syzbot
KASAN: vmalloc-out-of-bounds Read in bpf_jit_free

Status: upstream: reported on 2022/02/14 18:45
Reported-by: syzbot+2f649ec6d2eea1495a8f@syzkaller.appspotmail.com
Fix commit: d24d2a2b0a81 bpf: bpf_prog_pack: Set proper size before freeing ro_header
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 138d, last: 1d01h

Sample crash report:
==================================================================
==================================================================
BUG: KASAN: vmalloc-out-of-bounds in bpf_jit_binary_free kernel/bpf/core.c:1078 [inline]
BUG: KASAN: vmalloc-out-of-bounds in bpf_jit_free+0x26c/0x2b0 kernel/bpf/core.c:1203
Read of size 4 at addr ffffffffa0002000 by task syz-executor.3/4243

CPU: 1 PID: 4243 Comm: syz-executor.3 Not tainted 5.18.0-syzkaller-11793-g8eca6b0a647a #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 print_address_description.constprop.0.cold+0xf/0x495 mm/kasan/report.c:313
 print_report mm/kasan/report.c:429 [inline]
 kasan_report.cold+0xf4/0x1c6 mm/kasan/report.c:491
 bpf_jit_binary_free kernel/bpf/core.c:1078 [inline]
 bpf_jit_free+0x26c/0x2b0 kernel/bpf/core.c:1203
 jit_subprogs kernel/bpf/verifier.c:13683 [inline]
 fixup_call_args kernel/bpf/verifier.c:13712 [inline]
 bpf_check+0x71ab/0xbbc0 kernel/bpf/verifier.c:15063
 bpf_prog_load+0xfb2/0x2250 kernel/bpf/syscall.c:2575
 __sys_bpf+0x11a1/0x5700 kernel/bpf/syscall.c:4917
 __do_sys_bpf kernel/bpf/syscall.c:5021 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5019 [inline]
 __ia32_sys_bpf+0x74/0xc0 kernel/bpf/syscall.c:5019
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x2f/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x53/0x62
RIP: 0023:0xf7f64549
Code: 03 74 c0 01 10 05 03 74 b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7f5f5cc EFLAGS: 00000296 ORIG_RAX: 0000000000000165
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000020000440
RDX: 0000000000000070 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>

Memory state around the buggy address:
 ffffffffa0001f00: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffffffa0001f80: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
>ffffffffa0002000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
                   ^
 ffffffffa0002080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
 ffffffffa0002100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
==================================================================
----------------
Code disassembly (best guess):
   0:	03 74 c0 01          	add    0x1(%rax,%rax,8),%esi
   4:	10 05 03 74 b8 01    	adc    %al,0x1b87403(%rip)        # 0x1b8740d
   a:	10 06                	adc    %al,(%rsi)
   c:	03 74 b4 01          	add    0x1(%rsp,%rsi,4),%esi
  10:	10 07                	adc    %al,(%rdi)
  12:	03 74 b0 01          	add    0x1(%rax,%rsi,4),%esi
  16:	10 08                	adc    %cl,(%rax)
  18:	03 74 d8 01          	add    0x1(%rax,%rbx,8),%esi
  1c:	00 00                	add    %al,(%rax)
  1e:	00 00                	add    %al,(%rax)
  20:	00 51 52             	add    %dl,0x52(%rcx)
  23:	55                   	push   %rbp
  24:	89 e5                	mov    %esp,%ebp
  26:	0f 34                	sysenter
  28:	cd 80                	int    $0x80
* 2a:	5d                   	pop    %rbp <-- trapping instruction
  2b:	5a                   	pop    %rdx
  2c:	59                   	pop    %rcx
  2d:	c3                   	retq
  2e:	90                   	nop
  2f:	90                   	nop
  30:	90                   	nop
  31:	90                   	nop
  32:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi
  39:	8d b4 26 00 00 00 00 	lea    0x0(%rsi,%riz,1),%esi

