==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy+0x1d/0x40 mm/kasan/kasan.c:317 at addr ffff8801d06f7318
Read of size 8192 by task syz-executor0/26475
=============================================================================
BUG kmalloc-512 (Not tainted): kasan: bad access detected
-----------------------------------------------------------------------------

INFO: Allocated in __alloc_skb+0xf5/0x610 net/core/skbuff.c:230 age=5 cpu=1 pid=26475
 ___slab_alloc.constprop.78+0x4c6/0x530 mm/slub.c:2475
 __slab_alloc.isra.74.constprop.77+0x50/0xa0 mm/slub.c:2504
 slab_alloc_node mm/slub.c:2567 [inline]
 slab_alloc mm/slub.c:2609 [inline]
 __kmalloc_track_caller+0x19c/0x2b0 mm/slub.c:4118
 __kmalloc_reserve.isra.33+0x28/0xa0 net/core/skbuff.c:137
 __alloc_skb+0xf5/0x610 net/core/skbuff.c:230
 alloc_skb include/linux/skbuff.h:815 [inline]
 pfkey_sendmsg+0x10f/0x6c0 net/key/af_key.c:3657
 sock_sendmsg_nosec net/socket.c:625 [inline]
 sock_sendmsg+0xb5/0xf0 net/socket.c:635
 ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 SYSC_sendmsg net/socket.c:2006 [inline]
 SyS_sendmsg+0xd/0x20 net/socket.c:2002
 entry_SYSCALL_64_fastpath+0x16/0x76
INFO: Freed in load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075 age=10 cpu=0 pid=26482
 __slab_free+0x18c/0x2b0 mm/slub.c:2685
netlink: 6 bytes leftover after parsing attributes in process `syz-executor4'.
 slab_free mm/slub.c:2840 [inline]
 kfree+0x24f/0x2d0 mm/slub.c:3714
 load_elf_binary+0x2049/0x4b70 fs/binfmt_elf.c:1075
 search_binary_handler+0x124/0x610 fs/exec.c:1471
 exec_binprm fs/exec.c:1513 [inline]
 do_execveat_common.isra.36+0x1370/0x1ef0 fs/exec.c:1635
 do_execve+0x27/0x30 fs/exec.c:1679
 call_usermodehelper_exec_async+0x288/0x4b0 kernel/kmod.c:252
 ret_from_fork+0x3f/0x70 arch/x86/entry/entry_64.S:468
INFO: Slab 0xffffea000741bd00 objects=20 used=5 fp=0xffff8801d06f6ca0 flags=0x8000000000004080
INFO: Object 0xffff8801d06f7300 @offset=13056 fp=0x0000000f00000302

Bytes b4 ffff8801d06f72f0: 00 00 00 00 a6 67 00 00 1f b2 ff ff 00 00 00 00  .....g..........
Object ffff8801d06f7300: 02 03 00 00 0f 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f7310: 01 00 09 00 ff ff 00 00 05 00 06 00 00 00 00 00  ................
netlink: 6 bytes leftover after parsing attributes in process `syz-executor4'.
Object ffff8801d06f7320: 0a 00 4e 20 00 00 00 00 00 00 00 00 00 00 00 00  ..N ............
Object ffff8801d06f7330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f7340: 02 00 01 00 00 00 00 00 00 00 00 0b 00 00 00 00  ................
netlink: 73 bytes leftover after parsing attributes in process `syz-executor4'.
Object ffff8801d06f7350: 05 00 05 00 00 00 00 00 0a 00 4e 20 00 00 00 00  ..........N ....
Object ffff8801d06f7360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f7370: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f7380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f7390: 5c 36 01 00 00 00 00 00 5c 36 01 00 00 00 00 00  \6......\6......
Object ffff8801d06f73a0: 00 00 20 00 00 00 00 00 01 00 00 00 06 00 00 00  .. .............
Object ffff8801d06f73b0: 30 42 01 00 00 00 00 00 30 42 21 00 00 00 00 00  0B......0B!.....
Object ffff8801d06f73c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f73d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f73e0: 01 00 00 00 06 00 00 00 50 4d 01 00 00 00 00 00  ........PM......
Object ffff8801d06f73f0: 50 4d 21 00 00 00 00 00 50 4d 21 00 00 00 00 00  PM!.....PM!.....
