syzbot
```
netlink: 25 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor7'.
==================================================================
BUG: KASAN: use-after-free in tcp_rcv_state_process+0x3f53/0x4800 net/ipv4/tcp_input.c:5854
Read of size 1 at addr ffff8801cd58c5bd by task syz-executor4/7102

CPU: 0 PID: 7102 Comm: syz-executor4 Not tainted 4.15.0-rc2+ #146
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report+0x25b/0x340 mm/kasan/report.c:409
 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427
 tcp_rcv_state_process+0x3f53/0x4800 net/ipv4/tcp_input.c:5854
 tcp_v4_do_rcv+0x55c/0x7d0 net/ipv4/tcp_ipv4.c:1490
 sk_backlog_rcv include/net/sock.h:911 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2264
 release_sock+0xa4/0x2a0 net/core/sock.c:2779
 inet_wait_for_connect net/ipv4/af_inet.c:558 [inline]
 __inet_stream_connect+0x651/0xf00 net/ipv4/af_inet.c:644
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:683
 SYSC_connect+0x20a/0x480 net/socket.c:1641
 SyS_connect+0x24/0x30 net/socket.c:1622
 entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x452a39
RSP: 002b:00007fc61d93cc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002a
RAX: ffffffffffffffda RBX: 00007fc61d93d700 RCX: 0000000000452a39
RDX: 0000000000000010 RSI: 0000000020001ffa RDI: 0000000000000015
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000212 R12: 0000000000000000
R13: 0000000000a6f7ff R14: 00007fc61d93d9c0 R15: 0000000000000001

Allocated by task 7102:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 __do_kmalloc_node mm/slab.c:3675 [inline]
 __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3689
 __kmalloc_reserve.isra.41+0x41/0xd0 net/core/skbuff.c:137
 __alloc_skb+0x13b/0x780 net/core/skbuff.c:205
 alloc_skb include/linux/skbuff.h:983 [inline]
 tcp_send_ack.part.41+0xce/0x610 net/ipv4/tcp_output.c:3596
 tcp_send_ack+0x49/0x60 net/ipv4/tcp_output.c:3587
 tcp_send_challenge_ack.isra.48+0x356/0x410 net/ipv4/tcp_input.c:3404
 tcp_validate_incoming+0x9fa/0x1380 net/ipv4/tcp_input.c:5259
 tcp_rcv_state_process+0x31f/0x4800 net/ipv4/tcp_input.c:5857
 tcp_v4_do_rcv+0x55c/0x7d0 net/ipv4/tcp_ipv4.c:1490
 sk_backlog_rcv include/net/sock.h:911 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2264
 release_sock+0xa4/0x2a0 net/core/sock.c:2779
 inet_wait_for_connect net/ipv4/af_inet.c:558 [inline]
 __inet_stream_connect+0x651/0xf00 net/ipv4/af_inet.c:644
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:683
 SYSC_connect+0x20a/0x480 net/socket.c:1641
 SyS_connect+0x24/0x30 net/socket.c:1622
 entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 7102:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:447
 set_track mm/kasan/kasan.c:459 [inline]
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 __cache_free mm/slab.c:3491 [inline]
 kfree+0xca/0x250 mm/slab.c:3806
 skb_free_head+0x74/0xb0 net/core/skbuff.c:550
 skb_release_data+0x58c/0x790 net/core/skbuff.c:570
 skb_release_all+0x4a/0x60 net/core/skbuff.c:627
 __kfree_skb+0x15/0x20 net/core/skbuff.c:641
 tcp_drop+0xcf/0x100 net/ipv4/tcp_input.c:4286
 tcp_validate_incoming+0x903/0x1380 net/ipv4/tcp_input.c:5266
 tcp_rcv_state_process+0x31f/0x4800 net/ipv4/tcp_input.c:5857
 tcp_v4_do_rcv+0x55c/0x7d0 net/ipv4/tcp_ipv4.c:1490
 sk_backlog_rcv include/net/sock.h:911 [inline]
 __release_sock+0x124/0x360 net/core/sock.c:2264
 release_sock+0xa4/0x2a0 net/core/sock.c:2779
 inet_wait_for_connect net/ipv4/af_inet.c:558 [inline]
 __inet_stream_connect+0x651/0xf00 net/ipv4/af_inet.c:644
 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:683
 SYSC_connect+0x20a/0x480 net/socket.c:1641
 SyS_connect+0x24/0x30 net/socket.c:1622
 entry_SYSCALL_64_fastpath+0x1f/0x96

The buggy address belongs to the object at ffff8801cd58c4c0
 which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 253 bytes inside of
 1024-byte region [ffff8801cd58c4c0, ffff8801cd58c8c0)
The buggy address belongs to the page:
page:00000000dc93578e count:1 mapcount:0 mapping:00000000976cf74f index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801cd58c040 0000000000000000 0000000100000007
raw: ffffea000701e1a0 ffffea00071ff420 ffff8801db000ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cd58c480: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
 ffff8801cd58c500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8801cd58c580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                        ^
 ffff8801cd58c600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8801cd58c680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
```
Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Manager | Title
---|---|---|---|---|---|---|---|---|---|---|---|---
2017/12/08 07:44 | net-next-old | 66c5c5b56682 | 5d643f8e | .config | console log | report | | | | | ci-upstream-net-kasan-gce | 