syzbot


KASAN: slab-out-of-bounds Read in bpf_skb_change_proto

Status: fixed on 2020/02/05 13:33
Reported-by: syzbot+d8532c325bf5c40a1b85@syzkaller.appspotmail.com
Fix commit: 7fed98f4a1e6 bpf: reject passing modified ctx to helper functions
First crash: 1277d, last: 1130d

Fix bisection: fixed by (bisect log) :
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu Jun 7 15:40:03 2018 +0000

  bpf: reject passing modified ctx to helper functions

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in bpf_skb_change_proto C 2 1703d 1702d 9/24 fixed on 2018/07/09 18:05
android-414 KASAN: slab-out-of-bounds Read in bpf_skb_change_proto C 11 1177d 1397d 0/1 public: reported C repro on 2019/04/12 00:01

Sample crash report:
audit: type=1400 audit(1567423021.113:36): avc:  denied  { map } for  pid=6903 comm="sh" path="/bin/dash" dev="sda1" ino=1473 scontext=system_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1567423025.043:37): avc:  denied  { map } for  pid=6907 comm="syz-executor057" path="/root/syz-executor057000940" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in bpf_skb_proto_xlat net/core/filter.c:2151 [inline]
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_proto net/core/filter.c:2189 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164
Read of size 2 at addr ffff8880a55bc300 by task syz-executor057/6907

CPU: 1 PID: 6907 Comm: syz-executor057 Not tainted 4.14.141 #37
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x197 lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
 bpf_skb_proto_xlat net/core/filter.c:2151 [inline]
 ____bpf_skb_change_proto net/core/filter.c:2189 [inline]
 bpf_skb_change_proto+0xdbc/0x10f0 net/core/filter.c:2164
 bpf_prog_4b4d9be662d00a7e+0xcfd/0x1000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a55bc300
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 0 bytes inside of
 232-byte region [ffff8880a55bc300, ffff8880a55bc3e8)
The buggy address belongs to the page:
page:ffffea0002956f00 count:1 mapcount:0 mapping:ffff8880a55bc080 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880a55bc080 0000000000000000 000000010000000c
raw: ffffea0002829fe0 ffffea0002783ae0 ffff88821b7203c0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a55bc200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a55bc280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a55bc300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8880a55bc380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a55bc400: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci2-linux-4-14 2019/09/02 11:20 linux-4.14.y 01fd1694b93c db7c31ca .config console log report syz C
ci2-linux-4-14 2019/08/09 21:41 linux-4.14.y 3ffe1e79c174 aff9e255 .config console log report syz C
* Struck through repros no longer work on HEAD.