syzbot


KASAN: slab-out-of-bounds Read in __fget_light

Status: auto-closed as invalid on 2020/09/07 00:46
Reported-by: syzbot+46b335932d55c81f96bd@syzkaller.appspotmail.com
First crash: 1658d, last: 1658d

Sample crash report:
alloc_fd: slot 3 not NULL!
==================================================================
BUG: KASAN: slab-out-of-bounds in __read_once_size include/linux/compiler.h:183 [inline]
BUG: KASAN: slab-out-of-bounds in __fcheck_files include/linux/fdtable.h:88 [inline]
BUG: KASAN: slab-out-of-bounds in __fget_light+0x1ea/0x1f0 fs/file.c:739
Read of size 8 at addr ffff88800010a7c0 by task syz-executor.0/20611

CPU: 1 PID: 20611 Comm: syz-executor.0 Not tainted 4.14.179-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x13e/0x194 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1e2 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2ae mm/kasan/report.c:393
 __read_once_size include/linux/compiler.h:183 [inline]
 __fcheck_files include/linux/fdtable.h:88 [inline]
 __fget_light+0x1ea/0x1f0 fs/file.c:739
 __fdget fs/file.c:752 [inline]
 __fdget_pos+0x18/0xc0 fs/file.c:763
 fdget_pos include/linux/file.h:67 [inline]
 SYSC_read fs/read_write.c:569 [inline]
 SyS_read+0x63/0x210 fs/read_write.c:567
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4163a0
RSP: 002b:00007ffd93924528 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004163a0
RDX: 00000000000003e8 RSI: 00007ffd93924540 RDI: 00000000000000f0
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000000075 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd93924970 R14: 0000000000000000 R15: 00007ffd93924980

Allocated by task 6337:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc mm/kasan/kasan.c:551 [inline]
 kasan_kmalloc+0xbf/0xe0 mm/kasan/kasan.c:529
 __do_kmalloc_node mm/slab.c:3682 [inline]
 __kmalloc_node+0x4c/0x70 mm/slab.c:3689
 kmalloc_node include/linux/slab.h:530 [inline]
 kvmalloc_node+0x46/0xd0 mm/util.c:397
 kvmalloc include/linux/mm.h:531 [inline]
 xt_alloc_table_info+0x6a/0xe0 net/netfilter/x_tables.c:1062
 do_replace net/ipv6/netfilter/ip6_tables.c:1146 [inline]
 do_ip6t_set_ctl+0x1b1/0x3a3 net/ipv6/netfilter/ip6_tables.c:1685
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt net/ipv6/ipv6_sockglue.c:935 [inline]
 ipv6_setsockopt+0xfd/0x130 net/ipv6/ipv6_sockglue.c:919
 tcp_setsockopt net/ipv4/tcp.c:2826 [inline]
 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2820
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 6337:
 save_stack+0x32/0xa0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x75/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3496 [inline]
 kfree+0xcb/0x260 mm/slab.c:3815
 kvfree+0x45/0x50 mm/util.c:416
 __do_replace+0x3f6/0x580 net/ipv6/netfilter/ip6_tables.c:1107
 do_replace net/ipv6/netfilter/ip6_tables.c:1161 [inline]
 do_ip6t_set_ctl+0x255/0x3a3 net/ipv6/netfilter/ip6_tables.c:1685
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x5f/0xb0 net/netfilter/nf_sockopt.c:115
 ipv6_setsockopt net/ipv6/ipv6_sockglue.c:935 [inline]
 ipv6_setsockopt+0xfd/0x130 net/ipv6/ipv6_sockglue.c:919
 tcp_setsockopt net/ipv4/tcp.c:2826 [inline]
 tcp_setsockopt+0x7b/0xc0 net/ipv4/tcp.c:2820
 SYSC_setsockopt net/socket.c:1865 [inline]
 SyS_setsockopt+0x110/0x1e0 net/socket.c:1844
 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff88800010a040
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1920 bytes inside of
 2048-byte region [ffff88800010a040, ffff88800010a840)
The buggy address belongs to the page:
page:ffffea0000004280 count:1 mapcount:0 mapping:ffff88800010a040 index:0x0 compound_mapcount: 0
flags: 0x7ffe0000008100(slab|head)
raw: 007ffe0000008100 ffff88800010a040 0000000000000000 0000000100000003
raw: ffffea0002530a20 ffffea000246faa0 ffff88812fe54c40 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88800010a680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88800010a700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88800010a780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                           ^
 ffff88800010a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff88800010a880: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/05/10 00:45 linux-4.14.y d71f695ce745 88cb3e92 .config console log report ci2-linux-4-14
* Struck through repros no longer work on HEAD.