syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Rank 🛈 | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: use-after-free Read in bpf_prog_kallsyms_add bpf | 19 | syz | error | inconclusive | 120 | 2377d | 2612d | 12/29 | fixed on 2019/09/06 20:45 |
| linux-4.14 | KASAN: use-after-free Read in bpf_prog_kallsyms_add | 19 | 1 | 2254d | 2254d | 0/1 | auto-closed as invalid on 2019/12/31 17:26 |
================================================================== BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:193 [inline] BUG: KASAN: use-after-free in list_empty include/linux/list.h:203 [inline] BUG: KASAN: use-after-free in bpf_prog_ksym_node_add kernel/bpf/core.c:458 [inline] BUG: KASAN: use-after-free in bpf_prog_kallsyms_add+0x7c5/0x840 kernel/bpf/core.c:490 Read of size 8 at addr ffff888095157ae0 by task syz-executor.1/2746 CPU: 1 PID: 2746 Comm: syz-executor.1 Not tainted 4.19.73 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report mm/kasan/report.c:412 [inline] kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __read_once_size include/linux/compiler.h:193 [inline] list_empty include/linux/list.h:203 [inline] bpf_prog_ksym_node_add kernel/bpf/core.c:458 [inline] bpf_prog_kallsyms_add+0x7c5/0x840 kernel/bpf/core.c:490 bpf_prog_load+0xf7e/0x1400 kernel/bpf/syscall.c:1469 __do_sys_bpf kernel/bpf/syscall.c:2405 [inline] __se_sys_bpf kernel/bpf/syscall.c:2367 [inline] __x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2367 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4598e9 Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007f313f81bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000141 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004598e9 RDX: 0000000000000048 RSI: 000000002000e000 RDI: 0000000000000005 netlink: 8 bytes leftover after parsing attributes in process `syz-executor.4'. RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f313f81c6d4 R13: 00000000004bfd15 R14: 00000000004d1a58 R15: 00000000ffffffff Allocated by task 2746: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc mm/kasan/kasan.c:553 [inline] kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531 kmem_cache_alloc_trace+0x152/0x760 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] bpf_prog_alloc+0x216/0x2a0 kernel/bpf/core.c:90 bpf_prog_load+0x558/0x1400 kernel/bpf/syscall.c:1399 __do_sys_bpf kernel/bpf/syscall.c:2405 [inline] __se_sys_bpf kernel/bpf/syscall.c:2367 [inline] __x64_sys_bpf+0x32b/0x4c0 kernel/bpf/syscall.c:2367 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 19: save_stack+0x45/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3503 [inline] kfree+0xcf/0x220 mm/slab.c:3822 bpf_jit_free+0xa5/0x300 bpf_prog_free_deferred+0x2f6/0x420 kernel/bpf/core.c:1814 process_one_work+0x989/0x1750 kernel/workqueue.c:2153 worker_thread+0x98/0xe40 kernel/workqueue.c:2296 kthread+0x354/0x420 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff888095157a80 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 96 bytes inside of 256-byte region [ffff888095157a80, ffff888095157b80) The buggy address belongs to the page: page:ffffea00025455c0 count:1 mapcount:0 mapping:ffff88812c3f07c0 index:0xffff888095157e40 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffffea0001652f88 ffffea00024ffac8 ffff88812c3f07c0 raw: ffff888095157e40 ffff888095157080 000000010000000a 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888095157980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888095157a00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc >ffff888095157a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff888095157b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff888095157b80: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/09/16 14:33 | linux-4.19.y | db2d0b7c1dde | 55c50e70 | .config | console log | report | ci2-linux-4-19 | |||||
| 2019/07/16 16:10 | linux-4.19.y | 3bd837bfe431 | 4ec4ea48 | .config | console log | report | ci2-linux-4-19 |