syzbot


KASAN: slab-out-of-bounds Read in bpf_skb_change_tail
Status: fixed on 2020/02/05 13:33
Reported-by: syzbot+75bc540c9480645ad6f1@syzkaller.appspotmail.com
Fix commit: 7fed98f4a1e6 bpf: reject passing modified ctx to helper functions
First crash: 1018d, last: 872d

Fix bisection: fixed by (bisect log) :
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu Jun 7 15:40:03 2018 +0000

  bpf: reject passing modified ctx to helper functions

similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
android-414 KASAN: slab-out-of-bounds Read in bpf_skb_change_tail syz 1 1282d 1137d 0/1 public: reported syz repro on 2019/04/13 00:01

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1565881590.124:36): avc:  denied  { map } for  pid=6929 comm="syz-executor301" path="/root/syz-executor301029181" dev="sda1" ino=16483 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_tail net/core/filter.c:2371 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_tail+0xa7f/0xba0 net/core/filter.c:2368
Read of size 8 at addr ffff88809c1cd510 by task syz-executor301/6929

CPU: 0 PID: 6929 Comm: syz-executor301 Not tainted 4.14.138 #34
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x138/0x19c lib/dump_stack.c:53
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
 ____bpf_skb_change_tail net/core/filter.c:2371 [inline]
 bpf_skb_change_tail+0xa7f/0xba0 net/core/filter.c:2368
 bpf_prog_ac477e10ee530e9d+0xe53/0x1000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff88809c1cd480
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 144 bytes inside of
 232-byte region [ffff88809c1cd480, ffff88809c1cd568)
The buggy address belongs to the page:
page:ffffea0002707340 count:1 mapcount:0 mapping:ffff88809c1cd0c0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff88809c1cd0c0 0000000000000000 000000010000000c
raw: ffffea0002575fe0 ffff8880a9e18748 ffff88821b757240 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88809c1cd400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809c1cd480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88809c1cd500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                         ^
 ffff88809c1cd580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88809c1cd600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2019/08/15 15:09 linux-4.14.y 3ffe1e79c174 0d298d6b .config log report syz C
ci2-linux-4-14 2019/08/10 11:08 linux-4.14.y 3ffe1e79c174 acb51638 .config log report syz C