Title | Replies (including bot) | Last reply |
---|---|---|
[syzbot] KASAN: use-after-free Write in null_skcipher_crypt | 3 (4) | 2021/08/24 10:48 |
syzbot |
sign-in | mailing list | source | docs |
Title | Replies (including bot) | Last reply |
---|---|---|
[syzbot] KASAN: use-after-free Write in null_skcipher_crypt | 3 (4) | 2021/08/24 10:48 |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
android-5-10 | KASAN: use-after-free Write in null_skcipher_crypt | 1 | 1069d | 1069d | 2/2 | fixed on 2022/03/23 23:19 |
Created | Duration | User | Patch | Repo | Result |
---|---|---|---|---|---|
2022/03/16 23:44 | 8m | tadeusz.struk@linaro.org | upstream | OK | |
2021/08/21 08:10 | 10m | chouhan.shreyansh630@gmail.com | upstream | report log |
Created | Duration | User | Patch | Repo | Result |
---|---|---|---|---|---|
2022/02/11 11:54 | 19m | bisect fix | upstream | OK (0) job log log | |
2022/01/12 11:32 | 21m | bisect fix | upstream | OK (0) job log log | |
2021/12/13 11:13 | 19m | bisect fix | upstream | OK (0) job log log | |
2021/11/11 18:51 | 20m | bisect fix | upstream | OK (0) job log log | |
2021/10/12 18:24 | 27m | bisect fix | upstream | OK (0) job log log |
================================================================== BUG: KASAN: use-after-free in memcpy include/linux/fortify-string.h:225 [inline] BUG: KASAN: use-after-free in null_skcipher_crypt+0xa8/0x120 crypto/crypto_null.c:85 Write of size 4096 at addr ffff888074df8000 by task syz-executor157/3589 CPU: 1 PID: 3589 Comm: syz-executor157 Not tainted 5.17.0-rc6-syzkaller-00066-g5859a2b19911 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106 print_address_description.constprop.0.cold+0x8d/0x336 mm/kasan/report.c:255 __kasan_report mm/kasan/report.c:442 [inline] kasan_report.cold+0x83/0xdf mm/kasan/report.c:459 check_region_inline mm/kasan/generic.c:183 [inline] kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189 memcpy+0x39/0x60 mm/kasan/shadow.c:66 memcpy include/linux/fortify-string.h:225 [inline] null_skcipher_crypt+0xa8/0x120 crypto/crypto_null.c:85 crypto_skcipher_encrypt+0xaa/0xf0 crypto/skcipher.c:630 crypto_authenc_encrypt+0x3b4/0x510 crypto/authenc.c:222 crypto_aead_encrypt+0xaa/0xf0 crypto/aead.c:94 esp6_output_tail+0x777/0x1a90 net/ipv6/esp6.c:658 esp6_output+0x4af/0x8a0 net/ipv6/esp6.c:734 xfrm_output_one net/xfrm/xfrm_output.c:553 [inline] xfrm_output_resume+0x2a92/0x5ca0 net/xfrm/xfrm_output.c:588 xfrm_output2 net/xfrm/xfrm_output.c:615 [inline] xfrm_output+0x2eb/0x1290 net/xfrm/xfrm_output.c:765 __xfrm6_output+0x4bf/0x1080 net/ipv6/xfrm6_output.c:87 NF_HOOK_COND include/linux/netfilter.h:296 [inline] xfrm6_output+0x117/0x550 net/ipv6/xfrm6_output.c:92 dst_output include/net/dst.h:451 [inline] ip6_local_out+0xaf/0x1a0 net/ipv6/output_core.c:161 ip6_send_skb+0xb7/0x340 net/ipv6/ip6_output.c:1912 ip6_push_pending_frames+0xdd/0x100 net/ipv6/ip6_output.c:1932 rawv6_push_pending_frames net/ipv6/raw.c:613 [inline] rawv6_sendmsg+0x2b89/0x3b30 net/ipv6/raw.c:956 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819 sock_sendmsg_nosec net/socket.c:705 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:725 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2413 ___sys_sendmsg+0xf3/0x170 net/socket.c:2467 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2496 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f255dfc6559 Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffe53f07168 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f255dfc6559 RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000004 RBP: 00007f255df8a540 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000000000e8 R11: 0000000000000246 R12: 00007f255df8a5d0 R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000 </TASK> Allocated by task 3589: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track mm/kasan/common.c:45 [inline] set_alloc_info mm/kasan/common.c:436 [inline] ____kasan_kmalloc mm/kasan/common.c:515 [inline] ____kasan_kmalloc mm/kasan/common.c:474 [inline] __kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:524 kmalloc include/linux/slab.h:586 [inline] tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x272/0x380 security/tomoyo/file.c:771 tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline] tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:306 security_file_open+0x45/0xb0 security/security.c:1638 do_dentry_open+0x358/0x1250 fs/open.c:811 do_open fs/namei.c:3476 [inline] path_openat+0x1c9e/0x2940 fs/namei.c:3609 do_filp_open+0x1aa/0x400 fs/namei.c:3636 do_sys_openat2+0x16d/0x4d0 fs/open.c:1214 do_sys_open fs/open.c:1230 [inline] __do_sys_openat fs/open.c:1246 [inline] __se_sys_openat fs/open.c:1241 [inline] __x64_sys_openat+0x13f/0x1f0 fs/open.c:1241 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Freed by task 3589: kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38 kasan_set_track+0x21/0x30 mm/kasan/common.c:45 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370 ____kasan_slab_free mm/kasan/common.c:366 [inline] ____kasan_slab_free+0x126/0x160 mm/kasan/common.c:328 kasan_slab_free include/linux/kasan.h:236 [inline] slab_free_hook mm/slub.c:1728 [inline] slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1754 slab_free mm/slub.c:3509 [inline] kfree+0xd0/0x390 mm/slub.c:4562 tomoyo_realpath_from_path+0x191/0x620 security/tomoyo/realpath.c:291 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_check_open_permission+0x272/0x380 security/tomoyo/file.c:771 tomoyo_file_open security/tomoyo/tomoyo.c:311 [inline] tomoyo_file_open+0xa3/0xd0 security/tomoyo/tomoyo.c:306 security_file_open+0x45/0xb0 security/security.c:1638 do_dentry_open+0x358/0x1250 fs/open.c:811 do_open fs/namei.c:3476 [inline] path_openat+0x1c9e/0x2940 fs/namei.c:3609 do_filp_open+0x1aa/0x400 fs/namei.c:3636 do_sys_openat2+0x16d/0x4d0 fs/open.c:1214 do_sys_open fs/open.c:1230 [inline] __do_sys_openat fs/open.c:1246 [inline] __se_sys_openat fs/open.c:1241 [inline] __x64_sys_openat+0x13f/0x1f0 fs/open.c:1241 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae The buggy address belongs to the object at ffff888074df8000 which belongs to the cache kmalloc-4k of size 4096 The buggy address is located 0 bytes inside of 4096-byte region [ffff888074df8000, ffff888074df9000) The buggy address belongs to the page: page:ffffea0001d37e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x74df8 head:ffffea0001d37e00 order:3 compound_mapcount:0 compound_pincount:0 flags: 0xfff00000010200(slab|head|node=0|zone=1|lastcpupid=0x7ff) raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010c42140 raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected page_owner tracks the page as allocated page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd2040(__GFP_IO|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2967, ts 17149793924, free_ts 17109961066 prep_new_page mm/page_alloc.c:2434 [inline] get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4165 __alloc_pages+0x1b2/0x500 mm/page_alloc.c:5389 alloc_pages+0x1aa/0x310 mm/mempolicy.c:2271 alloc_slab_page mm/slub.c:1799 [inline] allocate_slab+0x27f/0x3c0 mm/slub.c:1944 new_slab mm/slub.c:2004 [inline] ___slab_alloc+0xbe1/0x12b0 mm/slub.c:3018 __slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3105 slab_alloc_node mm/slub.c:3196 [inline] slab_alloc mm/slub.c:3238 [inline] __kmalloc+0x372/0x450 mm/slub.c:4420 kmalloc include/linux/slab.h:586 [inline] tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254 tomoyo_get_realpath security/tomoyo/file.c:151 [inline] tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822 security_inode_getattr+0xcf/0x140 security/security.c:1337 vfs_getattr fs/stat.c:157 [inline] vfs_statx+0x164/0x390 fs/stat.c:225 vfs_fstatat fs/stat.c:243 [inline] __do_sys_newfstatat+0x96/0x120 fs/stat.c:412 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae page last free stack trace: reset_page_owner include/linux/page_owner.h:24 [inline] free_pages_prepare mm/page_alloc.c:1352 [inline] free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1404 free_unref_page_prepare mm/page_alloc.c:3325 [inline] free_unref_page+0x19/0x690 mm/page_alloc.c:3404 __unfreeze_partials+0x320/0x340 mm/slub.c:2536 qlink_free mm/kasan/quarantine.c:157 [inline] qlist_free_all+0x6d/0x160 mm/kasan/quarantine.c:176 kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:283 __kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:446 kasan_slab_alloc include/linux/kasan.h:260 [inline] slab_post_alloc_hook mm/slab.h:732 [inline] slab_alloc_node mm/slub.c:3230 [inline] slab_alloc mm/slub.c:3238 [inline] kmem_cache_alloc+0x1b1/0x4b0 mm/slub.c:3243 anon_vma_alloc mm/rmap.c:90 [inline] anon_vma_fork+0xed/0x630 mm/rmap.c:355 dup_mmap kernel/fork.c:571 [inline] dup_mm+0xa07/0x13e0 kernel/fork.c:1451 copy_mm kernel/fork.c:1503 [inline] copy_process+0x3cf7/0x7250 kernel/fork.c:2164 kernel_clone+0xe7/0xab0 kernel/fork.c:2565 __do_sys_clone+0xc8/0x110 kernel/fork.c:2682 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae Memory state around the buggy address: ffff888074df7f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff888074df7f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff888074df8000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888074df8080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888074df8100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
2022/03/03 23:23 | upstream | 5859a2b19911 | 45a13a73 | .config | console log | report | syz | C | ci-upstream-kasan-gce-root | KASAN: use-after-free Write in null_skcipher_crypt | ||
2021/09/12 16:04 | upstream | 78e709522d2c | 5ae8508a | .config | console log | report | syz | C | ci-upstream-kasan-gce | KASAN: use-after-free Write in null_skcipher_crypt | ||
2021/08/13 17:19 | net-old | a9a507013a6f | 3fd2ea69 | .config | console log | report | syz | C | ci-upstream-net-this-kasan-gce | KASAN: use-after-free Write in null_skcipher_crypt |