syzbot


general protection fault in nft_tunnel_get_init

Status: fixed on 2020/02/18 14:31
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+76d0b80493ac881ff77b@syzkaller.appspotmail.com
Fix commit: 1c702bf902bd netfilter: nft_tunnel: fix null-attribute check
First crash: 1533d, last: 1533d
Cause bisection: the cause commit could be any of (bisect log):
  9e619d87b277 netfilter: nf_tables: flow event notifier must use transaction mutex
  1974d2453fa7 netfilter: nf_tables: remove unused variable
  ddba40be59c9 netfilter: nfnetlink_osf: rename nf_osf header file to nfnetlink_osf
  7cca1ed0bb24 netfilter: nf_osf: move nf_osf_fingers to non-uapi header file
  c75303269009 netfilter: cttimeout: Make NF_CT_NETLINK_TIMEOUT depend on NF_CONNTRACK_TIMEOUT
  033eab53fff7 netfilter: nft_tproxy: Add missing config check
  285189c78eeb netfilter: use kvmalloc_array to allocate memory for hashtable
  4ed8eb6570a4 netfilter: nf_tables: Add native tproxy support
  af308b94a2a4 netfilter: nf_tables: add tunnel support
  aaecfdb5c5dd netfilter: nf_tables: match on tunnel metadata
  b96af92d6eaf netfilter: nf_tables: implement Passive OS fingerprint module in nft_osf
  94276fa8a2a4 netfilter: bridge: Expose nf_tables bridge hook priorities through uapi
  f9324952088f netfilter: nfnetlink_osf: extract nfnetlink_subsystem code from xt_osf.c
  445509eb9b00 netfilter: nf_tables: simplify NLM_F_CREATE handling
  f6b7b5f4f3bc netfilter: nf_osf: rename nf_osf.c to nfnetlink_osf.c
  33b78aaa4457 netfilter: use PTR_ERR_OR_ZERO()
  7bdfcea875ad netfilter: kconfig: remove ct zone/label dependencies
  020f6cc5f755 netfilter: conntrack: avoid use-after free on rmmod
  51c23b47e6b8 netfilter: nf_osf: add nf_osf_find()
  222440b4e832 netfilter: nf_tables: handle meta/lookup with direct call
  483f3fdcc70b netfilter: nft_tunnel: fix sparse errors
  074fb8801667 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
  
Discussions (7)
Title Replies (including bot) Last reply
[PATCH 5.4 000/222] 5.4.14-stable review 238 (238) 2020/01/26 16:57
[PATCH AUTOSEL 5.4 001/107] batman-adv: Fix DAT candidate selection on little endian systems 97 (97) 2020/01/24 21:08
[PATCH AUTOSEL 4.19 01/56] batman-adv: Fix DAT candidate selection on little endian systems 56 (56) 2020/01/24 14:20
[PATCH 4.19 000/103] 4.19.98-stable review 108 (108) 2020/01/22 20:53
[PATCH 0/9] Netfilter updates for net 11 (11) 2020/01/17 09:37
[PATCH nf] netfilter: nft_tunnel: fix null-attribute check 2 (2) 2020/01/16 14:00
general protection fault in nft_tunnel_get_init 0 (1) 2020/01/16 00:25
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in nft_tunnel_get_init C done 1 1533d 1533d 1/1 fixed on 2020/02/16 09:59

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 10575 Comm: syz-executor673 Not tainted 5.5.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:nla_get_be32 include/net/netlink.h:1483 [inline]
RIP: 0010:nft_tunnel_get_init+0x65/0x2b0 net/netfilter/nft_tunnel.c:83
Code: 02 00 00 4c 8b 6b 08 4d 85 ed 0f 84 ba 01 00 00 e8 a0 8d 08 fb 49 8d 7d 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 df
RSP: 0018:ffffc90001d7f398 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: ffff88809e9f0008 RCX: ffffffff866720af
RDX: 0000000000000000 RSI: ffffffff866c67e0 RDI: 0000000000000004
RBP: ffffc90001d7f3c8 R08: ffff88809d4f65c0 R09: ffffed1015d2703d
R10: ffffed1015d2703c R11: ffff8880ae9381e3 R12: ffff88809eb72a98
R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90001d7f498
FS:  00000000022e1880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200009c6 CR3: 00000000a7b7d000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 nf_tables_newexpr net/netfilter/nf_tables_api.c:2466 [inline]
 nf_tables_newrule+0xd96/0x2400 net/netfilter/nf_tables_api.c:3074
 nfnetlink_rcv_batch+0xf42/0x17a0 net/netfilter/nfnetlink.c:433
 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:543 [inline]
 nfnetlink_rcv+0x3e7/0x460 net/netfilter/nfnetlink.c:561
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:659
 ____sys_sendmsg+0x753/0x880 net/socket.c:2330
 ___sys_sendmsg+0x100/0x170 net/socket.c:2384
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4407b9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc087a19e8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004407b9
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 0000000000000001 R09: 00000000004002c8
R10: 0000000000000011 R11: 0000000000000246 R12: 0000000000402040
R13: 00000000004020d0 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace efcdc0a5d046b964 ]---
RIP: 0010:nla_get_be32 include/net/netlink.h:1483 [inline]
RIP: 0010:nft_tunnel_get_init+0x65/0x2b0 net/netfilter/nft_tunnel.c:83
Code: 02 00 00 4c 8b 6b 08 4d 85 ed 0f 84 ba 01 00 00 e8 a0 8d 08 fb 49 8d 7d 04 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 df
RSP: 0018:ffffc90001d7f398 EFLAGS: 00010247
RAX: dffffc0000000000 RBX: ffff88809e9f0008 RCX: ffffffff866720af
RDX: 0000000000000000 RSI: ffffffff866c67e0 RDI: 0000000000000004
RBP: ffffc90001d7f3c8 R08: ffff88809d4f65c0 R09: ffffed1015d2703d
R10: ffffed1015d2703c R11: ffff8880ae9381e3 R12: ffff88809eb72a98
R13: 0000000000000000 R14: 0000000000000000 R15: ffffc90001d7f498
FS:  00000000022e1880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055966f2b1140 CR3: 00000000a7b7d000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/01/16 03:27 upstream 51d69817519f f9b69507 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/16 01:53 upstream 51d69817519f f9b69507 .config console log report syz C ci-upstream-kasan-gce-root
2020/01/15 23:47 upstream 51d69817519f f9b69507 .config console log report syz C ci-upstream-kasan-gce
2020/01/15 23:20 upstream 51d69817519f f9b69507 .config console log report syz C ci-upstream-kasan-gce-smack-root
2020/01/16 03:37 upstream 51d69817519f f9b69507 .config console log report syz C ci-upstream-kasan-gce-386
2020/01/15 22:44 net-old 8b792f84c637 f9b69507 .config console log report syz C ci-upstream-net-this-kasan-gce
2020/01/15 21:21 net-next-old 4e2fa6b90275 f9b69507 .config console log report syz C ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.