lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 13 Feb 2018 19:48:08 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     Cong Wang <xiyou.wangcong@...il.com>
Cc:     syzbot 
        <bot+1aa412fe58f4059538c0204a0f096524e6dce60b@...kaller.appspotmail.com>,
        David Miller <davem@...emloft.net>,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        LKML <linux-kernel@...r.kernel.org>,
        Linux Kernel Network Developers <netdev@...r.kernel.org>,
        syzkaller-bugs@...glegroups.com,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Willem de Bruijn <willemb@...gle.com>
Subject: Re: KASAN: use-after-free Read in sit_tunnel_xmit

On Mon, Oct 30, 2017 at 7:41 PM, Cong Wang <xiyou.wangcong@...il.com> wrote:
> On Mon, Oct 30, 2017 at 8:34 AM, syzbot
> <bot+1aa412fe58f4059538c0204a0f096524e6dce60b@...kaller.appspotmail.com>
> wrote:
>> Hello,
>>
>> syzkaller hit the following crash on
>> 4dc12ffeaeac939097a3f55c881d3dc3523dff0c
>> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
>> compiler: gcc (GCC) 7.1.1 20170620
>> .config is attached
>> Raw console output is attached.
>>
>> skbuff: bad partial csum: csum=53081/14726 len=2273
>> ==================================================================
>> BUG: KASAN: use-after-free in ipv6_get_dsfield include/net/dsfield.h:23
>> [inline]
>> BUG: KASAN: use-after-free in ipip6_tunnel_xmit net/ipv6/sit.c:968 [inline]
>> BUG: KASAN: use-after-free in sit_tunnel_xmit+0x2a41/0x3130
>> net/ipv6/sit.c:1016
>> Read of size 2 at addr ffff8801c64afd00 by task syz-executor3/16942
>>
>> CPU: 0 PID: 16942 Comm: syz-executor3 Not tainted 4.14.0-rc5+ #97
>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>> Google 01/01/2011
>> Call Trace:
>>  __dump_stack lib/dump_stack.c:16 [inline]
>>  dump_stack+0x194/0x257 lib/dump_stack.c:52
>>  print_address_description+0x73/0x250 mm/kasan/report.c:252
>>  kasan_report_error mm/kasan/report.c:351 [inline]
>>  kasan_report+0x25b/0x340 mm/kasan/report.c:409
>>  __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
>>  ipv6_get_dsfield include/net/dsfield.h:23 [inline]
>>  ipip6_tunnel_xmit net/ipv6/sit.c:968 [inline]
>>  sit_tunnel_xmit+0x2a41/0x3130 net/ipv6/sit.c:1016
>>  __netdev_start_xmit include/linux/netdevice.h:4022 [inline]
>>  netdev_start_xmit include/linux/netdevice.h:4031 [inline]
>>  xmit_one net/core/dev.c:3008 [inline]
>>  dev_hard_start_xmit+0x248/0xac0 net/core/dev.c:3024
>>  __dev_queue_xmit+0x17d2/0x2070 net/core/dev.c:3505
>>  dev_queue_xmit+0x17/0x20 net/core/dev.c:3538
>>  neigh_direct_output+0x15/0x20 net/core/neighbour.c:1390
>>  neigh_output include/net/neighbour.h:481 [inline]
>>  ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120
>>  ip6_fragment+0x25ae/0x3420 net/ipv6/ip6_output.c:723
>>  ip6_finish_output+0x319/0x920 net/ipv6/ip6_output.c:144
>>  NF_HOOK_COND include/linux/netfilter.h:238 [inline]
