==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8800b5b2f648
Read of size 8192 by task syz-executor3/19317
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=5 cpu=1 pid=19317
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
netlink: 64 bytes leftover after parsing attributes in process `syz-executor7'.
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in load_elf_binary+0x203d/0x4b70 fs/binfmt_elf.c:1074 age=12 cpu=1 pid=19332
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 load_elf_binary+0x203d/0x4b70 fs/binfmt_elf.c:1074
 search_binary_handler+0x124/0x610 fs/exec.c:1471
 exec_binprm fs/exec.c:1513 [inline]
 do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
 do_execve+0x27/0x30 fs/exec.c:1679
 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252
 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea0002d6cb00 objects=20 used=18 fp=0xffff8800b5b2e310 flags=0x4000000000004080
INFO: Object 0xffff8800b5b2f630 @offset=13872 fp=0x0000000f03000202

Bytes b4 ffff8800b5b2f620: 00 00 00 00 8f 31 00 00 27 ed ff ff 00 00 00 00  .....1..'.......
Object ffff8800b5b2f630: 02 02 00 03 0f 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f640: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00  ................
Object ffff8800b5b2f650: 0a 00 4e 2c 00 00 00 00 00 00 00 00 00 00 00 00  ..N,............
Object ffff8800b5b2f660: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f670: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00  ................
Object ffff8800b5b2f680: 05 00 05 00 00 00 00 00 0a 00 4e 2c 00 00 00 00  ..........N,....
Object ffff8800b5b2f690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f6a0: 00 00 00 00 00 00 00 00 30 fe 01 00 00 00 00 00  ........0.......
Object ffff8800b5b2f6b0: 30 fe 21 00 00 00 00 00 30 fe 21 00 00 00 00 00  0.!.....0.!.....
Object ffff8800b5b2f6c0: 90 01 00 00 00 00 00 00 90 01 00 00 00 00 00 00  ................
Object ffff8800b5b2f6d0: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00  ................
Object ffff8800b5b2f6e0: c8 01 00 00 00 00 00 00 c8 01 00 00 00 00 00 00  ................
Object ffff8800b5b2f6f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f710: 01 00 00 00 04 00 00 00 80 d1 01 00 00 00 00 00  ................
Object ffff8800b5b2f720: 80 d1 01 00 00 00 00 00 80 d1 01 00 00 00 00 00  ................
Object ffff8800b5b2f730: 44 06 00 00 00 00 00 00 44 06 00 00 00 00 00 00  D.......D.......
Object ffff8800b5b2f740: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00  ........Q.td....
Object ffff8800b5b2f750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f770: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f780: 52 e5 74 64 04 00 00 00 a8 fb 01 00 00 00 00 00  R.td............
Object ffff8800b5b2f790: a8 fb 21 00 00 00 00 00 a8 fb 21 00 00 00 00 00  ..!.......!.....
Object ffff8800b5b2f7a0: 58 04 00 00 00 00 00 00 58 04 00 00 00 00 00 00  X.......X.......
Object ffff8800b5b2f7b0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f7d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f810: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8800b5b2f820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 1 PID: 19317 Comm: syz-executor3 Tainted: G    B           4.4.105-gb5797f6 #6
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 9ff5366f2d3ba5da ffff8801d24df708 ffffffff81cc9b4f
 ffff8800b5b2c010 ffff8800b5b2f630 ffff8801d24df738 ffffffff814d3af4
 ffff8801da402a00 ffffea0002d6cb00 ffff8800b5b2f630 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8800b5b2f700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800b5b2f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8800b5b2f800: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff8800b5b2f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b5b2f900: fc fc fc fc fc fc fc fc fc fc fc fc 00 00 00 00
==================================================================
audit: type=1326 audit(1513186422.504:66): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19450 comm="syz-executor7" exe="/root/syz-executor7" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1326 audit(1513186422.574:67): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=19450 comm="syz-executor7" exe="/root/syz-executor7" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
netlink: 2 bytes leftover after parsing attributes in process `syz-executor6'.
binder: 19519:19523 ioctl 40046205 d3 returned -22
audit: type=1400 audit(1513186422.654:68): avc: denied { set_context_mgr } for pid=19519 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
audit: type=1400 audit(1513186422.684:69): avc: denied { call } for pid=19519 comm="syz-executor0" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=binder permissive=1
binder_alloc: 19519: binder_alloc_buf, no vma
binder: 19519:19523 transaction failed 29189/-3, size 72-32 line 3131
binder: 19519:19536 ioctl 40046205 d3 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 19519:19523 ioctl 40046207 0 returned -16
binder_alloc: 19519: binder_alloc_buf, no vma
binder: 19519:19536 transaction failed 29189/-3, size 72-32 line 3131
nla_parse: 2 callbacks suppressed
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 64 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor5'.
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
netlink: 64 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 64 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 20624:20626 ioctl 40046205 d3 returned -22
binder: 20624:20626 not enough space to store 3 fds in buffer
binder: 20624:20626 transaction failed 29201/-22, size 72-32 line 3273
binder: 20624:20634 ioctl 40046205 d3 returned -22
binder: BINDER_SET_CONTEXT_MGR already set
binder: 20624:20634 ioctl 40046207 0 returned -16
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
device gre0 entered promiscuous mode
binder_alloc: 20624: binder_alloc_buf, no vma
binder: 20624:20626 transaction failed 29189/-3, size 72-32 line 3131
loop_reread_partitions: partition scan of loop0 () failed (rc=-13)
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor6'.
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=19 sclass=netlink_audit_socket
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=19 sclass=netlink_audit_socket
netlink: 2 bytes leftover after parsing attributes in process `syz-executor7'.
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=64340 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=64340 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=46 sclass=netlink_audit_socket
IPv6: Can't replace route, no match found
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=46 sclass=netlink_audit_socket
IPv6: Can't replace route, no match found
IPVS: Creating netns size=2552 id=11
IPVS: Creating netns size=2552 id=12
binder: 21565:21567 ioctl 40046205 d3 returned -22
binder: 21565:21567 transaction failed 29189/-22, size 72-32 line 3008
binder: 21565:21579 ioctl 40046205 d3 returned -22
binder: 21565:21567 transaction failed 29189/-22, size 72-32 line 3008
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=46 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=6 nlmsg_type=46 sclass=netlink_xfrm_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65 sclass=netlink_route_socket
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=65 sclass=netlink_route_socket
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
loop_reread_partitions: partition scan of loop0 () failed (rc=-13)
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=9 nlmsg_type=19 sclass=netlink_audit_socket
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
nla_parse: 9 callbacks suppressed
netlink: 6 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor6'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor6'.
audit: type=1326 audit(1513186430.774:70): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=22504 comm="syz-executor7" exe="/root/syz-executor7" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
loop_reread_partitions: partition scan of loop0 (2°]€fI¸Òæ¶Ì”B±!S,›ùDÏ') failed (rc=-13)
audit: type=1326 audit(1513186430.834:71): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=22504 comm="syz-executor7" exe="/root/syz-executor7" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
loop_reread_partitions: partition scan of loop0 () failed (rc=-13)
netlink: 13 bytes leftover after parsing attributes in process `syz-executor3'.