syzbot


KASAN: stack-out-of-bounds Read in tcf_action_destroy

Status: upstream: reported C repro on 2020/10/06 21:53
Reported-by: syzbot+34eb37c79e51c20ea35e@syzkaller.appspotmail.com
First crash: 1269d, last: 762d
Fix bisection: failed (error log, bisect log)
  
Last patch testing requests (4)
Created Duration User Patch Repo Result
2023/02/14 05:32 10m retest repro linux-4.14.y report log
2023/02/14 04:32 9m retest repro linux-4.14.y report log
2022/10/02 22:30 11m retest repro linux-4.14.y report log
2022/10/02 12:30 10m retest repro linux-4.14.y report log
Fix bisection attempts (17)
Created Duration User Patch Repo Result
2022/03/29 15:23 11m bisect fix linux-4.14.y error job log (0)
2022/02/25 17:09 29m bisect fix linux-4.14.y job log (0) log
2022/01/26 16:45 24m bisect fix linux-4.14.y job log (0) log
2021/12/27 16:08 24m bisect fix linux-4.14.y job log (0) log
2021/11/27 15:06 21m bisect fix linux-4.14.y job log (0) log
2021/10/28 14:40 23m bisect fix linux-4.14.y job log (0) log
2021/09/24 07:18 27m bisect fix linux-4.14.y job log (0) log
2021/08/25 06:49 28m bisect fix linux-4.14.y job log (0) log
2021/07/26 06:26 23m bisect fix linux-4.14.y job log (0) log
2021/06/26 06:05 20m bisect fix linux-4.14.y job log (0) log
2021/05/27 05:37 28m bisect fix linux-4.14.y job log (0) log
2021/04/27 02:39 24m bisect fix linux-4.14.y job log (0) log
2021/03/28 02:08 21m bisect fix linux-4.14.y job log (0) log
2021/02/26 01:46 22m bisect fix linux-4.14.y job log (0) log
2021/01/27 01:21 24m bisect fix linux-4.14.y job log (0) log
2020/12/28 00:00 23m bisect fix linux-4.14.y job log (0) log
2020/11/27 23:38 22m bisect fix linux-4.14.y job log (0) log

Sample crash report:
netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
netlink: 32 bytes leftover after parsing attributes in process `syz-executor533'.
==================================================================
BUG: KASAN: stack-out-of-bounds in tcf_action_destroy+0x138/0x170 net/sched/act_api.c:526
Read of size 8 at addr ffff8880a241f7a0 by task syz-executor533/7984

CPU: 0 PID: 7984 Comm: syz-executor533 Not tainted 4.14.202-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x283 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430
 tcf_action_destroy+0x138/0x170 net/sched/act_api.c:526
 tcf_action_init+0x294/0x400 net/sched/act_api.c:769
 tcf_action_add net/sched/act_api.c:1079 [inline]
 tc_ctl_action+0x2e3/0x50f net/sched/act_api.c:1131
 rtnetlink_rcv_msg+0x3be/0xb10 net/core/rtnetlink.c:4316
 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433
 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline]
 netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313
 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878
 sock_sendmsg_nosec net/socket.c:646 [inline]
 sock_sendmsg+0xb5/0x100 net/socket.c:656
 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062
 __sys_sendmsg+0xa3/0x120 net/socket.c:2096
 SYSC_sendmsg net/socket.c:2107 [inline]
 SyS_sendmsg+0x27/0x40 net/socket.c:2103
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x46/0xbb
RIP: 0033:0x446c19
RSP: 002b:00007fe1c0732d98 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000006dbc28 RCX: 0000000000446c19
RDX: 0000000000000000 RSI: 0000000020002980 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0001008400000000 R14: 0000000000000000 R15: 053b003000000098

The buggy address belongs to the page:
page:ffffea00028907c0 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0xfff00000000000()
raw: 00fff00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea00028907e0 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a241f680: 00 00 00 00 00 00 00 00 00 00 00 f3 f3 f3 f3 f3
 ffff8880a241f700: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a241f780: f1 f1 f1 f1 f1 f1 00 00 f2 f2 00 00 00 00 00 f3
                               ^
 ffff8880a241f800: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a241f880: f1 f1 f1 f1 f1 f1 00 00 00 00 00 00 f3 f3 f3 f3
==================================================================

Crashes (2):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/10/28 21:30 linux-4.14.y 5b7a52cd2eef f24824d3 .config console log report syz C ci2-linux-4-14
2020/10/06 21:52 linux-4.14.y cbfa1702aaf6 1880b4a9 .config console log report syz C ci2-linux-4-14
* Struck through repros no longer work on HEAD.