syzbot


KASAN: slab-out-of-bounds Read in memcpy

Status: public: reported C repro on 2019/04/13 00:00
Reported-by: syzbot+6cd4893962034118b585@syzkaller.appspotmail.com
First crash: 2298d, last: 2296d

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read, 103 bits of entropy available)
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8800b80a6988
Read of size 8192 by task syzkaller154846/3310
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=5 cpu=1 pid=3310
	___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
	__slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
	slab_alloc_node mm/slub.c:2567 [inline]
	slab_alloc mm/slub.c:2609 [inline]
	__kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
	__kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
	__alloc_skb+0xf5/0x610 net/core/skbuff.c:230
	alloc_skb include/linux/skbuff.h:815 [inline]
	pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
	sock_sendmsg_nosec net/socket.c:625 [inline]
	sock_sendmsg+0xb5/0xf0 net/socket.c:635
	___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
	__sys_sendmsg+0xc3/0x160 net/socket.c:1995
	SYSC_sendmsg net/socket.c:2006 [inline]
	SyS_sendmsg+0xd/0x20 net/socket.c:2002
	entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=11 cpu=1 pid=3310
	__slab_free+0x18c/0x2b0 mm/slub.c:2685
	slab_free mm/slub.c:2840 [inline]
	kfree+0x24f/0x2d0 mm/slub.c:3714
	load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075
	search_binary_handler+0x124/0x610 fs/exec.c:1471
	exec_binprm fs/exec.c:1513 [inline]
	do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
	do_execve fs/exec.c:1679 [inline]
	SYSC_execve fs/exec.c:1760 [inline]
	SyS_execve+0x35/0x40 fs/exec.c:1755
	return_from_execve+0x0/0x23
INFO: Slab 0xffffea0002e02900 objects=20 used=7 fp=0xffff8800b80a4660 flags=0x4000000000004080
INFO: Object 0xffff8800b80a6970 @offset=10608 fp=0x0000000f00000302

