syzbot


KASAN: stack-out-of-bounds Read in xfrm_state_find (5)

Status: fixed on 2019/11/11 16:48
Reported-by: syzbot+d90468452f685a0b28eb@syzkaller.appspotmail.com
Fix commit: 32bf94fb5c2e xfrm: validate template mode
First crash: 1640d, last: 1338d

Fix bisection: fixed by (bisect log) :
commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa
Author: Sean Tranchetti <stranche@codeaurora.org>
Date: Wed Sep 19 19:54:56 2018 +0000

  xfrm: validate template mode

similar bugs (10):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (3) C 10353 1705d 1773d 4/24 fixed on 2018/01/31 00:24
android-44 KASAN: stack-out-of-bounds Read in xfrm_state_find C 842 1033d 1265d 0/2 public: reported C repro on 2019/04/12 00:00
upstream KMSAN: uninit-value in xfrm_state_find C 189 27d 1566d 0/24 upstream: reported C repro on 2018/06/15 07:30
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find C 365 1801d 1874d 0/24 closed as invalid on 2017/10/23 16:19
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find 1 325d 325d 0/2 closed as invalid on 2022/02/03 13:56
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find C 4151 1366d 1877d 0/3 closed as invalid on 2019/01/01 20:10
android-414 KASAN: stack-out-of-bounds Read in xfrm_state_find C 137 1339d 1266d 0/1 public: reported C repro on 2019/04/11 00:00
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (2) C 93 1783d 1792d 3/24 fixed on 2017/11/18 01:42
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) C 392 1030d 1266d 0/3 public: reported C repro on 2019/04/11 08:44
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (4) C 102 1650d 1701d 4/24 fixed on 2018/03/23 18:14

Sample crash report:
audit: type=1400 audit(1546412134.760:36): avc:  denied  { map } for  pid=8209 comm="syz-executor753" path="/root/syz-executor753487859" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in jhash2 include/linux/jhash.h:137 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
BUG: KASAN: stack-out-of-bounds in __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_dst_hash net/xfrm/xfrm_state.c:61 [inline]
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x396a/0x3f00 net/xfrm/xfrm_state.c:958
Read of size 4 at addr ffff888096def3d0 by task syz-executor753/8209

CPU: 0 PID: 8209 Comm: syz-executor753 Not tainted 4.20.0+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1db/0x2d0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
 kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
 jhash2 include/linux/jhash.h:137 [inline]
 __xfrm6_addr_hash net/xfrm/xfrm_hash.h:16 [inline]
 __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
 __xfrm_dst_hash net/xfrm/xfrm_hash.h:95 [inline]
 xfrm_dst_hash net/xfrm/xfrm_state.c:61 [inline]
 xfrm_state_find+0x396a/0x3f00 net/xfrm/xfrm_state.c:958
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:2385 [inline]
 xfrm_tmpl_resolve+0x385/0xe00 net/xfrm/xfrm_policy.c:2430
 xfrm_resolve_and_create_bundle+0x145/0x27f0 net/xfrm/xfrm_policy.c:2725
 xfrm_lookup_with_ifid+0x340/0x2a90 net/xfrm/xfrm_policy.c:3048
 xfrm_lookup net/xfrm/xfrm_policy.c:3172 [inline]
 xfrm_lookup_route+0x3b/0x1f0 net/xfrm/xfrm_policy.c:3183
 ip_route_output_flow+0xad/0xc0 net/ipv4/route.c:2582
 udp_sendmsg+0x24cb/0x3a40 net/ipv4/udp.c:1144
 udpv6_sendmsg+0x1843/0x3550 net/ipv6/udp.c:1279
 inet_sendmsg+0x1af/0x740 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xdd/0x130 net/socket.c:631
 ___sys_sendmsg+0x409/0x910 net/socket.c:2116
 __sys_sendmmsg+0x246/0x6f0 net/socket.c:2211
 __do_sys_sendmmsg net/socket.c:2240 [inline]
 __se_sys_sendmmsg net/socket.c:2237 [inline]
 __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2237
 do_syscall_64+0x1a3/0x800 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440349
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd9cac43d8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440349
RDX: 0000000000000001 RSI: 0000000020000a80 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401bd0
R13: 0000000000401c60 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00025b7bc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x1fffc0000000000()
raw: 01fffc0000000000 0000000000000000 ffffffff025b0101 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096def280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888096def300: f1 f1 f1 f1 00 00 00 f2 f2 f2 00 00 00 00 00 f2
>ffff888096def380: f2 f2 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2 00 00
                                                 ^
 ffff888096def400: 00 00 00 00 f2 f2 f2 f2 00 00 f8 f2 f2 f2 00 00
 ffff888096def480: 00 00 00 00 00 00 00 f3 f3 f3 f3 f3 00 00 00 00
==================================================================

