netlink: 20 bytes leftover after parsing attributes in process `syz-executor.3'. ================================================================== BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784 Read of size 8 at addr ffffffff875d0478 by task syz-executor.3/18854 CPU: 1 PID: 18854 Comm: syz-executor.3 Not tainted 4.14.168-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x142/0x197 lib/dump_stack.c:58 print_address_description.cold+0x5/0x1dc mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report mm/kasan/report.c:409 [inline] kasan_report.cold+0xa9/0x2af mm/kasan/report.c:393 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430 nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline] nfnetlink_parse_nat_setup+0x3a2/0x3b0 net/netfilter/nf_nat_core.c:784 ctnetlink_parse_nat_setup+0x76/0x4a0 net/netfilter/nf_conntrack_netlink.c:1421 ctnetlink_setup_nat net/netfilter/nf_conntrack_netlink.c:1491 [inline] ctnetlink_create_conntrack+0x468/0x10c0 net/netfilter/nf_conntrack_netlink.c:1840 ctnetlink_new_conntrack+0x4af/0xcc0 net/netfilter/nf_conntrack_netlink.c:1964 nfnetlink_rcv_msg+0xa08/0xc00 net/netfilter/nfnetlink.c:214 netlink_rcv_skb+0x14f/0x3c0 net/netlink/af_netlink.c:2432 nfnetlink_rcv+0x1ab/0x1650 net/netfilter/nfnetlink.c:515 netlink_unicast_kernel net/netlink/af_netlink.c:1286 [inline] netlink_unicast+0x44d/0x650 net/netlink/af_netlink.c:1312 netlink_sendmsg+0x7c4/0xc60 net/netlink/af_netlink.c:1877 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xce/0x110 net/socket.c:656 ___sys_sendmsg+0x70a/0x840 net/socket.c:2062 __sys_sendmsg+0xb9/0x140 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0x2d/0x50 net/socket.c:2103 do_syscall_64+0x1e8/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x45b349 RSP: 002b:00007f68f2a2cc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f68f2a2d6d4 RCX: 000000000045b349 RDX: 0000000000000000 RSI: 0000000020000280 RDI: 0000000000000003 RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000008f6 R14: 00000000004ca45f R15: 000000000075bf2c The buggy address belongs to the variable: nft_table_policy+0xd8/0xe0 Memory state around the buggy address: ffffffff875d0300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffffffff875d0380: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa >ffffffff875d0400: 00 00 00 00 fa fa fa fa 00 02 fa fa fa fa fa fa ^ ffffffff875d0480: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa ffffffff875d0500: 00 00 00 00 00 00 fa fa fa fa fa fa 00 00 00 00 ==================================================================