>>  ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163
>>  dst_output include/net/dst.h:459 [inline]
>>  ip6_local_out+0x95/0x160 net/ipv6/output_core.c:176
>>  ip6_send_skb+0xa1/0x330 net/ipv6/ip6_output.c:1658
>>  ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1678
>>  rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
>>  rawv6_sendmsg+0x2eb9/0x3e40 net/ipv6/raw.c:935
>>  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
>>  sock_sendmsg_nosec net/socket.c:633 [inline]
>>  sock_sendmsg+0xca/0x110 net/socket.c:643
>>  SYSC_sendto+0x352/0x5a0 net/socket.c:1750
>>  SyS_sendto+0x40/0x50 net/socket.c:1718
>>  entry_SYSCALL_64_fastpath+0x1f/0xbe
>> RIP: 0033:0x452869
>> RSP: 002b:00007fe3c12e5be8 EFLAGS: 00000212 ORIG_RAX: 000000000000002c
>> RAX: ffffffffffffffda RBX: 00000000007580d8 RCX: 0000000000452869
>> RDX: 00000000000007f1 RSI: 000000002013b7ff RDI: 0000000000000014
>> RBP: 0000000000000161 R08: 00000000204e8fe4 R09: 000000000000001c
>> R10: 0000000001000000 R11: 0000000000000212 R12: 00000000006f01b8
>> R13: 00000000ffffffff R14: 00007fe3c12e66d4 R15: 0000000000000017
>>
>> Allocated by task 16924:
>>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>  set_track mm/kasan/kasan.c:459 [inline]
>>  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>>  __do_kmalloc_node mm/slab.c:3689 [inline]
>>  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3703
>>  __kmalloc_reserve.isra.40+0x41/0xd0 net/core/skbuff.c:138
>>  __alloc_skb+0x13b/0x780 net/core/skbuff.c:206
>>  alloc_skb include/linux/skbuff.h:985 [inline]
>>  sock_wmalloc+0x140/0x1d0 net/core/sock.c:1932
>>  __ip6_append_data.isra.43+0x2681/0x3340 net/ipv6/ip6_output.c:1397
>>  ip6_append_data+0x189/0x290 net/ipv6/ip6_output.c:1552
>>  rawv6_sendmsg+0x1dd9/0x3e40 net/ipv6/raw.c:928
>>  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
>>  sock_sendmsg_nosec net/socket.c:633 [inline]
>>  sock_sendmsg+0xca/0x110 net/socket.c:643
>>  SYSC_sendto+0x352/0x5a0 net/socket.c:1750
>>  SyS_sendto+0x40/0x50 net/socket.c:1718
>>  entry_SYSCALL_64_fastpath+0x1f/0xbe
>>
>> Freed by task 16942:
>>  save_stack_trace+0x16/0x20 arch/x86/kernel/stacktrace.c:59
>>  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>  set_track mm/kasan/kasan.c:459 [inline]
>>  kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>>  __cache_free mm/slab.c:3503 [inline]
>>  kfree+0xca/0x250 mm/slab.c:3820
>>  skb_free_head+0x74/0xb0 net/core/skbuff.c:554
>>  pskb_expand_head+0x36b/0x1210 net/core/skbuff.c:1494
>>  __pskb_pull_tail+0x14a/0x17c0 net/core/skbuff.c:1877
>>  pskb_may_pull include/linux/skbuff.h:2102 [inline]
>>  _decode_session6+0x8a4/0x1100 net/ipv6/xfrm6_policy.c:148
>
> Looks like we should indicate error by returning some int
> for afinfo->decode_session().


Cong, do you want to do something with this bug? Otherwise I want to
close this as part of old bug bankruptcy.


