netlink: 8 bytes leftover after parsing attributes in process `syz-executor.1'. ================================================================== BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline] BUG: KASAN: global-out-of-bounds in nfnetlink_parse_nat_setup+0x516/0x560 net/netfilter/nf_nat_core.c:784 Read of size 8 at addr ffffffff873d5198 by task syz-executor.1/21412 CPU: 0 PID: 21412 Comm: syz-executor.1 Not tainted 4.14.197-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1b2/0x283 lib/dump_stack.c:58 print_address_description.cold+0x5/0x1d3 mm/kasan/report.c:252 kasan_report_error.cold+0x8a/0x194 mm/kasan/report.c:351 kasan_report mm/kasan/report.c:409 [inline] __asan_report_load8_noabort+0x68/0x70 mm/kasan/report.c:430 nfnetlink_parse_nat net/netfilter/nf_nat_core.c:747 [inline] nfnetlink_parse_nat_setup+0x516/0x560 net/netfilter/nf_nat_core.c:784 ctnetlink_parse_nat_setup+0x70/0x490 net/netfilter/nf_conntrack_netlink.c:1421 ctnetlink_setup_nat net/netfilter/nf_conntrack_netlink.c:1496 [inline] ctnetlink_create_conntrack+0x47b/0x1050 net/netfilter/nf_conntrack_netlink.c:1840 ctnetlink_new_conntrack+0x457/0xbf0 net/netfilter/nf_conntrack_netlink.c:1964 nfnetlink_rcv_msg+0x9bb/0xc00 net/netfilter/nfnetlink.c:214 netlink_rcv_skb+0x125/0x390 net/netlink/af_netlink.c:2433 nfnetlink_rcv+0x1ab/0x1da0 net/netfilter/nfnetlink.c:515 netlink_unicast_kernel net/netlink/af_netlink.c:1287 [inline] netlink_unicast+0x437/0x610 net/netlink/af_netlink.c:1313 netlink_sendmsg+0x62e/0xb80 net/netlink/af_netlink.c:1878 sock_sendmsg_nosec net/socket.c:646 [inline] sock_sendmsg+0xb5/0x100 net/socket.c:656 ___sys_sendmsg+0x6c8/0x800 net/socket.c:2062 __sys_sendmsg+0xa3/0x120 net/socket.c:2096 SYSC_sendmsg net/socket.c:2107 [inline] SyS_sendmsg+0x27/0x40 net/socket.c:2103 do_syscall_64+0x1d5/0x640 arch/x86/entry/common.c:292 entry_SYSCALL_64_after_hwframe+0x46/0xbb RIP: 0033:0x45d5b9 RSP: 002b:00007f6d09c9ac78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 000000000002a600 RCX: 000000000045d5b9 RDX: 0000000000000000 RSI: 0000000020000580 RDI: 0000000000000003 RBP: 000000000118cf80 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118cf4c R13: 00007ffc03dc744f R14: 00007f6d09c9b9c0 R15: 000000000118cf4c The buggy address belongs to the variable: nft_reject_policy+0x38/0x60 Memory state around the buggy address: ffffffff873d5080: fa fa fa fa 00 00 00 03 fa fa fa fa 04 fa fa fa ffffffff873d5100: fa fa fa fa 04 fa fa fa fa fa fa fa 00 00 00 00 >ffffffff873d5180: 00 00 fa fa fa fa fa fa 00 00 00 00 00 00 00 00 ^ ffffffff873d5200: 00 00 00 fa fa fa fa fa 07 fa fa fa fa fa fa fa ffffffff873d5280: 00 00 00 00 fa fa fa fa 00 00 00 00 03 fa fa fa ================================================================== audit: type=1804 audit(1599749731.419:278): pid=21429 uid=0 auid=0 ses=4 subj=system_u:system_r:kernel_t:s0 op="invalid_pcr" cause="open_writers" comm="syz-executor.3" name="/root/syzkaller-testdir483657385/syzkaller.0q59L5/238/bus" dev="sda1" ino=16642 res=1