syzbot

KASAN: use-after-free Read in tipc_mcast_xmit (2)

Status: fixed on 2020/11/16 12:12
Reported-by: syzbot+e96a7ba46281824cc46a@syzkaller.appspotmail.com
Fix commit: ed42989eab57 tipc: fix the skb_unshare() in tipc_buf_append()
First crash: 847d, last: 833d

Cause bisection: introduced by (bisect log) :
commit ff48b6222e65ebdba5a403ef1deba6214e749193
Author: Xin Long <lucien.xin@gmail.com>
Date: Sun Sep 13 11:37:31 2020 +0000

  tipc: use skb_unshare() instead in tipc_buf_append()

Crash: WARNING: refcount bug in tipc_mcast_xmit (log)
Repro: C syz .config
similar bugs (3):

| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| android-54 | KASAN: use-after-free Read in tipc_mcast_xmit | C | | | 23 | 829d | 849d | 0/2 | upstream: reported C repro on 2020/09/29 18:19 |
| upstream | KASAN: use-after-free Read in tipc_mcast_xmit | syz | | | 7 | 1495d | 1502d | 12/24 | fixed on 2019/01/11 01:22 |
| linux-4.19 | KASAN: use-after-free Read in tipc_mcast_xmit | C | done | | 3 | 820d | 843d | 1/1 | fixed on 2020/11/28 11:57 |

Last patch testing requests:

| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2020/10/08 03:08 | 17m | xiyou.wangcong@gmail.com | | https://github.com/congwang/linux.git net | OK |

Sample crash report:
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004028a0
R13: 0000000000402930 R14: 0000000000000000 R15: 0000000000000000
tipc: Failed do clone local mcast rcv buffer
==================================================================
BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:2063 [inline]
BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:2082 [inline]
BUG: KASAN: use-after-free in __skb_queue_purge include/linux/skbuff.h:2793 [inline]
BUG: KASAN: use-after-free in tipc_mcast_xmit+0xfaa/0x1170 net/tipc/bcast.c:422
Read of size 8 at addr ffff8880a73e2040 by task syz-executor657/6887

CPU: 1 PID: 6887 Comm: syz-executor657 Not tainted 5.9.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x198/0x1fd lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
 __kasan_report mm/kasan/report.c:513 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
 __skb_unlink include/linux/skbuff.h:2063 [inline]
 __skb_dequeue include/linux/skbuff.h:2082 [inline]
 __skb_queue_purge include/linux/skbuff.h:2793 [inline]
 tipc_mcast_xmit+0xfaa/0x1170 net/tipc/bcast.c:422
 tipc_sendmcast+0xaaf/0xef0 net/tipc/socket.c:865
 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1454
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1387
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4419d9
Code: e8 cc ac 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0a fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffe0cace4c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004419d9
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000004
RBP: 000000000000f0ee R08: 0000000000000001 R09: 0000000000402930
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004028a0
R13: 0000000000402930 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 6887:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
 slab_post_alloc_hook mm/slab.h:518 [inline]
 slab_alloc_node mm/slab.c:3254 [inline]
 kmem_cache_alloc_node+0x136/0x430 mm/slab.c:3574
 __alloc_skb+0x71/0x550 net/core/skbuff.c:198
 alloc_skb_fclone include/linux/skbuff.h:1144 [inline]
 tipc_buf_acquire+0x28/0xf0 net/tipc/msg.c:76
 tipc_msg_build+0x6b8/0x10c0 net/tipc/msg.c:428
 tipc_sendmcast+0x855/0xef0 net/tipc/socket.c:859
 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1454
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1387
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 6887:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
 __cache_free mm/slab.c:3418 [inline]
 kmem_cache_free.part.0+0x74/0x1e0 mm/slab.c:3693
 kfree_skbmem+0x166/0x1b0 net/core/skbuff.c:643
 kfree_skb+0x7d/0x100 include/linux/refcount.h:270
 tipc_buf_append+0x6dc/0xcf0 net/tipc/msg.c:198
 tipc_msg_reassemble+0x175/0x4f0 net/tipc/msg.c:790
 tipc_mcast_xmit+0x699/0x1170 net/tipc/bcast.c:386
 tipc_sendmcast+0xaaf/0xef0 net/tipc/socket.c:865
 __tipc_sendmsg+0xee3/0x18a0 net/tipc/socket.c:1454
 tipc_sendmsg+0x4c/0x70 net/tipc/socket.c:1387
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2353
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2407
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2440
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880a73e2040
 which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 0 bytes inside of
 456-byte region [ffff8880a73e2040, ffff8880a73e2208)
The buggy address belongs to the page:
page:000000001368f319 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xa73e2
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffff8880a9050f50 ffffea00028ff188 ffff8880a903dc00
raw: 0000000000000000 ffff8880a73e2040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a73e1f00: fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc
 ffff8880a73e1f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a73e2000: fc fc fc fc fc fc fc fc fa fb fb fb fb fb fb fb
                                           ^
 ffff8880a73e2080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a73e2100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (37):

| Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ci-upstream-bpf-kasan-gce | 2020/10/01 23:13 | bpf | a59cf619787e | 9602ddf4 | .config | console log | report | syz | C | | | |
| ci-upstream-bpf-kasan-gce | 2020/10/16 07:01 | bpf | 28802e7c0c99 | 6e262c73 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/16 03:15 | bpf | 28802e7c0c99 | 6e262c73 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/16 01:56 | bpf | 28802e7c0c99 | 6e262c73 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/15 09:45 | bpf | 28802e7c0c99 | 63869021 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/14 20:01 | bpf | 28802e7c0c99 | fc7735a2 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/12 10:36 | bpf | 28802e7c0c99 | 4a77ae0b | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/12 08:38 | bpf | 28802e7c0c99 | 4a77ae0b | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/10 22:36 | bpf | 28802e7c0c99 | 4a77ae0b | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/10 00:51 | bpf | 28802e7c0c99 | d81b165e | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/07 18:53 | bpf | d82a532a6115 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/06 13:15 | bpf | d82a532a6115 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/06 13:12 | bpf | d82a532a6115 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/06 12:35 | bpf | d82a532a6115 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/05 23:06 | bpf | d82a532a6115 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/05 13:36 | bpf | d82a532a6115 | 5ef9c291 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/02 11:49 | bpf | a59cf619787e | 9602ddf4 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/02 07:33 | bpf | a59cf619787e | 9602ddf4 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/02 00:58 | bpf | a59cf619787e | 9602ddf4 | .config | console log | report | | | info | | |
| ci-upstream-bpf-kasan-gce | 2020/10/01 22:56 | bpf | a59cf619787e | 9602ddf4 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/12 17:40 | bpf-next | 376dcfe3a4e5 | d32b0bbf | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/10 14:30 | bpf-next | ac53a0d3107c | 93817d89 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/10 11:13 | bpf-next | ac53a0d3107c | 93817d89 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/09 04:18 | bpf-next | 1e9259eca8fd | 92390980 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/08 02:50 | bpf-next | bf88a80a0407 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/07 11:35 | bpf-next | 67ed375530e2 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/07 01:46 | bpf-next | dca4121cdc48 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/07 00:58 | bpf-next | dca4121cdc48 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-net-kasan-gce | 2020/10/06 07:54 | net-next | c2568c8c9e63 | 1880b4a9 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/05 15:15 | bpf-next | 1028ae406999 | 5ef9c291 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/05 14:35 | bpf-next | 1028ae406999 | 5ef9c291 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/03 19:05 | bpf-next | 1028ae406999 | 2653fa43 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/03 18:31 | bpf-next | 1028ae406999 | 2653fa43 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/03 13:50 | bpf-next | 1028ae406999 | 2653fa43 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/02 20:01 | bpf-next | 360f89874635 | 4969d6ca | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/02 10:43 | bpf-next | 6208689fb3e6 | 9602ddf4 | .config | console log | report | | | info | | |
| ci-upstream-bpf-next-kasan-gce | 2020/10/02 02:15 | bpf-next | 6208689fb3e6 | 9602ddf4 | .config | console log | report | | | info | | |
* Struck through repros no longer work on HEAD.