syzbot


KASAN: use-after-free Read in parse_ipsecrequests

Status: fixed on 2017/08/23 10:47
Fix commit: 3c17d418afb0 UPSTREAM: af_key: Fix sadb_x_ipsecrequest parsing
First crash: 2521d, last: 2519d

Sample crash report:
==================================================================
Disabling lock debugging due to kernel taint
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1909 [inline] at addr ffff8801d1178cb4
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958 at addr ffff8801d1178cb4
Read of size 2 by task syzkaller090727/3351
page:ffffea0007445e00 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 3351 Comm: syzkaller090727 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9e0f7b0 ffffffff81eacd59 ffffed003a22f196 0000000000000002
 0000000000000000 ffffed003a22f196 ffff8801d1178cb4 ffff8801c9e0f830
 ffffffff81547141 0000000000000010 ffff880100000000 ffffffff8358b4b3
Call Trace:
 [<ffffffff81eacd59>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eacd59>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81547141>] print_address_description mm/kasan/report.c:208 [inline]
 [<ffffffff81547141>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff81547141>] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [<ffffffff81547384>] kasan_report mm/kasan/report.c:341 [inline]
 [<ffffffff81547384>] __asan_report_load_n_noabort+0x24/0x30 mm/kasan/report.c:340
 [<ffffffff8358b4b3>] parse_ipsecrequest net/key/af_key.c:1909 [inline]
 [<ffffffff8358b4b3>] parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958
 [<ffffffff835a4890>] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [<ffffffff83402532>] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [<ffffffff8323f79e>] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [<ffffffff8324078a>] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [<ffffffff832601b2>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [<ffffffff82f01f55>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [<ffffffff82efefa8>] SYSC_setsockopt net/socket.c:1771 [inline]
 [<ffffffff82efefa8>] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [<ffffffff839658c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d1178b80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d1178c00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801d1178c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff8801d1178d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d1178d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1906 [inline] at addr ffff8801d1178db6
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958 at addr ffff8801d1178db6
Read of size 1 by task syzkaller090727/3351
page:ffffea0007445e00 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 3351 Comm: syzkaller090727 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9e0f7b0 ffffffff81eacd59 ffffed003a22f1b6 0000000000000001
 0000000000000000 ffffed003a22f1b6 ffff8801d1178db6 ffff8801c9e0f830
 ffffffff81547141 ffffffffffffffff 000000400000000e ffffffff8358b4bd
Call Trace:
 [<ffffffff81eacd59>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eacd59>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81547141>] print_address_description mm/kasan/report.c:208 [inline]
 [<ffffffff81547141>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff81547141>] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [<ffffffff815471a9>] kasan_report mm/kasan/report.c:327 [inline]
 [<ffffffff815471a9>] __asan_report_load1_noabort+0x29/0x30 mm/kasan/report.c:327
 [<ffffffff8358b4bd>] parse_ipsecrequest net/key/af_key.c:1906 [inline]
 [<ffffffff8358b4bd>] parse_ipsecrequests+0xc7d/0xd00 net/key/af_key.c:1958
 [<ffffffff835a4890>] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [<ffffffff83402532>] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [<ffffffff8323f79e>] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146
 [<ffffffff8324078a>] ip_setsockopt+0x3a/0xb0 net/ipv4/ip_sockglue.c:1235
 [<ffffffff832601b2>] tcp_setsockopt+0x82/0xd0 net/ipv4/tcp.c:2701
 [<ffffffff82f01f55>] sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2705
 [<ffffffff82efefa8>] SYSC_setsockopt net/socket.c:1771 [inline]
 [<ffffffff82efefa8>] SyS_setsockopt+0x158/0x240 net/socket.c:1750
 [<ffffffff839658c5>] entry_SYSCALL_64_fastpath+0x23/0xc6
Memory state around the buggy address:
 ffff8801d1178c80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d1178d00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801d1178d80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff8801d1178e00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801d1178e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
==================================================================
BUG: KASAN: use-after-free in parse_ipsecrequest net/key/af_key.c:1909 [inline] at addr ffff8801d1178db4
BUG: KASAN: use-after-free in parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958 at addr ffff8801d1178db4
Read of size 2 by task syzkaller090727/3351
page:ffffea0007445e00 count:0 mapcount:-127 mapping:          (null) index:0x0
flags: 0x200000000000000()
page dumped because: kasan: bad access detected
CPU: 1 PID: 3351 Comm: syzkaller090727 Tainted: G    B           4.9.39-g5b07c2d #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801c9e0f7b0 ffffffff81eacd59 ffffed003a22f1b6 0000000000000002
 0000000000000000 ffffed003a22f1b6 ffff8801d1178db4 ffff8801c9e0f830
 ffffffff81547141 0000000000000010 0000004000000000 ffffffff8358b4b3
Call Trace:
 [<ffffffff81eacd59>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81eacd59>] dump_stack+0xc1/0x128 lib/dump_stack.c:51
 [<ffffffff81547141>] print_address_description mm/kasan/report.c:208 [inline]
 [<ffffffff81547141>] kasan_report_error mm/kasan/report.c:287 [inline]
 [<ffffffff81547141>] kasan_report.part.1+0x4a1/0x4e0 mm/kasan/report.c:309
 [<ffffffff81547384>] kasan_report mm/kasan/report.c:341 [inline]
 [<ffffffff81547384>] __asan_report_load_n_noabort+0x24/0x30 mm/kasan/report.c:340
 [<ffffffff8358b4b3>] parse_ipsecrequest net/key/af_key.c:1909 [inline]
 [<ffffffff8358b4b3>] parse_ipsecrequests+0xc73/0xd00 net/key/af_key.c:1958
 [<ffffffff835a4890>] pfkey_compile_policy+0xa20/0xd40 net/key/af_key.c:3250
 [<ffffffff83402532>] xfrm_user_policy+0x222/0x370 net/xfrm/xfrm_state.c:1900
 [<ffffffff8323f79e>] do_ip_setsockopt.isra.11+0x193e/0x28f0 net/ipv4/ip_sockglue.c:1146

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/07/22 07:23 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report syz C ci-android-49-kasan-gce
2017/07/24 06:05 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report ci-android-49-kasan-gce
2017/07/22 21:58 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report ci-android-49-kasan-gce
2017/07/22 03:56 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report ci-android-49-kasan-gce
2017/07/22 03:54 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report ci-android-49-kasan-gce
2017/07/22 03:54 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report ci-android-49-kasan-gce
2017/07/22 03:53 https://android.googlesource.com/kernel/common android-4.9 5b07c2d25292 b59a95bc .config console log report ci-android-49-kasan-gce
* Struck through repros no longer work on HEAD.