syzbot
UBSAN: shift-out-of-bounds in sfq_init

Status: fixed on 2021/03/10 01:48
Subsystems: net
Reported-by: syzbot+97c5bd9cc81eca63d36e@syzkaller.appspotmail.com
Fix commit: bd1248f1ddbc net: sched: prevent invalid Scell_log shift count
First crash: 1186d, last: 1168d
Cause bisection: introduced by (bisect log) [release commit]:
commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 15 21:19:32 2019 +0000

  Linux 5.3

Crash: UBSAN: undefined-behaviour in sfq_init (log)
Repro: C syz .config

Duplicate bugs (1):
Title: UBSAN: shift-out-of-bounds in choke_change (label: net) | Repro: C | Cause bisect: inconclusive | Fix bisect: none | Count: 15 | Last: 1116d | Reported: 1175d | Patched: 0/26 | Status: closed as dup on 2020/12/29 20:08
Discussions (8):
Title | Replies (including bot) | Last reply
[PATCH 4.19 00/77] 4.19.167-rc1 review | 87 (87) | 2021/01/14 01:43
[PATCH 4.4 00/38] 4.4.251-rc1 review | 43 (43) | 2021/01/12 09:04
[PATCH 4.9 00/45] 4.9.251-rc1 review | 49 (49) | 2021/01/12 08:16
[PATCH 4.14 00/57] 4.14.215-rc1 review | 60 (60) | 2021/01/12 07:36
[PATCH 5.4 00/92] 5.4.89-rc1 review | 96 (96) | 2021/01/12 06:54
[PATCH 5.10 000/145] 5.10.7-rc1 review | 152 (152) | 2021/01/11 19:59
[PATCH -net] net: sched: prevent invalid Scell_log shift count | 2 (2) | 2020/12/28 22:54
UBSAN: shift-out-of-bounds in sfq_init | 0 (1) | 2020/12/23 01:15

Sample crash report:
================================================================================
UBSAN: shift-out-of-bounds in ./include/net/red.h:252:22
shift exponent 72 is too large for 32-bit type 'int'
CPU: 1 PID: 8479 Comm: syz-executor063 Not tainted 5.10.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 lib/dump_stack.c:120
 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148
 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395
 red_set_parms include/net/red.h:252 [inline]
 sfq_change net/sched/sch_sfq.c:674 [inline]
 sfq_init.cold+0x4f/0xd5 net/sched/sch_sfq.c:762
 qdisc_create+0x4ba/0x13a0 net/sched/sch_api.c:1246
 tc_modify_qdisc+0x4c8/0x1a30 net/sched/sch_api.c:1662
 rtnetlink_rcv_msg+0x498/0xb80 net/core/rtnetlink.c:5564
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:672
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345
 ___sys_sendmsg+0xf3/0x170 net/socket.c:2399
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4404f9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fffef145e18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404f9
RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000004
RBP: 00000000006ca018 R08: 00000000ffffffff R09: 00000000004002c8
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401d00
R13: 0000000000401d90 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (8):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Manager
2020/12/19 01:25 | upstream | a409ed156a90 | 04201c06 | .config | console log | report | syz | C | - | ci-upstream-kasan-gce
2020/12/19 01:49 | net-old | d64c6f96ba86 | 04201c06 | .config | console log | report | syz | C | - | ci-upstream-net-this-kasan-gce
2020/12/19 01:07 | upstream | a409ed156a90 | 04201c06 | .config | console log | report | - | - | info | ci-upstream-kasan-gce
2020/12/25 15:54 | net-old | 1f45dc220667 | b982b3ea | .config | console log | report | - | - | info | ci-upstream-net-this-kasan-gce
2021/01/05 22:18 | net-next-old | 3db1a3fa9880 | a0234d98 | .config | console log | report | - | - | info | ci-upstream-net-kasan-gce
2021/01/02 12:05 | net-next-old | 3db1a3fa9880 | 79264ae3 | .config | console log | report | - | - | info | ci-upstream-net-kasan-gce
2020/12/30 08:53 | net-next-old | 3db1a3fa9880 | 0fa352f2 | .config | console log | report | - | - | info | ci-upstream-net-kasan-gce
2020/12/29 01:15 | net-next-old | 3db1a3fa9880 | 8259d56c | .config | console log | report | - | - | info | ci-upstream-net-kasan-gce
* Struck through repros no longer work on HEAD.