syzbot


KASAN: use-after-free Read in eth_type_trans
Status: fixed on 2020/12/23 11:40
Reported-by: syzbot+6745e272378d071cac7f@syzkaller.appspotmail.com
Fix commit: 96aa1b22bd6b tun: correct header offsets in napi frags mode
First crash: 883d, last: 737d

Cause bisection: introduced by (bisect log) :
commit 90e33d45940793def6f773b2d528e9f3c84ffdc7
Author: Petar Penkov <peterpenkov96@gmail.com>
Date: Fri Sep 22 20:49:15 2017 +0000

  tun: enable napi_gro_frags() for TUN/TAP driver

Crash: KASAN: use-after-free Read in eth_type_trans (log)
Repro: C syz .config

Fix bisection: failed (bisect log)
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: use-after-free Read in eth_type_trans C error 1 613d 884d 0/1 upstream: reported C repro on 2019/12/19 12:15

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
==================================================================
BUG: KASAN: use-after-free in ether_addr_equal_64bits include/linux/etherdevice.h:348 [inline]
BUG: KASAN: use-after-free in eth_type_trans+0x6ce/0x760 net/ethernet/eth.c:167
Read of size 8 at addr ffff88808abf0040 by task syz-executor315/9208

CPU: 0 PID: 9208 Comm: syz-executor315 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
 ether_addr_equal_64bits include/linux/etherdevice.h:348 [inline]
 eth_type_trans+0x6ce/0x760 net/ethernet/eth.c:167
 napi_frags_finish net/core/dev.c:5924 [inline]
 napi_gro_frags+0x8c2/0xd00 net/core/dev.c:5999
 tun_get_user+0x2e7f/0x3fc0 drivers/net/tun.c:1976
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2022
 call_write_iter include/linux/fs.h:1902 [inline]
 do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
 do_iter_write fs/read_write.c:970 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:951
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
 do_writev+0x15b/0x330 fs/read_write.c:1058
 __do_sys_writev fs/read_write.c:1131 [inline]
 __se_sys_writev fs/read_write.c:1128 [inline]
 __x64_sys_writev+0x75/0xb0 fs/read_write.c:1128
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441800
Code: 05 48 3d 01 f0 ff ff 0f 83 fd 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 83 3d 51 9c 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff ff 0f 83 d4 0e fc ff c3 48 83 ec 08 e8 9a 2b 00 00
RSP: 002b:00007fff3ba99898 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441800
RDX: 0000000000000001 RSI: 00007fff3ba998f0 RDI: 00000000000000f0
RBP: 00007fff3ba998c0 R08: 0000000000000000 R09: 0000000000000020
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000004 R14: 00007fff3ba99940 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea00022afc00 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
raw: 00fffe0000000000 ffffea00022afc08 ffffea00022afc08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88808abeff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808abeff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88808abf0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                           ^
 ffff88808abf0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88808abf0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (3):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-root 2019/12/19 23:09 upstream 4a94c4332334 36650b4b .config log report syz C
ci-upstream-kasan-gce-selinux-root 2019/12/19 14:49 upstream 4a94c4332334 79b211f7 .config log report syz C
ci-upstream-linux-next-kasan-gce-root 2019/12/27 20:52 linux-next 7ddd09fc4b74 be5c2c81 .config log report syz C