Crashes (55):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-qemu-upstream-386 2022/06/01 18:32 upstream 8eca6b0a647a b4bc6a3d .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/26 20:08 bpf 179a93f74b29 a371c43c .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-this-kasan-gce 2022/06/24 11:46 net 399bd66e219e a5dbd430 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/13 10:38 bpf 825464e79db4 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/13 07:17 bpf 825464e79db4 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-this-kasan-gce 2022/06/13 03:36 net 6f0e1efc880a 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/09 23:48 bpf 647df0d41b6b 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-this-kasan-gce 2022/06/09 20:02 net 647df0d41b6b 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-this-kasan-gce 2022/06/04 07:23 net 58f9d52ff689 c8857892 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/05/30 11:29 bpf 90343f573252 a46af346 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-this-kasan-gce 2022/05/27 03:21 net 6c465408a770 3037caa9 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/05/23 04:38 bpf f3f19f939c11 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/05/14 01:18 bpf f3f19f939c11 107f6434 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/28 05:12 bpf-next fd75733da2f3 ef82eb2c .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/27 01:33 bpf-next fd75733da2f3 a371c43c .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/23 21:07 bpf-next 9676feccacdb 912f5df7 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-kasan-gce 2022/06/22 00:03 net-next 8720bd951b8e 0fc5c330 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/17 21:34 bpf-next 08c79c9cd67f cb58b3b2 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/16 14:23 bpf-next de5bb43826dd 1719ee24 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/12 02:24 bpf-next d5e9aeda8161 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-kasan-gce 2022/06/10 05:25 net-next 263efe85a4b6 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-kasan-gce 2022/06/09 20:44 net-next 263efe85a4b6 0d5abf15 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/04 06:22 bpf-next f913ad6559e3 c8857892 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/06/02 01:18 bpf-next dafd0f870eae b4bc6a3d .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/31 03:22 bpf-next 1626f57f061c af70c3a9 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/30 01:45 bpf-next 7e062cda7d90 a46af346 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/28 18:28 bpf-next 7e062cda7d90 a46af346 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/28 04:51 bpf-next 7e062cda7d90 a46af346 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/24 20:28 bpf-next 677fb7525331 fcfad4ff .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/22 21:22 bpf-next c272e2591169 7268fa62 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-net-kasan-gce 2022/05/21 00:06 net-next b6d261449e6e bd37ad7e .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/19 20:56 bpf-next 834650b50ed2 50c53f39 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/19 04:52 bpf-next 70a1b25326dd 50c53f39 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/18 01:53 bpf-next 68084a136420 744a39e2 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/11 04:22 bpf-next cb411545309e 8d7b3b67 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/04/29 12:18 bpf-next a2c70dbc3407 e9076525 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/04/19 13:30 bpf-next 2324257dbd68 c334415e .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/04/12 22:55 bpf-next 0f8619929c57 dacb3f1c .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/03/20 19:56 bpf-next 08063b4bc158 e2d91b1d .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/03/13 01:59 bpf-next d3b351f65bf4 9e8eaa75 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/03/04 05:15 bpf-next e5313968c41b 45a13a73 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/02/11 03:29 bpf-next e5313968c41b 0b33604d .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-linux-next-kasan-gce-root 2022/05/14 00:28 linux-next 1e1b28b936ae 107f6434 .config log report info KASAN: vmalloc-out-of-bounds Read in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/20 19:50 bpf a2b1a5d40bd1 8d15e28d .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/06 23:07 bpf d08af2c46881 c8857892 .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/02 21:10 bpf e0491b11c131 5783034f .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/06/02 06:18 bpf e0491b11c131 b4bc6a3d .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/05/13 18:40 bpf f3f19f939c11 107f6434 .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-kasan-gce 2022/04/24 14:01 bpf b02d196c44ea 131df97d .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-net-kasan-gce 2022/06/09 09:24 net-next 5834e72eda0b 0d5abf15 .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/30 14:13 bpf-next 7e062cda7d90 a46af346 .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/21 10:31 bpf-next 7aa424e02a04 7268fa62 .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-net-kasan-gce 2022/05/21 00:17 net-next b6d261449e6e bd37ad7e .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/05/06 19:46 bpf-next 20b87e7c29df e60b1103 .config log report info BUG: unable to handle kernel paging request in bpf_jit_free
ci-upstream-bpf-next-kasan-gce 2022/04/26 14:33 bpf-next 367590b7fccc 1fa34c1b .config log report info BUG: unable to handle kernel paging request in bpf_jit_free