syzbot

KASAN: slab-out-of-bounds Read in batadv_interface_tx

Status: fixed on 2019/03/06 07:43
Subsystems: batman
Reported-by: syzbot+9d7405c7faa390e60b4e@syzkaller.appspotmail.com
Fix commit: 9114daa825fc batman-adv: Force mac header to start of data on xmit
First crash: 1918d, last: 1875d
Discussions (9)
Title Replies (including bot) Last reply
[PATCH 3.16 000/202] 3.16.66-rc1 review 205 (205) 2019/04/28 15:45
[PATCH 4.20 00/50] 4.20.9-stable review 62 (62) 2019/02/24 18:25
[PATCH 3.18 000/108] 3.18.135-stable review 112 (112) 2019/02/20 00:18
[PATCH 4.4 000/143] 4.4.175-stable review 153 (153) 2019/02/20 00:16
[PATCH 4.19 00/44] 4.19.22-stable review 48 (48) 2019/02/14 22:23
[PATCH 4.9 00/24] 4.9.157-stable review 30 (30) 2019/02/14 22:22
[PATCH 4.14 00/35] 4.14.100-stable review 41 (41) 2019/02/14 22:21
[PATCH 0/3] pull request for net: batman-adv 2019-02-01 5 (5) 2019/02/01 18:19
KASAN: slab-out-of-bounds Read in batadv_interface_tx 0 (1) 2018/12/31 09:41

Sample crash report:
IPv6: ADDRCONF(NETDEV_UP): vxcan1: link is not ready
8021q: adding VLAN 0 to HW filter on device batadv0
==================================================================
BUG: KASAN: slab-out-of-bounds in batadv_interface_tx+0x160a/0x18b0 net/batman-adv/soft-interface.c:226
Read of size 2 at addr ffff8880a662f5cb by task syz-executor922/8142

CPU: 0 PID: 8142 Comm: syz-executor922 Not tainted 4.20.0+ #173
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1d3/0x2c6 lib/dump_stack.c:113
 print_address_description.cold.5+0x9/0x1ff mm/kasan/report.c:187
 kasan_report.cold.6+0x1b/0x39 mm/kasan/report.c:317
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:145
 batadv_interface_tx+0x160a/0x18b0 net/batman-adv/soft-interface.c:226
 __netdev_start_xmit include/linux/netdevice.h:4382 [inline]
 netdev_start_xmit include/linux/netdevice.h:4391 [inline]
 dev_direct_xmit+0x36c/0x6a0 net/core/dev.c:3930
 packet_direct_xmit+0xfb/0x170 net/packet/af_packet.c:246
 packet_snd net/packet/af_packet.c:2932 [inline]
 packet_sendmsg+0x298a/0x6ad0 net/packet/af_packet.c:2957
 sock_sendmsg_nosec net/socket.c:621 [inline]
 sock_sendmsg+0xd5/0x120 net/socket.c:631
 __sys_sendto+0x3d7/0x670 net/socket.c:1788
 __do_sys_sendto net/socket.c:1800 [inline]
 __se_sys_sendto net/socket.c:1796 [inline]
 __x64_sys_sendto+0xe1/0x1a0 net/socket.c:1796
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441619
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 0b fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd5c9334f8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000441619
RDX: 000000000000000e RSI: 0000000020000180 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004025e0
R13: 0000000000402670 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 8184:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 kasan_kmalloc+0xcb/0xd0 mm/kasan/common.c:482
 kasan_slab_alloc+0x12/0x20 mm/kasan/common.c:397
 kmem_cache_alloc+0x130/0x730 mm/slab.c:3541
 getname_flags+0xd0/0x590 fs/namei.c:140
 getname+0x19/0x20 fs/namei.c:211
 do_sys_open+0x383/0x780 fs/open.c:1057
 __do_sys_open fs/open.c:1081 [inline]
 __se_sys_open fs/open.c:1076 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1076
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 8184:
 save_stack+0x43/0xd0 mm/kasan/common.c:73
 set_track mm/kasan/common.c:85 [inline]
 __kasan_slab_free+0x102/0x150 mm/kasan/common.c:444
 kasan_slab_free+0xe/0x10 mm/kasan/common.c:452
 __cache_free mm/slab.c:3485 [inline]
 kmem_cache_free+0x83/0x290 mm/slab.c:3747
 putname+0xf2/0x130 fs/namei.c:261
 do_sys_open+0x54d/0x780 fs/open.c:1072
 __do_sys_open fs/open.c:1081 [inline]
 __se_sys_open fs/open.c:1076 [inline]
 __x64_sys_open+0x7e/0xc0 fs/open.c:1076
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8880a662e5c0
 which belongs to the cache names_cache of size 4096
The buggy address is located 11 bytes to the right of
 4096-byte region [ffff8880a662e5c0, ffff8880a662f5c0)
The buggy address belongs to the page:
page:ffffea0002998b80 count:1 mapcount:0 mapping:ffff88821bc48200 index:0x0 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea00029fa208 ffffea00022fd188 ffff88821bc48200
raw: 0000000000000000 ffff8880a662e5c0 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a662f480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880a662f500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880a662f580: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                              ^
 ffff8880a662f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a662f680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
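The report above is a 2-byte read in batadv_interface_tx (soft-interface.c:226) reached from an AF_PACKET sendto() through packet_direct_xmit and dev_direct_xmit, with the faulting address 11 bytes past a 4096-byte slab object. That geometry is what you get when the Ethernet header pointer derived from the skb's mac_header offset starts just before the end of an allocation and the 2-byte h_proto field (bytes 12 and 13 of the header) is read through it. The fix commit listed above, "Force mac header to start of data on xmit", resets the MAC header to the start of the frame before the header is parsed. The following is an added userspace model of that defect and fix; it is not code from this page, from syzbot or from batman-adv. struct skb_model, the *_model helpers, make_skb and compare_tx are constructed stand-ins for sk_buff, skb_mac_header(), skb_reset_mac_header() and the transmit path, and the 4096-byte buffer with a stale offset of 4095 is chosen only to reproduce the report's "11 bytes to the right" arithmetic.

```c
/*
 * Added userspace model of the stale-mac_header defect and its fix.
 * Assumptions (not kernel code): skb_model is a cut-down sk_buff, the
 * *_model helpers stand in for skb_mac_header()/skb_reset_mac_header(),
 * and interface_tx_unfixed()/interface_tx_fixed() model the header read
 * in ndo_start_xmit before and after the fix commit.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN      6
#define ETH_HLEN      14
#define ETH_P_BATMAN  0x4305   /* batman-adv ethertype */

/* The sk_buff fields that matter here (simplified layout, an assumption). */
struct skb_model {
	unsigned char *head;   /* start of the allocation backing the skb */
	size_t buf_size;       /* bytes available from head */
	unsigned char *data;   /* start of the frame handed to ndo_start_xmit */
	size_t len;            /* bytes of frame data */
	uint16_t mac_header;   /* offset of the MAC header from head, set by whoever built the skb */
};

static unsigned char *skb_mac_header_model(const struct skb_model *skb)
{
	return skb->head + skb->mac_header;
}

static void skb_reset_mac_header_model(struct skb_model *skb)
{
	skb->mac_header = (uint16_t)(skb->data - skb->head);
}

/* True if the 14-byte Ethernet header implied by mac_header lies inside the buffer. */
static bool mac_header_in_bounds(const struct skb_model *skb)
{
	return (size_t)skb->mac_header + ETH_HLEN <= skb->buf_size;
}

/* h_proto is bytes 12..13 of the Ethernet header, big-endian. */
static uint16_t read_h_proto(const unsigned char *eh)
{
	return (uint16_t)((eh[12] << 8) | eh[13]);
}

/*
 * Pre-fix pattern: trust mac_header as received. When the caller never reset
 * it (the AF_PACKET -> dev_direct_xmit path in the trace), the 2-byte h_proto
 * read lands wherever the stale offset points. KASAN flags that in the kernel;
 * this model refuses the read and returns -1 instead of touching memory
 * outside the buffer.
 */
static int interface_tx_unfixed(struct skb_model *skb, uint16_t *proto)
{
	if (!mac_header_in_bounds(skb))
		return -1;
	*proto = read_h_proto(skb_mac_header_model(skb));
	return 0;
}

/* Post-fix pattern: force the MAC header to the start of data before parsing it. */
static int interface_tx_fixed(struct skb_model *skb, uint16_t *proto)
{
	skb_reset_mac_header_model(skb);
	if (skb->len < ETH_HLEN || !mac_header_in_bounds(skb))
		return -1;
	*proto = read_h_proto(skb_mac_header_model(skb));
	return 0;
}

/*
 * Constructed skb: a buffer of buf_size bytes, a 14-byte batman-adv frame at
 * its start, and a caller-chosen mac_header offset. stale_off mimics an offset
 * left over from an earlier layer that nobody reset for this device.
 */
static struct skb_model make_skb(unsigned char *buf, size_t buf_size, uint16_t stale_off)
{
	struct skb_model skb = { buf, buf_size, buf, ETH_HLEN, stale_off };
	memset(buf, 0, buf_size);
	memset(buf, 0x02, ETH_ALEN);            /* h_dest   */
	memset(buf + ETH_ALEN, 0x04, ETH_ALEN); /* h_source */
	buf[12] = ETH_P_BATMAN >> 8;
	buf[13] = ETH_P_BATMAN & 0xff;
	return skb;
}

/*
 * Run both variants on a 4096-byte skb whose mac_header is stale_off.
 * With stale_off = 4095 the header would start one byte before the end of
 * the buffer and h_proto would sit at offset 4107, 11 bytes past it, the
 * same arithmetic as the report above.
 */
static void compare_tx(uint16_t stale_off, int *rc_unfixed, int *rc_fixed, uint16_t *proto_fixed)
{
	unsigned char buf[4096];
	struct skb_model skb = make_skb(buf, sizeof buf, stale_off);
	uint16_t p = 0;

	*rc_unfixed = interface_tx_unfixed(&skb, &p);
	skb = make_skb(buf, sizeof buf, stale_off);
	*rc_fixed = interface_tx_fixed(&skb, proto_fixed);
}
```

The unfixed variant only detects the problem because this model carries the buffer size alongside the offset; the real skb does not, which is why the kernel read went through and KASAN had to report it. The fixed variant does not need the bounds check for correctness, it is kept so the model never dereferences outside its own buffer even if a caller hands it a frame shorter than an Ethernet header.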

Crashes (41):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2018/12/29 10:16 upstream f346b0becb1b e33ad0f1 .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/12/29 05:10 upstream f346b0becb1b e33ad0f1 .config console log report syz C ci-upstream-kasan-gce-selinux-root
2018/12/29 01:43 upstream 00c569b567c7 e33ad0f1 .config console log report syz C ci-upstream-kasan-gce-root
2018/12/28 21:14 upstream 00c569b567c7 fc6ae81a .config console log report syz C ci-upstream-kasan-gce-smack-root
2018/12/29 05:00 net-old a3c9311f62b4 e33ad0f1 .config console log report syz C ci-upstream-net-this-kasan-gce
2018/12/29 05:00 net-next-old b71acb0e3721 e33ad0f1 .config console log report syz C ci-upstream-net-kasan-gce
2018/12/27 08:37 net-next-old 90cadbbf341d e747ec98 .config console log report syz C ci-upstream-net-kasan-gce
2018/12/29 15:38 linux-next 6a1d293238c1 a40793d7 .config console log report syz C ci-upstream-linux-next-kasan-gce-root
2019/02/08 03:23 upstream d47e3da17592 aa4feb03 .config console log report ci-upstream-kasan-gce-selinux-root
2019/02/08 03:22 upstream d47e3da17592 aa4feb03 .config console log report ci-upstream-kasan-gce-root
2019/01/16 12:19 upstream 7939f8beecf1 b47fa78d .config console log report ci-upstream-kasan-gce-root
2019/01/11 05:09 upstream 1bdbe2274920 80dde172 .config console log report ci-upstream-kasan-gce
2019/01/01 00:49 upstream f12e840c819b 3d85f48c .config console log report ci-upstream-kasan-gce-smack-root
2018/12/30 08:09 upstream 195303136f19 35e3f847 .config console log report ci-upstream-kasan-gce-smack-root
2019/01/22 14:32 upstream 48b161983ae5 985f75cc .config console log report ci-upstream-kasan-gce-386
2019/01/21 21:24 upstream 49a57857aeea badbbeee .config console log report ci-upstream-kasan-gce-386
2018/12/28 09:06 upstream b71acb0e3721 af317504 .config console log report ci-upstream-kasan-gce-386
2019/01/28 03:17 net-old abfd04f738c2 c73f090a .config console log report ci-upstream-net-this-kasan-gce
2019/01/14 22:37 net-old 2f960bd05640 ebacf5cb .config console log report ci-upstream-net-this-kasan-gce
2019/01/12 20:36 net-old 8d008e64a2eb c3f3344c .config console log report ci-upstream-net-this-kasan-gce
2019/01/09 23:07 net-old d972f3dce8d1 45c0c1b1 .config console log report ci-upstream-net-this-kasan-gce
2019/01/08 11:58 net-old 26d92e951fe0 37dd2683 .config console log report ci-upstream-net-this-kasan-gce
2019/01/06 20:45 net-old d4a7e9bb74b5 94f8adb5 .config console log report ci-upstream-net-this-kasan-gce
2019/01/04 10:33 net-old c5ee066333eb 7da23925 .config console log report ci-upstream-net-this-kasan-gce
2019/01/01 07:52 net-old 756af9c64232 3d85f48c .config console log report ci-upstream-net-this-kasan-gce
2018/12/30 09:55 net-old 0d9c9a238faf 35e3f847 .config console log report ci-upstream-net-this-kasan-gce
2019/02/05 19:56 net-next-old 5468e82f7034 d672172c .config console log report ci-upstream-net-kasan-gce
2019/02/04 14:40 net-next-old cc7335786f72 d672172c .config console log report ci-upstream-net-kasan-gce
2019/02/04 00:57 net-next-old 682a789516d3 c198d5dd .config console log report ci-upstream-net-kasan-gce
2019/01/27 19:55 net-next-old 085c4c7dd2b6 c73f090a .config console log report ci-upstream-net-kasan-gce
2019/01/25 13:03 net-next-old 556b2710a1ca b5d78bce .config console log report ci-upstream-net-kasan-gce
2019/01/17 20:15 net-next-old 44543f1dd2a3 769e75ed .config console log report ci-upstream-net-kasan-gce
2019/01/16 08:11 net-next-old 9dde6da51297 b47fa78d .config console log report ci-upstream-net-kasan-gce
2019/01/12 20:26 net-next-old b71acb0e3721 c3f3344c .config console log report ci-upstream-net-kasan-gce
2019/01/11 18:41 net-next-old b71acb0e3721 c3f3344c .config console log report ci-upstream-net-kasan-gce
2019/01/08 01:29 net-next-old b71acb0e3721 69d69aa9 .config console log report ci-upstream-net-kasan-gce
2019/01/03 09:00 net-next-old b71acb0e3721 06a2b89f .config console log report ci-upstream-net-kasan-gce
2019/01/02 20:35 net-next-old b71acb0e3721 f0491811 .config console log report ci-upstream-net-kasan-gce
2018/12/30 08:14 net-next-old b71acb0e3721 35e3f847 .config console log report ci-upstream-net-kasan-gce
2019/02/03 06:46 linux-next dc4c89997735 c198d5dd .config console log report ci-upstream-linux-next-kasan-gce-root
2019/01/13 01:51 linux-next b808822a75a3 c3f3344c .config console log report ci-upstream-linux-next-kasan-gce-root