syzbot


UBSAN: array-index-out-of-bounds in nfnetlink_unbind

Status: upstream: reported C repro on 2022/05/17 18:12
Reported-by: syzbot+4903218f7fba0a2d6226@syzkaller.appspotmail.com
Fix commit: ffd219efd9ee netfilter: nfnetlink: fix warn in nfnetlink_unbind
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 43d, last: 25d

Cause bisection: introduced by (bisect log) :
commit 2794cdb0b97bfe62d25c996c8afe4832207e78bc
Author: Florian Westphal <fw@strlen.de>
Date: Mon Apr 25 13:15:41 2022 +0000

  netfilter: nfnetlink: allow to detect if ctnetlink listeners exist

Crash: UBSAN: array-index-out-of-bounds in nfnetlink_unbind (log)
Repro: C syz .config

Sample crash report:
================================================================================
UBSAN: array-index-out-of-bounds in net/netfilter/nfnetlink.c:697:28
index 10 is out of range for type 'int [10]'
CPU: 1 PID: 3610 Comm: syz-executor150 Not tainted 5.18.0-syzkaller-11972-gd1dc87763f40 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 ubsan_epilogue+0xb/0x50 lib/ubsan.c:151
 __ubsan_handle_out_of_bounds.cold+0x62/0x6c lib/ubsan.c:283
 nfnetlink_unbind+0x38c/0x3b0 net/netfilter/nfnetlink.c:697
 netlink_release+0xa8f/0x1db0 net/netlink/af_netlink.c:773
 __sock_release+0xcd/0x280 net/socket.c:650
 sock_close+0x18/0x20 net/socket.c:1365
 __fput+0x277/0x9d0 fs/file_table.c:317
 task_work_run+0xdd/0x1a0 kernel/task_work.c:177
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xaff/0x2a00 kernel/exit.c:795
 do_group_exit+0xd2/0x2f0 kernel/exit.c:925
 __do_sys_exit_group kernel/exit.c:936 [inline]
 __se_sys_exit_group kernel/exit.c:934 [inline]
 __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:934
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f54cbb45639
Code: Unable to access opcode bytes at RIP 0x7f54cbb4560f.
RSP: 002b:00007ffd1204eed8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007f54cbbb9270 RCX: 00007f54cbb45639
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffffc0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007f54cbbb9270
R13: 0000000000000001 R14: 0000000000000000 R15: 0000000000000001
 </TASK>
================================================================================

Crashes (6621):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2022/06/02 20:09 upstream d1dc87763f40 5783034f .config log report syz C UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/05/16 15:57 net-next d887ae3247e0 744a39e2 .config log report syz C UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream 2022/06/03 07:49 upstream 17d8e3d90b69 02dddea8 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream 2022/06/03 06:04 upstream 17d8e3d90b69 02dddea8 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream 2022/06/03 02:49 upstream 17d8e3d90b69 02dddea8 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-root 2022/06/03 02:20 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce 2022/06/03 02:11 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-root 2022/06/03 01:10 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-root 2022/06/03 00:48 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce 2022/06/03 00:40 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-root 2022/06/03 00:20 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce 2022/06/02 22:12 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-smack-root 2022/06/02 18:26 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream 2022/06/02 17:58 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-selinux-root 2022/06/02 17:40 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce 2022/06/02 15:10 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-smack-root 2022/06/02 14:08 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-smack-root 2022/06/02 13:16 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-root 2022/06/02 07:33 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-smack-root 2022/06/02 06:27 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce 2022/06/02 06:15 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream 2022/06/02 03:42 upstream 8eca6b0a647a b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-selinux-root 2022/06/02 03:28 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce 2022/06/02 02:46 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-smack-root 2022/06/02 01:49 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-smack-root 2022/06/01 21:10 upstream 700170bf6b4d 3666edfe .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-root 2022/06/01 21:10 upstream 700170bf6b4d 3666edfe .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream-386 2022/06/03 07:43 upstream 17d8e3d90b69 02dddea8 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream-386 2022/06/03 04:41 upstream 17d8e3d90b69 02dddea8 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream-386 2022/06/03 03:50 upstream 17d8e3d90b69 02dddea8 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-386 2022/06/02 21:58 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu2-arm64 2022/06/02 19:40 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu2-arm64-compat 2022/06/02 17:53 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu2-arm64-compat 2022/06/02 16:49 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream-386 2022/06/02 15:28 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream-386 2022/06/02 13:33 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu2-arm64-compat 2022/06/02 12:15 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu2-arm64 2022/06/02 10:34 upstream d1dc87763f40 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-386 2022/06/02 07:55 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-386 2022/06/02 06:08 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-kasan-gce-386 2022/06/02 05:02 upstream 8171acb8bc9b b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu-upstream-386 2022/06/02 03:03 upstream 8eca6b0a647a b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-qemu2-arm64 2022/06/01 22:16 upstream 8eca6b0a647a b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-this-kasan-gce 2022/05/27 01:15 net 6c465408a770 3037caa9 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 23:30 net-next 7e062cda7d90 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 21:42 net-next 7e062cda7d90 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 17:47 net-next 7e062cda7d90 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 11:37 net-next 7e062cda7d90 5783034f .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 09:02 net-next 7e062cda7d90 b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 08:58 net-next 7e062cda7d90 b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 04:08 net-next 7e062cda7d90 b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 00:51 net-next 7e062cda7d90 b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/02 00:30 net-next 7e062cda7d90 b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/06/01 23:28 net-next 7e062cda7d90 b4bc6a3d .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/05/16 11:35 net-next d887ae3247e0 744a39e2 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-linux-next-kasan-gce-root 2022/05/30 21:11 linux-next d3fde8ff50ab af70c3a9 .config log report info UBSAN: array-index-out-of-bounds in nfnetlink_unbind
ci-upstream-net-kasan-gce 2022/05/24 20:41 net-next 677fb7525331 fcfad4ff .config log report info KASAN: global-out-of-bounds Read in nfnetlink_unbind