>>  __xfrm_decode_session+0x63/0x100 net/xfrm/xfrm_policy.c:2343
>>  xfrm_decode_session_reverse include/net/xfrm.h:1181 [inline]
>>  icmpv6_route_lookup+0x343/0x640 net/ipv6/icmp.c:372
>>  icmp6_send+0x1569/0x25b0 net/ipv6/icmp.c:551
>>  icmpv6_send+0x142/0x280 net/ipv6/ip6_icmp.c:42
>>  ip6_link_failure+0x94/0x580 net/ipv6/route.c:1997
>>  dst_link_failure include/net/dst.h:442 [inline]
>>  ipip6_tunnel_xmit net/ipv6/sit.c:940 [inline]
>>  sit_tunnel_xmit+0x244f/0x3130 net/ipv6/sit.c:1016
>>  __netdev_start_xmit include/linux/netdevice.h:4022 [inline]
>>  netdev_start_xmit include/linux/netdevice.h:4031 [inline]
>>  xmit_one net/core/dev.c:3008 [inline]
>>  dev_hard_start_xmit+0x248/0xac0 net/core/dev.c:3024
>>  __dev_queue_xmit+0x17d2/0x2070 net/core/dev.c:3505
>>  dev_queue_xmit+0x17/0x20 net/core/dev.c:3538
>>  neigh_direct_output+0x15/0x20 net/core/neighbour.c:1390
>>  neigh_output include/net/neighbour.h:481 [inline]
>>  ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120
>>  ip6_fragment+0x25ae/0x3420 net/ipv6/ip6_output.c:723
>>  ip6_finish_output+0x319/0x920 net/ipv6/ip6_output.c:144
>>  NF_HOOK_COND include/linux/netfilter.h:238 [inline]
>>  ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163
>>  dst_output include/net/dst.h:459 [inline]
>>  ip6_local_out+0x95/0x160 net/ipv6/output_core.c:176
>>  ip6_send_skb+0xa1/0x330 net/ipv6/ip6_output.c:1658
>>  ip6_push_pending_frames+0xb3/0xe0 net/ipv6/ip6_output.c:1678
>>  rawv6_push_pending_frames net/ipv6/raw.c:616 [inline]
>>  rawv6_sendmsg+0x2eb9/0x3e40 net/ipv6/raw.c:935
>>  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
>>  sock_sendmsg_nosec net/socket.c:633 [inline]
>>  sock_sendmsg+0xca/0x110 net/socket.c:643
>>  SYSC_sendto+0x352/0x5a0 net/socket.c:1750
>>  SyS_sendto+0x40/0x50 net/socket.c:1718
>>  entry_SYSCALL_64_fastpath+0x1f/0xbe
>>
>> The buggy address belongs to the object at ffff8801c64afc80
>>  which belongs to the cache kmalloc-512 of size 512
>> The buggy address is located 128 bytes inside of
>>  512-byte region [ffff8801c64afc80, ffff8801c64afe80)
>> The buggy address belongs to the page:
>> page:ffffea0007192bc0 count:1 mapcount:0 mapping:ffff8801c64af000 index:0x0
>> flags: 0x200000000000100(slab)
>> raw: 0200000000000100 ffff8801c64af000 0000000000000000 0000000100000006
>> raw: ffffea00072d04e0 ffffea0007083fe0 ffff8801dac00940 0000000000000000
>> page dumped because: kasan: bad access detected
>>
>> Memory state around the buggy address:
>>  ffff8801c64afc00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>  ffff8801c64afc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>
>>> ffff8801c64afd00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>
>>                    ^
>>  ffff8801c64afd80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>  ffff8801c64afe00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> ==================================================================
>>
>>
>> ---
>> This bug is generated by a dumb bot. It may contain errors.
>> See https://goo.gl/tpsmEJ for details.
>> Direct all questions to syzkaller@...glegroups.com.
>>
>> syzbot will keep track of this bug report.
>> Once a fix for this bug is committed, please reply to this email with:
>> #syz fix: exact-commit-title
>> To mark this as a duplicate of another syzbot report, please reply with:
>> #syz dup: exact-subject-of-another-report
>> If it's a one-off invalid bug report, please reply with:
>> #syz invalid
>> Note: if the crash happens again, it will cause creation of a new bug
>> report.
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@...glegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/CAM_iQpVyf_%3DUFW5Oay9a15GD8QaXbgbPse333SWAivE%3Ddd%2BTXQ%40mail.gmail.com.
> For more options, visit https://groups.google.com/d/optout.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