syzbot |
sign-in | mailing list | source | docs |
| 🐞 Open [979] ≡ Subsystems 🐞 Fixed [5236] 🐞 Invalid [12497] ⬇ Missing Backports [83] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes | 💬 Send us feedback |
| Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
|---|---|---|---|---|---|---|---|---|---|
| linux-4.14 | KASAN: use-after-free Read in tcp_ack | 30 | 1677d | 1687d | 0/1 | auto-closed as invalid on 2019/12/19 23:16 | |||
| android-414 | KASAN: use-after-free Read in tcp_ack | 9 | 1677d | 1688d | 0/1 | auto-closed as invalid on 2020/01/18 23:16 |
================================================================== BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1706 [inline] BUG: KASAN: use-after-free in tcp_ack+0x42bb/0x4fd0 net/ipv4/tcp_input.c:3537 dccp_invalid_packet: P.Data Offset(0) too small Read of size 4 at addr ffff8801d49c7a68 by task syz-executor2/8780 CPU: 0 PID: 8780 Comm: syz-executor2 Not tainted 4.14.0-rc8+ #123 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:252 dccp_invalid_packet: P.Data Offset(0) too small kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429 tcp_highest_sack_seq include/net/tcp.h:1706 [inline] tcp_ack+0x42bb/0x4fd0 net/ipv4/tcp_input.c:3537 tcp_rcv_established+0x672/0x18a0 net/ipv4/tcp_input.c:5439 tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1468 sk_backlog_rcv include/net/sock.h:914 [inline] __release_sock+0x124/0x360 net/core/sock.c:2266 release_sock+0xa4/0x2a0 net/core/sock.c:2781 tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x352/0x5a0 net/socket.c:1750 SyS_sendto+0x40/0x50 net/socket.c:1718 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x452879 RSP: 002b:00007fd915ccebe8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452879 RDX: 0000000000000002 RSI: 0000000020023ffe RDI: 0000000000000013 RBP: 0000000000000000 R08: 0000000020000000 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000000212 R12: 0000000000000000 R13: 0000000000a6f7ff R14: 00007fd915ccf9c0 R15: 0000000000000000 Allocated by task 8780: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc_node+0x144/0x760 mm/slab.c:3652 __alloc_skb+0xf1/0x780 net/core/skbuff.c:194 alloc_skb_fclone include/linux/skbuff.h:1026 [inline] sk_stream_alloc_skb+0x11d/0x900 net/ipv4/tcp.c:870 tcp_sendmsg_locked+0x1341/0x3b80 net/ipv4/tcp.c:1299 tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1461 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x352/0x5a0 net/socket.c:1750 SyS_sendto+0x40/0x50 net/socket.c:1718 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 8780: save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59 save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3504 [inline] kmem_cache_free+0x77/0x280 mm/slab.c:3764 kfree_skbmem+0xdd/0x1d0 net/core/skbuff.c:607 __kfree_skb+0x1d/0x20 net/core/skbuff.c:646 tcp_check_urg net/ipv4/tcp_input.c:5105 [inline] tcp_urg+0x9fe/0xbd0 net/ipv4/tcp_input.c:5123 tcp_rcv_established+0x832/0x18a0 net/ipv4/tcp_input.c:5445 tcp_v4_do_rcv+0x2ab/0x7d0 net/ipv4/tcp_ipv4.c:1468 sk_backlog_rcv include/net/sock.h:914 [inline] __release_sock+0x124/0x360 net/core/sock.c:2266 release_sock+0xa4/0x2a0 net/core/sock.c:2781 tcp_sendmsg+0x3a/0x50 net/ipv4/tcp.c:1462 inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763 sock_sendmsg_nosec net/socket.c:633 [inline] sock_sendmsg+0xca/0x110 net/socket.c:643 SYSC_sendto+0x352/0x5a0 net/socket.c:1750 SyS_sendto+0x40/0x50 net/socket.c:1718 entry_SYSCALL_64_fastpath+0x1f/0xbe The buggy address belongs to the object at ffff8801d49c7a40 which belongs to the cache skbuff_fclone_cache of size 456 The buggy address is located 40 bytes inside of 456-byte region [ffff8801d49c7a40, ffff8801d49c7c08) The buggy address belongs to the page: page:ffffea00075271c0 count:1 mapcount:0 mapping:ffff8801d49c7040 index:0xffff8801d49c72c0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801d49c7040 ffff8801d49c72c0 0000000100000005 raw: ffffea0007148820 ffffea000723b5a0 ffff8801d9827cc0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d49c7900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d49c7980: fb fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8801d49c7a00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8801d49c7a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801d49c7b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ==================================================================
| Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets (help?) | Manager | Title |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2017/11/15 03:10 | net-next-old | 4497478c60c0 | cf38de00 | .config | console log | report | ci-upstream-net-kasan-gce | |||||
| 2017/11/14 08:43 | net-next-old | ee0ab7a2b00f | cf38de00 | .config | console log | report | ci-upstream-net-kasan-gce | |||||
| 2017/11/14 05:15 | net-next-old | ee0ab7a2b00f | cf38de00 | .config | console log | report | ci-upstream-net-kasan-gce | |||||
| 2017/11/15 05:00 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/15 04:02 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/15 02:47 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 23:56 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 17:49 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | skylake-linux-next-kasan-qemu | |||||
| 2017/11/14 16:52 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 16:36 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 16:10 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | skylake-linux-next-kasan-qemu | |||||
| 2017/11/14 11:03 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 09:03 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 07:27 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | skylake-linux-next-kasan-qemu | |||||
| 2017/11/14 06:39 | linux-next | c9b945f2a731 | cf38de00 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 04:58 | linux-next | c348a99ee55f | f9a8d567 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 03:48 | linux-next | c348a99ee55f | f9a8d567 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/14 02:41 | linux-next | c348a99ee55f | f9a8d567 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/13 09:25 | linux-next | c348a99ee55f | f9a8d567 | .config | console log | report | ci-upstream-next-kasan-gce | |||||
| 2017/11/13 08:56 | linux-next | c348a99ee55f | f9a8d567 | .config | console log | report | ci-upstream-next-kasan-gce |