syzbot


UBSAN: shift-out-of-bounds in __detect_linklayer

Status: fixed on 2021/03/10 01:49
Subsystems: net
Fix commit: e4bedf48aaa5 net_sched: reject silly cell_log in qdisc_get_rtab()
First crash: 1258d, last: 1251d
Cause bisection: introduced by (bisect log) [release commit]:
commit 4d856f72c10ecb060868ed10ff1b1453943fc6c8
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date: Sun Sep 15 21:19:32 2019 +0000

  Linux 5.3

Crash: UBSAN: undefined-behaviour in qdisc_get_rtab (log)
Repro: C syz .config
  
Fix bisection: fixed by (bisect log):
commit e4bedf48aaa5552bc1f49703abd17606e7e6e82a
Author: Eric Dumazet <edumazet@google.com>
Date: Thu Jan 14 16:06:37 2021 +0000

  net_sched: reject silly cell_log in qdisc_get_rtab()

  

Sample crash report:
IPVS: ftp: loaded support on port[0] = 21
netlink: 24 bytes leftover after parsing attributes in process `syz-executor586'.
================================================================================
UBSAN: shift-out-of-bounds in net/sched/sch_api.c:389:22
shift exponent 130 is too large for 32-bit type 'int'
CPU: 1 PID: 8450 Comm: syz-executor586 Not tainted 5.11.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:79 [inline]
 dump_stack+0x183/0x22e lib/dump_stack.c:120
 ubsan_epilogue lib/ubsan.c:148 [inline]
 __ubsan_handle_shift_out_of_bounds+0x432/0x4d0 lib/ubsan.c:395
 __detect_linklayer+0x2a9/0x330 net/sched/sch_api.c:389
 qdisc_get_rtab+0x2b5/0x410 net/sched/sch_api.c:435
 cbq_init+0x28f/0x12c0 net/sched/sch_cbq.c:1180
 qdisc_create+0x801/0x1470 net/sched/sch_api.c:1246
 tc_modify_qdisc+0x9e3/0x1fc0 net/sched/sch_api.c:1662
 rtnetlink_rcv_msg+0xb1d/0xe60 net/core/rtnetlink.c:5564
 netlink_rcv_skb+0x1f0/0x460 net/netlink/af_netlink.c:2494
 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline]
 netlink_unicast+0x7de/0x9b0 net/netlink/af_netlink.c:1330
 netlink_sendmsg+0xaa6/0xe90 net/netlink/af_netlink.c:1919
 sock_sendmsg_nosec net/socket.c:652 [inline]
 sock_sendmsg net/socket.c:672 [inline]
 ____sys_sendmsg+0x5a2/0x900 net/socket.c:2345
 ___sys_sendmsg net/socket.c:2399 [inline]
 __sys_sendmsg+0x319/0x400 net/socket.c:2432
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x441419
Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 0d fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffd531509c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441419
RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003
RBP: 00007ffd531509e0 R08: 00000000bb1414ac R09: 00000000bb1414ac
R10: 00000000bb1414ac R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
================================================================================

Crashes (31):
Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Manager Title
2021/01/14 13:02 upstream 65f0d2414b70 269d24e8 .config console log report syz C ci-upstream-kasan-gce-smack-root
2021/01/20 17:55 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/20 17:54 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/20 17:54 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/20 17:23 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/20 16:27 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/20 16:26 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/20 16:23 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/20 14:31 upstream 45dfb8a5659a d4f4eca5 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/19 06:06 upstream 1e2a199f6ccd 63631df1 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/18 22:18 upstream 19c329f68089 63631df1 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/18 19:14 upstream 19c329f68089 63631df1 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/18 05:21 upstream a1339d6355ac fd103621 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/17 15:04 upstream 0da0a8a0a0e1 813be542 .config console log report info ci-upstream-kasan-gce-smack-root UBSAN: shift-out-of-bounds in __detect_linklayer
2021/01/17 10:47 upstream 0da0a8a0a0e1 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/17 01:19 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/16 16:17 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/16 16:13 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/16 16:11 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/16 16:08 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/16 16:02 upstream 1d94330a437a 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/16 05:46 upstream f4e087c666f5 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/16 05:45 upstream f4e087c666f5 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/15 04:23 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/14 22:46 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/14 20:15 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/14 18:51 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/14 18:46 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/14 18:46 upstream 65f0d2414b70 65a7a854 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/14 12:42 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-smack-root
2021/01/14 12:42 upstream 65f0d2414b70 269d24e8 .config console log report info ci-upstream-kasan-gce-smack-root
* Struck through repros no longer work on HEAD.