar bugs (3):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: use-after-free Read in ccid2_hc_tx_packet_recv (2) C done inconclusive 3 978d 1186d 0/1 upstream: reported C repro on 2019/11/09 21:41
linux-4.14 KASAN: use-after-free Read in ccid2_hc_tx_packet_recv 1 1337d 1337d 0/1 auto-closed as invalid on 2019/10/25 08:37
linux-4.19 KASAN: use-after-free Read in ccid2_hc_tx_packet_recv C done error 2 971d 1191d 0/1 upstream: reported C repro on 2019/11/04 11:20
Last patch testing requests:
Created Duration User Patch Repo Result
2022/09/17 00:29 11m retest repro upstream error
2021/06/23 19:42 9m rajatasthana4@gmail.com upstream report log

Sample crash report:
RBP: 00007ffd8bea4880 R08: 0000000000000001 R09: 00007ffd8bea4910
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00007ffd8bea48b0 R14: 00007ffd8bea4880 R15: 0000000000000000
 </TASK>
dccp_parse_options: DCCP(ffff88814a3c8ac0): Option 32 (len=7) error=9
==================================================================
BUG: KASAN: use-after-free in dccp_ackvec_runlen net/dccp/ccids/../ackvec.h:43 [inline]
BUG: KASAN: use-after-free in ccid2_hc_tx_packet_recv+0x2042/0x2a50 net/dccp/ccids/ccid2.c:592
Read of size 1 at addr ffff888078b25494 by task syz-executor226/5057

CPU: 1 PID: 5057 Comm: syz-executor226 Not tainted 6.2.0-rc1-syzkaller-00095-ge4cf7c25bae5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x1e3/0x2d0 lib/dump_stack.c:106
 print_address_description+0x74/0x340 mm/kasan/report.c:306
 print_report+0x107/0x220 mm/kasan/report.c:417
 kasan_report+0x139/0x170 mm/kasan/report.c:517
 dccp_ackvec_runlen net/dccp/ccids/../ackvec.h:43 [inline]
 ccid2_hc_tx_packet_recv+0x2042/0x2a50 net/dccp/ccids/ccid2.c:592
 ccid_hc_tx_packet_recv net/dccp/ccid.h:189 [inline]
 dccp_deliver_input_to_ccids net/dccp/input.c:182 [inline]
 dccp_rcv_established+0x284/0x310 net/dccp/input.c:374
 dccp_v4_do_rcv+0xfc/0x1f0 net/dccp/ipv4.c:674
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __release_sock+0x1d8/0x4c0 net/core/sock.c:2928
 release_sock+0x5d/0x1c0 net/core/sock.c:3485
 dccp_sendmsg+0x502/0x820 net/dccp/proto.c:790
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x597/0x8e0 net/socket.c:2476
 ___sys_sendmsg net/socket.c:2530 [inline]
 __sys_sendmmsg+0x3d7/0x770 net/socket.c:2616
 __do_sys_sendmmsg net/socket.c:2645 [inline]
 __se_sys_sendmmsg net/socket.c:2642 [inline]
 __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2642
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7ffad54edd09
Code: 46 01 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd8bea4868 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007ffad54edd09
RDX: 04000000000001e6 RSI: 0000000020000c00 RDI: 0000000000000005
RBP: 00007ffd8bea4880 R08: 0000000000000001 R09: 00007ffd8bea4910
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000006
R13: 00007ffd8bea48b0 R14: 00007ffd8bea4880 R15: 0000000000000000
 </TASK>

Allocated by task 5057:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
 ____kasan_kmalloc mm/kasan/common.c:371 [inline]
 __kasan_kmalloc+0x97/0xb0 mm/kasan/common.c:380
 kasan_kmalloc include/linux/kasan.h:211 [inline]
 __do_kmalloc_node mm/slab_common.c:968 [inline]
 __kmalloc_node_track_caller+0xad/0x190 mm/slab_common.c:988
 kmalloc_reserve net/core/skbuff.c:492 [inline]
 __alloc_skb+0x12c/0x2c0 net/core/skbuff.c:565
 alloc_skb include/linux/skbuff.h:1270 [inline]
 dccp_send_ack+0xa0/0x300 net/dccp/output.c:585
 ccid2_hc_rx_packet_recv+0xf1/0x180 net/dccp/ccids/ccid2.c:771
 ccid_hc_rx_packet_recv net/dccp/ccid.h:182 [inline]
 dccp_deliver_input_to_ccids net/dccp/input.c:176 [inline]
 dccp_rcv_established+0x1b2/0x310 net/dccp/input.c:374
 dccp_v4_do_rcv+0xfc/0x1f0 net/dccp/ipv4.c:674
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __sk_receive_skb+0x43f/0x9e0 net/core/sock.c:565
 ip_protocol_deliver_rcu+0x5d5/0xd40 net/ipv4/ip_input.c:205
 ip_local_deliver_finish+0x269/0x480 net/ipv4/ip_input.c:233
 __netif_receive_skb_one_core net/core/dev.c:5482 [inline]
 __netif_receive_skb+0x1c5/0x500 net/core/dev.c:5596
 process_backlog+0x568/0x920 net/core/dev.c:5924
 __napi_poll+0xbe/0x4b0 net/core/dev.c:6485
 napi_poll net/core/dev.c:6552 [inline]
 net_rx_action+0x76c/0x1100 net/core/dev.c:6663
 __do_softirq+0x277/0x75b kernel/softirq.c:571

