syzbot


KASAN: slab-out-of-bounds Read in ip6_xmit (3)

Status: fixed on 2018/07/09 18:05
Subsystems: net
[Documentation on labels]
Fix commit: 9901c5d77e96 bpf: sockmap, fix crash when ipv6 sock is added
First crash: 2327d, last: 2285d
Discussions (11)
Title Replies (including bot) Last reply
[PATCH 4.17 000/101] 4.17.9-stable review 100 (101) 2018/07/22 11:42
[bpf PATCH v5 0/4] BPF fixes for sockhash 6 (6) 2018/06/30 23:58
[bpf PATCH v4 0/4] BPF fixes for sockhash 8 (8) 2018/06/29 14:41
[bpf PATCH v3 0/4] BPF fixes for sockhash 8 (8) 2018/06/23 07:45
[bpf PATCH v2 0/6] BPF fixes for sockhash 19 (19) 2018/06/20 22:15
[bpf PATCH 0/6] BPF fixes for sockhash 10 (10) 2018/06/14 16:47
[bpf PATCH v2 0/2] bpf, sockmap IPv6/TCP state fixes 7 (7) 2018/06/12 13:57
[bpf-next PATCH] bpf: sockmap, fix crash when ipv6 sock is added 4 (4) 2018/06/04 23:20
[bpf PATCH v2] bpf: sockmap, fix crash when ipv6 sock is added 6 (6) 2018/06/04 14:55
[PATCH bpf-next] bpf: prevent non-IPv4 socket to be added into sock hash 5 (5) 2018/06/01 18:40
[bpf PATCH] bpf: sockmap, fix crash when ipv6 sock is added 1 (1) 2018/06/01 08:21
Similar bugs (4)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in ip6_xmit net C 156 2406d 2456d 4/28 fixed on 2018/03/06 13:29
android-44 KASAN: slab-out-of-bounds Read in ip6_xmit C 404 2228d 2004d 0/2 public: reported C repro on 2019/04/11 08:44
android-49 KASAN: slab-out-of-bounds Read in ip6_xmit C 388 2228d 2003d 0/3 public: reported C repro on 2019/04/12 00:00
upstream KASAN: slab-out-of-bounds Read in ip6_xmit (2) net C 259 2390d 2404d 4/28 fixed on 2018/03/23 18:14

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:203 [inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x2002/0x23f0 net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801b300edb0 by task syz-executor888/4522

CPU: 0 PID: 4522 Comm: syz-executor888 Not tainted 4.17.0-rc4+ #17
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1b9/0x294 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 ip6_dst_idev include/net/ip6_fib.h:203 [inline]
 ip6_xmit+0x2002/0x23f0 net/ipv6/ip6_output.c:264
 inet6_csk_xmit+0x377/0x630 net/ipv6/inet6_connection_sock.c:139
 tcp_transmit_skb+0x1be0/0x3e40 net/ipv4/tcp_output.c:1159
 tcp_send_syn_data net/ipv4/tcp_output.c:3441 [inline]
 tcp_connect+0x2207/0x45a0 net/ipv4/tcp_output.c:3480
 tcp_v4_connect+0x1934/0x1d50 net/ipv4/tcp_ipv4.c:272
 __inet_stream_connect+0x943/0x1120 net/ipv4/af_inet.c:655
 tcp_sendmsg_fastopen net/ipv4/tcp.c:1162 [inline]
 tcp_sendmsg_locked+0x2859/0x3ee0 net/ipv4/tcp.c:1209
 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1447
 inet_sendmsg+0x19f/0x690 net/ipv4/af_inet.c:798
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:639
 ___sys_sendmsg+0x805/0x940 net/socket.c:2117
 __sys_sendmsg+0x115/0x270 net/socket.c:2155
 __do_sys_sendmsg net/socket.c:2164 [inline]
 __se_sys_sendmsg net/socket.c:2162 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2162
 do_syscall_64+0x1b1/0x800 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43ff99
RSP: 002b:00007ffc00bd1cf8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043ff99
RDX: 0000000020000000 RSI: 0000000020000580 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000217 R12: 00000000004018c0
R13: 0000000000401950 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 0:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490
 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554
 dst_alloc+0xbb/0x1d0 net/core/dst.c:105
 rt_dst_alloc+0xfa/0x500 net/ipv4/route.c:1556
 __mkroute_output net/ipv4/route.c:2246 [inline]
 ip_route_output_key_hash_rcu+0xa45/0x3380 net/ipv4/route.c:2473
 ip_route_output_key_hash+0x23a/0x390 net/ipv4/route.c:2302
 __ip_route_output_key include/net/route.h:124 [inline]
 ip_route_output_flow+0x28/0xc0 net/ipv4/route.c:2557
 ip_route_output_key include/net/route.h:134 [inline]
 ip_send_unicast_reply+0x97f/0x1800 net/ipv4/ip_output.c:1572
 tcp_v4_send_reset+0x1253/0x2900 net/ipv4/tcp_ipv4.c:731
 tcp_v4_rcv+0x1f0b/0x38d0 net/ipv4/tcp_ipv4.c:1801
 ip_local_deliver_finish+0x2e3/0xd80 net/ipv4/ip_input.c:215
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_local_deliver+0x1e1/0x720 net/ipv4/ip_input.c:256
 dst_input include/net/dst.h:450 [inline]
 ip_rcv_finish+0x81b/0x2200 net/ipv4/ip_input.c:396
 NF_HOOK include/linux/netfilter.h:288 [inline]
 ip_rcv+0x9fe/0x125c net/ipv4/ip_input.c:492
 __netif_receive_skb_core+0x2468/0x3650 net/core/dev.c:4646
 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4711
 netif_receive_skb_internal+0x126/0x7b0 net/core/dev.c:4785
 napi_skb_finish net/core/dev.c:5147 [inline]
 napi_gro_receive+0x44d/0x5a0 net/core/dev.c:5178
 receive_buf+0xc64/0x2b90 drivers/net/virtio_net.c:959
 virtnet_receive drivers/net/virtio_net.c:1214 [inline]
 virtnet_poll+0x3c8/0xdb5 drivers/net/virtio_net.c:1296
 napi_poll net/core/dev.c:5789 [inline]
 net_rx_action+0x7b7/0x1930 net/core/dev.c:5855
 __do_softirq+0x2e0/0xaf5 kernel/softirq.c:285

