syzbot


KASAN: slab-out-of-bounds Read in corrupted (2)

Status: fixed on 2019/08/27 17:15
Subsystems: hardening mm
Reported-by: syzbot+9a901acbc447313bfe3e@syzkaller.appspotmail.com
Fix commit: 95fa145479fb bpf: sockmap/tls, close can race with map free
First crash: 1785d, last: 1735d
Cause bisection: introduced by (bisect log):
commit d40b0116c94bd8fc2b63aae35ce8e66bb53bba42
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu Aug 16 19:49:08 2018 +0000

  bpf, sockmap: fix leakage of smap_psock_map_entry

Crash: KASAN: use-after-free Read in psock_map_pop (log)
Repro: syz .config
Discussions (3)
| Title | Replies (including bot) | Last reply |
|---|---|---|
| Reminder: 36 open syzbot bugs in "net/bpf" subsystem | 1 (1) | 2019/07/03 06:01 |
| Reminder: 30 open syzbot bugs in "net/bpf" subsystem | 1 (1) | 2019/06/24 05:01 |
| KASAN: slab-out-of-bounds Read in corrupted (2) | 1 (3) | 2019/06/06 21:26 |
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in corrupted kernel C 1 2108d 2108d 8/26 fixed on 2018/08/07 13:43

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in vsnprintf+0x1086/0x1c50 lib/vsprintf.c:2503
Read of size 8 at addr ffff8880895a18b8 by task syz-executor.1/10666

CPU: 0 PID: 10666 Comm: syz-executor.1 Not tainted 5.3.0-rc1+ #50
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:

Allocated by task 0:
(stack is not available)

Freed by task 8:
(stack is not available)

The buggy address belongs to the object at ffff8880895a0580
 which belongs to the cache names_cache of size 4096
The buggy address is located 824 bytes to the right of
 4096-byte region [ffff8880895a0580, ffff8880895a1580)
The buggy address belongs to the page:
page:ffffea0002256800 refcount:1 mapcount:0 mapping:ffff8880aa5918c0 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea000246f288 ffffea000246f888 ffff8880aa5918c0
raw: 0000000000000000 ffff8880895a0580 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880895a1780: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
 ffff8880895a1800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880895a1880: fc fc fc fc fc fc fc fc 00 00 00 00 f1 f1 f1 f1
                                        ^
 ffff8880895a1900: 00 00 00 f3 f3 f3 f3 f3 fc fc fc fc fc fc fc fc
 ffff8880895a1980: fc fc fc fc fc fc fc fc 00 00 00 00 f1 f1 f1 f1
==================================================================

Crashes (3):
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2019/07/26 06:39 | upstream | 6789f873ed37 | 732bc5a0 | .config | console log | report | syz | | | | ci-upstream-kasan-gce-smack-root | |
| 2019/06/06 10:38 | upstream | 156c05917e09 | a547defc | .config | console log | report | syz | | | | ci-upstream-kasan-gce-selinux-root | |
| 2019/07/07 21:33 | linux-next | f9ca7f5a1eb9 | f62e1e85 | .config | console log | report | syz | | | | ci-upstream-linux-next-kasan-gce-root | |
* Struck through repros no longer work on HEAD.