KASAN: slab-out-of-bounds Read in decode

KASAN: slab-out-of-bounds Read in decode_session6
Status: upstream: reported C repro on 2020/06/27 07:18
Reported-by: syzbot+2bcc71839223ec82f056@syzkaller.appspotmail.com
First crash: 256d, last: 6d17h

Cause bisection: failed (bisect log)

Fix bisection: failed (bisect log)

Sample crash report:

==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6+0xe7c/0x1580 net/xfrm/xfrm_policy.c:3393
Read of size 1 at addr ffff8880247cb8af by task syz-executor222/8528

CPU: 0 PID: 8528 Comm: syz-executor222 Not tainted 5.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 decode_session6+0xe7c/0x1580 net/xfrm/xfrm_policy.c:3393
 __xfrm_decode_session net/xfrm/xfrm_policy.c:3485 [inline]
 __xfrm_policy_check+0x2fa/0x2850 net/xfrm/xfrm_policy.c:3540
 __xfrm_policy_check2 include/net/xfrm.h:1097 [inline]
 xfrm_policy_check include/net/xfrm.h:1106 [inline]
 sctp_rcv+0x12b0/0x2e30 net/sctp/input.c:202
 sctp6_rcv+0x22/0x40 net/sctp/ipv6.c:1078
 ip6_protocol_deliver_rcu+0x2e8/0x1680 net/ipv6/ip6_input.c:433
 ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
 dst_input include/net/dst.h:449 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5315
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5429
 process_backlog+0x232/0x6c0 net/core/dev.c:6319
 napi_poll net/core/dev.c:6763 [inline]
 net_rx_action+0x4dc/0x1100 net/core/dev.c:6833
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:343 [inline]
 do_softirq+0xb5/0xe0 kernel/softirq.c:330
 __local_bh_enable_ip+0xf0/0x110 kernel/softirq.c:195
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
 ip6_finish_output2+0x71f/0x16c0 net/ipv6/ip6_output.c:118
 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
 __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_xmit+0x1258/0x1e80 net/ipv6/ip6_output.c:280
 sctp_v6_xmit+0xbf3/0xfe0 net/sctp/ipv6.c:223
 sctp_packet_transmit+0x1f44/0x32f0 net/sctp/output.c:627
 sctp_packet_singleton net/sctp/outqueue.c:773 [inline]
 sctp_outq_flush_ctrl.constprop.0+0x6d3/0xc40 net/sctp/outqueue.c:904
 sctp_outq_flush+0xf3/0x2580 net/sctp/outqueue.c:1186
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1801 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x74e/0x5130 net/sctp/sm_sideeffect.c:1156
 sctp_primitive_ASSOCIATE+0x98/0xc0 net/sctp/primitive.c:73
 sctp_sendmsg_to_asoc+0xb5b/0x2140 net/sctp/socket.c:1823
 sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2013
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:817
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 __sys_sendto+0x21c/0x320 net/socket.c:1992
 __do_sys_sendto net/socket.c:2004 [inline]
 __se_sys_sendto net/socket.c:2000 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2000
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441759
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc188919d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007ffc188919f0 RCX: 0000000000441759
RDX: 0000000000034000 RSI: 0000000020847fff RDI: 0000000000000004
RBP: 0000000000000000 R08: 000000002005ffe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402f60
R13: 0000000000402ff0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:557 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1279
 vfs_getattr fs/stat.c:121 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:189
 vfs_fstatat fs/stat.c:207 [inline]
 vfs_lstat include/linux/fs.h:3109 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:362
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3142 [inline]
 kfree+0xdb/0x360 mm/slub.c:4124
 tomoyo_realpath_from_path+0x191/0x620 security/tomoyo/realpath.c:291
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1279
 vfs_getattr fs/stat.c:121 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:189
 vfs_fstatat fs/stat.c:207 [inline]
 vfs_lstat include/linux/fs.h:3109 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:362
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880247ca000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2223 bytes to the right of
 4096-byte region [ffff8880247ca000, ffff8880247cb000)
The buggy address belongs to the page:
page:00000000ecac6d17 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x247c8
head:00000000ecac6d17 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010042140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880247cb780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880247cb800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880247cb880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff8880247cb900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880247cb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (97):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-net-kasan-gce	2020/11/01 14:29	net-next	c43fd36f	8bc4594f	.config	log	report	syz	C
