syzbot


KASAN: slab-out-of-bounds Read in bpf_skb_change_head
Status: fixed on 2020/01/25 22:00
Reported-by: syzbot+f0da52642af6658df2de@syzkaller.appspotmail.com
Fix commit: 7fed98f4a1e6 bpf: reject passing modified ctx to helper functions
First crash: 948d, last: 879d

Fix bisection: fixed by (bisect log) :
commit 7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Thu Jun 7 15:40:03 2018 +0000

  bpf: reject passing modified ctx to helper functions

similar bugs (2):
Kernel Title Repro Cause bisect Fix bisect Count Last Reported Patched Status
upstream KASAN: slab-out-of-bounds Read in bpf_skb_change_head C 2 1438d 1438d 9/22 fixed on 2018/07/09 18:05
android-414 KASAN: slab-out-of-bounds Read in bpf_skb_change_head C 8 925d 1136d 0/1 public: reported C repro on 2019/04/12 00:01

Sample crash report:
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
audit: type=1400 audit(1574657512.219:36): avc:  denied  { map } for  pid=6982 comm="syz-executor856" path="/root/syz-executor856703914" dev="sda1" ino=16484 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ____bpf_skb_change_head net/core/filter.c:2423 [inline]
BUG: KASAN: slab-out-of-bounds in bpf_skb_change_head+0x4f3/0x600 net/core/filter.c:2419
Read of size 4 at addr ffff8880a4d0f440 by task syz-executor856/6982

CPU: 0 PID: 6982 Comm: syz-executor856 Not tainted 4.14.156-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x142/0x197 lib/dump_stack.c:58
 print_address_description.cold+0x7c/0x1dc mm/kasan/report.c:252
 kasan_report_error mm/kasan/report.c:351 [inline]
 kasan_report mm/kasan/report.c:409 [inline]
 kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 ____bpf_skb_change_head net/core/filter.c:2423 [inline]
 bpf_skb_change_head+0x4f3/0x600 net/core/filter.c:2419
 bpf_prog_147a7bac71f62ca7+0x428/0x1000

Allocated by task 0:
(stack is not available)

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a4d0f340
 which belongs to the cache skbuff_head_cache of size 232
The buggy address is located 24 bytes to the right of
 232-byte region [ffff8880a4d0f340, ffff8880a4d0f428)
The buggy address belongs to the page:
page:ffffea00029343c0 count:1 mapcount:0 mapping:ffff8880a4d0f0c0 index:0x0
flags: 0x1fffc0000000100(slab)
raw: 01fffc0000000100 ffff8880a4d0f0c0 0000000000000000 000000010000000c
raw: ffffea0002a3a820 ffffea00026100e0 ffff8880a9e19a80 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880a4d0f300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a4d0f380: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a4d0f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                           ^
 ffff8880a4d0f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8880a4d0f500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================

Crashes (2):
Manager Time Kernel Commit Syzkaller Config Log Report Syz repro C repro VM info Title
ci2-linux-4-14 2019/11/25 04:55 linux-4.14.y 43598c571e7e 598ca6c8 .config log report syz C
ci2-linux-4-14 2019/10/17 01:23 linux-4.14.y e132c8d7b58d 8c88c9c1 .config log report syz C