UBSAN: object-size-mismatch in wg_xmit

IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
member access within address 00000000b61512cb with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.80-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x49c/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4776 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4790
 xmit_one net/core/dev.c:3584 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3600
 __dev_queue_xmit+0xea9/0x18d0 net/core/dev.c:4163
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4196
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1532
 neigh_output include/net/neighbour.h:516 [inline]
 ip6_finish_output2+0xdb0/0x12e0 net/ipv6/ip6_output.c:145
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:210
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:220
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4195
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3960
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2270
 worker_thread+0x723/0xa60 kernel/workqueue.c:2416
 kthread+0x365/0x400 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================
================================================================================
UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
member access within address 00000000b61512cb with insufficient space
for an object of type 'struct sk_buff'
CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.80-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: ipv6_addrconf addrconf_dad_work
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x19c/0x1e2 lib/dump_stack.c:118
 ubsan_epilogue lib/ubsan.c:148 [inline]
 handle_object_size_mismatch lib/ubsan.c:297 [inline]
 ubsan_type_mismatch_common+0x1ed/0x3a0 lib/ubsan.c:310
 __ubsan_handle_type_mismatch_v1+0x4b/0x60 lib/ubsan.c:339
 __skb_insert include/linux/skbuff.h:1909 [inline]
 __skb_queue_before include/linux/skbuff.h:2016 [inline]
 __skb_queue_tail include/linux/skbuff.h:2049 [inline]
 wg_xmit+0x4ff/0xa60 drivers/net/wireguard/device.c:182
 __netdev_start_xmit include/linux/netdevice.h:4776 [inline]
 netdev_start_xmit+0x8a/0x160 include/linux/netdevice.h:4790
 xmit_one net/core/dev.c:3584 [inline]
 dev_hard_start_xmit+0x18d/0x2f0 net/core/dev.c:3600
 __dev_queue_xmit+0xea9/0x18d0 net/core/dev.c:4163
 dev_queue_xmit+0x17/0x20 net/core/dev.c:4196
 neigh_connected_output+0x288/0x2b0 net/core/neighbour.c:1532
 neigh_output include/net/neighbour.h:516 [inline]
 ip6_finish_output2+0xdb0/0x12e0 net/ipv6/ip6_output.c:145
 __ip6_finish_output+0x3e6/0x530 net/ipv6/ip6_output.c:210
 ip6_finish_output+0x20b/0x220 net/ipv6/ip6_output.c:220
 NF_HOOK_COND include/linux/netfilter.h:290 [inline]
 ip6_output+0x18c/0x3f0 net/ipv6/ip6_output.c:243
 dst_output include/net/dst.h:443 [inline]
 NF_HOOK+0x88/0x210 include/linux/netfilter.h:301
 ndisc_send_skb+0x653/0x9f0 net/ipv6/ndisc.c:508
 ndisc_send_rs+0x26c/0x360 net/ipv6/ndisc.c:702
 addrconf_dad_completed+0x493/0x970 net/ipv6/addrconf.c:4195
 addrconf_dad_work+0x9d0/0x12d0 net/ipv6/addrconf.c:3960
 process_one_work+0x3d5/0x640 kernel/workqueue.c:2270
 worker_thread+0x723/0xa60 kernel/workqueue.c:2416
 kthread+0x365/0x400 kernel/kthread.c:313
 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:296
================================================================================

forked to background, child pid 208
no interfaces have a carrier
Starting sshd: OK
syzkaller
syzkaller login: [ 14.692924][ T22] kauditd_printk_skb: 60 callbacks suppressed
[ 14.692935][ T22] audit: type=1400 audit(1669440265.020:71): avc: denied { transition } for pid=301 comm="sshd" path="/bin/sh" dev="sda1" ino=73 scontext=system_u:system_r:initrc_t tcontext=root:sysadm_r:sysadm_t tclass=process permissive=1
[ 14.698382][ T22] audit: type=1400 audit(1669440265.020:72): avc: denied { write } for pid=301 comm="sh" path="pipe:[11219]" dev="pipefs" ino=11219 scontext=root:sysadm_r:sysadm_t tcontext=system_u:system_r:initrc_t tclass=fifo_file permissive=1
Warning: Permanently added '10.128.10.7' (ECDSA) to the list of known hosts.
