syzbot


KASAN: slab-out-of-bounds Read in decode_session6

Status: upstream: reported C repro on 2020/06/27 07:18
Reported-by: syzbot+2bcc71839223ec82f056@syzkaller.appspotmail.com
First crash: 889d, last: 12h14m

Cause bisection: failed (bisect log)

Fix bisection: failed (bisect log)
similar bugs (1):
Kernel: upstream
Title: KASAN: use-after-free Read in decode_session6
Repro: C
Cause bisect: done
Count: 152
Last: 677d
Reported: 884d
Patched: 21/24
Status: fixed on 2021/03/10 01:48
Patch testing requests:
Created: 2021/04/15 14:11
Duration: 15m
User: alaaemadhossney.ae@gmail.com
Repo: upstream
Result: OK

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in decode_session6+0xe7c/0x1580 net/xfrm/xfrm_policy.c:3393
Read of size 1 at addr ffff8880247cb8af by task syz-executor222/8528

CPU: 0 PID: 8528 Comm: syz-executor222 Not tainted 5.10.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xae/0x4c8 mm/kasan/report.c:385
 __kasan_report mm/kasan/report.c:545 [inline]
 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:562
 decode_session6+0xe7c/0x1580 net/xfrm/xfrm_policy.c:3393
 __xfrm_decode_session net/xfrm/xfrm_policy.c:3485 [inline]
 __xfrm_policy_check+0x2fa/0x2850 net/xfrm/xfrm_policy.c:3540
 __xfrm_policy_check2 include/net/xfrm.h:1097 [inline]
 xfrm_policy_check include/net/xfrm.h:1106 [inline]
 sctp_rcv+0x12b0/0x2e30 net/sctp/input.c:202
 sctp6_rcv+0x22/0x40 net/sctp/ipv6.c:1078
 ip6_protocol_deliver_rcu+0x2e8/0x1680 net/ipv6/ip6_input.c:433
 ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
 dst_input include/net/dst.h:449 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5315
 __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5429
 process_backlog+0x232/0x6c0 net/core/dev.c:6319
 napi_poll net/core/dev.c:6763 [inline]
 net_rx_action+0x4dc/0x1100 net/core/dev.c:6833
 __do_softirq+0x2a0/0x9f6 kernel/softirq.c:298
 asm_call_irq_on_stack+0xf/0x20
 </IRQ>
 __run_on_irqstack arch/x86/include/asm/irq_stack.h:26 [inline]
 run_on_irqstack_cond arch/x86/include/asm/irq_stack.h:77 [inline]
 do_softirq_own_stack+0xaa/0xd0 arch/x86/kernel/irq_64.c:77
 do_softirq kernel/softirq.c:343 [inline]
 do_softirq+0xb5/0xe0 kernel/softirq.c:330
 __local_bh_enable_ip+0xf0/0x110 kernel/softirq.c:195
 local_bh_enable include/linux/bottom_half.h:32 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:730 [inline]
 ip6_finish_output2+0x71f/0x16c0 net/ipv6/ip6_output.c:118
 __ip6_finish_output net/ipv6/ip6_output.c:143 [inline]
 __ip6_finish_output+0x447/0xab0 net/ipv6/ip6_output.c:128
 ip6_finish_output+0x34/0x1f0 net/ipv6/ip6_output.c:153
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x1db/0x520 net/ipv6/ip6_output.c:176
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK include/linux/netfilter.h:301 [inline]
 NF_HOOK include/linux/netfilter.h:295 [inline]
 ip6_xmit+0x1258/0x1e80 net/ipv6/ip6_output.c:280
 sctp_v6_xmit+0xbf3/0xfe0 net/sctp/ipv6.c:223
 sctp_packet_transmit+0x1f44/0x32f0 net/sctp/output.c:627
 sctp_packet_singleton net/sctp/outqueue.c:773 [inline]
 sctp_outq_flush_ctrl.constprop.0+0x6d3/0xc40 net/sctp/outqueue.c:904
 sctp_outq_flush+0xf3/0x2580 net/sctp/outqueue.c:1186
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1801 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x74e/0x5130 net/sctp/sm_sideeffect.c:1156
 sctp_primitive_ASSOCIATE+0x98/0xc0 net/sctp/primitive.c:73
 sctp_sendmsg_to_asoc+0xb5b/0x2140 net/sctp/socket.c:1823
 sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2013
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:817
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:671
 __sys_sendto+0x21c/0x320 net/socket.c:1992
 __do_sys_sendto net/socket.c:2004 [inline]
 __se_sys_sendto net/socket.c:2000 [inline]
 __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2000
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441759
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc188919d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007ffc188919f0 RCX: 0000000000441759
RDX: 0000000000034000 RSI: 0000000020847fff RDI: 0000000000000004
RBP: 0000000000000000 R08: 000000002005ffe4 R09: 000000000000001c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402f60
R13: 0000000000402ff0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track mm/kasan/common.c:56 [inline]
 __kasan_kmalloc.constprop.0+0xc2/0xd0 mm/kasan/common.c:461
 kmalloc include/linux/slab.h:557 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1279
 vfs_getattr fs/stat.c:121 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:189
 vfs_fstatat fs/stat.c:207 [inline]
 vfs_lstat include/linux/fs.h:3109 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:362
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
 __kasan_slab_free+0x102/0x140 mm/kasan/common.c:422
 slab_free_hook mm/slub.c:1544 [inline]
 slab_free_freelist_hook+0x5d/0x150 mm/slub.c:1577
 slab_free mm/slub.c:3142 [inline]
 kfree+0xdb/0x360 mm/slub.c:4124
 tomoyo_realpath_from_path+0x191/0x620 security/tomoyo/realpath.c:291
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1279
 vfs_getattr fs/stat.c:121 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:189
 vfs_fstatat fs/stat.c:207 [inline]
 vfs_lstat include/linux/fs.h:3109 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:362
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

The buggy address belongs to the object at ffff8880247ca000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 2223 bytes to the right of
 4096-byte region [ffff8880247ca000, ffff8880247cb000)
The buggy address belongs to the page:
page:00000000ecac6d17 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x247c8
head:00000000ecac6d17 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010042140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880247cb780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880247cb800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880247cb880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff8880247cb900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880247cb980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
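The numbers in a KASAN report are derived from one another, and checking that they agree is the first step of triage. The helper below is an added example, not part of syzbot or the kernel tree. It parses the lines of the sample report above (the caret line is rebuilt with an explicit space count so an editor cannot trim it), recomputes the "2223 bytes to the right" distance from the address and the object region, locates the 8-byte granule under the "^" caret using the column layout of print_memory_metadata() in mm/kasan/report.c, and decodes the shadow byte. The shadow values are the generic-KASAN ones from mm/kasan/kasan.h of the 5.x kernels this report came from; confirm them against your own tree.

```python
"""Consistency check for a generic-KASAN slab-out-of-bounds report.

Added triage helper (not syzbot's or the kernel's code). Parses the
report text, then recomputes every derived number the kernel printed.
"""
import re
from dataclasses import dataclass

# Shadow byte meanings (mm/kasan/kasan.h, generic KASAN, 5.x kernels).
SHADOW = {
    0x00: "addressable",
    0xfa: "freed object (free track set)",
    0xfb: "freed object",
    0xfc: "kmalloc redzone",
    0xfe: "page redzone (kmalloc_large)",
    0xff: "freed page",
}
GRANULE = 8                 # bytes of memory described by one shadow byte
ROW_BYTES = 16 * GRANULE    # one printed row covers 16 granules = 128 bytes

# Lines copied from the sample crash report above. The caret line is
# constructed here as 34 spaces + "^" (its exact width in the report).
SAMPLE = "\n".join([
    "BUG: KASAN: slab-out-of-bounds in decode_session6+0xe7c/0x1580 net/xfrm/xfrm_policy.c:3393",
    "Read of size 1 at addr ffff8880247cb8af by task syz-executor222/8528",
    "The buggy address belongs to the object at ffff8880247ca000",
    " which belongs to the cache kmalloc-4k of size 4096",
    "The buggy address is located 2223 bytes to the right of",
    " 4096-byte region [ffff8880247ca000, ffff8880247cb000)",
    "Memory state around the buggy address:",
    " ffff8880247cb800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    ">ffff8880247cb880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
    " " * 34 + "^",
    " ffff8880247cb900: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc",
])


@dataclass
class KasanReport:
    bug_type: str
    symbol: str
    location: str
    access: str          # "Read" or "Write"
    size: int
    addr: int
    task: str
    region_start: int
    region_end: int      # exclusive, as printed: [start, end)
    rel_bytes: int
    rel_side: str        # "inside", "to the left", "to the right"
    shadow_row: int      # memory address of the ">" row
    shadow: list         # the 16 shadow bytes of that row
    caret_col: int       # 0-based column of "^" on the following line


def shadow_meaning(b):
    if 1 <= b <= 7:
        return f"partial: first {b} of {GRANULE} bytes addressable"
    return SHADOW.get(b, f"unknown 0x{b:02x}")


def parse_report(text):
    lines = text.splitlines()
    m = re.search(r"BUG: KASAN: (\S+) in (\S+) (\S+)", text)
    bug_type, symbol, location = m.groups()
    m = re.search(r"(Read|Write) of size (\d+) at addr ([0-9a-f]+) by task (\S+)", text)
    access, size, addr, task = m.group(1), int(m.group(2)), int(m.group(3), 16), m.group(4)
    m = re.search(r"located (\d+) bytes (inside|to the left|to the right) of", text)
    rel_bytes, rel_side = int(m.group(1)), m.group(2)
    m = re.search(r"region \[([0-9a-f]+), ([0-9a-f]+)\)", text)
    region_start, region_end = int(m.group(1), 16), int(m.group(2), 16)
    for i, line in enumerate(lines):          # ">" marks the row holding addr
        if line.startswith(">"):
            row_addr, _, rest = line[1:].partition(": ")
            shadow_row = int(row_addr, 16)
            shadow = [int(b, 16) for b in rest.split()]
            caret_col = lines[i + 1].index("^")
            break
    else:
        raise ValueError("no '>' shadow row in report")
    return KasanReport(bug_type, symbol, location, access, size, addr, task,
                       region_start, region_end, rel_bytes, rel_side,
                       shadow_row, shadow, caret_col)


def faulting_granule(r):
    """Shadow byte covering addr and its meaning."""
    g = (r.addr - r.shadow_row) // GRANULE
    return r.shadow[g], shadow_meaning(r.shadow[g])


def check(r):
    """Recompute each derived number; returns name -> agrees-with-report."""
    if r.rel_side == "to the right":
        expected = r.addr - r.region_end
    elif r.rel_side == "to the left":
        expected = r.region_start - r.addr
    else:
        expected = r.addr - r.region_start
    granule = (r.addr - r.shadow_row) // GRANULE
    return {
        "distance": expected == r.rel_bytes,
        "row": r.shadow_row <= r.addr < r.shadow_row + ROW_BYTES,
        # print_memory_metadata(): 3 + 16 address chars + 3 chars per granule
        "caret": r.caret_col == 3 + 16 + 3 * granule,
    }


if __name__ == "__main__":
    r = parse_report(SAMPLE)
    print(f"{r.bug_type}: {r.access} of {r.size} at 0x{r.addr:x} in {r.symbol} ({r.location})")
    print(f"{r.rel_bytes} bytes {r.rel_side} of [0x{r.region_start:x}, 0x{r.region_end:x})")
    b, meaning = faulting_granule(r)
    print(f"shadow byte under caret: 0x{b:02x} = {meaning}")
    for name, ok in check(r).items():
        print(f"{name}: {'ok' if ok else 'MISMATCH'}")
```

On this report all three checks agree: 0xffff8880247cb8af minus the region end 0xffff8880247cb000 is 0x8af = 2223, the address falls in the row marked ">", and the caret sits under granule 5 of that row, whose shadow byte 0xfc is a kmalloc redzone. Two caveats for reading the rest of the report: the "Allocated by task 1" and "Freed by task 1" stacks describe the slab object nearest the address (a tomoyo_realpath_from_path buffer that PID 1 already freed), which is how KASAN locates an address outside any live object; they say nothing about which buffer decode_session6 was walking in task 8528. And the crash is on the receive side: the call trace shows the same task's sendto() driving ip6_xmit, the packet looping back through net_rx_action in softirq context, and sctp6_rcv calling xfrm_policy_check, so the reproducer needs no second host.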

Crashes (208):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-net-kasan-gce 2020/11/01 14:29 net-next c43fd36f7fec 8bc4594f .config log report syz C
ci-upstream-kasan-gce-root 2022/09/29 12:11 upstream c3e0e1e23c70 1d385642 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce-root 2022/09/21 14:23 upstream 60891ec99e14 380f82fb .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce-root 2022/09/13 02:16 upstream 6504d82f4440 f371ed7e .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-qemu-upstream 2022/08/25 07:38 upstream c40e8341e3b3 514514f6 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-qemu-upstream 2022/08/22 11:42 upstream 1c23f9e627a7 26a13b38 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce-root 2022/02/25 14:54 upstream 53ab78cd6d5a 7c337266 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce-root 2021/10/24 18:40 upstream 6c62666d8879 282f03fb .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce-selinux-root 2021/10/19 01:12 upstream 519d81956ee2 24dc29db .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-qemu-upstream-386 2022/11/30 13:02 upstream 01f856ae6d0c 4c2a66e8 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-qemu-upstream-386 2022/11/23 05:42 upstream eb7081409f94 75740b3f .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-qemu-upstream-386 2022/10/29 21:46 upstream 200204f56f3b 2a71366b .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce-386 2022/09/16 06:43 upstream 3245cb65fd91 dd9a85ff .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-qemu-upstream-386 2021/11/04 22:41 upstream 7ddb58cb0eca 4c1be0be .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2022/10/11 22:20 net 0cf3cae9697b 1353c374 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2022/09/27 14:29 net 49725ffc15fc 87840e00 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2022/01/19 02:01 net 2836615aa22d 731a2d23 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/26 15:14 net 49573ff7830b 63eeac02 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/25 09:07 net ac132852147a 545ab074 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/22 10:29 net f9390b249c90 4eb20a4e .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/11 07:44 net 0315a075f134 75b04091 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/04 06:38 net 92f62485b371 4c1be0be .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/10/20 15:08 net ba69fd9101f2 418a00eb .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/10/09 08:45 net be0499369d63 efe0f24d .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2022/11/08 07:03 net-next fbeb229a6622 881db35d .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2022/10/17 13:43 net-next 0326074ff465 67cb024c .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2022/10/13 02:09 net-next 0326074ff465 89b5a509 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2022/09/23 05:57 net-next d05d9eb79d0c 0042f2b4 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2022/09/21 10:01 net-next c29b06821590 c4b8ccfd .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2022/08/22 14:29 net-next 917edfb98c48 26a13b38 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2021/12/03 08:53 net-next fc993be36f9e 61f86278 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2021/11/22 00:20 net-next 89f971182417 4eb20a4e .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2021/11/05 14:15 net-next cc0356d6a02e 4c1be0be .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-net-kasan-gce 2021/11/03 08:03 net-next cc0356d6a02e 17f3edd2 .config log report info KASAN: slab-out-of-bounds Read in decode_session6
ci-upstream-kasan-gce 2022/09/02 21:42 upstream 0b3acd1cc022 25194605 .config log report info KASAN: use-after-free Read in decode_session6
ci-qemu-upstream 2022/09/01 13:42 upstream c5e4d5e99162 86c46e46 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-kasan-gce 2022/08/28 05:09 upstream 10d4879f9ef0 07177916 .config log report info KASAN: use-after-free Read in decode_session6
ci-qemu-upstream 2022/07/30 20:57 upstream 620725263f42 fef302b1 .config log report info KASAN: use-after-free Read in decode_session6
ci-qemu-upstream 2022/06/23 08:12 upstream de5c208d533a 912f5df7 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-kasan-gce-root 2022/03/29 16:08 upstream 1930a6e739c4 6bdac766 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-kasan-gce-root 2022/03/28 00:23 upstream f82da161ea75 89bc8608 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-kasan-gce-root 2021/11/05 06:13 upstream d4439a1189f9 4c1be0be .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-kasan-gce-selinux-root 2020/12/14 00:06 upstream 6bff9bb8a292 b22a7ec3 .config log report info
ci-upstream-kasan-gce-386 2021/11/12 03:06 upstream ca2ef2d9f2aa 75b04091 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2022/01/06 05:04 net 502a2ce9cdf4 6acc789a .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/29 08:34 net c5c17547b778 63eeac02 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/18 21:43 net c7521d3aa2fa 31a30fc0 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/11/03 14:04 net db2434343b2c 4c1be0be .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/10/31 06:45 net 6de6e46d27ef 098b5d53 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/10/27 14:52 net 440ffcdd9db4 373bf66b .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2021/10/05 23:44 net a56d447f196f 0a63fd36 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-this-kasan-gce 2020/06/24 22:18 net b835a71ef64a 54566aff .config log report
ci-upstream-net-kasan-gce 2022/10/18 15:48 net-next 0326074ff465 b31320fc .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-kasan-gce 2022/10/16 17:34 net-next 0326074ff465 67cb024c .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-kasan-gce 2022/06/03 13:29 net-next 58f9d52ff689 eee80d3c .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-kasan-gce 2022/01/12 21:23 net-next fe8152b38d3a 44d1319a .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-kasan-gce 2021/12/01 00:28 net-next 72a2ff567fc3 80270552 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-kasan-gce 2021/11/29 21:33 net-next 2f7ed29f2c54 d0830353 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-kasan-gce 2021/11/02 01:02 net-next c07c6e8eb4b3 098b5d53 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-net-kasan-gce 2021/10/28 13:15 net-next 911e3a46fb38 be531bb4 .config log report info KASAN: use-after-free Read in decode_session6
ci-upstream-linux-next-kasan-gce-root 2021/09/08 14:09 linux-next 999569d59a0a e2776ee4 .config log report info KASAN: use-after-free Read in decode_session6