| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: slab-out-of-bounds Read in ip6_tnl_parse_tlv_enc_lim net | C | done | done | 189 | 1931d | 2256d | 0/28 | auto-obsoleted due to no activity on 2022/09/08 19:46 |
syzbot |
sign-in | mailing list | source | docs |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| upstream | KASAN: slab-out-of-bounds Read in ip6_tnl_parse_tlv_enc_lim net | C | done | done | 189 | 1931d | 2256d | 0/28 | auto-obsoleted due to no activity on 2022/09/08 19:46 |
protocol 86dd is buggy, dev ip6tnl1 ================================================================== BUG: KASAN: slab-out-of-bounds in ip6_tnl_parse_tlv_enc_lim+0x4b7/0x550 net/ipv6/ip6_tunnel.c:449 Read of size 1 at addr ffff8801d07a7887 by task syz-executor1/28543 CPU: 0 PID: 28543 Comm: syz-executor1 Not tainted 4.14.78+ #26 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0xb9/0x11b lib/dump_stack.c:53 print_address_description+0x60/0x22b mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409 ip6_tnl_parse_tlv_enc_lim+0x4b7/0x550 net/ipv6/ip6_tunnel.c:449 ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1339 [inline] ip6_tnl_start_xmit+0xfe5/0x1aa0 net/ipv6/ip6_tunnel.c:1403 __netdev_start_xmit include/linux/netdevice.h:4030 [inline] netdev_start_xmit include/linux/netdevice.h:4039 [inline] xmit_one net/core/dev.c:3009 [inline] dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3025 __dev_queue_xmit+0x13d9/0x1f40 net/core/dev.c:3525 __bpf_tx_skb net/core/filter.c:1708 [inline] __bpf_redirect_common net/core/filter.c:1746 [inline] __bpf_redirect+0x5b0/0x990 net/core/filter.c:1753 ____bpf_clone_redirect net/core/filter.c:1786 [inline] bpf_clone_redirect+0x1d4/0x2b0 net/core/filter.c:1758 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012 Allocated by task 28543: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc.part.1+0x4f/0xd0 mm/kasan/kasan.c:551 __kmalloc+0x153/0x340 mm/slub.c:3760 kmalloc include/linux/slab.h:493 [inline] kzalloc include/linux/slab.h:661 [inline] bpf_test_init.isra.1+0x52/0xc0 net/bpf/test_run.c:81 bpf_prog_test_run_skb+0xfb/0x8c0 net/bpf/test_run.c:103 bpf_prog_test_run kernel/bpf/syscall.c:1330 [inline] SYSC_bpf kernel/bpf/syscall.c:1602 [inline] SyS_bpf+0x79d/0x3640 kernel/bpf/syscall.c:1547 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 26790: save_stack mm/kasan/kasan.c:447 [inline] set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0xac/0x190 mm/kasan/kasan.c:524 slab_free_hook mm/slub.c:1389 [inline] slab_free_freelist_hook mm/slub.c:1410 [inline] slab_free mm/slub.c:2966 [inline] kfree+0xf5/0x310 mm/slub.c:3897 skb_free_head+0x83/0xa0 net/core/skbuff.c:550 skb_release_data+0x495/0x610 net/core/skbuff.c:570 skb_release_all+0x46/0x60 net/core/skbuff.c:627 __kfree_skb net/core/skbuff.c:641 [inline] consume_skb+0xc1/0x330 net/core/skbuff.c:701 netlink_broadcast_filtered+0x2b7/0xa30 net/netlink/af_netlink.c:1488 kobject_uevent_env+0x793/0xc40 lib/kobject_uevent.c:492 loop_set_fd drivers/block/loop.c:938 [inline] lo_ioctl+0xfd9/0x17d0 drivers/block/loop.c:1376 __blkdev_driver_ioctl block/ioctl.c:297 [inline] blkdev_ioctl+0x57d/0x18c0 block/ioctl.c:594 block_ioctl+0xd9/0x120 fs/block_dev.c:1873 vfs_ioctl fs/ioctl.c:46 [inline] file_ioctl fs/ioctl.c:500 [inline] do_vfs_ioctl+0x1a0/0x1030 fs/ioctl.c:684 SYSC_ioctl fs/ioctl.c:701 [inline] SyS_ioctl+0x7e/0xb0 fs/ioctl.c:692 do_syscall_64+0x19b/0x4b0 arch/x86/entry/common.c:289 entry_SYSCALL_64_after_hwframe+0x42/0xb7 The buggy address belongs to the object at ffff8801d07a7680 which belongs to the cache kmalloc-512 of size 512 The buggy address is located 7 bytes to the right of 512-byte region [ffff8801d07a7680, ffff8801d07a7880) The buggy address belongs to the page: page:ffffea000741e980 count:1 mapcount:0 mapping: (null) index:0x0 compound_mapcount: 0 flags: 0x4000000000008100(slab|head) raw: 4000000000008100 0000000000000000 0000000000000000 00000001000c000c raw: ffffea000719f000 0000000600000006 ffff8801da802c00 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d07a7780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d07a7800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801d07a7880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8801d07a7900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801d07a7980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2018/10/28 00:47 | android-4.14 | 4ed22187defd | 8efba39a | .config | console log | report | ci-android-414-kasan-gce-root | |||||
| 2018/10/27 18:39 | android-4.14 | 4ed22187defd | 8efba39a | .config | console log | report | ci-android-414-kasan-gce-root | |||||
| 2018/10/24 00:10 | android-4.14 | ff26b00b484b | a8292de9 | .config | console log | report | ci-android-414-kasan-gce-root | |||||
| 2018/10/23 01:05 | android-4.14 | a3ac63b18873 | ecb386fe | .config | console log | report | ci-android-414-kasan-gce-root |