syzbot


KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock (2)

Status: fixed on 2020/02/18 14:31
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 940ba1498665 net-backports: gtp: make sure only SOCK_DGRAM UDP sockets are accepted
First crash: 887d, last: 885d

Cause bisection: introduced by (bisect log) :
commit 382ae57d5e52a62e77d62e60e5be9a6526d40da0
Author: Ryder Lee <ryder.lee@mediatek.com>
Date: Fri Jan 20 05:41:10 2017 +0000

  crypto: mediatek - make crypto request queue management more generic

Crash: general protection fault in batadv_iv_ogm_queue_add (log)
Repro: C syz .config
similar bugs (4):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock C done 1 885d 885d 1/1 fixed on 2020/02/22 11:44
linux-4.14 KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock C done 1 884d 884d 1/1 fixed on 2020/02/23 20:58
upstream KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock C 4 1573d 1573d 4/22 fixed on 2018/03/23 18:14
upstream KASAN: slab-out-of-bounds Write in setup_udp_tunnel_sock (3) 1 759d 759d 17/22 fixed on 2020/07/17 17:58

Sample crash report:
==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x43d/0x520 net/ipv4/udp_tunnel.c:78
Write of size 1 at addr ffff8880a4952590 by task syz-executor502/10686

CPU: 1 PID: 10686 Comm: syz-executor502 Not tainted 5.5.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
 __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
 kasan_report+0x12/0x20 mm/kasan/common.c:639
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/generic_report.c:137
 setup_udp_tunnel_sock+0x43d/0x520 net/ipv4/udp_tunnel.c:78
 gtp_encap_enable_socket+0x338/0x420 drivers/net/gtp.c:827
 gtp_encap_enable drivers/net/gtp.c:845 [inline]
 gtp_newlink+0x95/0xc60 drivers/net/gtp.c:666
 __rtnl_newlink+0x109e/0x1790 net/core/rtnetlink.c:3305
 rtnl_newlink+0x69/0xa0 net/core/rtnetlink.c:3363
 rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424
 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
 netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
 netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
 sock_sendmsg_nosec net/socket.c:639 [inline]
 sock_sendmsg+0xd7/0x130 net/socket.c:659
 ____sys_sendmsg+0x753/0x880 net/socket.c:2330
 ___sys_sendmsg+0x100/0x170 net/socket.c:2384
 __sys_sendmsg+0x105/0x1d0 net/socket.c:2417
 __do_sys_sendmsg net/socket.c:2426 [inline]
 __se_sys_sendmsg net/socket.c:2424 [inline]
 __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4402b9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffc780292f8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402b9
RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000401b40
R13: 0000000000401bd0 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 10686:
 save_stack+0x23/0x90 mm/kasan/common.c:72
 set_track mm/kasan/common.c:80 [inline]
 __kasan_kmalloc mm/kasan/common.c:513 [inline]
 __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
 kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
 slab_post_alloc_hook mm/slab.h:584 [inline]
 slab_alloc mm/slab.c:3320 [inline]
 kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
 sk_prot_alloc+0x67/0x310 net/core/sock.c:1597
 sk_alloc+0x39/0xfd0 net/core/sock.c:1657
 inet_create net/ipv4/af_inet.c:321 [inline]
 inet_create+0x363/0xdf0 net/ipv4/af_inet.c:247
 __sock_create+0x3ce/0x730 net/socket.c:1420
 sock_create net/socket.c:1471 [inline]
 __sys_socket+0x103/0x220 net/socket.c:1513
 __do_sys_socket net/socket.c:1522 [inline]
 __se_sys_socket net/socket.c:1520 [inline]
 __x64_sys_socket+0x73/0xb0 net/socket.c:1520
 do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a4952040
 which belongs to the cache RAW of size 1360
The buggy address is located 0 bytes to the right of
 1360-byte region [ffff8880a4952040, ffff8880a4952590)
The buggy address belongs to the page:
page:ffffea0002925480 refcount:1 mapcount:0 mapping:ffff88821a8abe00 index:0x0 compound_mapcount: 0
raw: 00fffe0000010200 ffff8880a4d7a348 ffff8880a4d7a348 ffff88821a8abe00
raw: 0000000000000000 ffff8880a4952040 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4952480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8880a4952500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8880a4952580: 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff8880a4952600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a4952680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (8):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce-selinux-root 2020/01/23 03:09 upstream dbab40bdb42c 3334d684 .config log report syz C
ci-upstream-kasan-gce-root 2020/01/22 20:40 upstream d96d875ef5dd 8eda0b95 .config log report syz C
ci-upstream-kasan-gce-smack-root 2020/01/21 20:15 upstream d96d875ef5dd 8eda0b95 .config log report syz C
ci-upstream-kasan-gce 2020/01/21 18:35 upstream d96d875ef5dd 8eda0b95 .config log report syz C
ci-upstream-net-this-kasan-gce 2020/01/21 04:15 net 7008ee121089 d2557fb5 .config log report syz C
ci-upstream-net-kasan-gce 2020/01/21 03:32 net-next b3f7e3f23a76 d2557fb5 .config log report syz C
ci-upstream-kasan-gce-386 2020/01/21 14:12 upstream d96d875ef5dd 8eda0b95 .config log report syz
ci-upstream-net-kasan-gce 2020/01/21 03:00 net-next b3f7e3f23a76 d2557fb5 .config log report