Object ffff8801d06f7400: f0 01 00 00 00 00 00 00 f0 01 00 00 00 00 00 00  ................
Object ffff8801d06f7410: 08 00 00 00 00 00 00 00 04 00 00 00 04 00 00 00  ................
Object ffff8801d06f7420: 54 02 00 00 00 00 00 00 54 02 00 00 00 00 00 00  T.......T.......
Object ffff8801d06f7430: 54 02 00 00 00 00 00 00 44 00 00 00 00 00 00 00  T.......D.......
Object ffff8801d06f7440: 44 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00  D...............
Object ffff8801d06f7450: 50 e5 74 64 04 00 00 00 b4 22 01 00 00 00 00 00  P.td....."......
Object ffff8801d06f7460: b4 22 01 00 00 00 00 00 b4 22 01 00 00 00 00 00  ."......."......
Object ffff8801d06f7470: 74 02 00 00 00 00 00 00 74 02 00 00 00 00 00 00  t.......t.......
Object ffff8801d06f7480: 04 00 00 00 00 00 00 00 51 e5 74 64 06 00 00 00  ........Q.td....
Object ffff8801d06f7490: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f74a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
Object ffff8801d06f74b0: 00 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00  ................
Object ffff8801d06f74c0: 52 e5 74 64 04 00 00 00 30 42 01 00 00 00 00 00  R.td....0B......
Object ffff8801d06f74d0: 30 42 21 00 00 00 00 00 30 42 21 00 00 00 00 00  0B!.....0B!.....
Object ffff8801d06f74e0: d0 0d 00 00 00 00 00 00 d0 0d 00 00 00 00 00 00  ................
Object ffff8801d06f74f0: 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
CPU: 1 PID: 26475 Comm: syz-executor0 Tainted: G B 4.4.105-ge303a83 #5
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000000 f46e27f803adc14b ffff8801d6167708 ffffffff81cc9b4f
 ffff8801d06f4010 ffff8801d06f7300 ffff8801d6167738 ffffffff814d3af4
 ffff8801da402a00 ffffea000741bd00 ffff8801d06f7300 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x8e/0xcf lib/dump_stack.c:51
 [] print_trailer+0x114/0x1a0 mm/slub.c:682
 [] object_err+0x2f/0x40 mm/slub.c:689
 [] print_address_description mm/kasan/report.c:139 [inline]
 [] kasan_report_error mm/kasan/report.c:237 [inline]
 [] kasan_report.part.2+0x227/0x530 mm/kasan/report.c:262
 [] kasan_report+0x20/0x30 mm/kasan/report.c:249
 [] check_memory_region mm/kasan/kasan.c:284 [inline]
 [] __asan_loadN+0x117/0x180 mm/kasan/kasan.c:532
 [] memcpy+0x1d/0x40 mm/kasan/kasan.c:317
 [] pfkey_msg2xfrm_state net/key/af_key.c:1219 [inline]
 [] pfkey_add+0x13b4/0x3d80 net/key/af_key.c:1498
 [] pfkey_process+0x58d/0x900 net/key/af_key.c:2826
 [] pfkey_sendmsg+0x35b/0x6c0 net/key/af_key.c:3670
 [] sock_sendmsg_nosec net/socket.c:625 [inline]
 [] sock_sendmsg+0xb5/0xf0 net/socket.c:635
 [] ___sys_sendmsg+0x66d/0x7d0 net/socket.c:1961
 [] __sys_sendmsg+0xc3/0x160 net/socket.c:1995
 [] SYSC_sendmsg net/socket.c:2006 [inline]
 [] SyS_sendmsg+0xd/0x20 net/socket.c:2002
 [] entry_SYSCALL_64_fastpath+0x16/0x76
Memory state around the buggy address:
 ffff8801d06f7400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
 ffff8801d06f7480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffff8801d06f7500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                   ^
 ffff8801d06f7580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8801d06f7600: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
==================================================================
netlink: 6 bytes leftover after parsing attributes in process `syz-executor5'.
ALSA: seq fatal error: cannot create timer (-22)
netlink: 8 bytes leftover after parsing attributes in process `syz-executor1'.
ALSA: seq fatal error: cannot create timer (-22)
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23916 sclass=netlink_route_socket
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 6 bytes leftover after parsing attributes in process `syz-executor5'.
netlink: 8 bytes leftover after parsing attributes in process `syz-executor3'.
