Date:   Thu, 18 Jan 2018 15:58:01 -0800
From:   syzbot <syzbot+9da69ebac7dddd804552@...kaller.appspotmail.com>
To:     andreyknvl@...gle.com, anoob.soman@...rix.com, davem@...emloft.net,
        edumazet@...gle.com, elena.reshetova@...el.com,
        keescook@...omium.org, linux-kernel@...r.kernel.org,
        maloney@...gle.com, netdev@...r.kernel.org, rami.rosen@...el.com,
        sowmini.varadhan@...cle.com, syzkaller-bugs@...glegroups.com,
        willemb@...gle.com
Subject: KASAN: slab-out-of-bounds Read in __dev_queue_xmit

Hello,

syzbot hit the following crash on linux-next commit
0e08c463db387a2adcb0243b15ab868a73f87807

So far this crash happened 6 times on linux-next, mmots, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+9da69ebac7dddd804552@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for details.
If you forward the report, please keep this part and the footer.

device syz0 entered promiscuous mode
audit: type=1400 audit(1514752309.665:10): avc:  denied  { net_raw } for  pid=3143 comm="syzkaller343753" capability=13  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
audit: type=1400 audit(1514752309.668:11): avc:  denied  { net_admin } for  pid=3143 comm="syzkaller343753" capability=12  scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in __tcp_hdrlen include/linux/tcp.h:35 [inline]
BUG: KASAN: slab-out-of-bounds in tcp_hdrlen include/linux/tcp.h:40 [inline]
BUG: KASAN: slab-out-of-bounds in qdisc_pkt_len_init net/core/dev.c:3160 [inline]
BUG: KASAN: slab-out-of-bounds in __dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465
Read of size 2 at addr ffff8801c85791e0 by task syzkaller343753/3143

CPU: 0 PID: 3143 Comm: syzkaller343753 Not tainted 4.15.0-rc4-next-20171221+ #78
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x257 lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:252
  kasan_report_error mm/kasan/report.c:351 [inline]
  kasan_report+0x25b/0x340 mm/kasan/report.c:409
  __asan_report_load2_noabort+0x14/0x20 mm/kasan/report.c:428
  __tcp_hdrlen include/linux/tcp.h:35 [inline]
  tcp_hdrlen include/linux/tcp.h:40 [inline]
  qdisc_pkt_len_init net/core/dev.c:3160 [inline]
  __dev_queue_xmit+0x20d3/0x2200 net/core/dev.c:3465
  dev_queue_xmit+0x17/0x20 net/core/dev.c:3554
  packet_snd net/packet/af_packet.c:2943 [inline]
  packet_sendmsg+0x3ad5/0x60a0 net/packet/af_packet.c:2968
  sock_sendmsg_nosec net/socket.c:628 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:638
  sock_write_iter+0x31a/0x5d0 net/socket.c:907
  call_write_iter include/linux/fs.h:1776 [inline]
  new_sync_write fs/read_write.c:469 [inline]
  __vfs_write+0x684/0x970 fs/read_write.c:482
  vfs_write+0x189/0x510 fs/read_write.c:544
  SYSC_write fs/read_write.c:589 [inline]
  SyS_write+0xef/0x220 fs/read_write.c:581
  entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x444df9
RSP: 002b:00000000007eff78 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007ffc3d2180f0 RCX: 0000000000444df9
RDX: 00000000000000ce RSI: 0000000020fecf2b RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000297 R12: 00000000004029f0
R13: 0000000000402a80 R14: 0000000000000000 R15: 0000000000000000

Allocated by task 3143:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:447
  set_track mm/kasan/kasan.c:459 [inline]
  kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
  __do_kmalloc_node mm/slab.c:3673 [inline]
  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3687
  __kmalloc_reserve.isra.41+0x41/0xd0 net/core/skbuff.c:137
  __alloc_skb+0x13b/0x780 net/core/skbuff.c:205
  alloc_skb include/linux/skbuff.h:983 [inline]
  alloc_skb_with_frags+0x10d/0x750 net/core/skbuff.c:5146
  sock_alloc_send_pskb+0x787/0x9b0 net/core/sock.c:2088
  packet_alloc_skb net/packet/af_packet.c:2802 [inline]
  packet_snd net/packet/af_packet.c:2893 [inline]
  packet_sendmsg+0x1ec2/0x60a0 net/packet/af_packet.c:2968
  sock_sendmsg_nosec net/socket.c:628 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:638
  sock_write_iter+0x31a/0x5d0 net/socket.c:907
  call_write_iter include/linux/fs.h:1776 [inline]
  new_sync_write fs/read_write.c:469 [inline]
  __vfs_write+0x684/0x970 fs/read_write.c:482
  vfs_write+0x189/0x510 fs/read_write.c:544
  SYSC_write fs/read_write.c:589 [inline]
  SyS_write+0xef/0x220 fs/read_write.c:581
  entry_SYSCALL_64_fastpath+0x1f/0x96

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8801c8578d80
  which belongs to the cache kmalloc-1024 of size 1024
The buggy address is located 96 bytes to the right of
  1024-byte region [ffff8801c8578d80, ffff8801c8579180)
The buggy address belongs to the page:
page:00000000c294763f count:1 mapcount:0 mapping:0000000098a38184 index:0x0 compound_mapcount: 0
flags: 0x2fffc0000008100(slab|head)
raw: 02fffc0000008100 ffff8801c8578000 0000000000000000 0000000100000007
raw: ffffea0007252920 ffff8801dac01848 ffff8801dac00ac0 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801c8579080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8801c8579100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801c8579180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                                        ^
  ffff8801c8579200: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8801c8579280: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.

View attachment "raw.log.txt" of type "text/plain" (12473 bytes)

View attachment "repro.syz.txt" of type "text/plain" (2347 bytes)

View attachment "repro.c.txt" of type "text/plain" (13666 bytes)

View attachment "config.txt" of type "text/plain" (126365 bytes)
