syzbot

 sign-in | mailing list | source | docs
🐞 Open [717] 🐞 Fixed [181] 🐞 Invalid [640] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes 💬 Send us feedback

KASAN: use-after-free Write in ipgre_header

Status: upstream: reported C repro on 2022/08/04 21:58
Reported-by: syzbot+01568647ffd3d8a466a1@syzkaller.appspotmail.com
First crash: 482d, last: 452d
Fix bisection: failed (error log, bisect log)
  
Similar bugs (3)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Write in ipgre_header (2) net 1 127d 127d 0/25 closed as invalid on 2023/10/27 14:39
upstream KASAN: use-after-free Write in ipgre_header net 1 365d 365d 0/25 closed as invalid on 2023/02/17 17:35
android-54 BUG: unable to handle kernel paging request in ipgre_header C 1 10d 482d 0/2 upstream: reported C repro on 2022/08/04 21:53
Fix bisection attempts (2)
Created Duration User Patch Repo Result
2022/10/13 02:15 0m bisect fix linux-4.14.y error job log (0)
2022/09/03 21:58 21m bisect fix linux-4.14.y job log (0) log

Sample crash report:
IPv6: ADDRCONF(NETDEV_CHANGE): bond0: link becomes ready
syz-executor366 (8184) used greatest stack depth: 24576 bytes left
syz-executor366 (8185) used greatest stack depth: 24496 bytes left
==================================================================
BUG: KASAN: use-after-free in ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
Write of size 2 at addr ffff88816b700836 by task syz-executor366/8187

CPU: 1 PID: 8187 Comm: syz-executor366 Not tainted 4.14.290-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/22/2022
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b2/0x281 lib/dump_stack.c:58
 print_address_description.cold+0x54/0x1d3 mm/kasan/report.c:252
 kasan_report_error.cold+0x8a/0x191 mm/kasan/report.c:351
 kasan_report mm/kasan/report.c:409 [inline]
 __asan_report_store_n_noabort+0x6b/0x80 mm/kasan/report.c:446
 ipgre_header+0x32e/0x340 net/ipv4/ip_gre.c:850
 dev_hard_header include/linux/netdevice.h:2723 [inline]
 neigh_connected_output+0x355/0x580 net/core/neighbour.c:1393
 neigh_output include/net/neighbour.h:500 [inline]
 ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
 ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_mc_output+0x220/0xcb0 net/ipv4/ip_output.c:398
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
 iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
 ipip_tunnel_xmit+0x1ea/0x240 net/ipv4/ipip.c:308
 __netdev_start_xmit include/linux/netdevice.h:4054 [inline]
 netdev_start_xmit include/linux/netdevice.h:4063 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 neigh_output include/net/neighbour.h:500 [inline]
 ip_finish_output2+0xba6/0x1340 net/ipv4/ip_output.c:237
 ip_finish_output+0x37c/0xc50 net/ipv4/ip_output.c:325
 NF_HOOK_COND include/linux/netfilter.h:239 [inline]
 ip_mc_output+0x220/0xcb0 net/ipv4/ip_output.c:398
 dst_output include/net/dst.h:470 [inline]
 ip_local_out+0x93/0x170 net/ipv4/ip_output.c:125
 iptunnel_xmit+0x5cc/0x950 net/ipv4/ip_tunnel_core.c:91
 ip_tunnel_xmit+0xedc/0x33e0 net/ipv4/ip_tunnel.c:799
 ipgre_xmit+0x412/0x780 net/ipv4/ip_gre.c:670
 __netdev_start_xmit include/linux/netdevice.h:4054 [inline]
 netdev_start_xmit include/linux/netdevice.h:4063 [inline]
 xmit_one net/core/dev.c:3005 [inline]
 dev_hard_start_xmit+0x188/0x890 net/core/dev.c:3021
 __dev_queue_xmit+0x1d7f/0x2480 net/core/dev.c:3521
 __bpf_tx_skb net/core/filter.c:1715 [inline]
 __bpf_redirect_common net/core/filter.c:1754 [inline]
 __bpf_redirect+0x5cf/0x9c0 net/core/filter.c:1761
 ____bpf_clone_redirect net/core/filter.c:1794 [inline]
 bpf_clone_redirect+0x1e1/0x2c0 net/core/filter.c:1766
 ___bpf_prog_run+0x2459/0x5630 kernel/bpf/core.c:1133

The buggy address belongs to the page:
page:ffffea0005adc000 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x57ff00000000000()
raw: 057ff00000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: ffffea0005adc020 ffffea0005adc020 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88816b700700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88816b700780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88816b700800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                                     ^
 ffff88816b700880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff88816b700900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/08/04 21:57 linux-4.14.y b641242202ed 1c9013ac .config console log report syz C ci2-linux-4-14 KASAN: use-after-free Write in ipgre_header
* Struck through repros no longer work on HEAD.