syzbot
KASAN: stack-out-of-bounds Read in xfrm_state_find (4)

Status: fixed on 2018/03/23 18:14
Reported-by: syzbot+e1a1577ca8bcb47b769a@syzkaller.appspotmail.com
Fix commit: 19d7df69fdb2 xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
First crash: 1764d, last: 1713d
similar bugs (10):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (3) C 10353 1769d 1836d 4/24 fixed on 2018/01/31 00:24
android-44 KASAN: stack-out-of-bounds Read in xfrm_state_find C 842 1096d 1329d 0/2 public: reported C repro on 2019/04/12 00:00
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (5) C done 654 1401d 1704d 14/24 fixed on 2019/11/11 16:48
upstream KMSAN: uninit-value in xfrm_state_find C 193 40d 1629d 0/24 upstream: reported C repro on 2018/06/15 07:30
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find C 365 1864d 1937d 0/24 closed as invalid on 2017/10/23 16:19
android-5-10 KASAN: stack-out-of-bounds Read in xfrm_state_find 1 388d 388d 0/2 closed as invalid on 2022/02/03 13:56
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find C 4151 1429d 1941d 0/3 closed as invalid on 2019/01/01 20:10
android-414 KASAN: stack-out-of-bounds Read in xfrm_state_find C 137 1403d 1330d 0/1 public: reported C repro on 2019/04/11 00:00
upstream KASAN: stack-out-of-bounds Read in xfrm_state_find (2) C 93 1847d 1855d 3/24 fixed on 2017/11/18 01:42
android-49 KASAN: stack-out-of-bounds Read in xfrm_state_find (2) C 392 1093d 1329d 0/3 public: reported C repro on 2019/04/11 08:44

Sample crash report:
audit: type=1400 audit(1519699153.102:6): avc:  denied  { map } for  pid=4224 comm="bash" path="/bin/bash" dev="sda1" ino=1457 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file permissive=1
audit: type=1400 audit(1519699167.021:7): avc:  denied  { map } for  pid=4240 comm="syzkaller703456" path="/root/syzkaller703456610" dev="sda1" ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x30de/0x3210 net/xfrm/xfrm_state.c:1051
Read of size 4 at addr ffff8801b01b7480 by task syzkaller703456/4240

CPU: 0 PID: 4240 Comm: syzkaller703456 Not tainted 4.16.0-rc3+ #330
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:432
 xfrm_state_find+0x30de/0x3210 net/xfrm/xfrm_state.c:1051
 xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1393 [inline]
 xfrm_tmpl_resolve+0x2ee/0xc40 net/xfrm/xfrm_policy.c:1437
 xfrm_resolve_and_create_bundle+0x184/0x28d0 net/xfrm/xfrm_policy.c:1830
 xfrm_lookup+0xfcb/0x25c0 net/xfrm/xfrm_policy.c:2160
 xfrm_lookup_route+0x39/0x1a0 net/xfrm/xfrm_policy.c:2280
 ip_route_output_flow+0x7c/0xa0 net/ipv4/route.c:2558
 udp_sendmsg+0x19bd/0x2f70 net/ipv4/udp.c:1012
 udpv6_sendmsg+0x757/0x3400 net/ipv6/udp.c:1156
 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
 sock_sendmsg_nosec net/socket.c:630 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:640
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
 __sys_sendmsg+0xe5/0x210 net/socket.c:2080
 SYSC_sendmsg net/socket.c:2091 [inline]
 SyS_sendmsg+0x2d/0x50 net/socket.c:2087
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4402a9
RSP: 002b:00007ffdde36c7b8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004402a9
RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 00000000000000e8 R11: 0000000000000217 R12: 0000000000401bd0
R13: 0000000000401c60 R14: 0000000000000000 R15: 0000000000000000

The buggy address belongs to the page:
page:ffffea0006c06dc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 ffffea0006c00101 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801b01b7380: f2 00 f2 f2 f2 f2 f2 f2 f2 f8 f2 f2 f2 f2 f2 f2
 ffff8801b01b7400: f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00
>ffff8801b01b7480: f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2 f2
                   ^
 ffff8801b01b7500: f2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801b01b7580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
==================================================================

