syzbot


KASAN: use-after-free Read in bpf_skb_change_proto

Status: auto-closed as invalid on 2019/12/31 10:54
Reported-by: syzbot+38b78ff7dc6245aeb264@syzkaller.appspotmail.com
First crash: 1054d, last: 1031d
similar bugs (1):
  Kernel:        upstream
  Title:         KASAN: use-after-free Read in bpf_skb_change_proto
  Repro:         -
  Cause bisect:  -
  Fix bisect:    -
  Count:         1
  Last:          1480d
  Reported:      1480d
  Patched:       9/22
  Status:        fixed on 2018/07/09 18:05

Sample crash report:
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2816 sclass=netlink_route_socket pig=13425 comm=syz-executor.1
==================================================================
BUG: KASAN: use-after-free in bpf_skb_proto_xlat net/core/filter.c:2151 [inline]
BUG: KASAN: use-after-free in ____bpf_skb_change_proto net/core/filter.c:2189 [inline]
BUG: KASAN: use-after-free in bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=2816 sclass=netlink_route_socket pig=13425 comm=syz-executor.1
Read of size 2 at addr ffff88808c4058c0 by task syz-executor.3/13429

CPU: 0 PID: 13429 Comm: syz-executor.3 Not tainted 4.14.141 #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
 bpf_skb_proto_xlat net/core/filter.c:2151 [inline]
 ____bpf_skb_change_proto net/core/filter.c:2189 [inline]
 bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164
 bpf_prog_4b4d9be662d00a7e+0x526/0x1000

Allocated by task 10286:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 kasan_slab_alloc+0xf/0x20 mm/kasan/kasan.c:489
 kmem_cache_alloc+0x12e/0x780 mm/slab.c:3552
 skb_clone+0x129/0x320 net/core/skbuff.c:1282
 dev_queue_xmit_nit+0x2d8/0x940 net/core/dev.c:1943
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0xa7/0x8b0 net/core/dev.c:3025
 sch_direct_xmit+0x27a/0x550 net/sched/sch_generic.c:186
 __dev_xmit_skb net/core/dev.c:3218 [inline]
 __dev_queue_xmit+0x1b6e/0x25e0 net/core/dev.c:3493
 dev_queue_xmit+0x18/0x20 net/core/dev.c:3558
 neigh_hh_output include/net/neighbour.h:490 [inline]
 neigh_output include/net/neighbour.h:498 [inline]
 ip_finish_output2+0xddc/0x14a0 net/ipv4/ip_output.c:229
 ip_finish_output+0x56d/0xc60 net/ipv4/ip_output.c:317
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_mc_output+0x24a/0xd40 net/ipv4/ip_output.c:390
 dst_output include/net/dst.h:462 [inline]
 ip_local_out+0x97/0x170 net/ipv4/ip_output.c:124
 ip_send_skb+0x3e/0xc0 net/ipv4/ip_output.c:1418
 udp_send_skb+0x53f/0xb90 net/ipv4/udp.c:833
 udp_sendmsg+0x16df/0x1da0 net/ipv4/udp.c:1057
 inet_sendmsg+0x122/0x500 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xce/0x110 net/socket.c:656
 ___sys_sendmsg+0x349/0x840 net/socket.c:2062
 __sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
 SYSC_sendmmsg net/socket.c:2183 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2178
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 10283:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kmem_cache_free+0x83/0x2b0 mm/slab.c:3758
 kfree_skbmem net/core/skbuff.c:586 [inline]
 kfree_skbmem+0xac/0x120 net/core/skbuff.c:580
 __kfree_skb net/core/skbuff.c:646 [inline]
 kfree_skb+0xbd/0x340 net/core/skbuff.c:663
 skb_queue_purge+0x19/0x40 net/core/skbuff.c:2855
 packet_release+0x871/0xb50 net/packet/af_packet.c:3089
 __sock_release+0xce/0x2b0 net/socket.c:602
 sock_close+0x1b/0x30 net/socket.c:1139
 __fput+0x275/0x7a0 fs/file_table.c:210
 ____fput+0x16/0x20 fs/file_table.c:244
 task_work_run+0x114/0x190 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 exit_to_usermode_loop+0x1da/0x220 arch/x86/entry/common.c:164
 prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:270 [inline]
 do_syscall_64+0x4bc/0x640 arch/x86/entry/common.c:297
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88808c4058c0
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
 232-byte region [ffff88808c4058c0, ffff88808c4059a8)
The buggy address belongs to the page:
page:ffffea0002310140 count:1 mapcount:0 mapping:ffff88808c405000 index:0xffff88808c4058c0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88808c405000 ffff88808c4058c0 0000000100000007
raw: ffffea0002421920 ffffea0002a6aba0 ffff8880a9e1aa80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808c405780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c405800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
>ffff88808c405880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff88808c405900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c405980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
==================================================================
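The three stacks above give the object's full life cycle: the sk_buff was allocated by skb_clone() in dev_queue_xmit_nit(), the copy handed to packet taps such as AF_PACKET sockets; it was freed by skb_queue_purge() when a packet socket was closed (packet_release); and it was then read through bpf_skb_change_proto() by a BPF program. The shadow dump confirms the whole object was gone, not just a stray byte: from ffff88808c4058c0 the granules are 0xfb (freed slab object) right up to the 0xfc redzone at ffff88808c4059a8, i.e. exactly the 232-byte skbuff_head_cache region KASAN names. The script below is an added example, not part of the syzbot page or the kernel tree. It parses those report lines (copied verbatim into the REPORT constant), maps the access address onto its shadow byte, walks the run of freed granules and checks it against the object-region line, which is a quick way to distinguish a read of a fully freed object from an access that merely strayed into a redzone or a partially poisoned granule.

```python
# Added example (not from the syzbot page or the kernel): decode the shadow
# dump of a KASAN report and cross-check it against the access and object
# lines KASAN prints.  Generic KASAN keeps one shadow byte per 8-byte granule;
# the poison codes are those of mm/kasan/kasan.h.
import re

GRANULE = 8

POISON = {
    0x00: "accessible",
    0xFA: "global redzone",
    0xFB: "freed slab object (kfree/kmem_cache_free)",
    0xFC: "slab object redzone",
    0xFE: "page redzone (kmalloc_large)",
    0xFF: "free page",
}  # 0x01..0x07: only the first N bytes of the granule are accessible

# The relevant lines of the report above, copied verbatim.
REPORT = """\
Read of size 2 at addr ffff88808c4058c0 by task syz-executor.3/13429
The buggy address is located 0 bytes inside of
 232-byte region [ffff88808c4058c0, ffff88808c4059a8)
Memory state around the buggy address:
 ffff88808c405780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c405800: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
>ffff88808c405880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                           ^
 ffff88808c405900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88808c405980: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc
"""

_ROW = re.compile(r"^\s*>?\s*([0-9a-f]{16}):((?:\s+[0-9a-f]{2}){16})\s*$")
_ACCESS = re.compile(r"(Read|Write) of size (\d+) at addr ([0-9a-f]{16})")
_REGION = re.compile(r"located (\d+) bytes inside of\s+(\d+)-byte region "
                     r"\[([0-9a-f]{16}), ([0-9a-f]{16})\)")


def parse_shadow(report):
    """{granule address: shadow byte}; each dumped row covers 16 * 8 = 128 bytes."""
    granules = {}
    for line in report.splitlines():
        m = _ROW.match(line)
        if m:
            base = int(m.group(1), 16)
            for i, b in enumerate(m.group(2).split()):
                granules[base + i * GRANULE] = int(b, 16)
    return granules


def parse_access(report):
    """(kind, size, address) from the 'Read/Write of size N at addr X' line."""
    kind, size, addr = _ACCESS.search(report).groups()
    return kind, int(size), int(addr, 16)


def parse_region(report):
    """(offset, object size, start, end) from KASAN's object-region line."""
    off, size, start, end = _REGION.search(report).groups()
    return int(off), int(size), int(start, 16), int(end, 16)


def shadow_codes(granules, addr, size):
    """Shadow byte of every granule touched by an access of `size` at `addr`."""
    first = addr - addr % GRANULE
    last = (addr + size - 1) - (addr + size - 1) % GRANULE
    return [granules[g] for g in range(first, last + GRANULE, GRANULE)]


def freed_extent(granules, addr):
    """Bounds of the contiguous run of freed (0xFB) granules around addr."""
    g = addr - addr % GRANULE
    if granules.get(g) != 0xFB:
        return None
    lo, hi = g, g + GRANULE
    while granules.get(lo - GRANULE) == 0xFB:
        lo -= GRANULE
    while granules.get(hi) == 0xFB:
        hi += GRANULE
    return lo, hi


def analyse(report):
    """Cross-check access address, shadow dump and object-region line."""
    kind, size, addr = parse_access(report)
    granules = parse_shadow(report)
    codes = shadow_codes(granules, addr, size)
    extent = freed_extent(granules, addr)
    off, obj_size, start, end = parse_region(report)
    return {
        "kind": kind, "size": size, "addr": addr,
        "codes": codes,
        "meaning": [POISON.get(c, "partially accessible") for c in codes],
        "freed_extent": extent,
        "region": (off, obj_size, start, end),
        # the freed run must be exactly the object KASAN names, and the printed
        # offset must agree with the address arithmetic
        "consistent": extent == (start, end) and end - start == obj_size
                      and addr - start == off,
    }
```

Running analyse(REPORT) yields a single 0xfb shadow byte for the 2-byte read, a freed run of [ffff88808c4058c0, ffff88808c4059a8) that is 232 bytes long, and consistent=True, so the access is a stale-pointer read of an sk_buff that had been returned to skbuff_head_cache in full. A None from freed_extent() would instead point at a redzone or out-of-bounds access, which is a different class of bug and usually a different fix.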

Crashes (2):
  Manager         Time              Kernel        Commit        Syzkaller  Config   Log  Report  Syz repro  C repro  VM info  Title
  ci2-linux-4-14  2019/09/02 10:53  linux-4.14.y  01fd1694b93c  db7c31ca   .config  log  report  -          -        -        -
  ci2-linux-4-14  2019/08/09 21:17  linux-4.14.y  3ffe1e79c174  aff9e255   .config  log  report  -          -        -        -