syzbot


KASAN: vmalloc-out-of-bounds Read in htab_free_elems

Status: fixed on 2021/03/10 01:48
Subsystems: bpf
[Documentation on labels]
Fix commit: e1868b9e36d0 bpf: Avoid overflows involving hash elem_size
First crash: 1199d, last: 1198d
Cause bisection: introduced by (bisect log) [no-op commit]:
commit 024cd2cbd1ca2d29e6df538855d52c4e5990cab7
Author: Santucci Pierpaolo <santucci@epigenesys.com>
Date: Mon Nov 16 10:30:37 2020 +0000

  selftest/bpf: Fix IPV6FR handling in flow dissector

Crash: BUG: sleeping function called from invalid context in sta_info_move_state (log)
Repro: C syz .config
  

Sample crash report:
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in htab_elem_get_ptr kernel/bpf/hashtab.c:217 [inline]
BUG: KASAN: vmalloc-out-of-bounds in htab_free_elems+0x25f/0x290 kernel/bpf/hashtab.c:240
Read of size 8 at addr ffffc900025522d0 by task syz-executor333/8484

CPU: 1 PID: 8484 Comm: syz-executor333 Not tainted 5.10.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0x5/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 htab_elem_get_ptr kernel/bpf/hashtab.c:217 [inline]
 htab_free_elems+0x25f/0x290 kernel/bpf/hashtab.c:240
 prealloc_init kernel/bpf/hashtab.c:330 [inline]
 htab_map_alloc+0xe2c/0x1230 kernel/bpf/hashtab.c:507
 find_and_alloc_map kernel/bpf/syscall.c:123 [inline]
 map_create kernel/bpf/syscall.c:829 [inline]
 __do_sys_bpf+0xa81/0x5170 kernel/bpf/syscall.c:4374
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4402d9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd52c7d598 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402d9
RDX: 000000000000001d RSI: 0000000020000180 RDI: 0000000000000000
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401ae0
R13: 0000000000401b70 R14: 0000000000000000 R15: 0000000000000000


Memory state around the buggy address:
 ffffc90002552180: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90002552200: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffc90002552280: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                                                 ^
 ffffc90002552300: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffc90002552380: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================

Crashes (7):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/12/07 02:02 net-next-old 4054eebf0fb0 c521566d .config console log report syz C ci-upstream-net-kasan-gce
2020/12/07 01:46 bpf-next 34da87213d3d c521566d .config console log report syz C ci-upstream-bpf-next-kasan-gce
2020/12/07 02:53 net-next-old 4054eebf0fb0 c521566d .config console log report info ci-upstream-net-kasan-gce
2020/12/07 02:45 bpf-next 34da87213d3d c521566d .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/07 01:25 bpf-next 34da87213d3d c521566d .config console log report info ci-upstream-bpf-next-kasan-gce
2020/12/05 22:21 net-next-old bcd684aace34 50503117 .config console log report info ci-upstream-net-kasan-gce
2020/12/05 22:16 bpf-next 34da87213d3d 50503117 .config console log report info ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.