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23916 sclass=netlink_route_socket
audit: type=1326 audit(1513136283.626:28): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=26829 comm="syz-executor0" exe="/root/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
audit: type=1326 audit(1513136283.726:29): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=26829 comm="syz-executor0" exe="/root/syz-executor0" sig=9 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
ALSA: seq fatal error: cannot create timer (-22)
ALSA: seq fatal error: cannot create timer (-22)
audit: type=1400 audit(1513136284.776:30): avc: denied { create } for pid=27284 comm="syz-executor3" scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=netlink_rdma_socket permissive=1
binder: 27423:27426 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 27423: binder_alloc_buf, no vma
binder: 27423:27437 transaction failed 29189/-3, size 0-0 line 3131
binder: 27423:27448 got reply transaction with no transaction stack
binder: 27423:27448 transaction failed 29201/-71, size 24-8 line 2924
device gre0 entered promiscuous mode
binder: undelivered TRANSACTION_ERROR: 29201
binder: 27423:27448 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 27423: binder_alloc_buf, no vma
binder: 27423:27437 transaction failed 29189/-3, size 0-0 line 3131
binder: 27423:27448 got reply transaction with no transaction stack
binder: 27423:27448 transaction failed 29201/-71, size 24-8 line 2924
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
device gre0 entered promiscuous mode
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=8 sclass=netlink_route_socket
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
nla_parse: 28 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor4'.
device gre0 entered promiscuous mode
keychord: invalid keycode count 0
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
keychord: invalid keycode count 0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23916 sclass=netlink_route_socket
netlink: 8 bytes leftover after parsing attributes in process `syz-executor2'.
audit: type=1326 audit(1513136287.016:31): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=28155 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23916 sclass=netlink_route_socket
audit: type=1326 audit(1513136287.126:32): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=28155 comm="syz-executor1" exe="/root/syz-executor1" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor3'.
netlink: 73 bytes leftover after parsing attributes in process `syz-executor6'.
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
netlink: 16 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor4'.
netlink: 5 bytes leftover after parsing attributes in process `syz-executor1'.
device gre0 entered promiscuous mode
binder: 28676:28681 ioctl c0086420 20ee6000 returned -22
binder: 28676:28681 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 28676: binder_alloc_buf, no vma
binder: 28676:28697 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: 28676:28707 ioctl c0086420 20ee6000 returned -22
binder: 28676:28707 ERROR: BC_REGISTER_LOOPER called without request
binder: BINDER_SET_CONTEXT_MGR already set
binder: 28676:28697 ioctl 40046207 0 returned -16
binder_alloc: 28676: binder_alloc_buf, no vma
binder: 28676:28707 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: 28808:28809 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 28808: binder_alloc_buf, no vma
binder: 28808:28820 transaction failed 29189/-3, size 0-0 line 3131
binder: 28808:28809 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 28808: binder_alloc_buf, no vma
binder: 28808:28820 transaction failed 29189/-3, size 0-0 line 3131
binder: 28808:28833 got reply transaction with no transaction stack
binder: 28808:28833 transaction failed 29201/-71, size 24-8 line 2924
binder: 28808:28809 BC_FREE_BUFFER u0000000000000000 no match
binder: 28808:28809 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 28808:28809 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 28808:28809 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 28808:28809 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 28808:28809 BC_REQUEST_DEATH_NOTIFICATION invalid ref 3
binder: 28808:28809 got reply transaction with no transaction stack
binder: 28808:28809 transaction failed 29201/-71, size 24-16 line 2924
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 28886:28890 ERROR: BC_REGISTER_LOOPER called without request