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801b300ed00
 which belongs to the cache ip_dst_cache of size 160
The buggy address is located 16 bytes to the right of
 160-byte region [ffff8801b300ed00, ffff8801b300eda0)
The buggy address belongs to the page:
page:ffffea0006cc0380 count:1 mapcount:0 mapping:ffff8801b300e000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801b300e000 0000000000000000 0000000100000010
raw: ffffea0006b6ec60 ffff8801d65f7748 ffff8801d4400840 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b300ec80: fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801b300ed00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801b300ed80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff8801b300ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b300ee80: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (69):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/05/22 19:03 bpf-next fd0bfa8d6e04 f48c20b8 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/07/04 04:39 bpf-next 0b9e3d543f9f 317fc8ea .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/03 19:29 bpf-next 0b9e3d543f9f 317fc8ea .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/03 08:36 bpf-next 0b9e3d543f9f 317fc8ea .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/02 18:03 bpf-next 0b9e3d543f9f 574780b0 .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/02 03:09 bpf-next 0b9e3d543f9f dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/01 11:18 bpf-next 0b9e3d543f9f dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/01 02:55 bpf-next 0b9e3d543f9f dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/07/01 00:10 bpf-next 0b9e3d543f9f dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/29 21:51 bpf-next 509fda105ba8 dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/29 14:17 bpf-next 509fda105ba8 dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/28 21:46 bpf-next a7f7547f5e2b dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/28 20:01 bpf-next a7f7547f5e2b dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/28 16:54 bpf-next a7f7547f5e2b dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/28 13:59 bpf-next a7f7547f5e2b dba0b50e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/28 04:03 bpf-next a7f7547f5e2b 43e60f7e .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/27 02:48 bpf-next 651b4513bdd2 b0294c53 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 12:59 bpf-next 651b4513bdd2 089f1181 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 08:06 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 01:55 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 21:31 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 08:10 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/24 22:32 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/24 08:35 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/23 16:16 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/23 14:05 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/23 12:08 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/23 05:20 bpf-next f0dc7f9c6dd9 89d2e600 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/22 21:29 bpf-next f0dc7f9c6dd9 c97f0d7a .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/22 17:06 bpf-next f0dc7f9c6dd9 c97f0d7a .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/22 08:22 bpf-next f0dc7f9c6dd9 095ef806 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/21 09:55 bpf-next f0dc7f9c6dd9 095ef806 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/20 15:32 bpf-next f0dc7f9c6dd9 095ef806 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/20 00:47 bpf-next f0dc7f9c6dd9 095ef806 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/19 19:57 bpf-next f0dc7f9c6dd9 732e4256 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/18 19:26 bpf-next f0dc7f9c6dd9 45c54f75 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/18 16:44 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/18 08:37 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/18 02:10 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/17 16:27 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/17 03:00 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/16 05:28 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/15 19:31 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/15 19:17 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/15 01:22 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/14 04:18 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/12 09:55 bpf-next 75d4e704fa8d 112eec79 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/11 19:49 bpf-next 75d4e704fa8d ae8bdb50 .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/10 08:28 bpf-next 75d4e704fa8d 866118af .config console log report ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.