syzbot


KASAN: wild-memory-access Read in skb_copy_bits

Status: internal: reported C repro on 2022/09/09 03:00
Reported-by: syzbot+@syzkaller.appspotmail.com
Fix commit: 0d24148bd276 inet: ping: fix recent breakage
Patched on: [ci-qemu-upstream ci-qemu-upstream-386 ci-qemu2-arm32 ci-qemu2-arm64 ci-qemu2-arm64-compat ci-qemu2-arm64-mte ci-upstream-bpf-kasan-gce ci-upstream-bpf-next-kasan-gce ci-upstream-gce-arm64 ci-upstream-gce-leak ci-upstream-kasan-gce ci-upstream-kasan-gce-386 ci-upstream-kasan-gce-root ci-upstream-kasan-gce-selinux-root ci-upstream-kasan-gce-smack-root ci-upstream-kmsan-gce ci-upstream-kmsan-gce-386 ci-upstream-linux-next-kasan-gce-root ci-upstream-net-kasan-gce ci-upstream-net-this-kasan-gce ci2-upstream-fs ci2-upstream-kcsan-gce ci2-upstream-usb], missing on: [ci-qemu2-riscv64]
First crash: 142d, last: 142d
similar bugs (1):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: use-after-free Read in skb_copy_bits 7 329d 466d 0/24 auto-closed as invalid on 2022/06/04 10:20

Sample crash report:
==================================================================
BUG: KASAN: wild-memory-access in skb_copy_bits+0x408/0x780 net/core/skbuff.c:2441
Read of size 2 at addr 6b30f42a6e2ee404 by task syz-executor308/3908

CPU: 0 PID: 3908 Comm: syz-executor308 Not tainted 6.0.0-rc4-syzkaller-00859-g9f8f1933dce5 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
 memcpy+0x20/0x60 mm/kasan/shadow.c:65
 skb_copy_bits+0x408/0x780 net/core/skbuff.c:2441
 __skb_header_pointer include/linux/skbuff.h:3987 [inline]
 skb_header_pointer include/linux/skbuff.h:3996 [inline]
 ipv6_skip_exthdr+0x437/0x520 net/ipv6/exthdrs_core.c:85
 ipv6_get_l4proto net/netfilter/nf_conntrack_core.c:394 [inline]
 get_l4proto+0x325/0x500 net/netfilter/nf_conntrack_core.c:417
 nf_ct_get_tuplepr+0x8b/0x110 net/netfilter/nf_conntrack_core.c:433
 nf_conntrack_inet_error+0x1a8/0x710 net/netfilter/nf_conntrack_proto_icmp.c:124
 nf_conntrack_icmpv6_error+0x327/0x540 net/netfilter/nf_conntrack_proto_icmpv6.c:169
 nf_conntrack_handle_icmp net/netfilter/nf_conntrack_core.c:1899 [inline]
 nf_conntrack_in.cold+0x123/0x17b net/netfilter/nf_conntrack_core.c:1994
 nf_hook_entry_hookfn include/linux/netfilter.h:142 [inline]
 nf_hook_slow+0xc5/0x1f0 net/netfilter/core.c:614
 nf_hook include/linux/netfilter.h:257 [inline]
 __ip6_local_out+0x3e3/0x880 net/ipv6/output_core.c:149
 ip6_local_out+0x26/0x1a0 net/ipv6/output_core.c:159
 ip6_send_skb+0xb7/0x340 net/ipv6/ip6_output.c:1966
 ip6_push_pending_frames+0xdd/0x100 net/ipv6/ip6_output.c:1986
 icmpv6_push_pending_frames+0x2af/0x490 net/ipv6/icmp.c:303
 ping_v6_sendmsg+0xc44/0x1190 net/ipv6/ping.c:175
 inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
 sock_sendmsg_nosec net/socket.c:714 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:734
 ____sys_sendmsg+0x6eb/0x810 net/socket.c:2482
 ___sys_sendmsg+0x110/0x1b0 net/socket.c:2536
 __sys_sendmsg+0xf3/0x1c0 net/socket.c:2565
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f23eeecfa69
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcee890b18 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f23eeecfa69
RDX: 0000000000000000 RSI: 0000000020000180 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 000000000000000d R11: 0000000000000246 R12: 00007ffcee890b30
R13: 00000000000f4240 R14: 000000000000e4fb R15: 00007ffcee890b24
 </TASK>
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Assets Title
ci-upstream-net-kasan-gce 2022/09/09 05:57 net-next 9f8f1933dce5 f3027468 .config strace log report syz C [disk image] [vmlinux] KASAN: wild-memory-access Read in skb_copy_bits
ci-upstream-net-kasan-gce 2022/09/09 02:59 net-next 9f8f1933dce5 f3027468 .config console log report info [disk image] [vmlinux] KASAN: wild-memory-access Read in skb_copy_bits
* Struck through repros no longer work on HEAD.