syzbot


KASAN: stack-out-of-bounds Read in xfrm_state_find

Status: closed as invalid on 2017/10/23 16:19
Subsystems: net
First crash: 2681d, last: 2596d
Similar bugs (13)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (3) net C 10353 2500d 2568d 4/28 fixed on 2018/01/31 00:24
android-44 KASAN: stack-out-of-bounds Read in xfrm_state_find C 842 1828d 2060d 0/2 public: reported C repro on 2019/04/12 00:00
android-54 KASAN: stack-out-of-bounds Read in xfrm_state_find C 1 700d 700d 0/2 upstream: reported C repro on 2023/01/01 01:05
android-5-15 KASAN: stack-out-of-bounds Read in xfrm_state_find origin:upstream missing-backport C error error 2 215d 700d 0/2 upstream: reported C repro on 2023/01/01 00:40
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (5) net C done 654 2133d 2435d 13/28 fixed on 2019/11/11 16:48
upstream KMSAN: uninit-value in xfrm_state_find net C error done 215 562d 2361d 22/28 fixed on 2023/07/01 16:05
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) syz error error 1 700d 700d 0/2 auto-obsoleted due to no activity on 2023/05/14 02:28
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find 1 1120d 1120d 0/2 closed as invalid on 2022/02/03 13:56
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find C 4151 2161d 2672d 0/3 closed as invalid on 2019/01/01 20:10
android-414 KASAN: stack-out-of-bounds Read in xfrm_state_find C 137 2135d 2061d 0/1 public: reported C repro on 2019/04/11 00:00
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (2) net C 93 2578d 2587d 3/28 fixed on 2017/11/18 01:42
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) C 392 1825d 2061d 0/3 public: reported C repro on 2019/04/11 08:44
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (4) net C 102 2445d 2496d 4/28 fixed on 2018/03/23 18:14

Sample crash report:
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x305b/0x3190 net/xfrm/xfrm_state.c:1051
Read of size 4 at addr ffff8801cc89e708 by task syzkaller225926/3020

CPU: 0 PID: 3020 Comm: syzkaller225926 Not tainted 4.14.0-rc2+ #10
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 xfrm_state_find+0x305b/0x3190 net/xfrm/xfrm_state.c:1051
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1388 [inline]
 xfrm_tmpl_resolve+0x2fb/0xbd0 net/xfrm/xfrm_policy.c:1432
 xfrm_resolve_and_create_bundle+0x186/0x24b0 net/xfrm/xfrm_policy.c:1830
 xfrm_lookup+0xf0a/0x2540 net/xfrm/xfrm_policy.c:2141
 xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2259
 ip_route_output_flow+0x7c/0xa0 net/ipv4/route.c:2549
 inet_csk_route_req+0x5d8/0x990 net/ipv4/inet_connection_sock.c:552
 tcp_v4_send_synack+0x1e4/0x270 net/ipv4/tcp_ipv4.c:870
 tcp_rtx_synack+0x119/0x2e0 net/ipv4/tcp_output.c:3695
 inet_rtx_syn_ack+0x64/0xd0 net/ipv4/inet_connection_sock.c:636
 tcp_check_req+0xaf5/0x1630 net/ipv4/tcp_minisocks.c:614
 tcp_v4_rcv+0x17b0/0x2f20 net/ipv4/tcp_ipv4.c:1674
 ip_local_deliver_finish+0x2e2/0xba0 net/ipv4/ip_input.c:216
 NF_HOOK include/linux/netfilter.h:249 [inline]
 ip_local_deliver+0x1ce/0x6e0 net/ipv4/ip_input.c:257
 dst_input include/net/dst.h:464 [inline]
 ip_rcv_finish+0x8db/0x19c0 net/ipv4/ip_input.c:397
 NF_HOOK include/linux/netfilter.h:249 [inline]
 ip_rcv+0xc3f/0x17d0 net/ipv4/ip_input.c:488
 __netif_receive_skb_core+0x19af/0x33d0 net/core/dev.c:4428
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4466
 netif_receive_skb_internal+0x10b/0x670 net/core/dev.c:4539
 netif_receive_skb+0xae/0x390 net/core/dev.c:4563
 tun_rx_batched.isra.43+0x5ed/0x860 drivers/net/tun.c:1218
 tun_get_user+0x11dd/0x2150 drivers/net/tun.c:1553
 tun_chr_write_iter+0xde/0x190 drivers/net/tun.c:1579
 call_write_iter include/linux/fs.h:1770 [inline]
 new_sync_write fs/read_write.c:468 [inline]
 __vfs_write+0x68a/0x970 fs/read_write.c:481
 vfs_write+0x18f/0x510 fs/read_write.c:543
 SYSC_write fs/read_write.c:588 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:580
 do_syscall_32_irqs_on arch/x86/entry/common.c:329 [inline]
 do_fast_syscall_32+0x3f2/0xf05 arch/x86/entry/common.c:391
 entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:124
RIP: 0023:0xf7f42c79
RSP: 002b:00000000f2f341f4 EFLAGS: 00000292 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000020002000
RDX: 0000000000000046 RSI: 0000000000000000 RDI: 00000000003d0f00
RBP: 00000000f2f342e8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0007322780 count:0 mapcount:0 mapping:          (null) index:0xffff8801cc89ee80
flags: 0x200000000000000()
raw: 0200000000000000 0000000000000000 ffff8801cc89ee80 00000000ffffffff
