[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <0000000000000a5b840576bad225@google.com>
Date: Tue, 25 Sep 2018 16:54:03 -0700
From: syzbot <syzbot+12638b747fd208f6cff0@...kaller.appspotmail.com>
To: aviadye@...lanox.com, borisp@...lanox.com, davejwatson@...com,
davem@...emloft.net, linux-kernel@...r.kernel.org,
netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: KASAN: slab-out-of-bounds Read in tls_write_space
Hello,
syzbot found the following crash on:
HEAD commit: bd4d08daeb95 Merge branch 'net-dsa-b53-SGMII-modes-fixes'
git tree: net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=110b6a1a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=e79b9299baeb2298
dashboard link: https://syzkaller.appspot.com/bug?extid=12638b747fd208f6cff0
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=167d9b9e400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=15c4003a400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+12638b747fd208f6cff0@...kaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
==================================================================
BUG: KASAN: slab-out-of-bounds in __swab64p include/uapi/linux/swab.h:192
[inline]
BUG: KASAN: slab-out-of-bounds in __be64_to_cpup
include/uapi/linux/byteorder/little_endian.h:74 [inline]
BUG: KASAN: slab-out-of-bounds in is_tx_ready include/net/tls.h:354 [inline]
BUG: KASAN: slab-out-of-bounds in tls_write_space+0x29d/0x2d0
net/tls/tls_main.c:236
Read of size 8 at addr ffff8801bc3c9ff0 by task ksoftirqd/1/18
CPU: 1 PID: 18 Comm: ksoftirqd/1 Not tainted 4.19.0-rc4+ #227
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c4/0x2b4 lib/dump_stack.c:113
print_address_description.cold.8+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
__swab64p include/uapi/linux/swab.h:192 [inline]
__be64_to_cpup include/uapi/linux/byteorder/little_endian.h:74 [inline]
is_tx_ready include/net/tls.h:354 [inline]
tls_write_space+0x29d/0x2d0 net/tls/tls_main.c:236
tcp_new_space net/ipv4/tcp_input.c:5154 [inline]
tcp_check_space+0x53f/0x920 net/ipv4/tcp_input.c:5165
tcp_data_snd_check net/ipv4/tcp_input.c:5175 [inline]
tcp_rcv_established+0xde8/0x2120 net/ipv4/tcp_input.c:5656
tcp_v6_do_rcv+0x4b3/0x13c0 net/ipv6/tcp_ipv6.c:1326
tcp_v6_rcv+0x2f7a/0x38a0 net/ipv6/tcp_ipv6.c:1555
ip6_input_finish+0x3fc/0x1aa0 net/ipv6/ip6_input.c:384
NF_HOOK include/linux/netfilter.h:287 [inline]
ip6_input+0xe9/0x600 net/ipv6/ip6_input.c:427
dst_input include/net/dst.h:450 [inline]
ip6_rcv_finish+0x17a/0x330 net/ipv6/ip6_input.c:76
NF_HOOK include/linux/netfilter.h:287 [inline]
ipv6_rcv+0x113/0x640 net/ipv6/ip6_input.c:272
__netif_receive_skb_one_core+0x14d/0x200 net/core/dev.c:4894
__netif_receive_skb+0x2c/0x1e0 net/core/dev.c:5004
process_backlog+0x217/0x760 net/core/dev.c:5808
napi_poll net/core/dev.c:6228 [inline]
net_rx_action+0x7c5/0x1950 net/core/dev.c:6294
__do_softirq+0x30b/0xad8 kernel/softirq.c:292
run_ksoftirqd+0x94/0x100 kernel/softirq.c:653
smpboot_thread_fn+0x68b/0xa00 kernel/smpboot.c:164
kthread+0x35a/0x420 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
Allocated by task 3559:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
kmem_cache_alloc_trace+0x152/0x750 mm/slab.c:3620
kmalloc include/linux/slab.h:513 [inline]
kzalloc include/linux/slab.h:707 [inline]
kernfs_fop_open+0x358/0xf90 fs/kernfs/file.c:648
do_dentry_open+0x499/0x1250 fs/open.c:771
vfs_open+0xa0/0xd0 fs/open.c:880
do_last fs/namei.c:3418 [inline]
path_openat+0x12bf/0x5160 fs/namei.c:3534
do_filp_open+0x255/0x380 fs/namei.c:3564
do_sys_open+0x568/0x700 fs/open.c:1063
__do_sys_open fs/open.c:1081 [inline]
__se_sys_open fs/open.c:1076 [inline]
__x64_sys_open+0x7e/0xc0 fs/open.c:1076
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 3559:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3813
kernfs_fop_release+0x12b/0x1a0 fs/kernfs/file.c:783
__fput+0x385/0xa30 fs/file_table.c:278
____fput+0x15/0x20 fs/file_table.c:309
task_work_run+0x1e8/0x2a0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:193 [inline]
exit_to_usermode_loop+0x318/0x380 arch/x86/entry/common.c:166
prepare_exit_to_usermode arch/x86/entry/common.c:197 [inline]
syscall_return_slowpath arch/x86/entry/common.c:268 [inline]
do_syscall_64+0x6be/0x820 arch/x86/entry/common.c:293
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8801bc3c9c80
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 368 bytes to the right of
512-byte region [ffff8801bc3c9c80, ffff8801bc3c9e80)
The buggy address belongs to the page:
page:ffffea0006f0f240 count:1 mapcount:0 mapping:ffff8801da800940 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0006ee1408 ffffea0007619c08 ffff8801da800940
raw: 0000000000000000 ffff8801bc3c9000 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801bc3c9e80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801bc3c9f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801bc3c9f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801bc3ca000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801bc3ca080: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Powered by blists - more mailing lists