syzbot |
sign-in | mailing list | source | docs |
🐞 Open [741] 🐞 Fixed [297] 🐞 Invalid [782] 📈 Kernel Health 📈 Bug Lifetimes 📈 Fuzzing 📈 Crashes |
Kernel | Title | Repro | Cause bisect | Fix bisect | Count | Last | Reported | Patched | Status |
---|---|---|---|---|---|---|---|---|---|
linux-4.14 | KASAN: use-after-free Read in hci_chan_del | C | error | 21 | 180d | 916d | 0/1 | upstream: reported C repro on 2020/08/03 13:37 | |
upstream | KASAN: use-after-free Read in hci_chan_del | C | done | done | 87 | 638d | 917d | 0/24 | upstream: reported C repro on 2020/08/02 20:45 |
audit: type=1400 audit(1596890721.083:8): avc: denied { execmem } for pid=6463 comm="syz-executor950" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=process permissive=1 IPVS: ftp: loaded support on port[0] = 21 ================================================================== BUG: KASAN: use-after-free in hci_chan_del+0x13e/0x180 net/bluetooth/hci_conn.c:1666 Read of size 8 at addr ffff8880a9609a98 by task syz-executor950/6464 CPU: 0 PID: 6464 Comm: syz-executor950 Not tainted 4.19.138-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1fc/0x2fe lib/dump_stack.c:118 print_address_description.cold+0x54/0x219 mm/kasan/report.c:256 kasan_report_error.cold+0x8a/0x1c7 mm/kasan/report.c:354 kasan_report mm/kasan/report.c:412 [inline] __asan_report_load8_noabort+0x88/0x90 mm/kasan/report.c:433 hci_chan_del+0x13e/0x180 net/bluetooth/hci_conn.c:1666 l2cap_conn_del+0x44f/0x6b0 net/bluetooth/l2cap_core.c:1736 l2cap_disconn_cfm net/bluetooth/l2cap_core.c:7435 [inline] l2cap_disconn_cfm+0x85/0xa0 net/bluetooth/l2cap_core.c:7428 hci_disconn_cfm include/net/bluetooth/hci_core.h:1261 [inline] hci_conn_hash_flush+0x114/0x220 net/bluetooth/hci_conn.c:1495 hci_dev_do_close+0x624/0xe70 net/bluetooth/hci_core.c:1666 hci_unregister_dev+0x17c/0x7f0 net/bluetooth/hci_core.c:3271 vhci_release+0x70/0xe0 drivers/bluetooth/hci_vhci.c:354 __fput+0x2ce/0x890 fs/file_table.c:278 task_work_run+0x148/0x1c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0xbb2/0x2b70 kernel/exit.c:887 do_group_exit+0x125/0x310 kernel/exit.c:990 __do_sys_exit_group kernel/exit.c:1001 [inline] __se_sys_exit_group kernel/exit.c:999 [inline] __x64_sys_exit_group+0x3a/0x50 kernel/exit.c:999 do_syscall_64+0xf9/0x620 arch/x86/entry/common.c:293 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x445138 Code: Bad RIP value. RSP: 002b:00007ffee4fe1778 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 0000000000445138 RDX: 0000000000000001 RSI: 000000000000003c RDI: 0000000000000001 RBP: 00000000004ccef0 R08: 00000000000000e7 R09: ffffffffffffffd0 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001 R13: 00000000006e0220 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 1229: kmem_cache_alloc_trace+0x12f/0x380 mm/slab.c:3625 kmalloc include/linux/slab.h:515 [inline] kzalloc include/linux/slab.h:709 [inline] hci_chan_create+0x8e/0x310 net/bluetooth/hci_conn.c:1651 l2cap_conn_add.part.0+0x18/0xc40 net/bluetooth/l2cap_core.c:7056 l2cap_conn_add net/bluetooth/l2cap_core.c:7415 [inline] l2cap_connect_cfm+0x236/0xe70 net/bluetooth/l2cap_core.c:7373 hci_connect_cfm include/net/bluetooth/hci_core.h:1246 [inline] le_conn_complete_evt+0x111b/0x1730 net/bluetooth/hci_event.c:4931 hci_le_enh_conn_complete_evt net/bluetooth/hci_event.c:4973 [inline] hci_le_meta_evt+0x32c/0x3a50 net/bluetooth/hci_event.c:5661 hci_event_packet+0x1a29/0x858f net/bluetooth/hci_event.c:5897 hci_rx_work+0x46b/0xa90 net/bluetooth/hci_core.c:4359 process_one_work+0x864/0x1570 kernel/workqueue.c:2155 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298 kthread+0x30b/0x410 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 Freed by task 1229: __cache_free mm/slab.c:3503 [inline] kfree+0xcc/0x210 mm/slab.c:3822 hci_disconn_loglink_complete_evt net/bluetooth/hci_event.c:4758 [inline] hci_event_packet+0xf52/0x858f net/bluetooth/hci_event.c:5918 hci_rx_work+0x46b/0xa90 net/bluetooth/hci_core.c:4359 process_one_work+0x864/0x1570 kernel/workqueue.c:2155 worker_thread+0x64c/0x1130 kernel/workqueue.c:2298 