syzbot

KASAN: use-after-free Read in bpf_skb_change_head

Status: public: reported C repro on 2019/11/25 04:56
Reported-by: syzbot+0b10a314a275d88a6cf6@syzkaller.appspotmail.com
First crash: 1607d, last: 1607d

Sample crash report:
audit: type=1400 audit(1574655995.059:8): avc:  denied  { prog_load } for  pid=1784 comm="syz-executor596" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
==================================================================
audit: type=1400 audit(1574655995.099:9): avc:  denied  { prog_run } for  pid=1784 comm="syz-executor596" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
BUG: KASAN: use-after-free in ____bpf_skb_change_head net/core/filter.c:2423 [inline]
BUG: KASAN: use-after-free in bpf_skb_change_head+0x4ea/0x600 net/core/filter.c:2419
Read of size 4 at addr ffff8881d3a09e78 by task syz-executor596/1784

CPU: 0 PID: 1784 Comm: syz-executor596 Not tainted 4.14.155-syzkaller #0
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xe5/0x154 lib/dump_stack.c:58
 print_address_description+0x60/0x226 mm/kasan/report.c:187
 __kasan_report.cold+0x1a/0x41 mm/kasan/report.c:316
 ____bpf_skb_change_head net/core/filter.c:2423 [inline]
 bpf_skb_change_head+0x4ea/0x600 net/core/filter.c:2419
 ___bpf_prog_run+0x2478/0x5510 kernel/bpf/core.c:1095

Allocated by task 1591:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_kmalloc.part.0+0x53/0xc0 mm/kasan/common.c:501
 slab_post_alloc_hook mm/slab.h:439 [inline]
 slab_alloc_node mm/slub.c:2792 [inline]
 slab_alloc mm/slub.c:2800 [inline]
 kmem_cache_alloc+0xee/0x360 mm/slub.c:2805
 anon_vma_chain_alloc mm/rmap.c:129 [inline]
 anon_vma_fork+0x1d3/0x470 mm/rmap.c:344
 dup_mmap kernel/fork.c:674 [inline]
 dup_mm kernel/fork.c:1213 [inline]
 copy_mm kernel/fork.c:1268 [inline]
 copy_process.part.0+0x2854/0x66c0 kernel/fork.c:1895
 copy_process kernel/fork.c:1679 [inline]
 _do_fork+0x197/0xce0 kernel/fork.c:2220
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

Freed by task 1746:
 save_stack mm/kasan/common.c:76 [inline]
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x164/0x210 mm/kasan/common.c:463
 slab_free_hook mm/slub.c:1407 [inline]
 slab_free_freelist_hook mm/slub.c:1458 [inline]
 slab_free mm/slub.c:3039 [inline]
 kmem_cache_free+0xd7/0x3b0 mm/slub.c:3055
 anon_vma_chain_free mm/rmap.c:134 [inline]
 unlink_anon_vmas+0x45f/0x7e0 mm/rmap.c:419
 free_pgtables+0xab/0x1c0 mm/memory.c:643
 exit_mmap+0x222/0x440 mm/mmap.c:3078
 __mmput kernel/fork.c:940 [inline]
 mmput+0xeb/0x370 kernel/fork.c:961
 exec_mmap fs/exec.c:1039 [inline]
 flush_old_exec+0x80d/0x1a50 fs/exec.c:1271
 load_elf_binary+0x84f/0x46e0 fs/binfmt_elf.c:855
 search_binary_handler fs/exec.c:1638 [inline]
 search_binary_handler+0x13f/0x6d0 fs/exec.c:1616
 load_script+0x566/0x780 fs/binfmt_script.c:148
 search_binary_handler fs/exec.c:1638 [inline]
 search_binary_handler+0x13f/0x6d0 fs/exec.c:1616
 exec_binprm fs/exec.c:1680 [inline]
 do_execveat_common.isra.0+0xf73/0x1bb0 fs/exec.c:1802
 do_execve fs/exec.c:1847 [inline]
 SYSC_execve fs/exec.c:1928 [inline]
 SyS_execve+0x34/0x40 fs/exec.c:1923
 do_syscall_64+0x19b/0x520 arch/x86/entry/common.c:292
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
 0xffffffffffffffff

The buggy address belongs to the object at ffff8881d3a09e40
 which belongs to the cache anon_vma_chain of size 64
The buggy address is located 56 bytes inside of
 64-byte region [ffff8881d3a09e40, ffff8881d3a09e80)
The buggy address belongs to the page:
page:ffffea00074e8240 count:1 mapcount:0 mapping:          (null) index:0x0
flags: 0x4000000000000200(slab)
raw: 4000000000000200 0000000000000000 0000000000000000 00000001002a002a
raw: 0000000000000000 0000000100000001 ffff8881da823000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8881d3a09d00: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8881d3a09d80: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
>ffff8881d3a09e00: fb fb fb fb fc fc fc fc fb fb fb fb fb fb fb fb
                                                                ^
 ffff8881d3a09e80: fc fc fc fc fb fb fb fb fb fb fb fb fc fc fc fc
 ffff8881d3a09f00: fb fb fb fb fb fb fb fb fc fc fc fc fb fb fb fb
==================================================================

Crashes (2):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2019/11/25 04:29 | android-4.14 | 437a2a739c5f | 598ca6c8 | .config | console log | report | syz | C | | | ci-android-414-kasan-gce-root |
2019/11/25 03:55 | android-4.14 | 437a2a739c5f | 598ca6c8 | .config | console log | report | | | | | ci-android-414-kasan-gce-root |
* Struck through repros no longer work on HEAD.