syzbot

 sign-in | mailing list | source | docs
🐞 Open [712]
🐞 Fixed [297]
🐞 Invalid [838]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
💬 Send us feedback

KASAN: use-after-free Read in pneigh_get_next

Status: fixed on 2019/12/16 09:09
Reported-by: syzbot+2ee344c4db7923647627@syzkaller.appspotmail.com
Fix commit: 103835df6821 neigh: fix use-after-free read in pneigh_get_next
First crash: 2221d, last: 2221d
Fix bisection: fixed by (bisect log) :
commit 103835df6821a57edf1ec5e0b33b379fa37dd35f
Author: Eric Dumazet <edumazet@google.com>
Date: Sat Jun 15 23:28:48 2019 +0000

  neigh: fix use-after-free read in pneigh_get_next

  
Similar bugs (2)
Kernel Title Rank 🛈 Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-49 KASAN: use-after-free Read in pneigh_get_next 19 syz 9 2189d 2222d 0/3 public: reported syz repro on 2019/06/14 20:21
upstream KASAN: use-after-free Read in pneigh_get_next net 19 syz done 2 2221d 2221d 12/29 fixed on 2019/07/10 21:40

Sample crash report:
8021q: adding VLAN 0 to HW filter on device batadv0
audit: type=1400 audit(1560618351.404:38): avc:  denied  { associate } for  pid=7666 comm="syz-executor.0" name="syz0" scontext=unconfined_u:object_r:unlabeled_t:s0 tcontext=system_u:object_r:unlabeled_t:s0 tclass=filesystem permissive=1
==================================================================
BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:2706
Read of size 8 at addr ffff8880a4b27c00 by task syz-executor.0/8554

CPU: 1 PID: 8554 Comm: syz-executor.0 Not tainted 4.19.51 #23
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x8c/0x2ba mm/kasan/report.c:396
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
 pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:2706
 neigh_seq_next+0xdb/0x210 net/core/neighbour.c:2788
 seq_read+0x9cf/0x1110 fs/seq_file.c:258
 proc_reg_read+0x1f8/0x2b0 fs/proc/inode.c:231
 do_loop_readv_writev fs/read_write.c:701 [inline]
 do_loop_readv_writev fs/read_write.c:688 [inline]
 do_iter_read+0x490/0x640 fs/read_write.c:925
 vfs_readv+0xf0/0x160 fs/read_write.c:987
 kernel_readv fs/splice.c:362 [inline]
 default_file_splice_read+0x478/0x890 fs/splice.c:417
 do_splice_to+0x127/0x180 fs/splice.c:881
 splice_direct_to_actor+0x256/0x890 fs/splice.c:953
 do_splice_direct+0x1da/0x2a0 fs/splice.c:1062
 do_sendfile+0x597/0xce0 fs/read_write.c:1447
 __do_sys_sendfile64 fs/read_write.c:1508 [inline]
 __se_sys_sendfile64 fs/read_write.c:1494 [inline]
 __x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1494
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4592c9
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f3a8ac31c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000246 R12: 00007f3a8ac326d4
R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff

Allocated by task 8555:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc mm/kasan/kasan.c:553 [inline]
 kasan_kmalloc+0xce/0xf0 mm/kasan/kasan.c:531
 __do_kmalloc mm/slab.c:3727 [inline]
 __kmalloc+0x15d/0x750 mm/slab.c:3736
 kmalloc include/linux/slab.h:520 [inline]
 pneigh_lookup+0x19c/0x460 net/core/neighbour.c:633
 arp_req_set_public net/ipv4/arp.c:1014 [inline]
 arp_req_set+0x613/0x720 net/ipv4/arp.c:1030
 arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1230
 inet_ioctl+0x2a0/0x370 net/ipv4/af_inet.c:932
 sock_do_ioctl+0xd8/0x2f0 net/socket.c:950
 sock_ioctl+0x325/0x610 net/socket.c:1074
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:501 [inline]
 do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:688
 ksys_ioctl+0xab/0xd0 fs/ioctl.c:705
 __do_sys_ioctl fs/ioctl.c:712 [inline]
 __se_sys_ioctl fs/ioctl.c:710 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:710
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8552:
 save_stack+0x45/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3503 [inline]
 kfree+0xcf/0x220 mm/slab.c:3822
 pneigh_ifdown_and_unlock net/core/neighbour.c:713 [inline]
 neigh_ifdown+0x22f/0x2f0 net/core/neighbour.c:298
 arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1276
 inetdev_destroy net/ipv4/devinet.c:313 [inline]
 inetdev_event+0xa42/0x1230 net/ipv4/devinet.c:1536
 notifier_call_chain+0xc2/0x230 kernel/notifier.c:93
 __raw_notifier_call_chain kernel/notifier.c:394 [inline]
 raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:401
 call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1747
 call_netdevice_notifiers net/core/dev.c:1765 [inline]
 rollback_registered_many+0x993/0xf90 net/core/dev.c:8005
 rollback_registered+0x109/0x1d0 net/core/dev.c:8047
 unregister_netdevice_queue net/core/dev.c:9094 [inline]
 unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9087
 unregister_netdevice include/linux/netdevice.h:2605 [inline]
 __tun_detach+0xd8a/0x1040 drivers/net/tun.c:737
 tun_detach drivers/net/tun.c:754 [inline]
 tun_chr_close+0xe0/0x180 drivers/net/tun.c:3260
 __fput+0x2dd/0x8b0 fs/file_table.c:278
 ____fput+0x16/0x20 fs/file_table.c:309
 task_work_run+0x145/0x1c0 kernel/task_work.c:113
 tracehook_notify_resume include/linux/tracehook.h:193 [inline]
 exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:167
 prepare_exit_to_usermode arch/x86/entry/common.c:198 [inline]
 syscall_return_slowpath arch/x86/entry/common.c:271 [inline]
 do_syscall_64+0x53d/0x620 arch/x86/entry/common.c:296
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a4b27c00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
 64-byte region [ffff8880a4b27c00, ffff8880a4b27c40)
The buggy address belongs to the page:
page:ffffea000292c9c0 count:1 mapcount:0 mapping:ffff88812c3f0340 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffffea0002613c08 ffff88812c3f1348 ffff88812c3f0340
raw: 0000000000000000 ffff8880a4b27000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4b27b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a4b27b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a4b27c00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                   ^
 ffff8880a4b27c80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff8880a4b27d00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2019/06/15 17:18 linux-4.19.y 7aa823a959e1 442206d7 .config console log report syz ci2-linux-4-19
* Struck through repros no longer work on HEAD.