Freed by task 5057:
 kasan_save_stack mm/kasan/common.c:45 [inline]
 kasan_set_track+0x4c/0x70 mm/kasan/common.c:52
 kasan_save_free_info+0x27/0x40 mm/kasan/generic.c:518
 ____kasan_slab_free+0xd6/0x120 mm/kasan/common.c:236
 kasan_slab_free include/linux/kasan.h:177 [inline]
 slab_free_hook mm/slub.c:1781 [inline]
 slab_free_freelist_hook+0x12e/0x1a0 mm/slub.c:1807
 slab_free mm/slub.c:3787 [inline]
 __kmem_cache_free+0x71/0x110 mm/slub.c:3800
 skb_free_head net/core/skbuff.c:822 [inline]
 skb_release_data+0x4f6/0x710 net/core/skbuff.c:851
 skb_release_all net/core/skbuff.c:916 [inline]
 __kfree_skb net/core/skbuff.c:930 [inline]
 kfree_skb_reason+0xfa/0x2c0 net/core/skbuff.c:956
 kfree_skb include/linux/skbuff.h:1218 [inline]
 dccp_v4_do_rcv+0x143/0x1f0 net/dccp/ipv4.c:709
 sk_backlog_rcv include/net/sock.h:1113 [inline]
 __release_sock+0x1d8/0x4c0 net/core/sock.c:2928
 release_sock+0x5d/0x1c0 net/core/sock.c:3485
 dccp_sendmsg+0x502/0x820 net/dccp/proto.c:790
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg net/socket.c:734 [inline]
 ____sys_sendmsg+0x597/0x8e0 net/socket.c:2476
 ___sys_sendmsg net/socket.c:2530 [inline]
 __sys_sendmmsg+0x3d7/0x770 net/socket.c:2616
 __do_sys_sendmmsg net/socket.c:2645 [inline]
 __se_sys_sendmmsg net/socket.c:2642 [inline]
 __x64_sys_sendmmsg+0x9c/0xb0 net/socket.c:2642
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

The buggy address belongs to the object at ffff888078b25000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1172 bytes inside of
 2048-byte region [ffff888078b25000, ffff888078b25800)

