syzbot


KASAN: use-after-free Write in tls_push_record (2)

Status: fixed on 2019/02/26 22:09
Subsystems: net
Reported-by: syzbot+6c4e6ecbf9a2797be67c@syzkaller.appspotmail.com
Fix commit: d829e9c4112b tls: convert to generic sk_msg interface
First crash: 2112d, last: 2010d
Discussions (1)
Title Replies (including bot) Last reply
KASAN: use-after-free Write in tls_push_record (2) 2 (3) 2019/02/26 07:31
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Write in tls_push_record C error 120 444d 1829d 0/1 upstream: reported C repro on 2019/04/21 15:31
upstream KASAN: use-after-free Write in tls_push_record net C 24 2115d 2160d 8/26 fixed on 2018/07/09 18:05

Sample crash report:
RDX: 0000000000000001 RSI: 0000000020005f00 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000000000001 R09: 0000000000000035
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0000000000000000 R14: 00007f9a99afed80 R15: 0000000000000004
==================================================================
BUG: KASAN: use-after-free in tls_fill_prepend include/net/tls.h:368 [inline]
BUG: KASAN: use-after-free in tls_push_record+0x10b9/0x1480 net/tls/tls_sw.c:220
Write of size 1 at addr ffff8801bb268000 by task syz-executor612/5332

CPU: 1 PID: 5332 Comm: syz-executor612 Not tainted 4.19.0-rc8+ #286
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
 print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 tls_fill_prepend include/net/tls.h:368 [inline]
 tls_push_record+0x10b9/0x1480 net/tls/tls_sw.c:220
 tls_sw_push_pending_record+0x22/0x30 net/tls/tls_sw.c:257
 tls_handle_open_record net/tls/tls_main.c:156 [inline]
 tls_sk_proto_close+0x69c/0xbb0 net/tls/tls_main.c:271
 inet_release+0x104/0x1f0 net/ipv4/af_inet.c:428
 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:457
 __sock_release+0xd7/0x250 net/socket.c:579
 sock_close+0x19/0x20 net/socket.c:1141
 __fput+0x385/0xa30 fs/file_table.c:278
 ____fput+0x15/0x20 fs/file_table.c:309
 task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
 exit_task_work include/linux/task_work.h:22 [inline]
 do_exit+0x1ad7/0x2610 kernel/exit.c:867
 do_group_exit+0x177/0x440 kernel/exit.c:970
 get_signal+0x8b0/0x1980 kernel/signal.c:2513
 do_signal+0x9c/0x21e0 arch/x86/kernel/signal.c:816
 exit_to_usermode_loop+0x2e5/0x380 arch/x86/entry/common.c:162
 prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
 do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x445cf9
Code: Bad RIP value.
RSP: 002b:00007f9a99afed78 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: 0000000000000001 RBX: 00000000006dbc28 RCX: 0000000000445cf9
RDX: 0000000000000001 RSI: 0000000020005f00 RDI: 0000000000000003
RBP: 00000000006dbc20 R08: 0000000000000001 R09: 0000000000000035
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dbc2c
R13: 0000000000000000 R14: 00007f9a99afed80 R15: 0000000000000004