Crashes (654):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2019/01/02 06:58 upstream 28e8c4bc8eb4 3d85f48c .config log report syz C
ci-upstream-kasan-gce-smack-root 2019/01/02 05:16 upstream 28e8c4bc8eb4 3d85f48c .config log report syz C
ci-upstream-kasan-gce-root 2019/01/02 04:50 upstream 28e8c4bc8eb4 3d85f48c .config log report syz C
ci-upstream-kasan-gce 2019/01/02 00:08 upstream e1ef035d272e 3d85f48c .config log report syz C
ci-upstream-kasan-gce-root 2018/12/04 22:04 upstream 0072a0c14d5b 6ad0ae61 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2018/12/04 21:06 upstream 0072a0c14d5b 6ad0ae61 .config log report syz C
ci-upstream-kasan-gce 2018/12/04 21:05 upstream 0072a0c14d5b 6ad0ae61 .config log report syz C
ci-upstream-kasan-gce-smack-root 2018/12/04 21:05 upstream 0072a0c14d5b 6ad0ae61 .config log report syz C
ci-upstream-kasan-gce-selinux-root 2018/09/29 09:01 upstream e704966c45e4 41e4b329 .config log report syz C
ci-upstream-kasan-gce-root 2018/09/29 08:56 upstream e704966c45e4 41e4b329 .config log report syz C
ci-upstream-kasan-gce-smack-root 2018/09/29 08:48 upstream e704966c45e4 41e4b329 .config log report syz C
ci-upstream-kasan-gce 2018/09/29 08:41 upstream e704966c45e4 41e4b329 .config log report syz C
ci-upstream-kasan-gce 2018/08/30 09:26 upstream ff69279a44e9 6c7e9d3d .config log report syz C
ci-upstream-kasan-gce-root 2018/08/30 06:19 upstream ff69279a44e9 6c7e9d3d .config log report syz C
ci-upstream-kasan-gce 2018/06/16 12:45 upstream 9215310cf13b 27c5f59f .config log report syz C
ci-upstream-kasan-gce-root 2018/06/16 11:29 upstream 9215310cf13b 27c5f59f .config log report syz C
ci-upstream-kasan-gce 2018/05/15 16:24 upstream 67b8d5c70812 661fd7b9 .config log report syz C
ci-upstream-kasan-gce-root 2018/05/15 16:20 upstream 67b8d5c70812 661fd7b9 .config log report syz C
ci-upstream-kasan-gce-root 2018/05/15 14:29 upstream 67b8d5c70812 661fd7b9 .config log report syz C
ci-upstream-kasan-gce 2018/05/15 14:18 upstream 67b8d5c70812 661fd7b9 .config log report syz C
ci-upstream-kasan-gce 2018/04/01 21:21 upstream 10b84daddbec dc889257 .config log report syz C
ci-upstream-kasan-gce-root 2018/04/01 21:07 upstream 10b84daddbec dc889257 .config log report syz C
ci-upstream-net-this-kasan-gce 2019/01/02 00:07 net 4087d2bc0d94 3d85f48c .config log report syz C
ci-upstream-net-this-kasan-gce 2018/12/04 21:05 net a2c741dfe7db 6ad0ae61 .config log report syz C
ci-upstream-net-this-kasan-gce 2018/09/29 09:17 net 05c5e9ff22e3 41e4b329 .config log report syz C
ci-upstream-net-this-kasan-gce 2018/08/30 05:41 net bd583fe30427 6c7e9d3d .config log report syz C
ci-upstream-net-kasan-gce 2019/01/02 09:53 net-next b71acb0e3721 3d85f48c .config log report syz C
ci-upstream-net-kasan-gce 2018/12/04 21:53 net-next d9bbd6a1a56e 6ad0ae61 .config log report syz C