2022/11/26 05:24:31 fuzzer started
2022/11/26 05:24:31 connecting to host at 10.128.0.163:46237
2022/11/26 05:24:31 checking machine...
2022/11/26 05:24:31 checking revisions...
2022/11/26 05:24:31 testing simple program...
[ 21.315862][ T22] audit: type=1400 audit(1669440271.640:73): avc: denied { integrity } for pid=373 comm="syz-fuzzer" lockdown_reason="debugfs access" scontext=root:sysadm_r:sysadm_t tcontext=root:sysadm_r:sysadm_t tclass=lockdown permissive=1
[ 21.332281][ T382] cgroup: Unknown subsys name 'net'
[ 21.338883][ T22] audit: type=1400 audit(1669440271.640:74): avc: denied { getattr } for pid=373 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.367286][ T22] audit: type=1400 audit(1669440271.640:75): avc: denied { read } for pid=373 comm="syz-fuzzer" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.367424][ T382] cgroup: Unknown subsys name 'devices'
[ 21.388449][ T22] audit: type=1400 audit(1669440271.640:76): avc: denied { open } for pid=373 comm="syz-fuzzer" path="user:[4026531837]" dev="nsfs" ino=4026531837 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:nsfs_t tclass=file permissive=1
[ 21.417430][ T22] audit: type=1400 audit(1669440271.640:77): avc: denied { read } for pid=373 comm="syz-fuzzer" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.440248][ T22] audit: type=1400 audit(1669440271.640:78): avc: denied { open } for pid=373 comm="syz-fuzzer" path="/dev/raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.463557][ T22] audit: type=1400 audit(1669440271.640:79): avc: denied { mounton } for pid=382 comm="syz-executor" path="/syzcgroup/unified" dev="sda1" ino=1136 scontext=root:sysadm_r:sysadm_t tcontext=root:object_r:root_t tclass=dir permissive=1
[ 21.486331][ T22] audit: type=1400 audit(1669440271.640:80): avc: denied { mount } for pid=382 comm="syz-executor" name="/" dev="cgroup2" ino=1 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.508479][ T22] audit: type=1400 audit(1669440271.680:81): avc: denied { unmount } for pid=382 comm="syz-executor" scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:cgroup_t tclass=filesystem permissive=1
[ 21.592884][ T382] cgroup: Unknown subsys name 'hugetlb'
[ 21.598733][ T382] cgroup: Unknown subsys name 'rlimit'
[ 21.722360][ T22] audit: type=1400 audit(1669440272.050:82): avc: denied { setattr } for pid=382 comm="syz-executor" name="raw-gadget" dev="devtmpfs" ino=165 scontext=root:sysadm_r:sysadm_t tcontext=system_u:object_r:device_t tclass=chr_file permissive=1
[ 21.779458][ T385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.786819][ T385] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.794330][ T385] device bridge_slave_0 entered promiscuous mode
[ 21.801037][ T385] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.808337][ T385] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.815704][ T385] device bridge_slave_1 entered promiscuous mode
[ 21.845057][ T385] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.852267][ T385] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.859520][ T385] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.866755][ T385] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.884042][ T18] bridge0: port 1(bridge_slave_0) entered disabled state
[ 21.891455][ T18] bridge0: port 2(bridge_slave_1) entered disabled state
[ 21.898636][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
[ 21.906539][ T18] IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
[ 21.922407][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_0: link becomes ready
[ 21.930571][ T383] bridge0: port 1(bridge_slave_0) entered blocking state
[ 21.937599][ T383] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 21.945201][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): bridge_slave_1: link becomes ready
[ 21.954259][ T383] bridge0: port 2(bridge_slave_1) entered blocking state
[ 21.961436][ T383] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 21.968976][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_0: link becomes ready
[ 21.977183][ T383] IPv6: ADDRCONF(NETDEV_CHANGE): hsr_slave_1: link becomes ready
[ 21.989229][ T73] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_virt_wifi: link becomes ready
[ 22.007232][ T73] ================================================================================