kthread+0x30b/0x410 kernel/kthread.c:246 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:415 The buggy address belongs to the object at ffff8880a9609a80 which belongs to the cache kmalloc-128 of size 128 The buggy address is located 24 bytes inside of 128-byte region [ffff8880a9609a80, ffff8880a9609b00) The buggy address belongs to the page: page:ffffea0002a58240 count:1 mapcount:0 mapping:ffff88812c39c640 index:0x0 flags: 0xfffe0000000100(slab) raw: 00fffe0000000100 ffffea0002a57d88 ffffea0002a3f588 ffff88812c39c640 raw: 0000000000000000 ffff8880a9609000 0000000100000015 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a9609980: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00 ffff8880a9609a00: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc >ffff8880a9609a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880a9609b00: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ffff8880a9609b80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc ==================================================================
Manager | Time | Kernel | Commit | Syzkaller | Config | Log | Report | Syz repro | C repro | VM info | Assets | Title |
---|---|---|---|---|---|---|---|---|---|---|---|---|
ci2-linux-4-19 | 2020/08/08 12:47 | linux-4.19.y | 961f830af065 | 01975a06 | .config | console log | report | syz | C | |||
ci2-linux-4-19 | 2020/08/07 18:48 | linux-4.19.y | 961f830af065 | 28ac5c9e | .config | console log | report | syz | C | |||
ci2-linux-4-19 | 2020/08/06 18:35 | linux-4.19.y | c076c79e03c6 | 4ca1c0ea | .config | console log | report | syz | C | |||
ci2-linux-4-19 | 2020/08/06 01:57 | linux-4.19.y | c076c79e03c6 | 0487ea6f | .config | console log | report | syz | C | |||
ci2-linux-4-19 | 2020/08/05 14:27 | linux-4.19.y | c076c79e03c6 | b7129355 | .config | console log | report | syz | C | |||
ci2-linux-4-19 | 2020/08/05 04:34 | linux-4.19.y | 13af6c74b14a | 02034dac | .config | console log | report | syz | C | |||
ci2-linux-4-19 | 2020/08/05 13:24 | linux-4.19.y | c076c79e03c6 | b7129355 | .config | console log | report | syz | ||||
ci2-linux-4-19 | 2020/08/05 11:53 | linux-4.19.y | c076c79e03c6 | b7129355 | .config | console log | report | syz | ||||
ci2-linux-4-19 | 2020/08/05 08:35 | linux-4.19.y | 13af6c74b14a | 02034dac | .config | console log | report | syz | ||||
ci2-linux-4-19 | 2020/08/03 19:38 | linux-4.19.y | 13af6c74b14a | 96dd3623 | .config | console log | report | syz | ||||
ci2-linux-4-19 | 2020/08/03 12:29 | linux-4.19.y | 13af6c74b14a | 96dd3623 | .config | console log | report | syz | ||||
ci2-linux-4-19 | 2020/08/03 07:57 | linux-4.19.y | 13af6c74b14a | 96dd3623 | .config | console log | report | syz | ||||
ci2-linux-4-19 | 2020/08/03 02:40 | linux-4.19.y | 13af6c74b14a | 96dd3623 | .config | console log | report | syz | ||||
ci2-linux-4-19 | 2021/05/15 17:08 | linux-4.19.y | 3c8c23092588 | 93f844de | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/05/11 19:01 | linux-4.19.y | 3c8c23092588 | b3c3bb8e | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/05/10 00:55 | linux-4.19.y | 3c8c23092588 | bc5434be | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/05/08 15:46 | linux-4.19.y | 3c8c23092588 | bc5434be | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/05/05 20:40 | linux-4.19.y | 97a8651cadce | 06c27ff5 | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/04/19 10:40 | linux-4.19.y | 2965db2e004c | 50f523d7 | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/03/07 02:54 | linux-4.19.y | dfb571610ba3 | e4b4d570 | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/02/19 00:13 | linux-4.19.y | 811218eceeaa | 14052202 | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2021/01/20 19:48 | linux-4.19.y | 43d555d83c3f | d4f4eca5 | .config | console log | report | info | KASAN: use-after-free Read in hci_chan_del | |||
ci2-linux-4-19 | 2020/12/06 04:42 | linux-4.19.y | daefdc9eb24b | 50503117 | .config | console log | report | info | ||||
ci2-linux-4-19 | 2020/09/22 08:01 | linux-4.19.y | 015e94d0e37b | 9e1fa68e | .config | console log | report | info |