syzbot

 sign-in | mailing list | source | docs
🐞 Open [1613]
Subsystems
🐞 Fixed [5937]
🐞 Invalid [14471]
Missing Backports [107]
Crashes
Kernel Health Bugs/Month Bug Lifetimes Fuzzing
Total Repo Heatmap Subsystems Heatmap
💬 Send us feedback

KASAN: slab-out-of-bounds Write in process_preds

Status: fixed on 2018/08/24 18:06
Subsystems: trace
[Documentation on labels]
Reported-by: syzbot+5702a7e6d4a13b3accd5@syzkaller.appspotmail.com
Fix commit: 70303420b572 tracing: Check for no filter when processing event filters
First crash: 2451d, last: 2375d
Duplicate bugs (2)
duplicates (2):
Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
KASAN: use-after-free Write in process_preds trace 7 2379d 2428d 0/28 closed as dup on 2018/05/04 05:37
KASAN: use-after-free Read in process_preds trace 2 2408d 2435d 0/28 closed as dup on 2018/05/04 05:38
Discussions (1)
Title Replies (including bot) Last reply
KASAN: slab-out-of-bounds Write in process_preds 6 (7) 2018/08/24 17:46

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KASAN: slab-out-of-bounds in predicate_parse kernel/trace/trace_events_filter.c:557 [inline]
BUG: KASAN: slab-out-of-bounds in process_preds+0x3ecf/0x4160 kernel/trace/trace_events_filter.c:1509
Write of size 4 at addr ffff8801cdbcdf70 by task syz-executor235/4508

CPU: 0 PID: 4508 Comm: syz-executor235 Not tainted 4.17.0+ #105
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
 __asan_report_store4_noabort+0x17/0x20 mm/kasan/report.c:437
 predicate_parse kernel/trace/trace_events_filter.c:557 [inline]
 process_preds+0x3ecf/0x4160 kernel/trace/trace_events_filter.c:1509
 create_filter+0x167/0x280 kernel/trace/trace_events_filter.c:1717
 ftrace_profile_set_filter+0x135/0x2f0 kernel/trace/trace_events_filter.c:2042
 perf_event_set_filter+0x251/0x1260 kernel/events/core.c:9078
 _perf_ioctl+0x865/0x1600 kernel/events/core.c:5059
 perf_ioctl+0x59/0x80 kernel/events/core.c:5110
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 __do_sys_ioctl fs/ioctl.c:708 [inline]
 __se_sys_ioctl fs/ioctl.c:706 [inline]
 __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706
 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
 entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x43fdb9
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 6b 45 00 00 c3 66 2e 0f 1f 84 00 00 00 00 
RSP: 002b:00007ffc3e6e5df8 EFLAGS: 00000213 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fdb9
RDX: 0000000020000040 RSI: 0000000040082406 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000000000000 R11: 0000000000000213 R12: 00000000004016e0
R13: 0000000000401770 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 19:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
 kmem_cache_alloc_trace+0x152/0x780 mm/slab.c:3620
 kmalloc include/linux/slab.h:513 [inline]
 call_modprobe kernel/kmod.c:80 [inline]
 __request_module+0x386/0xcdd kernel/kmod.c:171
 snd_request_card+0x6b/0x80 sound/core/sound.c:75
 snd_seq_client_use_ptr+0x3aa/0x3f0 sound/core/seq/seq_clientmgr.c:162
 snd_seq_ioctl_query_next_client+0xd8/0x160 sound/core/seq/seq_clientmgr.c:2011
 snd_seq_kernel_client_ctl+0x15a/0x190 sound/core/seq/seq_clientmgr.c:2360
 snd_seq_oss_midi_lookup_ports+0xf6/0x270 sound/core/seq/oss/seq_oss_midi.c:90
 async_call_lookup_ports+0x14/0x20 sound/core/seq/oss/seq_oss_init.c:67
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

Freed by task 19:
 save_stack+0x43/0xd0 mm/kasan/kasan.c:448
 set_track mm/kasan/kasan.c:460 [inline]
 __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
 __cache_free mm/slab.c:3498 [inline]
 kfree+0xd9/0x260 mm/slab.c:3813
 free_modprobe_argv+0x74/0xa0 kernel/kmod.c:67
 call_usermodehelper_freeinfo kernel/umh.c:44 [inline]
 call_usermodehelper_exec+0x27a/0x500 kernel/umh.c:576
 call_modprobe kernel/kmod.c:99 [inline]
 __request_module+0x4ba/0xcdd kernel/kmod.c:171
 snd_request_card+0x6b/0x80 sound/core/sound.c:75
 snd_seq_client_use_ptr+0x3aa/0x3f0 sound/core/seq/seq_clientmgr.c:162
 snd_seq_ioctl_query_next_client+0xd8/0x160 sound/core/seq/seq_clientmgr.c:2011
 snd_seq_kernel_client_ctl+0x15a/0x190 sound/core/seq/seq_clientmgr.c:2360
 snd_seq_oss_midi_lookup_ports+0xf6/0x270 sound/core/seq/oss/seq_oss_midi.c:90
 async_call_lookup_ports+0x14/0x20 sound/core/seq/oss/seq_oss_init.c:67
 process_one_work+0xc73/0x1ba0 kernel/workqueue.c:2153
 worker_thread+0x189/0x13c0 kernel/workqueue.c:2296
 kthread+0x345/0x410 kernel/kthread.c:240
 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412