ci-upstream-net-kasan-gce 2018/09/29 08:40 net-next 5362700c942b 41e4b329 .config log report syz C
ci-upstream-net-kasan-gce 2018/08/30 05:34 net-next 817e60a7a2bb 6c7e9d3d .config log report syz C
ci-upstream-net-kasan-gce 2018/06/16 11:31 net-next f0dc7f9c6dd9 27c5f59f .config log report syz C
ci-upstream-net-kasan-gce 2018/05/15 20:39 net-next 961423f9fcbc 68ce85f1 .config log report syz C
ci-upstream-net-kasan-gce 2018/05/15 16:19 net-next 961423f9fcbc 661fd7b9 .config log report syz C
ci-upstream-net-kasan-gce 2018/05/15 14:20 net-next 961423f9fcbc 661fd7b9 .config log report syz C
ci-upstream-net-kasan-gce 2018/04/01 21:20 net-next 06b19fe9a6df dc889257 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/01/02 12:57 linux-next 4cd1b60def51 f0491811 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/12/05 00:57 linux-next 442b8cea2477 f162ad97 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/09/29 08:54 linux-next 4794a36bf08d 41e4b329 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2018/08/30 07:46 linux-next 87b93b43da14 6c7e9d3d .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/01/26 23:22 upstream ba6069759381 c73f090a .config log report
ci-upstream-kasan-gce-root 2019/01/26 20:04 upstream ba6069759381 c73f090a .config log report
ci-upstream-kasan-gce 2019/01/22 17:14 upstream 48b161983ae5 985f75cc .config log report
ci-upstream-kasan-gce-root 2019/01/21 14:15 upstream 49a57857aeea badbbeee .config log report
ci-upstream-kasan-gce 2019/01/17 19:21 upstream 7fbfee7c80de 769e75ed .config log report
ci-upstream-kasan-gce-root 2019/01/08 11:34 upstream 3bd6e94bec12 37dd2683 .config log report
ci-upstream-kasan-gce-selinux-root 2019/01/03 07:01 upstream 85f78456f286 06a2b89f .config log report
ci-upstream-kasan-gce 2018/12/29 10:07 upstream f346b0becb1b e33ad0f1 .config log report
ci-upstream-kasan-gce 2018/12/25 22:42 upstream 8fe28cb58bcb 8a41a0ad .config log report
ci-upstream-kasan-gce 2018/12/21 15:47 upstream 9097a058d49e 588075e6 .config log report
ci-upstream-kasan-gce-root 2018/12/19 02:35 upstream ddfbab46539f 4edaba93 .config log report
ci-upstream-kasan-gce-root 2018/12/17 19:02 upstream 7566ec393f41 def91db3 .config log report
ci-upstream-kasan-gce 2018/12/17 03:49 upstream 7566ec393f41 def91db3 .config log report
ci-upstream-kasan-gce-root 2018/12/16 15:21 upstream 6531e115b7ab def91db3 .config log report
ci-upstream-kasan-gce-smack-root 2018/12/09 06:40 upstream 8214bdf7d3e6 c7918378 .config log report
ci-upstream-kasan-gce 2018/12/06 05:53 upstream d08970904582 764b42c4 .config log report
ci-upstream-kasan-gce-root 2018/04/01 20:29 upstream 10b84daddbec dc889257 .config log report
ci-upstream-net-this-kasan-gce 2019/01/17 05:43 net 0f149c9fec3c c2faf9b2 .config log report
ci-upstream-net-this-kasan-gce 2018/12/29 05:13 net a3c9311f62b4 e33ad0f1 .config log report
