syzbot


KASAN: use-after-free Read in _decode_session6

Status: auto-closed as invalid on 2019/03/12 14:41
First crash: 2084d, last: 2084d
Similar bugs (5)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
linux-4.19 KASAN: slab-out-of-bounds Read in _decode_session6 23 889d 1543d 0/1 auto-closed as invalid on 2022/04/20 21:31
linux-4.19 KASAN: use-after-free Read in _decode_session6 (2) 1 741d 741d 0/1 auto-obsoleted due to no activity on 2022/09/15 14:44
linux-4.14 KASAN: use-after-free Read in _decode_session6 2 1465d 1474d 0/1 auto-closed as invalid on 2020/09/21 07:45
linux-4.19 KASAN: use-after-free Read in _decode_session6 2 1434d 1466d 0/1 auto-closed as invalid on 2020/10/22 17:34
upstream KASAN: use-after-free Read in _decode_session6 net C done 4 2023d 2091d 13/26 fixed on 2019/11/07 18:45

Sample crash report:
audit: type=1400 audit(1536849426.508:17): avc:  denied  { prog_load } for  pid=5545 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=bpf permissive=1
==================================================================
BUG: KASAN: use-after-free in _decode_session6+0xe55/0x1370 net/ipv6/xfrm6_policy.c:175
Read of size 2 at addr ffff8801cb94a196 by task syz-executor3/5551

CPU: 0 PID: 5551 Comm: syz-executor3 Not tainted 4.14.69+ #5
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0xb9/0x11b lib/dump_stack.c:53
 print_address_description+0x60/0x22b mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report.cold.6+0x11b/0x2dd mm/kasan/report.c:409
 _decode_session6+0xe55/0x1370 net/ipv6/xfrm6_policy.c:175
 __xfrm_decode_session+0x64/0x100 net/xfrm/xfrm_policy.c:2423
 xfrm_decode_session include/net/xfrm.h:1201 [inline]
 vti6_tnl_xmit+0x31b/0x15b0 net/ipv6/ip6_vti.c:550
 __netdev_start_xmit include/linux/netdevice.h:4023 [inline]
 netdev_start_xmit include/linux/netdevice.h:4032 [inline]
 xmit_one net/core/dev.c:2987 [inline]
 dev_hard_start_xmit+0x191/0x890 net/core/dev.c:3003
 __dev_queue_xmit+0x13d9/0x1f40 net/core/dev.c:3503
 __bpf_tx_skb net/core/filter.c:1708 [inline]
 __bpf_redirect_common net/core/filter.c:1746 [inline]
 __bpf_redirect+0x5b0/0x990 net/core/filter.c:1753
 ____bpf_clone_redirect net/core/filter.c:1786 [inline]
 bpf_clone_redirect+0x1d4/0x2b0 net/core/filter.c:1758
 ___bpf_prog_run+0x248e/0x5c70 kernel/bpf/core.c:1012

The buggy address belongs to the page:
page:ffffea00072e5280 count:0 mapcount:-127 mapping:          (null) index:0xffff880155729080
flags: 0x4000000000000000()
raw: 4000000000000000 0000000000000000 ffff880155729080 00000000ffffff80
raw: ffffea00074ce8a0 ffffea0007309d20 0000000000000001 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cb94a080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb94a100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff8801cb94a180: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
 ffff8801cb94a200: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
 ffff8801cb94a280: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/09/13 14:37 android-4.14 fc59235394b2 19e9088b .config console log report ci-android-414-kasan-gce-root
* Struck through repros no longer work on HEAD.