syzbot


KASAN: null-ptr-deref Read in llcp_sock_getname

Status: fixed on 2021/06/10 12:07
Reported-by: syzbot+80fb126e7f7d8b1a5914@syzkaller.appspotmail.com
Fix commit: 93e4ac2a9979 nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect
First crash: 1631d, last: 1072d
Discussions (8)
| Title | Replies (including bot) | Last reply |
|---|---|---|
| [PATCH 5.4 00/78] 5.4.125-rc1 review | 86 (86) | 2021/06/16 15:01 |
| [PATCH 4.19 00/58] 4.19.194-rc1 review | 69 (69) | 2021/06/11 07:28 |
| [PATCH 5.10 000/137] 5.10.43-rc1 review | 144 (144) | 2021/06/10 09:02 |
| [PATCH 5.12 000/161] 5.12.10-rc1 review | 171 (171) | 2021/06/09 20:47 |
| [PATCH 4.14 00/47] 4.14.236-rc1 review | 50 (50) | 2021/06/09 18:48 |
| [PATCH 4.9 00/29] 4.9.272-rc1 review | 34 (34) | 2021/06/09 18:47 |
| [PATCH 4.4 00/23] 4.4.272-rc1 review | 28 (28) | 2021/06/09 18:47 |
| [RESEND PATCH] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect | 2 (2) | 2021/06/01 05:50 |
Similar bugs (2)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: null-ptr-deref Read in llcp_sock_getname C done error 242 990d 1650d 0/26 closed as invalid on 2021/12/14 20:22
linux-4.14 KASAN: null-ptr-deref Read in llcp_sock_getname C error 58 798d 1648d 0/1 upstream: reported C repro on 2019/10/14 09:43
Fix bisection attempts (7)
| Created | Duration | User | Patch | Repo | Result |
|---|---|---|---|---|---|
| 2021/05/13 01:07 | 30m | bisect fix | | linux-4.19.y | job log (0) log |
| 2021/03/06 04:48 | 31m | bisect fix | | linux-4.19.y | job log (0) log |
| 2021/01/19 08:29 | 24m | bisect fix | | linux-4.19.y | job log (0) log |
| 2020/12/01 00:17 | 25m | bisect fix | | linux-4.19.y | job log (0) log |
| 2020/09/18 08:07 | 23m | bisect fix | | linux-4.19.y | job log (0) log |
| 2020/08/19 05:06 | 32m | bisect fix | | linux-4.19.y | job log (0) log |
| 2020/07/03 20:50 | 24m | bisect fix | | linux-4.19.y | job log (0) log |

Sample crash report:
audit: type=1400 audit(1575835857.214:35): avc:  denied  { map } for  pid=7641 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1575835863.834:36): avc:  denied  { map } for  pid=7656 comm="syz-executor943" path="/root/syz-executor943995212" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: null-ptr-deref in memcpy include/linux/string.h:348 [inline]
BUG: KASAN: null-ptr-deref in llcp_sock_getname+0x358/0x460 net/nfc/llcp_sock.c:531
Read of size 43 at addr 0000000000000000 by task syz-executor943/7656

CPU: 1 PID: 7656 Comm: syz-executor943 Not tainted 4.19.88-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x197/0x210 lib/dump_stack.c:118
 kasan_report_error mm/kasan/report.c:352 [inline]
 kasan_report mm/kasan/report.c:412 [inline]
 kasan_report.cold+0x199/0x2ba mm/kasan/report.c:396
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x123/0x190 mm/kasan/kasan.c:267
 memcpy+0x24/0x50 mm/kasan/kasan.c:302
 memcpy include/linux/string.h:348 [inline]
 llcp_sock_getname+0x358/0x460 net/nfc/llcp_sock.c:531
 __sys_getpeername+0x12b/0x290 net/socket.c:1735
 __do_sys_getpeername net/socket.c:1748 [inline]
 __se_sys_getpeername net/socket.c:1745 [inline]
 __x64_sys_getpeername+0x73/0xb0 net/socket.c:1745
 do_syscall_64+0xfd/0x620 arch/x86/entry/common.c:293
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x440349
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fff33e94a18 EFLAGS: 00000246 ORIG_RAX: 0000000000000034
RAX: ffffffffffffffda RBX: fe7f62c7329d9aaa RCX: 0000000000440349
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000004
RBP: 65e500001d7ef6cc R08: 00007fff33e94b88 R09: 00007fff33e94b88
R10: 00007fff33e94b88 R11: 0000000000000246 R12: 211e267fffffffff
R13: ffff000000004d02 R14: aac8030fa4d62b9c R15: d303a55487e71188
==================================================================