ci-upstream-net-this-kasan-gce 2018/12/14 16:38 net c3db8d531045 7624ddd6 .config log report
ci-upstream-net-this-kasan-gce 2018/12/09 12:09 net bd5122cd1e06 979179d6 .config log report
ci-upstream-net-this-kasan-gce 2018/12/08 22:37 net 5b3279e2cba2 60562a1d .config log report
ci-upstream-net-this-kasan-gce 2018/12/08 16:18 net 5b3279e2cba2 60562a1d .config log report
ci-upstream-net-this-kasan-gce 2018/12/07 02:59 net cd9d1a2332b0 dcf836b1 .config log report
ci-upstream-net-this-kasan-gce 2018/12/06 07:32 net 64d47902fea3 764b42c4 .config log report
ci-upstream-net-this-kasan-gce 2018/12/04 01:09 net d2a36971ef59 03f94a45 .config log report
ci-upstream-net-kasan-gce 2019/01/29 09:39 net-next 085c4c7dd2b6 aa432daf .config log report
ci-upstream-net-kasan-gce 2019/01/28 02:24 net-next 085c4c7dd2b6 c73f090a .config log report
ci-upstream-net-kasan-gce 2019/01/20 08:21 net-next 133bbb18ab1a 353f32ea .config log report
ci-upstream-net-kasan-gce 2019/01/12 11:52 net-next b71acb0e3721 c3f3344c .config log report
ci-upstream-net-kasan-gce 2019/01/12 05:34 net-next b71acb0e3721 c3f3344c .config log report
ci-upstream-net-kasan-gce 2019/01/11 22:24 net-next b71acb0e3721 c3f3344c .config log report
ci-upstream-net-kasan-gce 2019/01/10 01:45 net-next b71acb0e3721 45c0c1b1 .config log report
ci-upstream-net-kasan-gce 2019/01/08 06:15 net-next b71acb0e3721 69d69aa9 .config log report
ci-upstream-net-kasan-gce 2019/01/08 03:59 net-next b71acb0e3721 69d69aa9 .config log report
ci-upstream-net-kasan-gce 2019/01/07 14:49 net-next b71acb0e3721 69d69aa9 .config log report
ci-upstream-net-kasan-gce 2019/01/03 17:46 net-next b71acb0e3721 66fcd29b .config log report
ci-upstream-net-kasan-gce 2018/12/21 19:50 net-next fa2323325e8b 588075e6 .config log report
ci-upstream-net-kasan-gce 2018/12/20 02:52 net-next 24894bc6eabc 02e69052 .config log report
ci-upstream-net-kasan-gce 2018/12/16 04:46 net-next e782410ed237 def91db3 .config log report
ci-upstream-net-kasan-gce 2018/12/15 04:03 net-next 2aa55dccf83d 7624ddd6 .config log report
ci-upstream-net-kasan-gce 2018/12/14 16:38 net-next 522185d5cb40 7624ddd6 .config log report
ci-upstream-net-kasan-gce 2018/12/13 15:25 net-next 95302c394c3d f3d9d594 .config log report
ci-upstream-net-kasan-gce 2018/12/11 22:05 net-next addb0679839a 7795ae03 .config log report
ci-upstream-net-kasan-gce 2018/12/08 06:13 net-next 9f4c2cffd08c 65ed2472 .config log report
ci-upstream-net-kasan-gce 2018/12/06 00:03 net-next b255e500c8dc 764b42c4 .config log report
ci-upstream-net-kasan-gce 2018/12/05 15:49 net-next a74f0fa082b7 ac6c0578 .config log report
ci-upstream-net-kasan-gce 2018/12/04 04:28 net-next 6915bf3b002b 03f94a45 .config log report
ci-upstream-linux-next-kasan-gce-root 2018/12/30 04:54 linux-next 6a1d293238c1 35e3f847 .config log report
* Struck through repros no longer work on HEAD.