KASAN: slab-out-of-bounds Read in bpf_skb_change

Kernel	Title	Repro	Cause bisect	Fix bisect	Count	Last	Reported	Patched	Status
upstream	KASAN: slab-out-of-bounds Read in bpf_skb_change_head bpf net	C			2	2142d	2142d	8/26	fixed on 2018/07/09 18:05
android-414	KASAN: slab-out-of-bounds Read in bpf_skb_change_head	C			8	1629d	1840d	0/1	public: reported C repro on 2019/04/12 00:01

Created	Duration	User	Patch	Repo	Result
2020/01/24 06:48	3h09m	bisect fix		linux-4.14.y	job log (1)
2019/12/25 04:55	23m	bisect fix		linux-4.14.y	job log (0) log

Created

Duration

User

Patch

Repo

Result

2020/01/24 06:48

3h09m

bisect fix

linux-4.14.y

job log (1)

2019/12/25 04:55

23m

bisect fix

linux-4.14.y

job log (0) log

random: sshd: uninitialized urandom read (32 bytes read) random: sshd: uninitialized urandom read (32 bytes read) random: sshd: uninitialized urandom read (32 bytes read) audit: type=1400 audit(1574657512.219:36): avc: denied { map } for pid=6982 comm="syz-executor856" path="/root/syz-executor856703914" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1 ================================================================== BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_head net/core/filter.c:2423 [inline] BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4f3/0x600 net/core/filter.c:2419 Read of size 4 at addr ffff8880a4d0f440 by task syz-executor856/6982 CPU: 0 PID: 6982 Comm: syz-executor856 Not tainted 4.14.156-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429 ____bpf_skb_change_head net/core/filter.c:2423 [inline] bpf_skb_change_head+0x4f3/0x600 net/core/filter.c:2419 bpf_prog_147a7bac71f62ca7+0x428/0x1000 Allocated by task 0: (stack is not available) Freed by task 0: (stack is not available) The buggy address belongs to the object at ffff8880a4d0f340 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 24 bytes to the right of 232-byte region [ffff8880a4d0f340, ffff8880a4d0f428) The buggy address belongs to the page: page:ffffea00029343c0 count:1 mapcount:0 mapping:ffff8880a4d0f0c0 index:0x0 flags: 0x1fffc0000000100(slab) raw: 01fffc0000000100 ffff8880a4d0f0c0 0000000000000000 000000010000000c raw: ffffea0002a3a820 ffffea00026100e0 ffff8880a9e19a80 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880a4d0f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a4d0f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff8880a4d0f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff8880a4d0f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff8880a4d0f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ==================================================================

Crashes (2):
Time	Kernel	Commit	Syzkaller	Config	Log	Report	Syz repro	C repro	VM info	Assets (help?)	Manager	Title
2019/11/25 04:55	linux-4.14.y	43598c571e7e	598ca6c8	.config	console log	report	syz	C			ci2-linux-4-14
2019/10/17 01:23	linux-4.14.y	e132c8d7b58d	8c88c9c1	.config	console log	report	syz	C			ci2-linux-4-14

Crashes (2):

Assets (help?)