syzbot


KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user
Status: fixed on 2020/04/21 23:14
Reported-by: syzbot+3d7e81b960bbb3a85b54@syzkaller.appspotmail.com
Fix commit: 25106012e91a xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
First crash: 793d, last: 793d

Fix bisection: fixed by (bisect log) :
commit 25106012e91a2399c487f495f81a48186f5a6a73
Author: Xin Long <lucien.xin@gmail.com>
Date: Sun Feb 9 13:16:38 2020 +0000

  xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user C done 3 800d 805d 1/1 fixed on 2020/04/16 05:11
upstream KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user C done 1 786d 785d 17/22 fixed on 2020/05/10 10:42

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1584907391.239:36): avc:  denied  { map } for  pid=7333 comm="syz-executor381" path="/root/syz-executor381074400" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:347 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
Read of size 768 at addr ffff888086059374 by task syz-executor381/7333

CPU: 0 PID: 7333 Comm: syz-executor381 Not tainted 4.14.174-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:347 [inline]
 selinux_xfrm_alloc_user+0x1e3/0x3b0 security/selinux/xfrm.c:102
 security_xfrm_policy_alloc+0x76/0xb0 security/security.c:1574
 copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1418 [inline]
 xfrm_policy_construct+0x287/0x570 net/xfrm/xfrm_user.c:1583
 xfrm_add_acquire+0x1f5/0x990 net/xfrm/xfrm_user.c:2218
 xfrm_user_rcv_msg+0x37d/0x5f0 net/xfrm/xfrm_user.c:2613
 netlink_rcv_skb+0x127/0x370 net/netlink/af_netlink.c:2433
 xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2621
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x620 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x733/0xbe0 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 ___sys_sendmsg+0x70a/0x840 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4405f9
RSP: 002b:00007fff85641518 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004405f9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401e80
R13: 0000000000401f10 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 7333:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3696
 __kmalloc_reserve.isra.0+0x35/0xd0 net/core/skbuff.c:137
 __alloc_skb+0xca/0x4c0 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:980 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1159 [inline]
 netlink_sendmsg+0x7de/0xbe0 net/netlink/af_netlink.c:1853
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xc5/0x100 net/socket.c:656
 ___sys_sendmsg+0x70a/0x840 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888086059240
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
 1024-byte region [ffff888086059240, ffff888086059640)
The buggy address belongs to the page:
page:ffffea0002181600 count:1 mapcount:0 mapping:ffff888086058040 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffff888086058040 0000000000000000 0000000100000007
raw: ffffea00029880a0 ffffea00025512a0 ffff88812fe56ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888086059500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888086059580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888086059600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                           ^
 ffff888086059680: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff888086059700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2020/03/22 20:05 linux-4.14.y 01364dad1d45 78267cec .config log report syz C