ALSA: seq fatal error: cannot create timer (-22)
binder: 28886:28914 got reply transaction with no transaction stack
binder: 28886:28914 transaction failed 29201/-71, size 24-8 line 2924
ALSA: seq fatal error: cannot create timer (-22)
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23916 sclass=netlink_route_socket
binder: undelivered TRANSACTION_ERROR: 29201
binder: 28886:28932 ERROR: BC_REGISTER_LOOPER called without request
binder: 28886:28890 got reply transaction with no transaction stack
binder: 28886:28890 transaction failed 29201/-71, size 24-8 line 2924
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=0 sclass=netlink_route_socket
binder: undelivered TRANSACTION_ERROR: 29201
SELinux: unrecognized netlink message: protocol=0 nlmsg_type=23916 sclass=netlink_route_socket
device gre0 entered promiscuous mode
device gre0 left promiscuous mode
device gre0 entered promiscuous mode
device gre0 entered promiscuous mode
binder: 29273:29278 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 29273: binder_alloc_buf, no vma
binder: 29273:29293 transaction failed 29189/-3, size 0-0 line 3131
binder: 29273:29305 got reply transaction with no transaction stack
binder: 29273:29305 transaction failed 29201/-71, size 24-8 line 2924
binder: undelivered TRANSACTION_ERROR: 29201
binder: 29273:29293 ERROR: BC_REGISTER_LOOPER called without request
binder: 29273:29293 got reply transaction with no transaction stack
binder_alloc: 29273: binder_alloc_buf, no vma
binder: 29273:29278 transaction failed 29189/-3, size 0-0 line 3131
binder: 29273:29293 transaction failed 29201/-71, size 24-8 line 2924
binder: 29273:29305 BC_FREE_BUFFER u0000000000000000 no match
binder: 29273:29305 BC_ACQUIRE_DONE uffffffffffffffff no match
binder: 29273:29305 IncRefs 0 refcount change on invalid ref 1 ret -22
binder: 29273:29305 DecRefs 0 refcount change on invalid ref 4 ret -22
binder: 29273:29305 BC_CLEAR_DEATH_NOTIFICATION invalid ref 0
binder: 29273:29305 BC_REQUEST_DEATH_NOTIFICATION invalid ref 3
binder: 29273:29305 got reply transaction with no transaction stack
binder: 29273:29305 transaction failed 29201/-71, size 24-16 line 2924
binder: 29332:29338 ERROR: BC_REGISTER_LOOPER called without request
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder_alloc: 29332: binder_alloc_buf, no vma
binder: 29332:29350 transaction failed 29189/-3, size 0-0 line 3131
binder: 29332:29365 got reply transaction with no transaction stack
binder: 29332:29365 transaction failed 29201/-71, size 24-8 line 2924
binder: BINDER_SET_CONTEXT_MGR already set
binder: 29332:29365 ioctl 40046207 0 returned -16
binder: 29332:29365 ERROR: BC_REGISTER_LOOPER called without request
binder_alloc: 29332: binder_alloc_buf, no vma
binder: 29332:29350 transaction failed 29189/-3, size 0-0 line 3131
binder: undelivered TRANSACTION_ERROR: 29189
binder: undelivered TRANSACTION_ERROR: 29201
binder: 29410:29417 ioctl 40046205 2 returned -22
binder: 29410:29417 ioctl c0086420 20ee6000 returned -22
binder: 29410:29432 ioctl 40046205 2 returned -22
binder: 29410:29417 ioctl c0086420 20ee6000 returned -22
binder: 29475:29502 ioctl c018620b 2000afe8 returned -14
binder: 29788:29790 ioctl 40046205 2 returned -22
binder: 29788:29798 ioctl c0086420 20ee6000 returned -22
device gre0 entered promiscuous mode
binder: 29788:29790 ioctl 40046205 2 returned -22
binder: 29788:29790 ioctl c0086420 20ee6000 returned -22
device gre0 entered promiscuous mode
nla_parse: 25 callbacks suppressed
netlink: 1 bytes leftover after parsing attributes in process `syz-executor2'.
netlink: 16 bytes leftover after parsing attributes in process `syz-executor1'.
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
ALSA: seq fatal error: cannot create timer (-22)
netlink: 1 bytes leftover after parsing attributes in process `syz-executor1'.
binder: 30125:30142 ioctl 4b3a 3 returned -22
binder: 30125:30142 ioctl c018620b 2000afe8 returned -14
binder: 30125:30155 ioctl 4b3a 3 returned -22
binder: 30125:30155 ioctl c018620b 2000afe8 returned -14
audit: type=1326 audit(1513136292.056:33): auid=4294967295 uid=0 gid=0 ses=4294967295 subj=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 pid=30165 comm="syz-executor0" exe="/root/syz-executor0" sig=31 arch=c000003e syscall=202 compat=0 ip=0x452a39 code=0x0
netlink: 73 bytes leftover after parsing attributes in process `syz-executor7'.
netlink: 73 bytes leftover after parsing attributes in process `syz-executor7'.