syzbot


KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user

Status: fixed on 2020/04/16 05:11
Reported-by: syzbot+f17ced8a8ca56b539ca2@syzkaller.appspotmail.com
Fix commit: 0a7b397c0133 xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
First crash: 837d, last: 832d

Fix bisection: fixed by (bisect log) :
commit 0a7b397c013322fec975f30012302f694efba2da
Author: Xin Long <lucien.xin@gmail.com>
Date: Sun Feb 9 13:16:38 2020 +0000

  xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.14 KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user C done 1 825d 825d 1/1 fixed on 2020/04/21 23:14
upstream KASAN: slab-out-of-bounds Read in selinux_xfrm_alloc_user C done 1 818d 817d 17/22 fixed on 2020/05/10 10:42

Sample crash report:
kauditd_printk_skb: 3 callbacks suppressed
audit: type=1400 audit(1584298507.132:36): avc:  denied  { map } for  pid=8027 comm="syz-executor559" path="/root/syz-executor559645294" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
Read of size 768 at addr ffff888097bcf334 by task syz-executor559/8027

CPU: 1 PID: 8027 Comm: syz-executor559 Not tainted 4.19.109-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x188/0x20d lib/dump_stack.c:118
 print_address_description.cold+0x7c/0x212 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x88/0x2b9 mm/kasan/report.c:396
 memcpy+0x20/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:348 [inline]
 selinux_xfrm_alloc_user+0x205/0x400 security/selinux/xfrm.c:102
 security_xfrm_policy_alloc+0x6c/0xb0 security/security.c:1631
 copy_from_user_sec_ctx net/xfrm/xfrm_user.c:1461 [inline]
 xfrm_policy_construct+0x2a8/0x660 net/xfrm/xfrm_user.c:1626
 xfrm_add_acquire+0x215/0x9f0 net/xfrm/xfrm_user.c:2279
 xfrm_user_rcv_msg+0x40c/0x6b0 net/xfrm/xfrm_user.c:2677
 netlink_rcv_skb+0x160/0x410 net/netlink/af_netlink.c:2455
 xfrm_netlink_rcv+0x6b/0x90 net/xfrm/xfrm_user.c:2685
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x4d7/0x6a0 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x80b/0xcd0 net/netlink/af_netlink.c:1909
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:632
 ___sys_sendmsg+0x803/0x920 net/socket.c:2115
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2153
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4406e9
Code: 23 02 00 85 c0 b8 00 00 00 00 48 0f 44 c3 5b c3 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 9b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff605be978 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004406e9
RDX: 0000000000000000 RSI: 0000000020000080 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 0000000000000000 R09: 6c616b7a79732f2e
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401f10
R13: 0000000000401fa0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8027:
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:531
 __do_kmalloc_node mm/slab.c:3689 [inline]
 __kmalloc_node_track_caller+0x4c/0x70 mm/slab.c:3703
 __kmalloc_reserve.isra.0+0x39/0xe0 net/core/skbuff.c:137
 __alloc_skb+0xef/0x5b0 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:995 [inline]
 netlink_alloc_large_skb net/netlink/af_netlink.c:1190 [inline]
 netlink_sendmsg+0x8d6/0xcd0 net/netlink/af_netlink.c:1884
 sock_sendmsg_nosec net/socket.c:622 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:632
 ___sys_sendmsg+0x803/0x920 net/socket.c:2115
 __sys_sendmsg+0xec/0x1b0 net/socket.c:2153
 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff888097bcf200
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 308 bytes inside of
 1024-byte region [ffff888097bcf200, ffff888097bcf600)
The buggy address belongs to the page:
page:ffffea00025ef380 count:1 mapcount:0 mapping:ffff88812c3dcac0 index:0x0 compound_mapcount: 0
flags: 0xfffe0000008100(slab|head)
raw: 00fffe0000008100 ffffea0001f7a688 ffffea0002976608 ffff88812c3dcac0
raw: 0000000000000000 ffff888097bce000 0000000100000007 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888097bcf500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff888097bcf580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff888097bcf600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff888097bcf680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888097bcf700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-19 2020/03/15 18:57 linux-4.19.y 569209711609 749688d2 .config log report syz C
ci2-linux-4-19 2020/03/11 03:20 linux-4.19.y 7472c4028e23 35f53e45 .config log report syz C
ci2-linux-4-19 2020/03/11 03:06 linux-4.19.y 7472c4028e23 35f53e45 .config log report