KASAN: global-out-of-bounds Read in netlink_policy_dump_add

KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy (2)
Status: fixed on 2021/05/26 09:32
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 33b347503f01 vdpa: Define vdpa mgmt device, ops and a netlink interface
First crash: 302d, last: 302d

Cause bisection: introduced by (bisect log) :
commit 001e0804a6bb8de48f2a2967240bb9d0d67fcb18
Author: Parav Pandit <parav@nvidia.com>
Date: Tue Jan 5 10:32:00 2021 +0000

vdpa: Define vdpa mgmt device, ops and a netlink interface

Crash: KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy (log)
Repro: C syz .config

similar bugs (1):
Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy	C			6	310d	313d	0/22	closed as invalid on 2021/02/08 16:39

Sample crash report:

==================================================================
BUG: KASAN: global-out-of-bounds in netlink_policy_dump_add_policy+0x3b6/0x440 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/policy.c:160
Read of size 1 at addr ffffffff89cc61d0 by task syz-executor181/8413

CPU: 0 PID: 8413 Comm: syz-executor181 Not tainted 5.11.0-rc6-next-20210205-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/lib/dump_stack.c:79 [inline]
 dump_stack+0x107/0x163 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/lib/dump_stack.c:120
 print_address_description.constprop.0.cold+0x5/0x2f8 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/mm/kasan/report.c:232
 __kasan_report syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/mm/kasan/report.c:399 [inline]
 kasan_report.cold+0x7c/0xd8 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/mm/kasan/report.c:416
 netlink_policy_dump_add_policy+0x3b6/0x440 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/policy.c:160
 ctrl_dumppolicy_start+0x3e1/0x760 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/genetlink.c:1181
 genl_start+0x3cc/0x670 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/genetlink.c:604
 __netlink_dump_start+0x584/0x900 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/af_netlink.c:2363
 genl_family_rcv_msg_dumpit+0x2af/0x310 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/genetlink.c:686
 genl_family_rcv_msg syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/genetlink.c:780 [inline]
 genl_rcv_msg+0x434/0x580 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/genetlink.c:800
 netlink_rcv_skb+0x153/0x420 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/af_netlink.c:2494
 genl_rcv+0x24/0x40 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/genetlink.c:811
 netlink_unicast_kernel syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x533/0x7d0 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/af_netlink.c:1330
 netlink_sendmsg+0x856/0xd90 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/socket.c:654 [inline]
 sock_sendmsg+0xcf/0x120 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/socket.c:674
 ____sys_sendmsg+0x6e8/0x810 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/socket.c:2350
 ___sys_sendmsg+0xf3/0x170 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/socket.c:2404
 __sys_sendmsg+0xe5/0x1b0 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/net/socket.c:2437
 do_syscall_64+0x2d/0x70 syzkaller/managers/upstream-linux-next-kasan-gce-root/kernel/arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43ef29
Code: 28 c3 e8 2a 14 00 00 66 2e 0f 1f 84 00 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc75c06108 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000400488 RCX: 000000000043ef29
RDX: 0000000000000000 RSI: 00000000200029c0 RDI: 0000000000000003
RBP: 0000000000402f10 R08: 00000000004ac018 R09: 0000000000400488
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000402fa0
R13: 0000000000000000 R14: 00000000004ac018 R15: 0000000000400488

The buggy address belongs to the variable:
 vdpa_nl_policy+0x90/0x3a00

Memory state around the buggy address:
 ffffffff89cc6080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff89cc6100: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
>ffffffff89cc6180: 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9
                                                 ^
 ffffffff89cc6200: 05 f9 f9 f9 f9 f9 f9 f9 00 00 07 f9 f9 f9 f9 f9
 ffffffff89cc6280: 00 00 00 01 f9 f9 f9 f9 00 07 f9 f9 f9 f9 f9 f9
==================================================================

Crashes (2):
Manager	Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Title
ci-upstream-linux-next-kasan-gce-root	2021/02/08 17:55	linux-next	aa2b88209686	2ce644fc	.config	log	report	syz	C		KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy
ci-upstream-linux-next-kasan-gce-root	2021/02/08 17:42	linux-next	aa2b88209686	2ce644fc	.config	log	report			info	KASAN: global-out-of-bounds Read in netlink_policy_dump_add_policy