syzbot

 sign-in | mailing list | source | docs
🐞 Open [979] Subsystems 🐞 Fixed [5235] 🐞 Invalid [12492] Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

general protection fault in xt_rateest_tg_checkentry

Status: fixed on 2020/02/18 14:31
Subsystems: netfilter
[Documentation on labels]
Reported-by: syzbot+d7358a458d8a81aee898@syzkaller.appspotmail.com
Fix commit: 1b789577f655 netfilter: arp_tables: init netns pointer in xt_tgchk_param struct
First crash: 1580d, last: 1569d
Cause bisection: introduced by (bisect log) :
commit 3427b2ab63faccafe774ea997fc2da7faf690c5a
Author: Cong Wang <xiyou.wangcong@gmail.com>
Date: Fri Mar 2 02:58:38 2018 +0000

  netfilter: make xt_rateest hash table per net

Crash: general protection fault in xt_rateest_tg_checkentry (log)
Repro: C syz .config
  
Duplicate bugs (1)
duplicates (1):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
general protection fault in nf_ct_netns_do_get netfilter C done 7 1566d 1578d 0/26 closed as dup on 2020/01/07 13:55
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 3.16 000/245] 3.16.83-rc1 review 260 (260) 2020/04/24 17:54
[PATCH 5.4 00/78] 5.4.12-stable review 107 (107) 2020/02/11 15:01
[PATCH 4.19 00/46] 4.19.96-stable review 51 (51) 2020/01/15 02:09
[PATCH 4.14 00/39] 4.14.165-stable review 44 (44) 2020/01/15 02:08
[PATCH 4.9 00/31] 4.9.210-stable review 36 (36) 2020/01/15 02:08
[PATCH 4.4 00/28] 4.4.210-stable review 33 (33) 2020/01/15 02:08
[PATCH 0/9] Netfilter fixes for net 11 (11) 2020/01/08 23:22
[PATCH nf] netfilter: arp_tables: init netns pointer in xt_tgchk_param struct 3 (3) 2019/12/30 12:09
general protection fault in xt_rateest_tg_checkentry 1 (3) 2019/12/27 03:50
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 general protection fault in xt_rateest_tg_checkentry C done 12 1563d 1579d 1/1 fixed on 2020/02/11 06:56

Sample crash report:
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 9641 Comm: syz-executor116 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:net_generic include/net/netns/generic.h:45 [inline]
RIP: 0010:xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
Code: 29 54 01 fb 45 84 f6 0f 84 08 07 00 00 e8 db 52 01 fb 49 8d bd 68 13 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 08 00 00 4d 8b ad 68 13 00 00 e8 cd 8b ed fa
RSP: 0018:ffffc90001dd7788 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffc90001dd7ae8 RCX: ffffffff8673e16e
RDX: 000000000000026d RSI: ffffffff8673da55 RDI: 0000000000001368
RBP: ffffc90001dd7848 R08: ffff888095520000 R09: ffffed1015d2703d
R10: ffffed1015d2703c R11: ffff8880ae9381e3 R12: 000000000000002d
R13: 0000000000000000 R14: 0000000000000001 R15: ffffc90001dd7820
FS:  00000000019c0880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000920 CR3: 000000009feb6000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 xt_check_target+0x283/0x690 net/netfilter/x_tables.c:1019
 check_target net/ipv4/netfilter/arp_tables.c:399 [inline]
 find_check_entry net/ipv4/netfilter/arp_tables.c:422 [inline]
 translate_table+0x1005/0x1d70 net/ipv4/netfilter/arp_tables.c:572
 do_replace net/ipv4/netfilter/arp_tables.c:977 [inline]
 do_arpt_set_ctl+0x310/0x640 net/ipv4/netfilter/arp_tables.c:1456
 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
 nf_setsockopt+0x77/0xd0 net/netfilter/nf_sockopt.c:115
 ip_setsockopt net/ipv4/ip_sockglue.c:1260 [inline]
 ip_setsockopt+0xdf/0x100 net/ipv4/ip_sockglue.c:1240
 udp_setsockopt+0x68/0xb0 net/ipv4/udp.c:2639
 sock_common_setsockopt+0x94/0xd0 net/core/sock.c:3149
 __sys_setsockopt+0x261/0x4c0 net/socket.c:2117
 __do_sys_setsockopt net/socket.c:2133 [inline]
 __se_sys_setsockopt net/socket.c:2130 [inline]
 __x64_sys_setsockopt+0xbe/0x150 net/socket.c:2130
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4412e9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffc60692f8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004412e9
RDX: 0000000000000060 RSI: 0a02000000000000 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 0000000000000408 R09: 00000000004002c8
R10: 0000000020000900 R11: 0000000000000246 R12: 0000000000402b70
R13: 0000000000402c00 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 80934a91af76ddeb ]---
RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
RIP: 0010:net_generic include/net/netns/generic.h:45 [inline]
RIP: 0010:xt_rateest_tg_checkentry+0x11d/0xb40 net/netfilter/xt_RATEEST.c:109
Code: 29 54 01 fb 45 84 f6 0f 84 08 07 00 00 e8 db 52 01 fb 49 8d bd 68 13 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 f4 08 00 00 4d 8b ad 68 13 00 00 e8 cd 8b ed fa
RSP: 0018:ffffc90001dd7788 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffffc90001dd7ae8 RCX: ffffffff8673e16e
RDX: 000000000000026d RSI: ffffffff8673da55 RDI: 0000000000001368
RBP: ffffc90001dd7848 R08: ffff888095520000 R09: ffffed1015d2703d
R10: ffffed1015d2703c R11: ffff8880ae9381e3 R12: 000000000000002d
R13: 0000000000000000 R14: 0000000000000001 R15: ffffc90001dd7820
FS:  00000000019c0880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000920 CR3: 000000009feb6000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Crashes (12):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2020/01/06 07:32 upstream c79f46a28239 438e1227 .config console log report syz C ci-upstream-kasan-gce-root
2020/01/06 05:30 upstream c79f46a28239 438e1227 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/06 05:29 upstream c79f46a28239 438e1227 .config console log report syz C ci-upstream-kasan-gce
2019/12/26 19:16 upstream 46cf053efec6 be5c2c81 .config console log report syz C ci-upstream-kasan-gce
2019/12/26 17:48 upstream 46cf053efec6 be5c2c81 .config console log report syz C ci-upstream-kasan-gce-root
2019/12/26 17:33 upstream 46cf053efec6 be5c2c81 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2020/01/05 21:07 net-old b54ef37b1ce8 d646e21f .config console log report syz C ci-upstream-net-this-kasan-gce
2019/12/26 17:48 net-old 095e90e080a5 be5c2c81 .config console log report syz C ci-upstream-net-this-kasan-gce
2020/01/05 21:01 net-next-old 4460985fac06 d646e21f .config console log report syz C ci-upstream-net-kasan-gce
2019/12/26 17:48 net-next-old 9f6cff995e98 be5c2c81 .config console log report syz C ci-upstream-net-kasan-gce
2020/01/02 10:29 linux-next 7ddd09fc4b74 25a0186e .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/12/26 17:16 upstream 46cf053efec6 be5c2c81 .config console log report ci-upstream-kasan-gce-selinux-root
* Struck through repros no longer work on HEAD.