netlink: 3 bytes leftover after parsing attributes in process `syz-executor2'. ================================================================== BUG: KASAN: slab-out-of-bounds in asn1_ber_decoder+0x1436/0x1c20 lib/asn1_decoder.c:233 Read of size 1 at addr ffff8801d32b3982 by task syz-executor3/11383 CPU: 1 PID: 11383 Comm: syz-executor3 Not tainted 4.14.0-rc5-mm1+ #20 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:16 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:52 print_address_description+0x73/0x250 mm/kasan/report.c:252 kasan_report_error mm/kasan/report.c:351 [inline] kasan_report+0x25b/0x340 mm/kasan/report.c:409 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:427 asn1_ber_decoder+0x1436/0x1c20 lib/asn1_decoder.c:233 x509_cert_parse+0x1dd/0x680 crypto/asymmetric_keys/x509_cert_parser.c:89 x509_key_preparse+0x64/0x8b0 crypto/asymmetric_keys/x509_public_key.c:174 asymmetric_key_preparse+0xa8/0x110 crypto/asymmetric_keys/asymmetric_type.c:386 key_create_or_update+0x4c6/0xe20 security/keys/key.c:846 SYSC_add_key security/keys/keyctl.c:122 [inline] SyS_add_key+0x18a/0x340 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0xbe RIP: 0033:0x452869 RSP: 002b:00007ff8c048dbe8 EFLAGS: 00000212 ORIG_RAX: 00000000000000f8 RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869 RDX: 0000000020ce1000 RSI: 0000000020ef2ffb RDI: 0000000020b79000 RBP: 0000000000000082 R08: ffffffffffffffff R09: 0000000000000000 R10: 0000000000000002 R11: 0000000000000212 R12: 00000000006f4a30 R13: 00000000ffffffff R14: 00007ff8c048e6d4 R15: 0000000000000000 Allocated by task 11383: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551 __do_kmalloc_node mm/slab.c:3676 [inline] __kmalloc_node+0x47/0x70 mm/slab.c:3683 kmalloc_node include/linux/slab.h:541 [inline] kvmalloc_node+0x99/0xd0 mm/util.c:397 kvmalloc include/linux/mm.h:538 [inline] SYSC_add_key security/keys/keyctl.c:104 [inline] SyS_add_key+0x279/0x340 security/keys/keyctl.c:62 entry_SYSCALL_64_fastpath+0x1f/0xbe Freed by task 9331: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524 __cache_free mm/slab.c:3492 [inline] kfree+0xca/0x250 mm/slab.c:3807 selinux_sk_free_security+0x4f/0x60 security/selinux/hooks.c:4892 security_sk_free+0x48/0x80 security/security.c:1430 sk_prot_free net/core/sock.c:1502 [inline] __sk_destruct+0x609/0x910 net/core/sock.c:1585 sk_destruct+0x47/0x80 net/core/sock.c:1593 __sk_free+0x57/0x230 net/core/sock.c:1601 sk_free+0x2a/0x40 net/core/sock.c:1612 sock_put include/net/sock.h:1651 [inline] dccp_close+0x6de/0xc10 net/dccp/proto.c:1081 inet_release+0xed/0x1c0 net/ipv4/af_inet.c:426 inet6_release+0x50/0x70 net/ipv6/af_inet6.c:433 sock_release+0x8d/0x1e0 net/socket.c:596 SYSC_socketpair net/socket.c:1448 [inline] SyS_socketpair+0x4da/0x640 net/socket.c:1352 entry_SYSCALL_64_fastpath+0x1f/0xbe The buggy address belongs to the object at ffff8801d32b3980 which belongs to the cache kmalloc-32 of size 32 The buggy address is located 2 bytes inside of 32-byte region [ffff8801d32b3980, ffff8801d32b39a0) The buggy address belongs to the page: page:ffffea00074cacc0 count:1 mapcount:0 mapping:ffff8801d32b3000 index:0xffff8801d32b3fc1 flags: 0x200000000000100(slab) raw: 0200000000000100 ffff8801d32b3000 ffff8801d32b3fc1 0000000100000033 raw: ffffea00074bac20 ffffea00074bdca0 ffff8801dac001c0 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801d32b3880: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff8801d32b3900: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc >ffff8801d32b3980: 02 fc fc fc fc fc fc fc fb fb fb fb fc fc fc fc ^ ffff8801d32b3a00: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ffff8801d32b3a80: fb fb fb fb fc fc fc fc fb fb fb fb fc fc fc fc ==================================================================