[ 22.016541][ T73] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:2016:28
[ 22.024348][ T73] member access within address 00000000b61512cb with insufficient space
[ 22.032660][ T73] for an object of type 'struct sk_buff'
[ 22.038304][ T73] CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.80-syzkaller #0
[ 22.046285][ T73] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.056481][ T73] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.062532][ T73] Call Trace:
[ 22.065803][ T73] dump_stack+0x19c/0x1e2
[ 22.070120][ T73] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.075816][ T73] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.081778][ T73] wg_xmit+0x49c/0xa60
[ 22.085849][ T73] netdev_start_xmit+0x8a/0x160
[ 22.090678][ T73] dev_hard_start_xmit+0x18d/0x2f0
[ 22.095766][ T73] __dev_queue_xmit+0xea9/0x18d0
[ 22.100687][ T73] dev_queue_xmit+0x17/0x20
[ 22.105182][ T73] neigh_connected_output+0x288/0x2b0
[ 22.110549][ T73] ip6_finish_output2+0xdb0/0x12e0
[ 22.115647][ T73] ? ip6_mtu+0xf1/0x140
[ 22.119786][ T73] __ip6_finish_output+0x3e6/0x530
[ 22.124877][ T73] ip6_finish_output+0x20b/0x220
[ 22.131703][ T73] ? ip6_output+0x175/0x3f0
[ 22.136196][ T73] ip6_output+0x18c/0x3f0
[ 22.140615][ T73] ? ip6_dst_idev+0x40/0x40
[ 22.145098][ T73] NF_HOOK+0x88/0x210
[ 22.149057][ T73] ? NF_HOOK+0x210/0x210
[ 22.153276][ T73] ndisc_send_skb+0x653/0x9f0
[ 22.158047][ T73] ndisc_send_rs+0x26c/0x360
[ 22.162619][ T73] addrconf_dad_completed+0x493/0x970
[ 22.168151][ T73] addrconf_dad_work+0x9d0/0x12d0
[ 22.173168][ T73] process_one_work+0x3d5/0x640
[ 22.178019][ T73] worker_thread+0x723/0xa60
[ 22.182587][ T73] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 22.188020][ T73] kthread+0x365/0x400
[ 22.192059][ T73] ? pr_cont_work+0x110/0x110
[ 22.196715][ T73] ? __list_add+0xc0/0xc0
[ 22.201034][ T73] ret_from_fork+0x1f/0x30
[ 22.205478][ T73] ================================================================================
[ 22.214771][ T73] ================================================================================
[ 22.224164][ T73] UBSAN: object-size-mismatch in ./include/linux/skbuff.h:1909:2
[ 22.231894][ T73] member access within address 00000000b61512cb with insufficient space
[ 22.240287][ T73] for an object of type 'struct sk_buff'
[ 22.245938][ T73] CPU: 0 PID: 73 Comm: kworker/0:1 Not tainted 5.10.80-syzkaller #0
[ 22.253984][ T73] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
[ 22.264212][ T73] Workqueue: ipv6_addrconf addrconf_dad_work
[ 22.270259][ T73] Call Trace:
[ 22.273543][ T73] dump_stack+0x19c/0x1e2
[ 22.277865][ T73] ubsan_type_mismatch_common+0x1ed/0x3a0
[ 22.283577][ T73] __ubsan_handle_type_mismatch_v1+0x4b/0x60
[ 22.289538][ T73] wg_xmit+0x4ff/0xa60
[ 22.293581][ T73] netdev_start_xmit+0x8a/0x160
[ 22.298424][ T73] dev_hard_start_xmit+0x18d/0x2f0
[ 22.303510][ T73] __dev_queue_xmit+0xea9/0x18d0
[ 22.308417][ T73] dev_queue_xmit+0x17/0x20
[ 22.312892][ T73] neigh_connected_output+0x288/0x2b0
[ 22.318246][ T73] ip6_finish_output2+0xdb0/0x12e0
[ 22.323341][ T73] ? ip6_mtu+0xf1/0x140
[ 22.327482][ T73] __ip6_finish_output+0x3e6/0x530
[ 22.332740][ T73] ip6_finish_output+0x20b/0x220
[ 22.337654][ T73] ? ip6_output+0x175/0x3f0
[ 22.342135][ T73] ip6_output+0x18c/0x3f0
[ 22.346440][ T73] ? ip6_dst_idev+0x40/0x40
[ 22.350911][ T73] NF_HOOK+0x88/0x210
[ 22.354858][ T73] ? NF_HOOK+0x210/0x210
[ 22.359066][ T73] ndisc_send_skb+0x653/0x9f0
[ 22.363711][ T73] ndisc_send_rs+0x26c/0x360
[ 22.368268][ T73] addrconf_dad_completed+0x493/0x970
[ 22.373703][ T73] addrconf_dad_work+0x9d0/0x12d0
[ 22.378696][ T73] process_one_work+0x3d5/0x640
[ 22.383536][ T73] worker_thread+0x723/0xa60
[ 22.388103][ T73] ? _raw_spin_lock_irqsave+0xa2/0x220
[ 22.393529][ T73] kthread+0x365/0x400
[ 22.397912][ T73] ? pr_cont_work+0x110/0x110
[ 22.402562][ T73] ? __list_add+0xc0/0xc0
[ 22.406861][ T73] ret_from_fork+0x1f/0x30
[ 22.411277][ T73] ================================================================================
[ 22.421030][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_to_batadv: link becomes ready
[ 22.429866][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth1_to_batadv: link becomes ready
[ 22.438376][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_vlan: link becomes ready
2022/11/26 05:24:32 building call list...