The buggy address belongs to the page:
page:ffffea0006ec9a00 count:0 mapcount:-128 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 ffffea0006ece208 ffff88021fffaef8 0000000000000000
raw: 0000000000000000 0000000000000003 00000000ffffff7f 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801bb267f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801bb267f80: 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc
>ffff8801bb268000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                   ^
 ffff8801bb268080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801bb268100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (64):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/10/17 04:38 upstream b955a910d7fd 1ba7fd7e .config console log report syz C ci-upstream-kasan-gce
2018/10/07 14:12 upstream fb1c592cf4c9 8b311eaf .config console log report syz C ci-upstream-kasan-gce-root
2018/10/07 12:22 upstream fb1c592cf4c9 8b311eaf .config console log report syz C ci-upstream-kasan-gce-selinux-root
2018/10/07 11:10 upstream c1d84a1b42ef 8b311eaf .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/10/07 10:47 upstream c1d84a1b42ef 8b311eaf .config console log report syz C ci-upstream-kasan-gce
2018/08/26 12:32 upstream 2923b27e5424 758cd203 .config console log report syz C ci-upstream-kasan-gce
2018/08/09 20:59 upstream 112cbae26d18 1fb62d58 .config console log report syz C ci-upstream-kasan-gce
2018/08/09 01:29 upstream fedb8da96355 2eeda842 .config console log report syz C ci-upstream-kasan-gce
2018/08/05 14:00 upstream 60f5a2173632 1beb8136 .config console log report syz C ci-upstream-kasan-gce-root
2018/08/01 21:25 upstream 44960f2a7b63 0a7cf4ec .config console log report syz C ci-upstream-kasan-gce
2018/07/11 22:12 upstream 1e09177acae3 2e0e3130 .config console log report syz C ci-upstream-kasan-gce
2018/10/07 14:25 net-old c1d84a1b42ef 8b311eaf .config console log report syz C ci-upstream-net-this-kasan-gce
2018/09/29 23:23 net-old 43955a45dc0b 41e4b329 .config console log report syz C ci-upstream-net-this-kasan-gce
2018/09/20 06:51 net-next-old 18522108d53c 7f125108 .config console log report syz C ci-upstream-net-kasan-gce
2018/10/07 12:04 linux-next 12ffaa1197f5 8b311eaf .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/10/05 21:20 linux-next 12ffaa1197f5 8b311eaf .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/01 13:58 linux-next d9bd94c0bcaa 1477993e .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2018/08/24 16:47 upstream 33e17876ea4e 95b5c82b .config console log report syz ci-upstream-kasan-gce
2018/08/24 16:06 net-next-old 2ad0d5269970 95b5c82b .config console log report syz ci-upstream-net-kasan-gce
2018/10/22 07:50 upstream 467e050e9760 ecb386fe .config console log report ci-upstream-kasan-gce
2018/10/20 10:19 upstream 270b77a0f30e ecb386fe .config console log report ci-upstream-kasan-gce-smack-root
2018/10/16 07:10 upstream f0a7d1883d9f 8cd30605 .config console log report ci-upstream-kasan-gce-root
2018/10/13 14:19 upstream bab5c80b2110 caf12900 .config console log report ci-upstream-kasan-gce
2018/09/26 01:57 upstream 846e8dd47c26 b7e11289 .config console log report ci-upstream-kasan-gce
2018/09/22 09:16 upstream 10dc890d4228 37079712 .config console log report ci-upstream-kasan-gce-root
2018/09/07 04:34 upstream ca16eb342ebe e30d3b52 .config console log report ci-upstream-kasan-gce-smack-root
2018/08/15 09:22 upstream d0055f351e64 0e6dcb88 .config console log report ci-upstream-kasan-gce
2018/08/15 03:36 upstream d0055f351e64 0e6dcb88 .config console log report ci-upstream-kasan-gce-root
2018/08/10 14:42 upstream 112cbae26d18 1fb62d58 .config console log report ci-upstream-kasan-gce-root
2018/07/31 22:03 upstream c1d61e7fe376 1477993e .config console log report ci-upstream-kasan-gce
2018/07/27 22:01 upstream 864af0d40cdc ebf656d7 .config console log report ci-upstream-kasan-gce-root
2018/07/11 20:54 upstream 1e09177acae3 2e0e3130 .config console log report ci-upstream-kasan-gce
2018/10/18 14:02 net-old 84258438e8ce d257b2d2 .config console log report ci-upstream-net-this-kasan-gce
2018/10/17 22:39 net-old 0ac1077e3a54 b2695b95 .config console log report ci-upstream-net-this-kasan-gce
2018/10/11 01:37 net-old 52b5d6f5dcf0 5f818b4b .config console log report ci-upstream-net-this-kasan-gce
2018/10/09 19:39 net-old 4cf34c0cf60e 8b311eaf .config console log report ci-upstream-net-this-kasan-gce
2018/10/07 00:58 net-old c1d84a1b42ef 8b311eaf .config console log report ci-upstream-net-this-kasan-gce
2018/10/06 09:26 net-old 35f3625c2185 8b311eaf .config console log report ci-upstream-net-this-kasan-gce
2018/10/03 05:50 net-old 45ec318578c0 0f3e0261 .config console log report ci-upstream-net-this-kasan-gce
2018/10/02 17:16 net-old ad5f97faff42 a316a2af .config console log report ci-upstream-net-this-kasan-gce
2018/09/22 05:53 net-old 652ef42c134d 37079712 .config console log report ci-upstream-net-this-kasan-gce
2018/09/18 10:07 net-old c73480910e96 7f125108 .config console log report ci-upstream-net-this-kasan-gce
2018/09/13 07:11 net-old 7428b2e5d0b1 71907daf .config console log report ci-upstream-net-this-kasan-gce
2018/08/28 22:20 net-old 53ae914d898e b771b17e .config console log report ci-upstream-net-this-kasan-gce
2018/08/20 19:21 net-old 9c86336c15db 95b5c82b .config console log report ci-upstream-net-this-kasan-gce
2018/08/15 21:18 net-old ec0c96714e7d 9ccc1d45 .config console log report ci-upstream-net-this-kasan-gce
2018/08/05 00:02 net-old 5607016cd1bb 3476a2df .config console log report ci-upstream-net-this-kasan-gce
2018/07/29 06:27 net-old 136f55f66019 ebf656d7 .config console log report ci-upstream-net-this-kasan-gce
2018/07/27 22:01 net-old d0fdb366b693 ebf656d7 .config console log report ci-upstream-net-this-kasan-gce
2018/07/19 08:53 net-old 9640ccce3005 49f35839 .config console log report ci-upstream-net-this-kasan-gce
2018/10/15 11:15 net-next-old 921060ccdae9 caf12900 .config console log report ci-upstream-net-kasan-gce
2018/10/15 03:39 net-next-old 921060ccdae9 caf12900 .config console log report ci-upstream-net-kasan-gce
2018/10/10 03:14 net-next-old b18719157762 8b311eaf .config console log report ci-upstream-net-kasan-gce
2018/09/12 22:23 net-next-old 0041195d55bc 71907daf .config console log report ci-upstream-net-kasan-gce
2018/09/01 10:51 net-next-old ee713b6da510 a4718693 .config console log report ci-upstream-net-kasan-gce
2018/08/10 10:55 net-next-old 36d2f761b5aa 1fb62d58 .config console log report ci-upstream-net-kasan-gce
2018/08/09 13:13 net-next-old 82b94f5d6891 2eeda842 .config console log report ci-upstream-net-kasan-gce
2018/08/06 09:57 net-next-old 981467033a37 1beb8136 .config console log report ci-upstream-net-kasan-gce
2018/07/18 05:54 net-next-old 07df5bd874f0 6d5bd5b5 .config console log report ci-upstream-net-kasan-gce
2018/07/15 18:04 net-next-old 2aa4a3378ad0 92a49505 .config console log report ci-upstream-net-kasan-gce
2018/09/06 03:06 linux-next f2b6e66e9885 873745f2 .config console log report ci-upstream-linux-next-kasan-gce-root
2018/07/17 18:35 linux-next 1dcbe5f2c615 6d5bd5b5 .config console log report ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.