syzbot


KASAN: slab-out-of-bounds Read in ip6_tnl_parse_tlv_enc_lim

Status: auto-closed as invalid on 2019/04/28 00:03
Reported-by: syzbot+d3016cc4c37e33afef3e@syzkaller.appspotmail.com
First crash: 2070d, last: 2065d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in ip6_tnl_parse_tlv_enc_lim net C done done 189 1780d 2105d 0/27 auto-obsoleted due to no activity on 2022/09/08 19:46

Sample crash report:
protocol 86dd is buggy, dev ip6tnl1
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x4b7/0x550 net/ipv6/ip6_tunnel.c:449
Read of size 1 at addr ffff8801d07a7887 by task syz-executor1/28543

CPU: 0 PID: 28543 Comm: syz-executor1 Not tainted 4.14.78+ #26
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 ip6_tnl_parse_tlv_enc_lim+0x4b7/0x550 net/ipv6/ip6_tunnel.c:449
 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1339 [inline]
 ip6_tnl_start_xmit+0xfe5/0x1aa0 net/ipv6/ip6_tunnel.c:1403
 __netdev_start_xmit include/linux/netdevice.h:4030 [inline]
 netdev_start_xmit include/linux/netdevice.h:4039 [inline]
 xmit_one net/core/dev.c:3009 [inline]
 dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3025
 __dev_queue_xmit+0x13d9/0x1f40 net/core/dev.c:3525
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1746 [inline]
 __bpf_redirect+0x5b0/0x990 net/core/filter.c:1753
 ____bpf_clone_redirect net/core/filter.c:1786 [inline]
 bpf_clone_redirect+0x1d4/0x2b0 net/core/filter.c:1758
 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012

Allocated by task 28543:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551
 __kmalloc+0x153/0x340 mm/slub.c:3760
 kmalloc include/linux/slab.h:493 [inline]
 kzalloc include/linux/slab.h:661 [inline]
 bpf_test_init.isra.1+0x52/0xc0 net/bpf/test_run.c:81
 bpf_prog_test_run_skb+0xfb/0x8c0 net/bpf/test_run.c:103
 bpf_prog_test_run kernel/bpf/syscall.c:1330 [inline]
 SYSC_bpf kernel/bpf/syscall.c:1602 [inline]
 SyS_bpf+0x79d/0x3640 kernel/bpf/syscall.c:1547
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Freed by task 26790:
 save_stack mm/kasan/kasan.c:447 [inline]
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524
 slab_free_hook mm/slub.c:1389 [inline]
 slab_free_freelist_hook mm/slub.c:1410 [inline]
 slab_free mm/slub.c:2966 [inline]
 kfree+0xf5/0x310 mm/slub.c:3897
 skb_free_head+0x83/0xa0 net/core/skbuff.c:550
 skb_release_data+0x495/0x610 net/core/skbuff.c:570
 skb_release_all+0x46/0x60 net/core/skbuff.c:627
 __kfree_skb net/core/skbuff.c:641 [inline]
 consume_skb+0xc1/0x330 net/core/skbuff.c:701
 netlink_broadcast_filtered+0x2b7/0xa30 net/netlink/af_netlink.c:1488
 kobject_uevent_env+0x793/0xc40 lib/kobject_uevent.c:492
 loop_set_fd drivers/block/loop.c:938 [inline]
 lo_ioctl+0xfd9/0x17d0 drivers/block/loop.c:1376
 __blkdev_driver_ioctl block/ioctl.c:297 [inline]
 blkdev_ioctl+0x57d/0x18c0 block/ioctl.c:594
 block_ioctl+0xd9/0x120 fs/block_dev.c:1873
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684
 SYSC_ioctl fs/ioctl.c:701 [inline]
 SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692
 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

The buggy address belongs to the object at ffff8801d07a7680
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 7 bytes to the right of
 512-byte region [ffff8801d07a7680, ffff8801d07a7880)
The buggy address belongs to the page:
page:ffffea000741e980 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
flags: 0x4000000000008100(slab|head)
raw: 4000000000008100 0000000000000000 0000000000000000 00000001000c000c
raw: ffffea000719f000 0000000600000006 ffff8801da802c00 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801d07a7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d07a7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d07a7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801d07a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d07a7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (4):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/10/28 00:47 android-4.14 4ed22187defd 8efba39a .config console log report ci-android-414-kasan-gce-root
2018/10/27 18:39 android-4.14 4ed22187defd 8efba39a .config console log report ci-android-414-kasan-gce-root
2018/10/24 00:10 android-4.14 ff26b00b484b a8292de9 .config console log report ci-android-414-kasan-gce-root
2018/10/23 01:05 android-4.14 a3ac63b18873 ecb386fe .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.