syzbot


UBSAN: shift-out-of-bounds in choke_change (2)

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 3a87571f0ffc sch_red: fix off-by-one checks in red_check_params()
First crash: 676d, last: 660d

Cause bisection: introduced by (bisect log) :
commit 97a61369830ab085df5aed0ff9256f35b07d425a
Author: Roman Gushchin <guro@fb.com>
Date: Thu Sep 12 17:56:45 2019 +0000

  cgroup: freezer: fix frozen state inheritance

Crash: KASAN: use-after-free Read in batadv_iv_ogm_queue_add (log)
Repro: C syz .config
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream UBSAN: shift-out-of-bounds in choke_change C inconclusive 15 702d 761d 0/24 closed as dup on 2020/12/29 20:08

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:237:23
shift exponent 32 is too large for 32-bit type 'unsigned int'
CPU: 1 PID: 8397 Comm: syz-executor265 Not tainted 5.12.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327
 red_set_parms include/net/red.h:237 [inline]
 choke_change.cold+0x3c/0xc8 net/sched/sch_choke.c:414
 qdisc_create+0x475/0x12f0 net/sched/sch_api.c:1247
 tc_modify_qdisc+0x4c8/0x1a50 net/sched/sch_api.c:1663
 rtnetlink_rcv_msg+0x44e/0xad0 net/core/rtnetlink.c:5553
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2502
 netlink_unicast_kernel net/netlink/af_netlink.c:1312 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1338
 netlink_sendmsg+0x856/0xd90 net/netlink/af_netlink.c:1927
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x43f039
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffceb473ac8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043f039
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 0000000000403020 R08: 0000000000400488 R09: 0000000000400488
R10: 0000000000400488 R11: 0000000000000246 R12: 00000000004030b0
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488
================================================================================

Crashes (7):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-net-this-kasan-gce 2021/03/25 10:27 net 6f235a69e594 607e3baf .config console log report syz C UBSAN: shift-out-of-bounds in choke_change
ci-upstream-linux-next-kasan-gce-root 2021/03/24 20:51 linux-next 20f1b5f9c07c 607e3baf .config console log report syz C UBSAN: shift-out-of-bounds in choke_change
ci-upstream-kasan-gce-root 2021/04/09 05:42 upstream 4fa56ad0d12e 6a81331a .config console log report info UBSAN: shift-out-of-bounds in choke_change
ci-upstream-kasan-gce 2021/04/06 05:10 upstream 0a50438c8436 6a81331a .config console log report info UBSAN: shift-out-of-bounds in choke_change
ci-upstream-kasan-gce 2021/04/01 13:28 upstream d19cc4bfbff1 6a81331a .config console log report info UBSAN: shift-out-of-bounds in choke_change
ci-upstream-linux-next-kasan-gce-root 2021/03/28 06:58 linux-next 931294922e65 a8529b82 .config console log report info UBSAN: shift-out-of-bounds in choke_change
ci-upstream-linux-next-kasan-gce-root 2021/03/24 20:30 linux-next 20f1b5f9c07c 607e3baf .config console log report info UBSAN: shift-out-of-bounds in choke_change
* Struck through repros no longer work on HEAD.