The buggy address belongs to the physical page:
page:ffffea0001e2c800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x78b20
head:ffffea0001e2c800 order:3 compound_mapcount:0 subpages_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000010200 ffff888012842000 dead000000000122 0000000000000000
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 5053, tgid 5053 (strace-static-x), ts 53593701360, free_ts 33150100132
 prep_new_page mm/page_alloc.c:2531 [inline]
 get_page_from_freelist+0x72b/0x7a0 mm/page_alloc.c:4283
 __alloc_pages+0x259/0x560 mm/page_alloc.c:5549
 alloc_slab_page+0xbd/0x190 mm/slub.c:1851
 allocate_slab+0x5e/0x3c0 mm/slub.c:1998
 new_slab mm/slub.c:2051 [inline]
 ___slab_alloc+0x7f4/0xeb0 mm/slub.c:3193
 __slab_alloc mm/slub.c:3292 [inline]
 __slab_alloc_node mm/slub.c:3345 [inline]
 slab_alloc_node mm/slub.c:3442 [inline]
 __kmem_cache_alloc_node+0x25b/0x340 mm/slub.c:3491
 __do_kmalloc_node mm/slab_common.c:967 [inline]
 __kmalloc+0x9e/0x190 mm/slab_common.c:981
 kmalloc include/linux/slab.h:584 [inline]
 sk_prot_alloc+0xde/0x200 net/core/sock.c:2038
 sk_alloc+0x34/0x360 net/core/sock.c:2091
 __netlink_create+0x6b/0x2b0 net/netlink/af_netlink.c:647
 netlink_create+0x368/0x530 net/netlink/af_netlink.c:710
 __sock_create+0x3fd/0x850 net/socket.c:1515
 sock_create net/socket.c:1566 [inline]
 __sys_socket_create net/socket.c:1603 [inline]
 __sys_socket+0x137/0x3a0 net/socket.c:1636
 __do_sys_socket net/socket.c:1649 [inline]
 __se_sys_socket net/socket.c:1647 [inline]
 __x64_sys_socket+0x76/0x80 net/socket.c:1647
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
page last free stack trace:
 reset_page_owner include/linux/page_owner.h:24 [inline]
 free_pages_prepare mm/page_alloc.c:1446 [inline]
 free_pcp_prepare+0x751/0x780 mm/page_alloc.c:1496
 free_unref_page_prepare mm/page_alloc.c:3369 [inline]
 free_unref_page+0x19/0x4c0 mm/page_alloc.c:3464
 discard_slab mm/slub.c:2098 [inline]
 __unfreeze_partials+0x1a5/0x1e0 mm/slub.c:2637
 put_cpu_partial+0x116/0x180 mm/slub.c:2713
 qlist_free_all+0x2b/0x70 mm/kasan/quarantine.c:187
 kasan_quarantine_reduce+0x156/0x170 mm/kasan/quarantine.c:294
 __kasan_slab_alloc+0x1f/0x70 mm/kasan/common.c:302
 kasan_slab_alloc include/linux/kasan.h:201 [inline]
 slab_post_alloc_hook mm/slab.h:761 [inline]
 slab_alloc_node mm/slub.c:3452 [inline]
 slab_alloc mm/slub.c:3460 [inline]
 __kmem_cache_alloc_lru mm/slub.c:3467 [inline]
 kmem_cache_alloc+0x1b3/0x350 mm/slub.c:3476
 vm_area_alloc+0x20/0xe0 kernel/fork.c:458
 mmap_region+0xd75/0x1e60 mm/mmap.c:2601
 do_mmap+0x8d9/0xf30 mm/mmap.c:1411
 vm_mmap_pgoff+0x1e5/0x2f0 mm/util.c:520
 ksys_mmap_pgoff+0x48c/0x6d0 mm/mmap.c:1457
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd

Memory state around the buggy address:
 ffff888078b25380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888078b25400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff888078b25480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                         ^
 ffff888078b25500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888078b25580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (101):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce-smack-root 2023/01/01 21:34 upstream e4cf7c25bae5 ab32d508 .config strace log report syz C [disk image] [vmlinux] [kernel image] KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-kasan-gce-root 2022/10/21 23:45 upstream e35184f32151 4bfd3c27 .config strace log report syz C [disk image] [vmlinux] KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-kasan-gce 2022/10/11 06:31 upstream 55be6084c8e0 2b253ced .config strace log report syz C [disk image] [vmlinux] KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-net-this-kasan-gce 2022/10/11 01:06 net af7d23f9d96a aea5da89 .config strace log report syz C [disk image] [vmlinux] KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-net-kasan-gce 2022/10/11 01:05 net-next 0326074ff465 aea5da89 .config console log report syz C [disk image] [vmlinux] KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-linux-next-kasan-gce-root 2022/11/20 08:34 linux-next 15f3bff12cf6 5bb70014 .config console log report syz C [disk image] [vmlinux] [kernel image] KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-kasan-gce 2018/05/25 13:51 upstream b50694381cfc f48c20b8 .config console log report syz C
ci-upstream-kasan-gce 2021/08/22 04:07 upstream 002c0aef1090 b599f2fc .config console log report info KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-net-kasan-gce 2022/12/16 00:29 net-next 7e68dd7d07a2 6f9c033e .config console log report info [disk image] [vmlinux] [kernel image] KASAN: use-after-free Read in ccid2_hc_tx_packet_recv
ci-upstream-kasan-gce 2020/05/21 09:50 upstream b85051e755b0 c61086ab .config console log report
ci-upstream-kasan-gce 2020/01/28 23:14 upstream c677124e631d c8e81ce4 .config console log report
ci-upstream-kasan-gce 2020/01/25 04:48 upstream 6381b442836e 2e95ab33 .config console log report
ci-upstream-kasan-gce-root 2020/01/15 23:46 upstream 51d69817519f f9b69507 .config console log report
ci-upstream-kasan-gce 2019/09/14 02:20 upstream a7f89616b737 32d59357 .config console log report
ci-upstream-kasan-gce 2019/08/22 00:58 upstream bb7ba8069de9 984250d5 .config console log report
ci-upstream-kasan-gce 2019/08/07 21:39 upstream 33920f1ec5bf e6ebef88 .config console log report
ci-upstream-kasan-gce-root 2019/06/26 03:41 upstream 249155c20f9b 0a8d1a96 .config console log report
ci-upstream-kasan-gce-smack-root 2019/04/28 04:50 upstream 037904a22bf8 b617407b .config console log report
ci-upstream-kasan-gce-selinux-root 2019/03/26 18:38 upstream a3ac7917b730 55684ce1 .config console log report
ci-upstream-kasan-gce 2019/02/14 01:51 upstream 1f947a7a011f 0a49c954 .config console log report
ci-upstream-kasan-gce 2019/02/01 20:00 upstream 5b4746a03199 0c07abcf .config console log report
ci-upstream-kasan-gce 2019/01/27 19:40 upstream ba6069759381 c73f090a .config console log report
ci-upstream-kasan-gce-smack-root 2019/01/25 04:13 upstream c04e2a780caf bfab9cd8 .config console log report
ci-upstream-kasan-gce-386 2019/08/12 05:22 upstream 296d05cb0d3c acb51638 .config console log report
ci-upstream-kasan-gce-386 2018/04/02 00:13 upstream 0adb32858b0b dc889257 .config console log report
ci-upstream-net-this-kasan-gce 2019/10/02 07:01 net 569aad4fcd82 b7a87a83 .config console log report
ci-upstream-net-this-kasan-gce 2019/08/08 02:40 net 33920f1ec5bf e6ebef88 .config console log report
ci-upstream-net-this-kasan-gce 2019/05/02 06:55 net d2f0c961148f 7516d9fa .config console log report
ci-upstream-net-this-kasan-gce 2019/04/29 18:48 net 2ae7a39770c7 b617407b .config console log report
ci-upstream-net-kasan-gce 2020/06/23 16:07 net-next cb8e59cc8720 54566aff .config console log report
ci-upstream-net-kasan-gce 2020/05/20 19:52 net-next 4f65e2f483b6 1255f02a .config console log report
ci-upstream-net-kasan-gce 2020/03/17 17:34 net-next 86e85bf6981c 749688d2 .config console log report
ci-upstream-net-kasan-gce 2019/12/21 21:35 net-next 994baea28957 bc586918 .config console log report
ci-upstream-net-kasan-gce 2019/12/11 00:29 net-next 08cbc75f9602 5a5826a1 .config console log report
ci-upstream-net-kasan-gce 2019/11/15 04:14 net-next abfb228ae642 a24fe792 .config console log report
ci-upstream-net-kasan-gce 2019/10/14 23:41 net-next 7e0d15ee0d8b 05ad7292 .config console log report
ci-upstream-net-kasan-gce 2019/09/02 01:03 net-next 4bc61b0b1695 bad3cce2 .config console log report
ci-upstream-net-kasan-gce 2019/08/10 21:36 net-next 38b9e0f6d981 acb51638 .config console log report
ci-upstream-net-kasan-gce 2019/06/27 09:51 net-next 177d935a1370 7509bf36 .config console log report
ci-upstream-net-kasan-gce 2019/05/11 03:38 net-next b970afcfcabd 46caad94 .config console log report
ci-upstream-net-kasan-gce 2019/04/28 14:10 net-next b1a79360ee86 b617407b .config console log report
ci-upstream-net-kasan-gce 2019/04/26 22:49 net-next 148f025d41a8 b617407b .config console log report
ci-upstream-net-kasan-gce 2019/04/23 23:22 net-next a93f7fe13454 4d3d6a50 .config console log report
ci-upstream-net-kasan-gce 2019/04/21 19:54 net-next 4e54507ab1a9 b0e8efcb .config console log report
ci-upstream-net-kasan-gce 2019/04/19 06:33 net-next 5e42574b022b b0e8efcb .config console log report
ci-upstream-net-kasan-gce 2019/04/17 20:24 net-next 3a6f7892acc1 b0e8efcb .config console log report
ci-upstream-net-kasan-gce 2019/04/15 07:07 net-next 0ed1d3ddedb9 505ab413 .config console log report
ci-upstream-net-kasan-gce 2019/04/07 23:08 net-next f1054c65bca6 c34fde03 .config console log report
ci-upstream-net-kasan-gce 2019/03/29 00:23 net-next 356d71e00d27 14c58f8d .config console log report
ci-upstream-net-kasan-gce 2019/02/02 00:59 net-next 962c382d482a 564f9a4f .config console log report
ci-upstream-net-kasan-gce 2019/01/19 17:26 net-next f04d402f2f00 8aa587b0 .config console log report
ci-upstream-linux-next-kasan-gce-root 2019/09/08 08:29 linux-next 6d028043b55e a60cb4cd .config console log report
* Struck through repros no longer work on HEAD.