Bytes b4 ffff8800b80a6960: 00 00 00 00 6b 07 00 00 f0 8d ff ff 00 00 00 00  ....k...........
Object ffff8800b80a6970: 02 03 00 00 0f 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6980: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00  ................
Object ffff8800b80a6990: 0a 00 4e 20 00 00 00 00 00 00 00 00 00 00 00 00  ..N ............
Object ffff8800b80a69a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a69b0: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00  ................
Object ffff8800b80a69c0: 05 00 05 00 00 00 00 00 0a 00 4e 20 00 00 00 00  ..........N ....
Object ffff8800b80a69d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a69e0: 00 00 00 00 00 00 00 00 90 01 00 00 00 00 00 00  ................
Object ffff8800b80a69f0: 90 01 40 00 00 00 00 00 90 01 40 00 00 00 00 00  ..@.......@.....
Object ffff8800b80a6a00: 44 00 00 00 00 00 00 00 44 00 00 00 00 00 00 00  D.......D.......
Object ffff8800b80a6a10: 04 00 00 00 00 00 00 00 07 00 00 00 04 00 00 00  ................
Object ffff8800b80a6a20: b8 9e 0c 00 00 00 00 00 b8 9e 6c 00 00 00 00 00  ..........l.....
Object ffff8800b80a6a30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6a40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6a50: 01 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6a60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6a70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6a80: 10 00 00 00 00 00 00 00 52 e5 74 64 04 00 00 00  ........R.td....
Object ffff8800b80a6a90: b8 9e 0c 00 00 00 00 00 b8 9e 6c 00 00 00 00 00  ..........l.....
Object ffff8800b80a6aa0: b8 9e 6c 00 00 00 00 00 48 01 00 00 00 00 00 00  ..l.....H.......
Object ffff8800b80a6ab0: 48 01 00 00 00 00 00 00 01 00 00 00 00 00 00 00  H...............
Object ffff8800b80a6ac0: 50 e5 74 64 04 00 00 00 b0 d1 0c 00 00 00 00 00  P.td............
Object ffff8800b80a6ad0: b0 d1 4c 00 00 00 00 00 b0 d1 4c 00 00 00 00 00  ..L.......L.....
Object ffff8800b80a6ae0: ac 3c 00 00 00 00 00 00 ac 3c 00 00 00 00 00 00  .<.......<......
Object ffff8800b80a6af0: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00  ........Q.td....
Object ffff8800b80a6b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b80a6b20: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00  ................
Object ffff8800b80a6b30: 52 e5 74 64 04 00 00 00 c8 4d 0e 00 00 00 00 00  R.td.....M......
Object ffff8800b80a6b40: c8 4d 6e 00 00 00 00 00 c8 4d 6e 00 00 00 00 00  .Mn......Mn.....
Object ffff8800b80a6b50: 38 02 00 00 00 00 00 00 38 02 00 00 00 00 00 00  8.......8.......
Object ffff8800b80a6b60: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 1 PID: 3310 Comm: syzkaller154846 Tainted: G    B           4.4.105-ge303a83 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 4bb036a223f67d9f ffff8800b8167708 ffffffff81cc9b4f
 ffff8800b80a4010 ffff8800b80a6970 ffff8800b8167738 ffffffff814d3af4
 ffff8801da402a00 ffffea0002e02900 ffff8800b80a6970 0000000000000000
Call Trace:
 [<ffffffff81cc9b4f>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81cc9b4f>] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [<ffffffff814d3af4>] print_trailer+0x114/0x1a0 mm/slub.c:682
 [<ffffffff814d945f>] object_err+0x2f/0x40 mm/slub.c:689
 [<ffffffff814db1f7>] print_address_description mm/kasan/report.c:139 [inline]
 [<ffffffff814db1f7>] kasan_report_error mm/kasan/report.c:237 [inline]
 [<ffffffff814db1f7>] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [<ffffffff814db760>] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [<ffffffff814da257>] check_memory_region mm/kasan/kasan.c:284 [inline]
 [<ffffffff814da257>] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [<ffffffff814daa8d>] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [<ffffffff8340e624>] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [<ffffffff8340e624>] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [<ffffffff834134bd>] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [<ffffffff83414feb>] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [<ffffffff82d94005>] sock_sendmsg_nosec net/socket.c:625 [inline]
 [<ffffffff82d94005>] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [<ffffffff82d95add>] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [<ffffffff82d97863>] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [<ffffffff82d9790d>] SYSC_sendmsg net/socket.c:2006 [inline]
 [<ffffffff82d9790d>] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [<ffffffff8374ab36>] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8800b80a6a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800b80a6a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8800b80a6b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc

Crashes (7):
Time             | Kernel                                                     | Commit       | Syzkaller | Config  | Log         | Report | Syz repro | C repro | VM info | Assets | Manager                 | Title
2017/12/13 12:32 | https://android.googlesource.com/kernel/common android-4.4 | e303a832d93e | ce7f2399  | .config | console log | report | syz       | C       |         |        | ci-android-44-kasan-gce |
2017/12/14 08:17 | https://android.googlesource.com/kernel/common android-4.4 | b5797f6112c7 | ac20b98c  | .config | console log | report |           |         |         |        | ci-android-44-kasan-gce |
2017/12/13 19:37 | https://android.googlesource.com/kernel/common android-4.4 | b5797f6112c7 | 06ea774d  | .config | console log | report |           |         |         |        | ci-android-44-kasan-gce |
2017/12/13 17:33 | https://android.googlesource.com/kernel/common android-4.4 | b5797f6112c7 | ce7f2399  | .config | console log | report |           |         |         |        | ci-android-44-kasan-gce |
2017/12/13 14:31 | https://android.googlesource.com/kernel/common android-4.4 | e303a832d93e | ce7f2399  | .config | console log | report |           |         |         |        | ci-android-44-kasan-gce |
2017/12/13 03:38 | https://android.googlesource.com/kernel/common android-4.4 | e303a832d93e | ce7f2399  | .config | console log | report |           |         |         |        | ci-android-44-kasan-gce |
2017/12/12 13:12 | https://android.googlesource.com/kernel/common android-4.4 | 36205b7fa963 | 081721ff  | .config | console log | report |           |         |         |        | ci-android-44-kasan-gce |
* Struck through repros no longer work on HEAD.