syzbot


KASAN: global-out-of-bounds Read in wg_ratelimiter_gc_entries

Status: auto-obsoleted due to no activity on 2022/11/03 08:06
Subsystems: wireguard
[Documentation on labels]
Reported-by: syzbot+3c30512a976a4db505e8@syzkaller.appspotmail.com
First crash: 602d, last: 602d
Similar bugs (1)
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: null-ptr-deref Write in wg_ratelimiter_gc_entries wireguard 1 510d 510d 0/26 auto-obsoleted due to no activity on 2023/02/10 17:36

Sample crash report:
==================================================================
BUG: KASAN: global-out-of-bounds in wg_ratelimiter_gc_entries+0x1d6/0x31a drivers/net/wireguard/ratelimiter.c:72
Read of size 8 at addr ffffffff858c4c40 by task kworker/0:0/5

CPU: 0 PID: 5 Comm: kworker/0:0 Not tainted 5.17.0-rc1-syzkaller-00002-g0966d385830d #0
Hardware name: riscv-virtio,qemu (DT)
Workqueue: events_power_efficient wg_ratelimiter_gc_entries
Call Trace:
[<ffffffff8000a228>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:113
[<ffffffff831668cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:119
[<ffffffff831756ba>] __dump_stack lib/dump_stack.c:88 [inline]
[<ffffffff831756ba>] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:106
[<ffffffff8047479e>] print_address_description.constprop.0+0x2a/0x330 mm/kasan/report.c:255
[<ffffffff80474d4c>] __kasan_report mm/kasan/report.c:442 [inline]
[<ffffffff80474d4c>] kasan_report+0x184/0x1e0 mm/kasan/report.c:459
[<ffffffff80475b20>] check_region_inline mm/kasan/generic.c:183 [inline]
[<ffffffff80475b20>] __asan_load8+0x6e/0x96 mm/kasan/generic.c:256
[<ffffffff8176ba4c>] wg_ratelimiter_gc_entries+0x1d6/0x31a drivers/net/wireguard/ratelimiter.c:72
[<ffffffff80093b44>] process_one_work+0x654/0xffe kernel/workqueue.c:2307
[<ffffffff8009484e>] worker_thread+0x360/0x8fa kernel/workqueue.c:2454
[<ffffffff800a7f58>] kthread+0x19e/0x1fa kernel/kthread.c:377
[<ffffffff80005724>] ret_from_exception+0x0/0x10

The buggy address belongs to the variable:
 __key.0+0x20/0x40

Memory state around the buggy address:
 ffffffff858c4b00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
 ffffffff858c4b80: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
>ffffffff858c4c00: f9 f9 f9 f9 00 00 f9 f9 f9 f9 f9 f9 00 00 f9 f9
                                           ^
 ffffffff858c4c80: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
 ffffffff858c4d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================

Crashes (1):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets (help?) Manager Title
2022/08/05 08:05 git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes 0966d385830d a65a7ce9 .config console log report info ci-qemu2-riscv64 KASAN: global-out-of-bounds Read in wg_ratelimiter_gc_entries
* Struck through repros no longer work on HEAD.