syzbot

 sign-in | mailing list | source | docs
🐞 Open [41]
🐞 Fixed [469]
🐞 Invalid [348]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

DATA RACE in safemem.Copy

Status: fixed on 2021/01/26 10:37
Fix commit: 76da673a0dda Do not modify IGMP packets when verifying checksum
First crash: 1403d, last: 1403d
Similar bugs (6)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
gvisor DATA RACE in safemem.Copy (3) C 3 1160d 1160d 14/26 fixed on 2021/09/28 10:18
gvisor DATA RACE in safemem.Copy (7) C 4 336d 336d 26/26 fixed on 2023/12/29 10:22
gvisor DATA RACE in safemem.Copy (6) C 121 727d 728d 26/26 fixed on 2023/10/05 23:05
gvisor DATA RACE in safemem.Copy (2) C 9 1208d 1208d 14/26 fixed on 2021/08/16 21:45
gvisor DATA RACE in safemem.Copy (4) C 1019 837d 840d 14/26 fixed on 2022/11/18 03:22
gvisor DATA RACE in safemem.Copy (5) C 3153 728d 738d 14/26 fixed on 2022/11/29 11:04

Sample crash report:
WARNING: DATA RACE
Read at 0x00c0004be200 by goroutine 417:
  runtime.slicecopy()
      GOROOT/src/runtime/slice.go:246 +0x0
  gvisor.dev/gvisor/pkg/safemem.Copy()
      pkg/safemem/block_unsafe.go:199 +0x4e4
  gvisor.dev/gvisor/pkg/safemem.CopySeq()
      pkg/safemem/seq_unsafe.go:281 +0x2a4
  gvisor.dev/gvisor/pkg/sentry/mm.(*MemoryManager).CopyOut.func1()
      pkg/sentry/mm/io.go:120 +0xaf
  gvisor.dev/gvisor/pkg/sentry/mm.(*MemoryManager).withInternalMappings()
      pkg/sentry/mm/io.go:506 +0x8d2
  gvisor.dev/gvisor/pkg/sentry/mm.(*MemoryManager).CopyOut()
      pkg/sentry/mm/io.go:119 +0x264
  gvisor.dev/gvisor/pkg/usermem.CopyOutVec()
      pkg/usermem/usermem.go:262 +0x1f5
  gvisor.dev/gvisor/pkg/usermem.IOSequence.CopyOut()
      pkg/usermem/usermem.go:480 +0x15b
  gvisor.dev/gvisor/pkg/usermem.(*ioSequenceReadWriter).Write()
      pkg/usermem/usermem.go:552 +0x45
  gvisor.dev/gvisor/pkg/tcpip/buffer.(*VectorisedView).ReadTo()
      pkg/tcpip/buffer/view.go:156 +0xe2
  gvisor.dev/gvisor/pkg/tcpip/transport/packet.(*endpoint).Read()
      pkg/tcpip/transport/packet/endpoint.go:202 +0x2ba
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*socketOpsCommon).nonBlockingRead()
      pkg/sentry/socket/netstack/netstack.go:2594 +0x2d5
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*socketOpsCommon).RecvMsg()
      pkg/sentry/socket/netstack/netstack.go:2782 +0x717
  gvisor.dev/gvisor/pkg/sentry/socket/netstack.(*SocketVFS2).RecvMsg()
      <autogenerated>:1 +0x149
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.recvFrom()
      pkg/sentry/syscalls/linux/vfs2/socket.go:867 +0x366
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.RecvFrom()
      pkg/sentry/syscalls/linux/vfs2/socket.go:892 +0x88
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).executeSyscall()
      pkg/sentry/kernel/task_syscall.go:104 +0x452
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallInvoke()
      pkg/sentry/kernel/task_syscall.go:239 +0xb9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallEnter()
      pkg/sentry/kernel/task_syscall.go:199 +0x10e
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscall()
      pkg/sentry/kernel/task_syscall.go:174 +0x1e9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*runApp).execute()
      pkg/sentry/kernel/task_run.go:282 +0x12a6
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run()
      pkg/sentry/kernel/task_run.go:97 +0x397

Previous write at 0x00c0004be205 by goroutine 419:
  encoding/binary.bigEndian.PutUint16()
      GOROOT/src/encoding/binary/binary.go:108 +0x2b3
  gvisor.dev/gvisor/pkg/tcpip/header.IGMP.SetChecksum()
      pkg/tcpip/header/igmp.go:127 +0x25e
  gvisor.dev/gvisor/pkg/tcpip/network/ipv4.(*igmpState).handleIGMP()
      pkg/tcpip/network/ipv4/igmp.go:165 +0x253
  gvisor.dev/gvisor/pkg/tcpip/network/ipv4.(*endpoint).handlePacket()
      pkg/tcpip/network/ipv4/ipv4.go:776 +0xb2e
  gvisor.dev/gvisor/pkg/tcpip/network/ipv4.(*endpoint).HandlePacket()
      pkg/tcpip/network/ipv4/ipv4.go:622 +0x116
  gvisor.dev/gvisor/pkg/tcpip/stack.(*NIC).DeliverNetworkPacket()
      pkg/tcpip/stack/nic.go:747 +0x527
  gvisor.dev/gvisor/pkg/tcpip/link/channel.(*Endpoint).InjectLinkAddr()
      pkg/tcpip/link/channel/channel.go:190 +0x5d9
  gvisor.dev/gvisor/pkg/tcpip/link/tun.(*Device).Write()
      pkg/tcpip/link/tun/device.go:223 +0x2d6
  gvisor.dev/gvisor/pkg/sentry/devices/tundev.(*tunFD).Write()
      pkg/sentry/devices/tundev/tundev.go:146 +0x22a
  gvisor.dev/gvisor/pkg/sentry/vfs.(*FileDescription).Write()
      pkg/sentry/vfs/file_description.go:630 +0x130
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.write()
      pkg/sentry/syscalls/linux/vfs2/read_write.go:364 +0xed
  gvisor.dev/gvisor/pkg/sentry/syscalls/linux/vfs2.Write()
      pkg/sentry/syscalls/linux/vfs2/read_write.go:333 +0x2a4
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).executeSyscall()
      pkg/sentry/kernel/task_syscall.go:104 +0x452
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallInvoke()
      pkg/sentry/kernel/task_syscall.go:239 +0xb9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscallEnter()
      pkg/sentry/kernel/task_syscall.go:199 +0x10e
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).doSyscall()
      pkg/sentry/kernel/task_syscall.go:174 +0x1e9
  gvisor.dev/gvisor/pkg/sentry/kernel.(*runApp).execute()
      pkg/sentry/kernel/task_run.go:282 +0x12a6
  gvisor.dev/gvisor/pkg/sentry/kernel.(*Task).run()
      pkg/sentry/kernel/task_run.go:97 +0x397

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2021/01/22 23:47 gvisor e0f4e46e340f 52e37319 .config console log report syz C ci-gvisor-ptrace-1-race DATA RACE in safemem.Copy
2021/01/22 23:45 gvisor e0f4e46e340f 52e37319 .config console log report syz C ci-gvisor-ptrace-2-race DATA RACE in safemem.Copy
2021/01/22 22:37 gvisor e0f4e46e340f 52e37319 .config console log report syz C ci-gvisor-ptrace-2-race DATA RACE in safemem.Copy
2021/01/22 22:10 gvisor e0f4e46e340f 52e37319 .config console log report info ci-gvisor-ptrace-1-race DATA RACE in safemem.Copy
* Struck through repros no longer work on HEAD.