syzbot


KASAN: use-after-free Read in eth_header_parse_protocol

Status: fixed on 2021/11/10 00:50
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 61431a5907fc net: ensure mac header is set in virtio_net_hdr_to_skb()
First crash: 698d, last: 652d

Cause bisection: introduced by (bisect log) :
commit 924a9bc362a5223cd448ca08c3dde21235adc310
Author: Balazs Nemeth <bnemeth@redhat.com>
Date: Tue Mar 9 11:31:00 2021 +0000

  net: check if protocol extracted by virtio_net_hdr_set_proto is correct

Crash: KASAN: use-after-free Read in eth_header_parse_protocol (log)
Repro: C syz .config
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-54 KASAN: use-after-free Read in eth_header_parse_protocol C 532 661d 691d 1/2 fixed on 2021/10/12 13:38

Sample crash report:
netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
==================================================================
BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282
Read of size 2 at addr ffff88802732400b by task syz-executor512/8395

CPU: 0 PID: 8395 Comm: syz-executor512 Not tainted 5.12.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x141/0x1d7 lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
 __kasan_report mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
 eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282
 dev_parse_header_protocol include/linux/netdevice.h:3179 [inline]
 virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0 include/linux/virtio_net.h:83
 packet_snd net/packet/af_packet.c:2994 [inline]
 packet_sendmsg+0x2325/0x52b0 net/packet/af_packet.c:3031
 sock_sendmsg_nosec net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2433
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x44a969
Code: 28 c3 e8 3a 18 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffec5a44238 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007ffec5a44268 RCX: 000000000044a969
RDX: 0000000000034000 RSI: 0000000020000440 RDI: 0000000000000003
RBP: 0000000000000003 R08: 0000000000000001 R09: 0000000000000001
R10: 0000000000000004 R11: 0000000000000246 R12: 00007ffec5a44290
R13: 0000000000000003 R14: 00007ffec5a44270 R15: 0000000000000001