Crashes (37):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2019/12/08 20:13 linux-4.19.y fb683b5e3f53 1508f453 .config console log report syz C ci2-linux-4-19
2021/04/13 01:02 linux-4.19.y 830a059cbba6 6a81331a .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/04/12 14:17 linux-4.19.y 830a059cbba6 6a81331a .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/04/04 00:47 linux-4.19.y 2034d6f0838e 6a81331a .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/03/30 03:33 linux-4.19.y 78fec1611cbf 6a81331a .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/03/28 16:20 linux-4.19.y 78fec1611cbf a8529b82 .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/03/19 03:22 linux-4.19.y ac3af4beac43 380dcc3e .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/02/04 04:48 linux-4.19.y 811218eceeaa 624dad51 .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/01/27 01:40 linux-4.19.y 2263955bf7e7 55a7d4df .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2021/01/21 16:38 linux-4.19.y 43d555d83c3f d4f4eca5 .config console log report info ci2-linux-4-19 KASAN: null-ptr-deref Read in llcp_sock_getname
2020/12/20 08:17 linux-4.19.y 13d2ce42de8c 04201c06 .config console log report info ci2-linux-4-19
2020/12/08 00:02 linux-4.19.y daefdc9eb24b 51a9082e .config console log report info ci2-linux-4-19
2020/10/31 23:43 linux-4.19.y f5d8eef067ac 8bc4594f .config console log report info ci2-linux-4-19
2020/10/16 02:36 linux-4.19.y a1b977b49b66 6e262c73 .config console log report info ci2-linux-4-19
2020/07/20 05:06 linux-4.19.y 17a87580a885 9c812472 .config console log report ci2-linux-4-19
2020/06/03 20:50 linux-4.19.y 4707d8e57273 a5ce5de0 .config console log report ci2-linux-4-19
2020/05/31 20:01 linux-4.19.y 2d16cf4817bc a0331e89 .config console log report ci2-linux-4-19
2020/05/19 04:06 linux-4.19.y 258f0cf7ac3b 684d3606 .config console log report ci2-linux-4-19
2020/05/09 10:41 linux-4.19.y 84920cc7fbe1 e97b06d3 .config console log report ci2-linux-4-19
2020/05/09 08:20 linux-4.19.y 84920cc7fbe1 e97b06d3 .config console log report ci2-linux-4-19
2020/05/07 19:45 linux-4.19.y 84920cc7fbe1 98cbd87b .config console log report ci2-linux-4-19
2020/04/22 07:23 linux-4.19.y 8e2406c85187 2e44d63e .config console log report ci2-linux-4-19
2020/04/07 14:11 linux-4.19.y dda0e2920330 99a96044 .config console log report ci2-linux-4-19
2020/03/11 01:41 linux-4.19.y 7472c4028e23 35f53e45 .config console log report ci2-linux-4-19
2020/02/29 13:50 linux-4.19.y a083db76118d c88c7b75 .config console log report ci2-linux-4-19
2020/02/06 18:21 linux-4.19.y b499cf4b3a90 5be3a391 .config console log report ci2-linux-4-19
2020/01/31 06:45 linux-4.19.y 7cdefde351b6 5ed23f9a .config console log report ci2-linux-4-19
2020/01/14 18:13 linux-4.19.y dcd888983542 32881205 .config console log report ci2-linux-4-19
2020/01/08 18:24 linux-4.19.y 3d40d7117e35 ddc3e859 .config console log report ci2-linux-4-19
2020/01/08 03:13 linux-4.19.y 3d40d7117e35 6738e0b3 .config console log report ci2-linux-4-19
2019/12/27 19:30 linux-4.19.y 672481c2deff be5c2c81 .config console log report ci2-linux-4-19
2019/12/26 03:01 linux-4.19.y 672481c2deff be5c2c81 .config console log report ci2-linux-4-19
2019/12/21 20:43 linux-4.19.y 672481c2deff bc586918 .config console log report ci2-linux-4-19
2019/12/19 23:04 linux-4.19.y 7d120bf21c05 36650b4b .config console log report ci2-linux-4-19
2019/12/19 09:06 linux-4.19.y 7d120bf21c05 79b211f7 .config console log report ci2-linux-4-19
2019/12/08 19:10 linux-4.19.y fb683b5e3f53 1508f453 .config console log report ci2-linux-4-19
2019/10/31 04:38 linux-4.19.y ef244c308885 a41ca8fa .config console log report ci2-linux-4-19