raw: dead000000000100 dead000000000200 ffff8801dac00dc0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cc89e600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801cc89e680: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00
>ffff8801cc89e700: 00 f2 f3 f3 f3 f3 00 00 00 00 00 00 00 f1 f1 f1
                      ^
 ffff8801cc89e780: f1 00 00 00 00 00 00 00 00 00 00 00 f2 f3 f3 f3
 ffff8801cc89e800: f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (365):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2017/09/25 17:18 upstream e19b205be43d c26ea367 .config console log report syz C ci-upstream-kasan-gce
2017/09/25 14:36 upstream e19b205be43d c26ea367 .config console log report syz C ci-upstream-kasan-gce
2017/09/22 22:37 upstream 6e80ecdddf4e c26ea367 .config console log report syz C ci-upstream-kasan-gce
2017/09/22 14:59 upstream 6e80ecdddf4e c26ea367 .config console log report syz C ci-upstream-kasan-gce
2017/08/26 04:31 upstream b3242dba9ff2 9ec49e08 .config console log report syz C ci-upstream-kasan-gce
2017/08/19 19:50 upstream 58d4e450a490 f238fbd4 .config console log report syz C ci-upstream-kasan-gce
2017/08/18 23:10 upstream 04d49f3638d0 41bbf437 .config console log report syz C ci-upstream-kasan-gce
2017/08/18 14:33 upstream 04d49f3638d0 41bbf437 .config console log report syz C ci-upstream-kasan-gce
2017/08/13 08:06 upstream 89a55278dee4 360f0528 .config console log report syz C ci-upstream-kasan-gce
2017/08/13 04:42 upstream 043cd07c555f 360f0528 .config console log report syz C ci-upstream-kasan-gce
2017/08/12 11:17 upstream 216e4a1def29 360f0528 .config console log report syz C ci-upstream-kasan-gce
2017/08/12 07:34 upstream 8001a975f955 a0330c0f .config console log report syz C ci-upstream-kasan-gce
2017/08/12 01:54 upstream 8001a975f955 a0330c0f .config console log report syz C ci-upstream-kasan-gce
2017/08/11 23:06 upstream 8001a975f955 a0330c0f .config console log report syz C ci-upstream-kasan-gce
2017/08/11 20:49 upstream 8001a975f955 a0330c0f .config console log report syz C ci-upstream-kasan-gce
2017/08/11 17:10 upstream 8001a975f955 a0330c0f .config console log report syz C ci-upstream-kasan-gce
2017/08/10 23:12 upstream 26273939ace9 125de3e4 .config console log report syz C ci-upstream-kasan-gce
2017/08/08 06:39 upstream 623ce3456671 ec649f0f .config console log report syz C ci-upstream-kasan-gce
2017/07/30 17:11 upstream 0a07b238e5f4 fe8ced11 .config console log report syz C ci-upstream-kasan-gce
2017/10/20 11:32 upstream ce43f4fd6f10 4d9c0713 .config console log report syz C ci-upstream-kasan-gce-386
2017/10/20 11:31 upstream ce43f4fd6f10 4d9c0713 .config console log report syz C ci-upstream-kasan-gce-386
2017/10/04 00:04 upstream 887c8ba753fb c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/10/03 20:05 upstream 887c8ba753fb c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/29 04:05 upstream 02a2b05395dd c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/29 02:49 upstream 02a2b05395dd c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/28 22:11 upstream 02a2b05395dd c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/28 13:45 upstream 9cd6681cb116 c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/27 16:36 upstream dc972a67cc54 c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/26 02:46 upstream 19240e6b2a6c c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/23 00:58 upstream 0a8abd97dcda c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/22 09:45 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/22 07:15 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/22 05:09 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/22 03:53 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/22 02:46 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/22 00:57 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/21 23:06 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/09/21 18:07 upstream 4a704d6db0ee c26ea367 .config console log report syz C ci-upstream-kasan-gce-386
2017/10/20 11:41 net-next-old d18b4b35e310 4d9c0713 .config console log report syz C ci-upstream-net-kasan-gce
2017/09/29 04:06 net-next-old e7614370d6f0 c26ea367 .config console log report syz C ci-upstream-net-kasan-gce
2017/09/06 02:29 net-next-old 96e5ae4e76f1 0ed1da4a .config console log report syz C ci-upstream-net-kasan-gce
2017/08/26 04:27 net-next-old ec15ecdee5eb 4074aed7 .config console log report syz C ci-upstream-net-kasan-gce
2017/08/20 02:50 net-next-old 91558e76c8f1 f238fbd4 .config console log report syz C ci-upstream-net-kasan-gce
2017/08/11 23:16 net-next-old 3b2b69efeca7 a0330c0f .config console log report syz C ci-upstream-net-kasan-gce