Crashes (102):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci-upstream-kasan-gce 2018/02/27 02:41 upstream 4a3928c6f8a5 b370d4a7 .config log report syz C
ci-upstream-kasan-gce 2018/01/31 09:11 upstream 72906f38934a 02553e22 .config log report syz C
ci-upstream-kasan-gce-386 2018/01/31 09:12 upstream 72906f38934a 02553e22 .config log report syz C
ci-upstream-net-kasan-gce 2018/02/27 03:00 net-next ba6056a41cb0 b370d4a7 .config log report syz C
ci-upstream-net-kasan-gce 2018/01/31 09:00 net-next 91e6dd828425 02553e22 .config log report syz C
ci-upstream-kasan-gce-386 2018/02/27 02:41 upstream 4a3928c6f8a5 b370d4a7 .config log report syz
ci-upstream-kasan-gce 2018/03/23 14:09 upstream f36b7534b833 2e9d9054 .config log report
ci-upstream-kasan-gce 2018/03/22 13:06 upstream 3215b9d57a2c 2e9d9054 .config log report
ci-upstream-kasan-gce 2018/03/21 07:04 upstream 3215b9d57a2c 113a43ff .config log report
ci-upstream-kasan-gce-386 2018/03/22 08:16 upstream 3215b9d57a2c 95c88d7a .config log report
ci-upstream-net-kasan-gce 2018/03/14 12:26 net-next a870a02cc963 08dacaa0 .config log report
ci-upstream-net-kasan-gce 2018/03/14 07:46 net-next be9fc0971a5c 08dacaa0 .config log report
ci-upstream-net-kasan-gce 2018/03/14 02:17 net-next be9fc0971a5c 08dacaa0 .config log report
ci-upstream-net-kasan-gce 2018/03/13 21:16 net-next 9ba32046fc2d 08dacaa0 .config log report
ci-upstream-net-kasan-gce 2018/03/12 23:46 net-next 129cf5f7f196 f505ca4b .config log report
ci-upstream-net-kasan-gce 2018/03/12 20:54 net-next 129cf5f7f196 f505ca4b .config log report
ci-upstream-net-kasan-gce 2018/03/12 19:27 net-next 129cf5f7f196 f505ca4b .config log report
ci-upstream-net-kasan-gce 2018/03/12 13:54 net-next 8b4c6ed2ed0e f505ca4b .config log report
ci-upstream-net-kasan-gce 2018/03/12 09:19 net-next 8b4c6ed2ed0e 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/12 05:27 net-next 8b4c6ed2ed0e 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/12 03:22 net-next f44b1886a5f8 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/11 22:41 net-next f44b1886a5f8 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/11 06:26 net-next f44b1886a5f8 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/11 03:46 net-next f44b1886a5f8 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/10 23:41 net-next f44b1886a5f8 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/10 05:53 net-next f44b1886a5f8 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/10 04:01 net-next f44b1886a5f8 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/10 02:06 net-next cf29bded91f9 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/09 21:22 net-next cf29bded91f9 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/09 19:30 net-next cf29bded91f9 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/09 16:20 net-next cf29bded91f9 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/09 10:13 net-next fd372a7a9e5e 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/09 04:35 net-next fd372a7a9e5e 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/09 02:08 net-next fd372a7a9e5e 36d1c454 .config log report
ci-upstream-net-kasan-gce 2018/03/08 22:57 net-next 67ae686b3e14 acd0caa5 .config log report
ci-upstream-net-kasan-gce 2018/03/08 13:02 net-next a366e300ae9f acd0caa5 .config log report
ci-upstream-net-kasan-gce 2018/03/08 07:19 net-next a366e300ae9f d50edb7e .config log report
ci-upstream-net-kasan-gce 2018/03/08 02:49 net-next a366e300ae9f d50edb7e .config log report
ci-upstream-net-kasan-gce 2018/03/08 00:39 net-next 30855ffc29b9 a5e76540 .config log report
ci-upstream-net-kasan-gce 2018/03/07 17:14 net-next 30855ffc29b9 a5e76540 .config log report
ci-upstream-net-kasan-gce 2018/03/07 15:25 net-next 0f3e9c97eb5a a5e76540 .config log report
ci-upstream-net-kasan-gce 2018/03/07 08:57 net-next 0f3e9c97eb5a c8a18476 .config log report
ci-upstream-net-kasan-gce 2018/03/06 22:37 net-next 0f3e9c97eb5a c8a18476 .config log report
ci-upstream-net-kasan-gce 2018/03/06 19:13 net-next 0f3e9c97eb5a c8a18476 .config log report
ci-upstream-net-kasan-gce 2018/03/06 17:16 net-next 0f3e9c97eb5a aef0b792 .config log report
ci-upstream-net-kasan-gce 2018/03/06 16:46 net-next 0f3e9c97eb5a aef0b792 .config log report
ci-upstream-net-kasan-gce 2018/03/06 16:21 net-next 0f3e9c97eb5a aef0b792 .config log report
ci-upstream-net-kasan-gce 2018/03/06 16:07 net-next 0f3e9c97eb5a aef0b792 .config log report