Allocated by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track mm/kasan/common.c:46 [inline]
 set_alloc_info mm/kasan/common.c:427 [inline]
 ____kasan_kmalloc mm/kasan/common.c:506 [inline]
 ____kasan_kmalloc mm/kasan/common.c:465 [inline]
 __kasan_kmalloc+0x99/0xc0 mm/kasan/common.c:515
 kmalloc include/linux/slab.h:559 [inline]
 tomoyo_realpath_from_path+0xc3/0x620 security/tomoyo/realpath.c:254
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1288
 vfs_getattr fs/stat.c:131 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:199
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:372
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 1:
 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:38
 kasan_set_track+0x1c/0x30 mm/kasan/common.c:46
 kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:357
 ____kasan_slab_free mm/kasan/common.c:360 [inline]
 ____kasan_slab_free mm/kasan/common.c:325 [inline]
 __kasan_slab_free+0xf5/0x130 mm/kasan/common.c:367
 kasan_slab_free include/linux/kasan.h:199 [inline]
 slab_free_hook mm/slub.c:1562 [inline]
 slab_free_freelist_hook+0x92/0x210 mm/slub.c:1600
 slab_free mm/slub.c:3161 [inline]
 kfree+0xe5/0x7f0 mm/slub.c:4213
 tomoyo_realpath_from_path+0x191/0x620 security/tomoyo/realpath.c:291
 tomoyo_get_realpath security/tomoyo/file.c:151 [inline]
 tomoyo_path_perm+0x21b/0x400 security/tomoyo/file.c:822
 security_inode_getattr+0xcf/0x140 security/security.c:1288
 vfs_getattr fs/stat.c:131 [inline]
 vfs_statx+0x164/0x390 fs/stat.c:199
 vfs_fstatat fs/stat.c:217 [inline]
 vfs_lstat include/linux/fs.h:3240 [inline]
 __do_sys_newlstat+0x91/0x110 fs/stat.c:372
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888027324000
 which belongs to the cache kmalloc-4k of size 4096
The buggy address is located 11 bytes inside of
 4096-byte region [ffff888027324000, ffff888027325000)
The buggy address belongs to the page:
page:ffffea00009cc800 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x27320
head:ffffea00009cc800 order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfff00000010200(slab|head)
raw: 00fff00000010200 dead000000000100 dead000000000122 ffff888010842140
raw: 0000000000000000 0000000000040004 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff888027323f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff888027323f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff888027324000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                      ^
 ffff888027324080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff888027324100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Crashes (1453):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-kasan-gce 2021/03/26 00:06 upstream e138138003eb 6a383ecf .config console log report syz C KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-root 2021/03/10 21:55 upstream 05a59d79793d 764067f3 .config console log report syz C KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-this-kasan-gce 2021/03/31 03:04 net 6e5a03bcba44 6a81331a .config console log report syz C KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-this-kasan-gce 2021/03/11 00:28 net 05a59d79793d 764067f3 .config console log report syz C KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/10 14:19 net-next 626b598aa8be bfeda1b1 .config console log report syz C KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/03/31 04:39 net-next 37f368d8d09d 6a81331a .config console log report syz C KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/03/12 03:24 net-next ee47ed08d75e 429d8a6b .config console log report syz C KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-this-kasan-gce 2021/03/11 01:46 net 05a59d79793d 764067f3 .config console log report syz C KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/10 15:43 net-next 626b598aa8be bfeda1b1 .config console log report syz C KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/03/31 11:02 net-next 37f368d8d09d 6a81331a .config console log report syz C KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-kasan-gce-smack-root 2021/04/10 06:57 upstream 17e7124aad76 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce 2021/04/10 05:27 upstream 17e7124aad76 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce 2021/04/10 02:21 upstream 17e7124aad76 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce 2021/04/10 01:18 upstream 17e7124aad76 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-selinux-root 2021/04/09 21:35 upstream 17e7124aad76 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-selinux-root 2021/04/09 19:25 upstream 17e7124aad76 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-smack-root 2021/04/09 08:42 upstream 4fa56ad0d12e 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce 2021/04/08 21:16 upstream 454859c552da 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-smack-root 2021/04/07 05:41 upstream 2d743660786e 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-root 2021/04/06 23:32 upstream 0a50438c8436 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-root 2021/04/06 18:52 upstream 0a50438c8436 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-qemu-upstream 2021/03/21 03:51 upstream 812da4d39463 17810eae .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce-386 2021/04/08 04:49 upstream 3a22981230f9 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-kasan-gce 2021/04/03 00:16 bpf 6dcc4e383869 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-this-kasan-gce 2021/03/10 12:37 net 05a59d79793d 26967e35 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/25 15:33 bpf-next 350a62ca065b 36c88236 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/25 05:34 bpf-next 350a62ca065b 17f0b706 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/24 15:43 bpf-next 7d3c10770603 17f0b706 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/23 23:13 bpf-next e7a1c1300891 17f0b706 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/23 13:28 bpf-next e7a1c1300891 17f0b706 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/23 11:11 bpf-next e7a1c1300891 17f0b706 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/20 15:56 bpf-next 69443c47305e c0ced557 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/19 23:51 bpf-next cdf0e80e9fbe 4285c989 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/19 12:06 bpf-next cdf0e80e9fbe 50f523d7 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/18 18:21 bpf-next cdf0e80e9fbe 7e2b734b .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/17 18:14 bpf-next cdf0e80e9fbe 7e2b734b .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/17 00:22 bpf-next cdf0e80e9fbe 7e2b734b .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/15 23:58 bpf-next d3d93e34bd98 c59079a6 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/15 06:10 bpf-next 069904ce318e fcdb12ba .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/10 21:16 bpf-next 92d3bff28aa4 bfeda1b1 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/10 17:48 net-next 626b598aa8be bfeda1b1 .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/10 05:19 net-next 626b598aa8be 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/09 12:15 net-next 4438669eb703 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/09 07:26 net-next 4438669eb703 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/08 19:56 net-next 3cd52c1e32fe 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/08 01:26 bpf-next 957dca3df624 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/07 09:07 net-next be107538c529 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/07 06:50 bpf-next 928dc406802d 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/07 04:17 net-next be107538c529 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/06 17:30 bpf-next 1e1032b0c4af 6a81331a .config console log report info KASAN: use-after-free Read in eth_header_parse_protocol
ci-upstream-kasan-gce 2021/04/08 21:39 upstream 454859c552da 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-kasan-gce-root 2021/04/08 20:04 upstream 454859c552da 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-kasan-gce-root 2021/04/08 03:27 upstream 3a22981230f9 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-kasan-gce-selinux-root 2021/04/07 10:14 upstream 2d743660786e 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-kasan-gce 2021/04/07 00:58 upstream 0a50438c8436 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-kasan-gce-selinux-root 2021/04/02 00:44 upstream ffd9fb546d49 6a81331a .config console log report info KFENCE: use-after-free in eth_header_parse_protocol
ci-qemu-upstream-386 2021/03/28 18:08 upstream 0f4498cef9f5 a8529b82 .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/25 11:17 bpf-next 350a62ca065b 36c88236 .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/22 16:55 bpf-next d044d9fc1380 33c28d03 .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/22 13:47 bpf-next d044d9fc1380 33c28d03 .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/21 19:52 bpf-next d044d9fc1380 95777977 .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/11 00:28 net-next 626b598aa8be bfeda1b1 .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/10 00:27 net-next 4438669eb703 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-bpf-next-kasan-gce 2021/04/08 12:34 bpf-next 957dca3df624 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/08 11:18 net-next 3cd52c1e32fe 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-net-kasan-gce 2021/04/08 06:21 net-next 0b35e0deb5be 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
ci-upstream-linux-next-kasan-gce-root 2021/03/29 21:40 linux-next 931294922e65 6a81331a .config console log report info KASAN: slab-out-of-bounds Read in eth_header_parse_protocol
* Struck through repros no longer work on HEAD.