ci-qemu-upstream-386	2021/02/05 10:56	upstream	dd86e7fa	23a562df	.config	log	report			info	KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce	2021/03/01 05:26	net	447621e3	4c37c133	.config	log	report			info	KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce	2021/02/11 14:07	net-next	e4b62cf7	a52ee10a	.config	log	report			info	KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce-selinux-root	2020/12/14 00:06	upstream	6bff9bb8	b22a7ec3	.config	log	report			info
ci-upstream-kasan-gce-selinux-root	2020/12/06 08:53	upstream	33256ce1	f12ba0c5	.config	log	report			info
ci-upstream-kasan-gce	2020/10/09 12:33	upstream	583090b1	d81b165e	.config	log	report			info
ci-upstream-kasan-gce-root	2020/09/23 13:59	upstream	805c6d3c	287cd75a	.config	log	report			info
ci-upstream-kasan-gce-386	2020/09/28 22:07	upstream	a1b8638b	6bfdbe89	.config	log	report			info
ci-upstream-net-this-kasan-gce	2020/12/10 08:00	net	323a391a	c090b4da	.config	log	report			info
ci-upstream-net-this-kasan-gce	2020/12/09 19:58	net	72d05c00	c090b4da	.config	log	report			info
ci-upstream-net-this-kasan-gce	2020/10/04 16:59	net	1f7e877c	5ef9c291	.config	log	report			info
ci-upstream-net-this-kasan-gce	2020/06/24 22:18	net	b835a71e	54566aff	.config	log	report
ci-upstream-net-kasan-gce	2020/11/22 13:05	net-next	7609ecb2	0d27f508	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/10 10:48	net-next	8be33ecf	cca87986	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/05 20:09	net-next	b65ca4c3	64069d48	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/05 06:48	net-next	2c24eefb	64069d48	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/05 01:02	net-next	2c24eefb	64069d48	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/04 21:25	net-next	3fb6928b	64069d48	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/04 18:57	net-next	3fb6928b	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/04 17:25	net-next	3fb6928b	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/04 13:32	net-next	3fb6928b	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/04 09:18	net-next	3fb6928b	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/04 06:23	net-next	3fb6928b	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/03 18:45	net-next	6d89076e	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/03 09:04	net-next	760b3d61	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/03 07:46	net-next	760b3d61	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/03 05:41	net-next	760b3d61	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/03 01:31	net-next	760b3d61	cba33199	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/02 20:47	net-next	c43fd36f	8bc4594f	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/02 14:40	net-next	c43fd36f	8bc4594f	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/02 07:40	net-next	c43fd36f	8bc4594f	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/01 13:37	net-next	c43fd36f	8bc4594f	.config	log	report			info
ci-upstream-net-kasan-gce	2020/11/01 06:08	net-next	c43fd36f	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/06 04:33	linux-next	0a6f624a	64069d48	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/05 22:41	linux-next	0a6f624a	64069d48	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/05 11:42	linux-next	0a6f624a	64069d48	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/05 09:01	linux-next	0a6f624a	64069d48	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/04 22:56	linux-next	cf7cd542	64069d48	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/04 10:21	linux-next	cf7cd542	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/04 08:17	linux-next	cf7cd542	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/04 01:59	linux-next	c5058516	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/03 12:09	linux-next	c5058516	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/03 11:33	linux-next	c5058516	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/03 10:31	linux-next	c5058516	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/03 03:37	linux-next	b49976d8	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/03 02:36	linux-next	b49976d8	cba33199	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 09:55	linux-next	b49976d8	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 09:48	linux-next	b49976d8	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 09:38	linux-next	b49976d8	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 09:21	linux-next	b49976d8	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 09:14	linux-next	b49976d8	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 09:08	linux-next	b49976d8	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 08:32	linux-next	b49976d8	8bc4594f	.config	log	report			info
ci-upstream-linux-next-kasan-gce-root	2020/11/02 08:14	linux-next	b49976d8	8bc4594f	.config	log	report			info