[ 22.446238][ T107] IPv6: ADDRCONF(NETDEV_CHANGE): veth0_macvtap: link becomes ready
[ 22.461686][ T385] cgroup: cgroup: disabling cgroup2 socket matching due to net_prio or net_cls activation
[ 23.011401][ T98] device bridge_slave_1 left promiscuous mode
[ 23.021239][ T98] bridge0: port 2(bridge_slave_1) entered disabled state
[ 23.028753][ T98] device bridge_slave_0 left promiscuous mode
[ 23.035341][ T98] bridge0: port 1(bridge_slave_0) entered disabled state

syzkaller build log:
go env (err=)
GO111MODULE="auto"
GOARCH="amd64"
GOBIN=""
GOCACHE="/syzkaller/.cache/go-build"
GOENV="/syzkaller/.config/go/env"
GOEXE=""
GOEXPERIMENT=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOINSECURE=""
GOMODCACHE="/syzkaller/jobs/linux/gopath/pkg/mod"
GONOPROXY=""
GONOSUMDB=""
GOOS="linux"
GOPATH="/syzkaller/jobs/linux/gopath"
GOPRIVATE=""
GOPROXY="https://proxy.golang.org,direct"
GOROOT="/usr/local/go"
GOSUMDB="sum.golang.org"
GOTMPDIR=""
GOTOOLDIR="/usr/local/go/pkg/tool/linux_amd64"
GOVCS=""
GOVERSION="go1.17"
GCCGO="gccgo"
AR="ar"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD="/syzkaller/jobs/linux/gopath/src/github.com/google/syzkaller/go.mod"
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build3887443328=/tmp/go-build -gno-record-gcc-switches"

git status (err=)
HEAD detached at c0b80a55c
nothing to commit, working tree clean

tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
Makefile:32: run command via tools/syz-env for best compatibility, see:
Makefile:33: https://github.com/google/syzkaller/blob/master/docs/contributing.md#using-syz-env
go list -f '{{.Stale}}' ./sys/syz-sysgen | grep -q false || go install ./sys/syz-sysgen
make .descriptions
tput: No value for $TERM and no -T specified
tput: No value for $TERM and no -T specified
bin/syz-sysgen
touch .descriptions
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-fuzzer github.com/google/syzkaller/syz-fuzzer
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-execprog github.com/google/syzkaller/tools/syz-execprog
GOOS=linux GOARCH=amd64 go build "-ldflags=-s -w -X github.com/google/syzkaller/prog.GitRevision=c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2 -X 'github.com/google/syzkaller/prog.gitRevisionDate=20221021-135310'" "-tags=syz_target syz_os_linux syz_arch_amd64 " -o ./bin/linux_amd64/syz-stress github.com/google/syzkaller/tools/syz-stress
mkdir -p ./bin/linux_amd64
gcc -o ./bin/linux_amd64/syz-executor executor/executor.cc \
	-m64 -O2 -pthread -Wall -Werror -Wparentheses -Wunused-const-variable -Wframe-larger-than=16384 -Wno-stringop-overflow -Wno-array-bounds -Wno-format-overflow -static-pie -fpermissive -w -DGOOS_linux=1 -DGOARCH_amd64=1 \
	-DHOSTGOOS_linux=1 -DGIT_REVISION=\"c0b80a55c9c8cfe75e77c555ed0d4ae7aa373cc2\"