syzbot


KASAN: use-after-free Read in sock_has_perm

Status: auto-closed as invalid on 2019/02/22 15:19
First crash: 2190d, last: 2190d
Similar bugs (2)
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status
upstream | KASAN: use-after-free Read in sock_has_perm (selinux) | | | | 1 | 594d | 590d | 0/26 | auto-obsoleted due to no activity on 2022/12/09 14:55
linux-4.14 | KASAN: use-after-free Read in sock_has_perm | | | | 1 | 1550d | 1550d | 0/1 | auto-closed as invalid on 2020/04/28 08:59

Sample crash report:
==================================================================
BUG: KASAN: use-after-free in sock_has_perm+0x3f0/0x400 security/selinux/hooks.c:4064
Read of size 8 at addr ffff8801d29814f8 by task syz-executor7/13410

CPU: 1 PID: 13410 Comm: syz-executor7 Not tainted 4.4.125-g38f41ec #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 7ffe728202d4fde7 ffff8801d28078b8 ffffffff81d067bd
 ffffea00074a6000 ffff8801d29814f8 0000000000000000 ffff8801d29814f8
 ffff8801d28f9800 ffff8801d28078f0 ffffffff814fea83 ffff8801d29814f8
Call Trace:
 [<ffffffff81d067bd>] __dump_stack lib/dump_stack.c:15 [inline]
 [<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff814fea83>] print_address_description+0x73/0x260 mm/kasan/report.c:252
 [<ffffffff814fef95>] kasan_report_error mm/kasan/report.c:351 [inline]
 [<ffffffff814fef95>] kasan_report+0x285/0x370 mm/kasan/report.c:408
 [<ffffffff814ff0f4>] __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:429
 [<ffffffff81b6aff0>] sock_has_perm+0x3f0/0x400 security/selinux/hooks.c:4064
 [<ffffffff81b6b19f>] selinux_socket_sendmsg+0x3f/0x50 security/selinux/hooks.c:4325
 [<ffffffff81b4967d>] security_socket_sendmsg+0x7d/0xb0 security/security.c:1231
 [<ffffffff82df1603>] sock_sendmsg+0x43/0x110 net/socket.c:632
 [<ffffffff82df3261>] ___sys_sendmsg+0x6c1/0x7c0 net/socket.c:1962
 [<ffffffff82df52b3>] __sys_sendmsg+0xd3/0x190 net/socket.c:1996
 [<ffffffff82ee01fa>] C_SYSC_sendmsg net/compat.c:720 [inline]
 [<ffffffff82ee01fa>] compat_SyS_sendmsg+0x2a/0x40 net/compat.c:718
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

Allocated by task 13410:
 [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fddbd>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fddbd>] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:616
 [<ffffffff814fa0a4>] __kmalloc+0x124/0x320 mm/slub.c:3613
 [<ffffffff82df8d1c>] kmalloc include/linux/slab.h:481 [inline]
 [<ffffffff82df8d1c>] sk_prot_alloc+0x18c/0x310 net/core/sock.c:1354
 [<ffffffff82dff03a>] sk_alloc+0x3a/0x3a0 net/core/sock.c:1419
 [<ffffffff83467b43>] pppol2tp_create+0x33/0x1f0 net/l2tp/l2tp_ppp.c:551
 [<ffffffff82800cc1>] pppox_create+0xf1/0x200 drivers/net/ppp/pppox.c:121
 [<ffffffff82df3c6c>] __sock_create+0x3ac/0x640 net/socket.c:1177
 [<ffffffff82df4130>] sock_create net/socket.c:1217 [inline]
 [<ffffffff82df4130>] SYSC_socket net/socket.c:1247 [inline]
 [<ffffffff82df4130>] SyS_socket+0xf0/0x1b0 net/socket.c:1227
 [<ffffffff81006d91>] do_syscall_32_irqs_on arch/x86/entry/common.c:392 [inline]
 [<ffffffff81006d91>] do_fast_syscall_32+0x321/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

Freed by task 13416:
 [<ffffffff81035d76>] save_stack_trace+0x26/0x50 arch/x86/kernel/stacktrace.c:63
 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fe412>] set_track mm/kasan/kasan.c:524 [inline]
 [<ffffffff814fe412>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff814faeac>] slab_free_hook mm/slub.c:1383 [inline]
 [<ffffffff814faeac>] slab_free_freelist_hook mm/slub.c:1405 [inline]
 [<ffffffff814faeac>] slab_free mm/slub.c:2859 [inline]
 [<ffffffff814faeac>] kfree+0xfc/0x300 mm/slub.c:3749
 [<ffffffff82e02c07>] sk_prot_free net/core/sock.c:1391 [inline]
 [<ffffffff82e02c07>] sk_destruct+0x3f7/0x4c0 net/core/sock.c:1472
 [<ffffffff82e02d27>] __sk_free+0x57/0x230 net/core/sock.c:1480
 [<ffffffff82e02f30>] sk_free+0x30/0x40 net/core/sock.c:1491
 [<ffffffff8346b14f>] sock_put include/net/sock.h:1639 [inline]
 [<ffffffff8346b14f>] pppol2tp_session_sock_put+0x5f/0x70 net/l2tp/l2tp_ppp.c:286
 [<ffffffff83463b44>] l2tp_tunnel_closeall+0x254/0x3b0 net/l2tp/l2tp_core.c:1277
 [<ffffffff8346472b>] l2tp_udp_encap_destroy+0x8b/0xf0 net/l2tp/l2tp_core.c:1300
 [<ffffffff833729c1>] udpv6_destroy_sock+0xb1/0xd0 net/ipv6/udp.c:1421
 [<ffffffff82e048fb>] sk_common_release+0x6b/0x300 net/core/sock.c:2680
 [<ffffffff83371975>] udp_lib_close+0x15/0x20 include/net/udp.h:190
 [<ffffffff831d5eba>] inet_release+0xfa/0x1d0 net/ipv4/af_inet.c:435
 [<ffffffff832fb320>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:424
 [<ffffffff82ded7fd>] sock_release+0x8d/0x1e0 net/socket.c:586
 [<ffffffff82ded966>] sock_close+0x16/0x20 net/socket.c:1037
 [<ffffffff81523f43>] __fput+0x233/0x6d0 fs/file_table.c:208
 [<ffffffff81524465>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff8118bd44>] task_work_run+0x104/0x180 kernel/task_work.c:115
 [<ffffffff8100361d>] tracehook_notify_resume include/linux/tracehook.h:191 [inline]
 [<ffffffff8100361d>] exit_to_usermode_loop+0x13d/0x160 arch/x86/entry/common.c:252
 [<ffffffff81007084>] prepare_exit_to_usermode arch/x86/entry/common.c:283 [inline]
 [<ffffffff81007084>] syscall_return_slowpath arch/x86/entry/common.c:348 [inline]
 [<ffffffff81007084>] do_syscall_32_irqs_on arch/x86/entry/common.c:398 [inline]
 [<ffffffff81007084>] do_fast_syscall_32+0x614/0x8a0 arch/x86/entry/common.c:459
 [<ffffffff8377b2aa>] sysenter_flags_fixed+0xd/0x17

The buggy address belongs to the object at ffff8801d2981100
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1016 bytes inside of
 2048-byte region [ffff8801d2981100, ffff8801d2981900)
The buggy address belongs to the page:
page:ffffea00074a6000 count:1 mapcount:-2146500592 mapping:          (null) index:0x0
BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<          (null)>]           (null)
PGD 80000000ac76e067 PUD ac777067 PMD 0 
Oops: 0010 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 4.4.125-g38f41ec #21
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: ffffffff84217840 task.stack: ffffffff84200000
RIP: 0010:[<0000000000000000>]  [<          (null)>]           (null)
RSP: 0018:ffff8801db207df0  EFLAGS: 00010006
RAX: ffffffff84217840 RBX: ffff8801d26dfd28 RCX: ffffffff812adea0
RDX: 0000000000010000 RSI: ffffffff839fef20 RDI: ffff8801d26dfd28
RBP: ffff8801db207ee0 R08: 1ffff10016e8bba0 R09: 0000000000000001
R10: 0000000000000000 R11: 1ffff1003b640f6a R12: 0000000000000000
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff8801db219640
FS:  0000000000000000(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000000ac75e000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
 ffffffff812adea6 ffff88021fffd017 ffff88021fffd01b ffff88021fffd00f
 1ffff1003b640fcb ffff8801db2196a0 ffffed003b640fca ffff8801db219700
 0303fc0000000001 ffff8801db219678 ffffed003b6432d4 ffff8801db219718
Call Trace:
 <IRQ> 
 [<ffffffff812b0386>] hrtimer_interrupt+0x1a6/0x440 kernel/time/hrtimer.c:1358
 [<ffffffff810b0e5a>] local_apic_timer_interrupt+0x6a/0xb0 arch/x86/kernel/apic/apic.c:901
 [<ffffffff8377c576>] smp_apic_timer_interrupt+0x76/0xa0 arch/x86/kernel/apic/apic.c:925
 [<ffffffff8377b4d0>] apic_timer_interrupt+0xa0/0xb0 arch/x86/entry/entry_64.S:741
 <EOI> 
 [<ffffffff81027e65>] arch_safe_halt arch/x86/include/asm/paravirt.h:117 [inline]
 [<ffffffff81027e65>] default_idle+0x55/0x3c0 arch/x86/kernel/process.c:290
 [<ffffffff810293da>] arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:281
 [<ffffffff81221948>] default_idle_call+0x48/0x70 kernel/sched/idle.c:93
 [<ffffffff8122204d>] cpuidle_idle_call kernel/sched/idle.c:157 [inline]
 [<ffffffff8122204d>] cpu_idle_loop kernel/sched/idle.c:253 [inline]
 [<ffffffff8122204d>] cpu_startup_entry+0x5fd/0x8f0 kernel/sched/idle.c:301
 [<ffffffff837667b9>] rest_init+0x189/0x190 init/main.c:410
 [<ffffffff84823811>] start_kernel+0x6b9/0x6ee init/main.c:682
 [<ffffffff84822312>] x86_64_start_reservations+0x2a/0x2c arch/x86/kernel/head64.c:196
 [<ffffffff84822454>] x86_64_start_kernel+0x140/0x163 arch/x86/kernel/head64.c:185
Code:  Bad RIP value.
RIP  [<          (null)>]           (null)
 RSP <ffff8801db207df0>
CR2: 0000000000000000
---[ end trace f7ec496779befe4c ]---
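
A triage helper for reports in this format, added here as an example (it is not syzbot's or the kernel's code). It parses the header, the access line, the three stacks and the object description, recomputes the offset of the faulting address inside the slab object and checks it against the 1016 bytes KASAN printed, and flags that the socket was freed by a different task (13416) from the one still using it (13410), which is the signature of a dropped reference or a lifetime race between the sendmsg path and the tunnel teardown path. The sample input is an excerpt of the report above; the list of noise-frame prefixes and the three-frame limit are choices made for this example.

```python
import re
from dataclasses import dataclass, field

# Excerpt of the syzbot report above, trimmed to the lines the parser reads (constructed sample input).
SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in sock_has_perm+0x3f0/0x400 security/selinux/hooks.c:4064
Read of size 8 at addr ffff8801d29814f8 by task syz-executor7/13410
Call Trace:
 [<ffffffff81d067bd>] dump_stack+0xc1/0x124 lib/dump_stack.c:51
 [<ffffffff81b6aff0>] sock_has_perm+0x3f0/0x400 security/selinux/hooks.c:4064
 [<ffffffff81b6b19f>] selinux_socket_sendmsg+0x3f/0x50 security/selinux/hooks.c:4325

Allocated by task 13410:
 [<ffffffff814fdaf3>] save_stack+0x43/0xd0 mm/kasan/kasan.c:512
 [<ffffffff814fa0a4>] __kmalloc+0x124/0x320 mm/slub.c:3613
 [<ffffffff82df8d1c>] sk_prot_alloc+0x18c/0x310 net/core/sock.c:1354
 [<ffffffff83467b43>] pppol2tp_create+0x33/0x1f0 net/l2tp/l2tp_ppp.c:551

Freed by task 13416:
 [<ffffffff814fe412>] kasan_slab_free+0x72/0xc0 mm/kasan/kasan.c:589
 [<ffffffff82e02c07>] sk_destruct+0x3f7/0x4c0 net/core/sock.c:1472
 [<ffffffff8346b14f>] pppol2tp_session_sock_put+0x5f/0x70 net/l2tp/l2tp_ppp.c:286
 [<ffffffff83463b44>] l2tp_tunnel_closeall+0x254/0x3b0 net/l2tp/l2tp_core.c:1277

The buggy address belongs to the object at ffff8801d2981100
 which belongs to the cache kmalloc-2048 of size 2048
The buggy address is located 1016 bytes inside of
"""

FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\]\s+(?P<sym>\S+)\s+(?P<loc>\S+)")
HEADER_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[^\s+]+)\+0x[0-9a-f]+/0x[0-9a-f]+ (?P<loc>\S+)")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task \S+/(?P<pid>\d+)")
SECTION_RE = re.compile(r"^(?P<what>Call Trace|Allocated by task|Freed by task) ?(?P<pid>\d*):")
OBJECT_RE = re.compile(r"belongs to the object at (?P<base>[0-9a-f]+)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
SECTIONS = {"Call Trace": "access", "Allocated by task": "alloc", "Freed by task": "free"}
# Frames from KASAN, the stack walker and the slab allocator say nothing about the bug; skip them.
NOISE = ("mm/kasan/", "lib/dump_stack", "arch/x86/kernel/stacktrace", "mm/slub.c", "include/linux/slab.h")

@dataclass
class KasanReport:
    kind: str = ""
    func: str = ""
    location: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    object_base: int = 0
    cache: str = ""
    cache_size: int = 0
    reported_offset: int = -1
    pids: dict = field(default_factory=dict)    # "access"/"alloc"/"free" -> task pid
    stacks: dict = field(default_factory=dict)  # "access"/"alloc"/"free" -> [(symbol, file:line)]

def parse_kasan_report(text: str) -> KasanReport:
    r, section = KasanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            r.kind, r.func, r.location = m["kind"], m["func"], m["loc"]
        elif m := ACCESS_RE.match(line):
            r.access, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
            r.pids["access"] = int(m["pid"])
        elif m := SECTION_RE.match(line):
            section = SECTIONS[m["what"]]
            r.stacks[section] = []
            if m["pid"]:
                r.pids[section] = int(m["pid"])
        elif m := OBJECT_RE.search(line):
            r.object_base = int(m["base"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.cache_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.reported_offset = int(m["off"])
        elif (m := FRAME_RE.match(line)) and section is not None:
            r.stacks[section].append((m["sym"].split("+")[0], m["loc"]))  # drop +0xoff/0xlen
        elif not line.strip():
            section = None  # a blank line closes the current stack
    return r

def interesting_frames(frames, limit=3):
    return [f for f in frames if not f[1].startswith(NOISE)][:limit]

def triage(r: KasanReport) -> dict:
    offset = r.addr - r.object_base
    notes = []
    if r.reported_offset >= 0 and offset != r.reported_offset:
        notes.append(f"computed offset {offset} disagrees with reported {r.reported_offset}")
    use_pid, free_pid = r.pids.get("access"), r.pids.get("free")
    if r.kind == "use-after-free" and free_pid is not None and free_pid != use_pid:
        notes.append(f"freed by task {free_pid} while task {use_pid} still used it: "
                     "look for a missing reference hold or a lifetime race between the two paths")
    return {
        "summary": f"{r.kind}: {r.access} of {r.size} bytes at +{offset} into a {r.cache} object from {r.func} ({r.location})",
        "offset": offset,
        "use_site": interesting_frames(r.stacks.get("access", []), 1),
        "alloc_chain": interesting_frames(r.stacks.get("alloc", [])),
        "free_chain": interesting_frames(r.stacks.get("free", [])),
        "notes": notes,
    }
```

Run it as `triage(parse_kasan_report(text))` on the full report text; on the excerpt above it reports the use in sock_has_perm, the allocation chain sk_prot_alloc -> pppol2tp_create, the free chain sk_destruct -> pppol2tp_session_sock_put -> l2tp_tunnel_closeall, an offset of 1016 matching KASAN's own figure, and the cross-task free note. The offset check matters on reports copied through mailing lists or bug trackers, where a truncated address silently changes the object being blamed.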

Crashes (1):
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
2018/03/29 20:16 | https://android.googlesource.com/kernel/common android-4.4 | 38f41ec1cb31 | d47f0ed6 | .config | console log | report | | | | | ci-android-44-kasan-gce-386 |