syzbot

 sign-in | mailing list | source | docs
🐞 Open [1156] 🐞 Fixed [4318] 🐞 Invalid [9656] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes

KASAN: wild-memory-access Read in skb_copy_ubufs

Status: fixed on 2017/10/24 06:54
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 0bbd7dad34f8 tun: make tun_build_skb() thread safe
First crash: 1997d, last: 1995d

Sample crash report:
BUG: KASAN: wild-memory-access in memcpy include/linux/string.h:339 [inline]
BUG: KASAN: wild-memory-access in skb_copy_ubufs+0xc51/0x1940 net/core/skbuff.c:1229
Read of size 4096 at addr 29f997dd42ad3b56 by task syzkaller656520/25772

CPU: 1 PID: 25772 Comm: syzkaller656520 Not tainted 4.13.0-rc5-next-20170816+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 kasan_report_error mm/kasan/report.c:349 [inline]
 kasan_report+0x12e/0x340 mm/kasan/report.c:409
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:339 [inline]
 skb_copy_ubufs+0xc51/0x1940 net/core/skbuff.c:1229
 skb_orphan_frags_rx include/linux/skbuff.h:2548 [inline]
 deliver_skb net/core/dev.c:1856 [inline]
 __netif_receive_skb_core+0x24a2/0x33d0 net/core/dev.c:4329
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4456
 netif_receive_skb_internal+0x10b/0x5e0 net/core/dev.c:4527
 netif_receive_skb+0xae/0x390 net/core/dev.c:4551
 tun_rx_batched.isra.43+0x5e7/0x860 drivers/net/tun.c:1221
 tun_get_user+0x11dd/0x2150 drivers/net/tun.c:1542
 tun_chr_write_iter+0xd8/0x190 drivers/net/tun.c:1568
 call_write_iter include/linux/fs.h:1742 [inline]
 new_sync_write fs/read_write.c:457 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:470
 vfs_write+0x189/0x510 fs/read_write.c:518
 SYSC_write fs/read_write.c:565 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:557
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x406811
RSP: 002b:00007fbe734f8dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000406811
RDX: 000000000000002e RSI: 00000000209cbfd2 RDI: 0000000000000003
RBP: 0000000000000086 R08: 00007fbe734f9700 R09: 00007fbe734f9700
R10: 00007fbe734f99d0 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffe2760349f R14: 00007fbe734f99c0 R15: 0000000000000000
==================================================================
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 25772 Comm: syzkaller656520 Tainted: G    B           4.13.0-rc5-next-20170816+ #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:16 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:52
 panic+0x1e4/0x417 kernel/panic.c:180
 kasan_end_report+0x50/0x50 mm/kasan/report.c:176
 kasan_report_error mm/kasan/report.c:356 [inline]
 kasan_report+0x137/0x340 mm/kasan/report.c:409
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
 memcpy+0x23/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:339 [inline]
 skb_copy_ubufs+0xc51/0x1940 net/core/skbuff.c:1229
 skb_orphan_frags_rx include/linux/skbuff.h:2548 [inline]
 deliver_skb net/core/dev.c:1856 [inline]
 __netif_receive_skb_core+0x24a2/0x33d0 net/core/dev.c:4329
 __netif_receive_skb+0x2c/0x1b0 net/core/dev.c:4456
 netif_receive_skb_internal+0x10b/0x5e0 net/core/dev.c:4527
 netif_receive_skb+0xae/0x390 net/core/dev.c:4551
 tun_rx_batched.isra.43+0x5e7/0x860 drivers/net/tun.c:1221
 tun_get_user+0x11dd/0x2150 drivers/net/tun.c:1542
 tun_chr_write_iter+0xd8/0x190 drivers/net/tun.c:1568
 call_write_iter include/linux/fs.h:1742 [inline]
 new_sync_write fs/read_write.c:457 [inline]
 __vfs_write+0x684/0x970 fs/read_write.c:470
 vfs_write+0x189/0x510 fs/read_write.c:518
 SYSC_write fs/read_write.c:565 [inline]
 SyS_write+0xef/0x220 fs/read_write.c:557
 entry_SYSCALL_64_fastpath+0x1f/0xbe
RIP: 0033:0x406811
RSP: 002b:00007fbe734f8dc0 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000406811
RDX: 000000000000002e RSI: 00000000209cbfd2 RDI: 0000000000000003
RBP: 0000000000000086 R08: 00007fbe734f9700 R09: 00007fbe734f9700
R10: 00007fbe734f99d0 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffe2760349f R14: 00007fbe734f99c0 R15: 0000000000000000
Dumping ftrace buffer:
   (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Crashes (23):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
skylake-linux-next-kasan-qemu 2017/08/16 13:15 linux-next 5d51332f20b2 f93be584 .config console log report syz C
skylake-linux-next-kasan-qemu 2017/08/16 21:09 linux-next 5d51332f20b2 f93be584 .config console log report syz
skylake-linux-next-kasan-qemu 2017/08/16 01:47 linux-next 497247033eb1 6a0246bf .config console log report syz
ci-upstream-net-kasan-gce 2017/08/16 12:04 net-next 869cec99b4f7 f93be584 .config console log report
ci-upstream-net-kasan-gce 2017/08/15 22:14 net-next 2587b52a7b5a 6a0246bf .config console log report
skylake-linux-next-kasan-qemu 2017/08/17 06:11 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/17 02:38 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/17 01:12 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/17 00:05 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 23:15 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 22:42 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 18:30 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 18:06 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 16:08 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 15:50 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 14:04 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 12:22 linux-next 5d51332f20b2 f93be584 .config console log report
ci-upstream-next-kasan-gce 2017/08/16 11:13 linux-next 5d51332f20b2 f93be584 .config console log report
skylake-linux-next-kasan-qemu 2017/08/16 01:39 linux-next 497247033eb1 6a0246bf .config console log report
skylake-linux-next-kasan-qemu 2017/08/15 19:02 linux-next 497247033eb1 6a0246bf .config console log report
skylake-linux-next-kasan-qemu 2017/08/15 17:16 linux-next 497247033eb1 6a0246bf .config console log report
skylake-linux-next-kasan-qemu 2017/08/15 13:57 linux-next 497247033eb1 6a0246bf .config console log report
skylake-linux-next-kasan-qemu 2017/08/15 11:19 linux-next 497247033eb1 6a0246bf .config console log report
* Struck through repros no longer work on HEAD.