==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/kasan.c:317 at addr ffff8800b6170348
Read of size 8192 by task syz-executor0/5325
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in __alloc_skb+0xf5/0x610 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:230 age=5 cpu=1 pid=5325
 ___slab_alloc.constprop.78+0x4c6/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2504
 slab_alloc_node /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2567 [inline]
 slab_alloc /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:230
 alloc_skb /syzkaller/managers/android-44-kasan-gce/kernel/include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3657
 sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995
 SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76

INFO: Freed in skb_free_head /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:571 [inline] age=11 cpu=0 pid=5322
INFO: Freed in skb_release_data+0x2aa/0x380 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:602 age=11 cpu=0 pid=5322
 __slab_free+0x18c/0x2b0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2685
 slab_free /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:3714
 skb_free_head /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:571 [inline]
 skb_release_data+0x2aa/0x380 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:602
 skb_release_all+0x3d/0x50 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:661
 __kfree_skb+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:675
 kfree_skb+0xdd/0x350 /syzkaller/managers/android-44-kasan-gce/kernel/net/core/skbuff.c:696
 pfkey_sendmsg+0x590/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3676
 sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995
 SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76

INFO: Slab 0xffffea0002d85c00 objects=20 used=11 fp=0xffff8800b6173960 flags=0x4000000000004080
INFO: Object 0xffff8800b6170330 @offset=816 fp=0x0000000f03000302

Bytes b4 ffff8800b6170320: 00 00 00 00 d8 14 00 00 f1 9f ff ff 00 00 00 00
CPU: 1 PID: 5325 Comm: syz-executor0 Tainted: G    B   4.4.105-g36205b7 #4
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 [] __dump_stack /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf /syzkaller/managers/android-44-kasan-gce/kernel/lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:682
 [] object_err+0x2f/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/slub.c:689
 [] print_address_description /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:139 [inline]
 [] kasan_report_error /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/report.c:249
 [] check_memory_region /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 /syzkaller/managers/android-44-kasan-gce/kernel/mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 /syzkaller/managers/android-44-kasan-gce/kernel/net/key/af_key.c:3670
 [] sock_sendmsg_nosec /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:1995
 [] SYSC_sendmsg /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 /syzkaller/managers/android-44-kasan-gce/kernel/net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76

Memory state around the buggy address:
 ffff8800b6170400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8800b6170480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8800b6170500: 00 00 00 00 00 00 fc fc fc fc fc fc fc fc fc fc
                                     ^
 ffff8800b6170580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800b6170600: fc fc fc fc fc fc fc fc fc fc fc fc fb fb fb fb
==================================================================