KASAN: slab-out-of-bounds Read in tcf_exts

KASAN: slab-out-of-bounds Read in tcf_exts_destroy
Status: fixed on 2020/03/12 12:23
Reported-by: syzbot+ce5af60a6faa9cb4d112@syzkaller.appspotmail.com
Fix commit: 6cb448ee net_sched: fix an OOB access in cls_tcindex
First crash: 223d, last: 110d

Fix bisection: fixed by (bisect log):

commit 6cb448ee493c8a514c9afa0c346f3f5b3227de85
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Mon Feb 3 05:14:35 2020 +0000

net_sched: fix an OOB access in cls_tcindex

similar bugs (2):
Kernel	Title	Repro	Bisected	Count	Last	Reported	Patched	Status
linux-4.19	KASAN: slab-out-of-bounds Read in tcf_exts_destroy	C	fix	1	111d	227d	1/1	fixed on 2020/03/11 23:02
upstream	KASAN: slab-out-of-bounds Read in tcf_exts_destroy	C	cause+fix	8	226d	128d	16/17	fixed on 2020/02/18 14:31

Sample crash report:

IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1
==================================================================
BUG: KASAN: slab-out-of-bounds in tcf_exts_to_list include/net/pkt_cls.h:150 [inline]
BUG: KASAN: slab-out-of-bounds in tcf_exts_destroy+0x2a3/0x320 net/sched/cls_api.c:897
Read of size 4 at addr ffff888096b8eeb4 by task syz-executor514/6959

CPU: 0 PID: 6959 Comm: syz-executor514 Not tainted 4.14.150 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 tcf_exts_to_list include/net/pkt_cls.h:150 [inline]
 tcf_exts_destroy+0x2a3/0x320 net/sched/cls_api.c:897
 tcindex_free_perfect_hash.isra.0+0x9f/0x120 net/sched/cls_tcindex.c:291
 tcindex_set_parms+0xece/0x1aa0 net/sched/cls_tcindex.c:502
 tcindex_change+0x1cf/0x28d net/sched/cls_tcindex.c:535
 tc_ctl_tfilter+0xff1/0x1aba net/sched/cls_api.c:738
 rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285
 netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297
 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
 netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312
 netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xce/0x110 net/socket.c:656
 ___sys_sendmsg+0x349/0x840 net/socket.c:2062
 __sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
 SYSC_sendmmsg net/socket.c:2183 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2178
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x443299
RSP: 002b:00007ffde338f1e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000443299
RDX: 0000000000000332 RSI: 0000000020000140 RDI: 0000000000000008
RBP: 000000000000000c R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0030766461746162
R13: 00000000004041f0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6959:
 save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
 save_stack+0x45/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:529
 __do_kmalloc mm/slab.c:3720 [inline]
 __kmalloc+0x15d/0x7a0 mm/slab.c:3729
 kmalloc_array include/linux/slab.h:607 [inline]
 kcalloc include/linux/slab.h:618 [inline]
 tcindex_alloc_perfect_hash+0x54/0x300 net/sched/cls_tcindex.c:299
 tcindex_set_parms+0x3de/0x1aa0 net/sched/cls_tcindex.c:357
 tcindex_change+0x1cf/0x28d net/sched/cls_tcindex.c:535
 tc_ctl_tfilter+0xff1/0x1aba net/sched/cls_api.c:738
 rtnetlink_rcv_msg+0x3eb/0xb70 net/core/rtnetlink.c:4285
 netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:4297
 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline]
 netlink_unicast+0x45d/0x640 net/netlink/af_netlink.c:1312
 netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xce/0x110 net/socket.c:656
 ___sys_sendmsg+0x349/0x840 net/socket.c:2062
 __sys_sendmmsg+0x152/0x3a0 net/socket.c:2152
 SYSC_sendmmsg net/socket.c:2183 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2178
 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888096b8ee40
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 116 bytes inside of
 128-byte region [ffff888096b8ee40, ffff888096b8eec0)
The buggy address belongs to the page:
page:ffffea00025ae380 count:1 mapcount:0 mapping:ffff888096b8e000 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff888096b8e000 0000000000000000 0000000100000015
raw: ffffea0001ffa9e0 ffff8880aa801548 ffff8880aa800640 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888096b8ed80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888096b8ee00: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
>ffff888096b8ee80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff888096b8ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888096b8ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
protocol 88fb is buggy, dev hsr_slave_0
protocol 88fb is buggy, dev hsr_slave_1

Crashes (1):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	Maintainers
ci2-linux-4-14	2019/10/21 06:22	linux-4.14.y	b98aebd2	8c88c9c1	.config	log	report	syz	C	davem@davemloft.net, jhs@mojatatu.com, jiri@resnulli.us, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, xiyou.wangcong@gmail.com