KASAN: use-after-free Read in __xfrm_decode_session

Status: auto-closed as invalid on 2021/01/03 02:25
Subsystems: net
[Documentation on labels]
First crash: 1715d, last: 1355d
Discussions (1)
Title Replies (including bot) Last reply
KASAN: use-after-free Read in __xfrm_decode_session 0 (1) 2019/09/12 08:02
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in __xfrm_decode_session (2) net 7 899d 1135d 0/26 auto-closed as invalid on 2022/04/04 17:22
linux-5.15 KASAN: slab-out-of-bounds Read in __xfrm_decode_session origin:upstream C error 7 195d 382d 0/3 auto-obsoleted due to no activity on 2024/02/16 23:16
linux-6.1 KASAN: use-after-free Read in __xfrm_decode_session 4 242d 373d 0/3 auto-obsoleted due to no activity on 2024/01/01 21:03

Sample crash report:
BUG: KASAN: use-after-free in decode_session6 net/xfrm/xfrm_policy.c:3393 [inline]
BUG: KASAN: use-after-free in __xfrm_decode_session+0x1b92/0x2710 net/xfrm/xfrm_policy.c:3485
Read of size 1 at addr ffff88802059fc12 by task syz-executor.2/9816

CPU: 1 PID: 9816 Comm: syz-executor.2 Not tainted 5.9.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d6/0x29e lib/dump_stack.c:118
 print_address_description+0x66/0x620 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report+0x132/0x1d0 mm/kasan/report.c:530
 decode_session6 net/xfrm/xfrm_policy.c:3393 [inline]
 __xfrm_decode_session+0x1b92/0x2710 net/xfrm/xfrm_policy.c:3485
 vti_tunnel_xmit+0x1e7/0x1520 net/ipv4/ip_vti.c:293
 __netdev_start_xmit include/linux/netdevice.h:4634 [inline]
 netdev_start_xmit include/linux/netdevice.h:4648 [inline]
 xmit_one net/core/dev.c:3561 [inline]
 dev_hard_start_xmit+0x1bd/0x3d0 net/core/dev.c:3577
 sch_direct_xmit+0x1f0/0xd40 net/sched/sch_generic.c:313
 qdisc_restart net/sched/sch_generic.c:376 [inline]
 __qdisc_run+0x9ed/0x19f0 net/sched/sch_generic.c:384
 __dev_xmit_skb net/core/dev.c:3800 [inline]
 __dev_queue_xmit+0x141b/0x2940 net/core/dev.c:4105
 packet_snd net/packet/af_packet.c:2984 [inline]
 packet_sendmsg+0x4b60/0x6510 net/packet/af_packet.c:3009
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 ____sys_sendmsg+0x519/0x800 net/socket.c:2353
 ___sys_sendmsg net/socket.c:2407 [inline]
 __sys_sendmsg+0x2b1/0x360 net/socket.c:2440
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46
RIP: 0033:0x45d5b9
Code: 5d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f84f7b4fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000027bc0 RCX: 000000000045d5b9
RDX: 0000000000000080 RSI: 0000000020000440 RDI: 0000000000000003
RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c
R13: 00007ffcf13fb73f R14: 00007f84f7b509c0 R15: 000000000118cf4c

Allocated by task 6833:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc+0x100/0x130 mm/kasan/common.c:461
 slab_post_alloc_hook+0x3e/0x290 mm/slab.h:518
 slab_alloc mm/slab.c:3312 [inline]
 kmem_cache_alloc+0x1c1/0x2d0 mm/slab.c:3482
 dup_mm+0x26/0x320 kernel/fork.c:1345
 copy_mm kernel/fork.c:1410 [inline]
 copy_process+0x1fdc/0x5200 kernel/fork.c:2069
 _do_fork+0x1ab/0x6d0 kernel/fork.c:2428
 __do_sys_clone kernel/fork.c:2545 [inline]
 __se_sys_clone kernel/fork.c:2529 [inline]
 __x64_sys_clone+0x1e9/0x230 kernel/fork.c:2529
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46

Freed by task 9604:
 kasan_save_stack mm/kasan/common.c:48 [inline]
 kasan_set_track+0x3d/0x70 mm/kasan/common.c:56
 kasan_set_free_info+0x17/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xdd/0x110 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free+0x82/0xf0 mm/slab.c:3693
 exit_mm+0x4cd/0x550 kernel/exit.c:483
 do_exit+0x576/0x1f20 kernel/exit.c:793
 do_group_exit+0x161/0x2d0 kernel/exit.c:903
 __do_sys_exit_group+0x13/0x20 kernel/exit.c:914
 __ia32_sys_exit_group+0x0/0x40 kernel/exit.c:912
 __x64_sys_exit_group+0x37/0x40 kernel/exit.c:912
 do_syscall_64+0x31/0x70 arch/x86/entry/common.c:46

The buggy address belongs to the object at ffff88802059f700
 which belongs to the cache mm_struct of size 1584
The buggy address is located 1298 bytes inside of
 1584-byte region [ffff88802059f700, ffff88802059fd30)
The buggy address belongs to the page:
page:0000000012185b13 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x2059e
head:0000000012185b13 order:1 compound_mapcount:0
flags: 0xfffe0000010200(slab|head)
raw: 00fffe0000010200 ffffea0002564108 ffffea0001228688 ffff88821bc47700
raw: 0000000000000000 ffff88802059e2c0 0000000100000004 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88802059fb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802059fb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88802059fc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802059fc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88802059fd00: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc

Crashes (12):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/09/05 02:24 upstream 59126901f200 abf9ba4f .config console log report ci-upstream-kasan-gce-smack-root
2020/05/13 22:44 upstream 24085f70a6e1 a885920d .config console log report ci-upstream-kasan-gce
2020/01/13 08:17 upstream 040a3c33623b 53faa9fe .config console log report ci-upstream-kasan-gce-selinux-root
2019/11/10 04:34 upstream 00aff6836241 dc438b91 .config console log report ci-upstream-kasan-gce-smack-root
2019/10/10 09:10 upstream 8a8c600de5dc c4b9981b .config console log report ci-upstream-kasan-gce-smack-root
2020/06/13 06:08 upstream 7ae77150d94d f4724dd3 .config console log report ci-upstream-kasan-gce-386
2020/06/14 16:56 net-next-old cb8e59cc8720 2a22c77a .config console log report ci-upstream-net-kasan-gce
2020/05/23 07:21 net-next-old 199671eadd47 9682898d .config console log report ci-upstream-net-kasan-gce
2020/04/03 17:35 net-next-old 1a323ea5356e 5ed396e6 .config console log report ci-upstream-net-kasan-gce
2020/05/13 23:30 linux-next ac935d227366 a885920d .config console log report ci-upstream-linux-next-kasan-gce-root
2019/12/26 20:05 linux-next 7ddd09fc4b74 be5c2c81 .config console log report ci-upstream-linux-next-kasan-gce-root
2019/09/11 13:06 linux-next 6d028043b55e a60cb4cd .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.