2017/10/20 11:32 mmots 65302eba00ae 4d9c0713 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/10/20 11:31 linux-next 36ef71cae353 e511d9f8 .config console log report syz C ci-upstream-next-kasan-gce
2017/09/29 04:05 linux-next 00d47fc93ae9 c26ea367 .config console log report syz C ci-upstream-next-kasan-gce
2017/09/29 04:05 mmots 8fd0520d9cec c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/28 13:45 mmots da2915ba6bbf c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/28 13:45 linux-next 00d47fc93ae9 c26ea367 .config console log report syz C ci-upstream-next-kasan-gce
2017/09/20 00:29 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/17 18:34 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/17 13:51 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/16 08:49 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/14 02:42 mmots 720bbe532b7c c26ea367 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/13 12:28 mmots 114c278181ca 96b8e399 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/10 03:44 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 16:22 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 12:27 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 10:42 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 07:58 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 06:29 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 05:18 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 03:23 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/09 01:07 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/08 19:59 mmots d95e159cd1da 449b6f15 .config console log report syz C ci-upstream-mmots-kasan-gce
2017/09/06 03:35 linux-next 744c56def809 0ed1da4a .config console log report syz C skylake-linux-next-kasan-qemu
2017/09/06 02:17 linux-next 744c56def809 0ed1da4a .config console log report syz C skylake-linux-next-kasan-qemu
2017/08/26 05:41 linux-next 7159188b70e3 4074aed7 .config console log report syz C ci-upstream-next-kasan-gce
2017/08/26 05:26 linux-next 7159188b70e3 4074aed7 .config console log report syz C ci-upstream-next-kasan-gce
2017/08/25 13:04 linux-next 7159188b70e3 4074aed7 .config console log report syz C skylake-linux-next-kasan-qemu
2017/08/20 07:44 linux-next bb70832dd42b f238fbd4 .config console log report syz C ci-upstream-next-kasan-gce
2017/08/20 05:07 linux-next bb70832dd42b f238fbd4 .config console log report syz C ci-upstream-next-kasan-gce
2017/08/12 09:16 linux-next 91dfed74eabc 360f0528 .config console log report syz C ci-upstream-next-kasan-gce
2017/08/31 11:02 upstream 42ff72cf2702 4ccdd782 .config console log report ci-upstream-kasan-gce
2017/08/31 04:20 upstream 42ff72cf2702 4ccdd782 .config console log report ci-upstream-kasan-gce
2017/08/27 06:44 upstream bab9752480c5 a3857c4e .config console log report ci-upstream-kasan-gce
2017/08/25 13:53 upstream 90a6cd503982 c3631fc7 .config console log report ci-upstream-kasan-gce
2017/08/24 20:42 upstream 143c97cc6529 3f1aca48 .config console log report ci-upstream-kasan-gce
2017/08/14 16:51 upstream ef954844c7ac 6a0246bf .config console log report ci-upstream-kasan-gce
2017/08/14 14:12 upstream ef954844c7ac 6a0246bf .config console log report ci-upstream-kasan-gce
2017/07/31 17:39 upstream 16f73eb02d7e cbf25dd1 .config console log report ci-upstream-kasan-gce
2017/07/30 15:58 upstream 0a07b238e5f4 fe8ced11 .config console log report ci-upstream-kasan-gce
2017/10/01 05:42 upstream a8c964eacb21 c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/09/21 16:40 upstream 4a704d6db0ee c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/09/21 16:36 upstream 4a704d6db0ee c26ea367 .config console log report ci-upstream-kasan-gce-386
2017/10/12 18:57 net-next-old 833e0e2f24fd 441d64d9 .config console log report ci-upstream-net-kasan-gce
2017/10/08 16:49 net-next-old c9f766bc6ee0 c26ea367 .config console log report ci-upstream-net-kasan-gce
2017/09/02 12:18 net-next-old 4cc5b44b29a9 aa51461a .config console log report ci-upstream-net-kasan-gce
2017/08/22 23:49 net-next-old 0580b53f3867 f238fbd4 .config console log report ci-upstream-net-kasan-gce
2017/09/19 10:35 linux-next 840cc455c5f5 92f543f0 .config console log report skylake-linux-next-kasan-qemu
2017/09/18 11:07 linux-next fc2e8b1a47c1 2bab8ad8 .config console log report skylake-linux-next-kasan-qemu
2017/09/15 16:35 linux-next 1f183459b514 da1873aa .config console log report skylake-linux-next-kasan-qemu
2017/08/11 20:04 linux-next 91dfed74eabc 360f0528 .config console log report ci-upstream-next-kasan-gce
* Struck through repros no longer work on HEAD.