The buggy address belongs to the object at ffff8801cdbcdf00
 which belongs to the cache kmalloc-64 of size 64
The buggy address is located 48 bytes to the right of
 64-byte region [ffff8801cdbcdf00, ffff8801cdbcdf40)
The buggy address belongs to the page:
page:ffffea000736f340 count:1 mapcount:0 mapping:ffff8801da800340 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea000739d308 ffffea0007353e48 ffff8801da800340
raw: 0000000000000000 ffff8801cdbcd000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8801cdbcde00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
 ffff8801cdbcde80: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff8801cdbcdf00: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
                                                             ^
 ffff8801cdbcdf80: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
 ffff8801cdbce000: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
==================================================================

Crashes (6020):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2018/06/16 10:05 upstream 9215310cf13b 27c5f59f .config console log report syz C ci-upstream-kasan-gce
2018/06/16 10:03 upstream 9215310cf13b 27c5f59f .config console log report syz C ci-upstream-kasan-gce-root
2018/06/16 06:23 upstream 9215310cf13b 27c5f59f .config console log report syz C ci-upstream-kasan-gce
2018/06/16 06:22 upstream 9215310cf13b 27c5f59f .config console log report syz C ci-upstream-kasan-gce-root
2018/05/31 03:13 upstream d60d61f36b8f 2f93b54f .config console log report syz C ci-upstream-kasan-gce-root
2018/05/21 08:21 upstream 771c577c23ba f48c20b8 .config console log report syz C ci-upstream-kasan-gce-root
2018/05/09 02:32 upstream 036db8bd9637 b88872ba .config console log report syz C ci-upstream-kasan-gce
2018/05/08 22:34 upstream 036db8bd9637 b88872ba .config console log report syz C ci-upstream-kasan-gce-root
2018/05/04 04:25 upstream c15f6d8d4715 9ce14f4b .config console log report syz C ci-upstream-kasan-gce-root
2018/05/03 07:50 upstream f4ef6a438cee 9ce14f4b .config console log report syz C ci-upstream-kasan-gce-root
2018/04/28 00:59 upstream d8a332730e75 7785e404 .config console log report syz C ci-upstream-kasan-gce-root
2018/04/15 11:33 upstream 18b7fd1c93e5 7a67784c .config console log report syz C ci-upstream-kasan-gce-root
2018/04/12 10:26 upstream b284d4d5a678 9cd56d71 .config console log report syz C ci-upstream-kasan-gce-root
2018/04/12 08:26 upstream b284d4d5a678 9cd56d71 .config console log report syz C ci-upstream-kasan-gce-root
2018/04/12 06:20 upstream b284d4d5a678 9cd56d71 .config console log report syz C ci-upstream-kasan-gce
2018/04/11 10:03 upstream b284d4d5a678 8b8de427 .config console log report syz C ci-upstream-kasan-gce-root
2018/06/16 10:04 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/06/16 06:23 bpf-next f0dc7f9c6dd9 27c5f59f .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/05/21 07:31 bpf-next d849f9f9768c f48c20b8 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/05/08 22:32 bpf-next 724e47a149f5 b88872ba .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/05/04 04:12 bpf-next 03f5781be2c7 9ce14f4b .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/05/03 07:38 bpf-next 6f96674dbd8c 9ce14f4b .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/04/26 19:12 bpf-next af487c577770 73417389 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/04/18 17:01 bpf-next 0c90f2243ec6 52643b44 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/04/17 18:14 bpf-next 5d1365940a68 b80fd3b5 .config console log report syz C ci-upstream-bpf-next-kasan-gce
2018/06/16 10:06 upstream 9215310cf13b 27c5f59f .config console log report syz ci-upstream-kasan-gce-386
2018/06/16 06:25 upstream 9215310cf13b 27c5f59f .config console log report syz ci-upstream-kasan-gce-386
2018/05/08 22:35 upstream 036db8bd9637 b88872ba .config console log report syz ci-upstream-kasan-gce-386
2018/06/21 21:43 upstream 1abd8a8f39cd 095ef806 .config console log report ci-upstream-kasan-gce
2018/06/19 12:22 upstream ba4dbdedd3ed 732e4256 .config console log report ci-upstream-kasan-gce-root
2018/06/16 01:21 upstream 4c5e8fc62d6a 27c5f59f .config console log report ci-upstream-kasan-gce-386
2018/06/26 10:17 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 09:10 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 07:56 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 07:09 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 06:04 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 05:00 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 04:38 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 03:34 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 02:23 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/26 00:52 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 23:49 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 22:38 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 22:16 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 20:56 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 19:53 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 19:43 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 18:26 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 17:25 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 16:22 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 15:20 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 14:31 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 13:30 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 12:15 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 11:14 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 10:56 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 09:44 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 08:42 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 07:38 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 06:40 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 05:37 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 04:29 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 03:24 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 02:35 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 01:27 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/25 01:05 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/24 23:37 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/24 22:21 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
2018/06/24 22:14 bpf-next f0dc7f9c6dd9 2064fc5c .config console log report ci-upstream-bpf-next-kasan-gce
* Struck through repros no longer work on HEAD.