syzbot
UBSAN: shift-out-of-bounds in tcf_police_init

Status: fixed on 2021/03/11 07:37
Subsystems: net
Fix commit: e4bedf48aaa5 net_sched: reject silly cell_log in qdisc_get_rtab()
First crash: 1456d, last: 1419d
Cause bisection: introduced by (bisect log) [merge commit]:
commit 345464fb760d1b772e891538b498e111c588b692
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Mon Sep 2 01:45:28 2019 +0000

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

Crash: general protection fault in batadv_iv_ogm_queue_add (log)
Repro: C syz .config
Sample crash report:
netlink: 12 bytes leftover after parsing attributes in process `syz-executor213'.
================================================================================
UBSAN: shift-out-of-bounds in net/sched/act_police.c:157:24
shift exponent 185 is too large for 32-bit type 'int'
CPU: 1 PID: 8528 Comm: syz-executor213 Not tainted 5.10.0-rc7-next-20201210-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 tcf_police_init.cold+0x96/0x14d net/sched/act_police.c:157
 tcf_action_init_1+0x63b/0x990 net/sched/act_api.c:1010
 tcf_action_init+0x265/0x4b0 net/sched/act_api.c:1063
 tcf_action_add+0xd9/0x360 net/sched/act_api.c:1476
 tc_ctl_action+0x33a/0x440 net/sched/act_api.c:1530
 rtnetlink_rcv_msg+0x498/0xb80 net/core/rtnetlink.c:5562
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x440299
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff732b2638 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440299
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401aa0
R13: 0000000000401b30 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (8):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2020/12/14 05:59 linux-next 14240d4c5b25 b22a7ec3 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2021/01/19 21:30 upstream 1e2a199f6ccd 63631df1 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in tcf_police_init
2021/01/19 19:13 upstream 1e2a199f6ccd 63631df1 .config console log report info ci-upstream-kasan-gce-root UBSAN: shift-out-of-bounds in tcf_police_init
2021/01/19 18:10 upstream 1e2a199f6ccd 63631df1 .config console log report info ci-upstream-kasan-gce-selinux-root UBSAN: shift-out-of-bounds in tcf_police_init
2021/01/19 18:24 net-next-old 99d518970c5a 63631df1 .config console log report info ci-upstream-net-kasan-gce UBSAN: shift-out-of-bounds in tcf_police_init
2020/12/14 06:09 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 06:01 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
2020/12/14 05:43 linux-next 14240d4c5b25 b22a7ec3 .config console log report info ci-upstream-linux-next-kasan-gce-root
* Struck through repros no longer work on HEAD.