syzbot


KASAN: use-after-free Read in bpf_skb_change_tail

Status: auto-closed as invalid on 2019/05/18 04:13
Reported-by: syzbot+470a78a8e4bedc40d1b1@syzkaller.appspotmail.com
First crash: 2240d, last: 2194d
Similar bugs (2)
Kernel      | Title                                                 | Repro | Cause bisect | Fix bisect | Count | Last  | Reported | Patched | Status
linux-4.14  | KASAN: use-after-free Read in bpf_skb_change_tail     |       |              |            | 1     | 1925d | 1924d    | 0/1     | auto-closed as invalid on 2019/12/13 14:45
android-414 | KASAN: use-after-free Read in bpf_skb_change_tail (2) | C     |              |            | 3     | 1924d | 1930d    | 0/1     | public: reported C repro on 2019/08/10 10:38

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in ____bpf_skb_change_tail net/core/filter.c:2370 [inline]
BUG: KASAN: use-after-free in bpf_skb_change_tail+0xa2c/0xb90 net/core/filter.c:2367
Read of size 8 at addr ffff8801d3c556d0 by task syz-executor1/23888

CPU: 1 PID: 23888 Comm: syz-executor1 Not tainted 4.14.81+ #6
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 ____bpf_skb_change_tail net/core/filter.c:2370 [inline]
 bpf_skb_change_tail+0xa2c/0xb90 net/core/filter.c:2367
 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012

Allocated by task 6176:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
 slab_post_alloc_hook mm/slab.h:442 [inline]
 slab_alloc_node mm/slub.c:2723 [inline]
 slab_alloc mm/slub.c:2731 [inline]
 kmem_cache_alloc+0xe4/0x2b0 mm/slub.c:2736
 kmem_cache_alloc_node include/linux/slab.h:361 [inline]
 __alloc_skb+0xd8/0x550 net/core/skbuff.c:193
 alloc_skb include/linux/skbuff.h:980 [inline]
 nlmsg_new include/net/netlink.h:511 [inline]
 inet6_netconf_notify_devconf+0x6f/0x140 net/ipv6/addrconf.c:591
 __addrconf_sysctl_unregister.isra.17+0x9c/0xd0 net/ipv6/addrconf.c:6471
 addrconf_sysctl_unregister+0x87/0xf0 net/ipv6/addrconf.c:6495
 addrconf_ifdown+0xdd9/0x12e0 net/ipv6/addrconf.c:3755
 addrconf_notify+0x8f1/0x1b30 net/ipv6/addrconf.c:3525
 notifier_call_chain+0x114/0x1b0 kernel/notifier.c:93
 call_netdevice_notifiers net/core/dev.c:1687 [inline]
 rollback_registered_many+0x6b5/0xac0 net/core/dev.c:7206
 unregister_netdevice_many+0x43/0x210 net/core/dev.c:8255
 sit_exit_net+0x42a/0x600 net/ipv6/sit.c:1868
 ops_exit_list.isra.3+0xa8/0x150 net/core/net_namespace.c:142
 cleanup_net+0x3e9/0x880 net/core/net_namespace.c:483
 process_one_work+0x86e/0x1670 kernel/workqueue.c:2114
 worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
 kthread+0x348/0x420 kernel/kthread.c:232
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402

Freed by task 6176:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kmem_cache_free+0x12d/0x350 mm/slub.c:2988
 kfree_skbmem+0x9e/0x100 net/core/skbuff.c:582
 __kfree_skb net/core/skbuff.c:642 [inline]
 consume_skb+0xc9/0x330 net/core/skbuff.c:701
 netlink_broadcast_filtered+0x2b7/0xa30 net/netlink/af_netlink.c:1488
 netlink_broadcast+0x35/0x40 net/netlink/af_netlink.c:1510
 nlmsg_multicast include/net/netlink.h:591 [inline]
 nlmsg_notify+0x86/0x150 net/netlink/af_netlink.c:2475
 inet6_netconf_notify_devconf+0xc1/0x140 net/ipv6/addrconf.c:603
 __addrconf_sysctl_unregister.isra.17+0x9c/0xd0 net/ipv6/addrconf.c:6471
 addrconf_sysctl_unregister+0x87/0xf0 net/ipv6/addrconf.c:6495
 addrconf_ifdown+0xdd9/0x12e0 net/ipv6/addrconf.c:3755
 addrconf_notify+0x8f1/0x1b30 net/ipv6/addrconf.c:3525
 notifier_call_chain+0x114/0x1b0 kernel/notifier.c:93
 call_netdevice_notifiers net/core/dev.c:1687 [inline]
 rollback_registered_many+0x6b5/0xac0 net/core/dev.c:7206
 unregister_netdevice_many+0x43/0x210 net/core/dev.c:8255
 sit_exit_net+0x42a/0x600 net/ipv6/sit.c:1868
 ops_exit_list.isra.3+0xa8/0x150 net/core/net_namespace.c:142
 cleanup_net+0x3e9/0x880 net/core/net_namespace.c:483
 process_one_work+0x86e/0x1670 kernel/workqueue.c:2114
 worker_thread+0xdc/0x1000 kernel/workqueue.c:2248
 kthread+0x348/0x420 kernel/kthread.c:232
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:402

The buggy address belongs to the object at ffff8801d3c55640
 which belongs to the cache skbuff_head_cache of size 224
The buggy address is located 144 bytes inside of
 224-byte region [ffff8801d3c55640, ffff8801d3c55720)
The buggy address belongs to the page:
page:ffffea00074f1540 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000100(slab)
raw: 4000000000000100 0000000000000000 0000000000000000 00000001800c000c
raw: ffffea00072bf840 0000000700000007 ffff8801dab70200 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d3c55580: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8801d3c55600: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
>ffff8801d3c55680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                 ^
 ffff8801d3c55700: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d3c55780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (2):
Time             | Kernel       | Commit       | Syzkaller | Manager
2018/11/19 04:12 | android-4.14 | 4e76528bd48d | adf636a8  | ci-android-414-kasan-gce-root
2018/10/04 12:01 | android-4.14 | 8c958cd74663 | 8b311eaf  | ci-android-414-kasan-gce-root