lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <000000000000b436ad058255c528@google.com>
Date:   Wed, 20 Feb 2019 08:23:04 -0800
From:   syzbot <syzbot+3d7fa0f0de0f86d0eb4f@...kaller.appspotmail.com>
To:     davem@...emloft.net, kuznet@....inr.ac.ru,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, yoshfuji@...ux-ipv6.org
Subject: KASAN: use-after-free Read in icmp_sk_exit

Hello,

syzbot found the following crash on:

HEAD commit:    1f43f400a2cb net: netcp: Fix ethss driver probe issue
git tree:       net
console output: https://syzkaller.appspot.com/x/log.txt?x=1276fea2c00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=ee434566c893c7b1
dashboard link: https://syzkaller.appspot.com/bug?extid=3d7fa0f0de0f86d0eb4f
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+3d7fa0f0de0f86d0eb4f@...kaller.appspotmail.com

IPVS: set_ctl: invalid protocol: 63 172.20.20.187:20002
kernel msg: ebtables bug: please report to author: entries_size too small
kernel msg: ebtables bug: please report to author: entries_size too small
==================================================================
BUG: KASAN: use-after-free in inet_ctl_sock_destroy  
include/net/inet_common.h:56 [inline]
BUG: KASAN: use-after-free in icmp_sk_exit+0x1ce/0x1f0 net/ipv4/icmp.c:1187
Read of size 8 at addr ffff8880847adc50 by task kworker/u4:1/21

CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0-rc6+ #85
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Workqueue: netns cleanup_net
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
  print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
  kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
  inet_ctl_sock_destroy include/net/inet_common.h:56 [inline]
  icmp_sk_exit+0x1ce/0x1f0 net/ipv4/icmp.c:1187
  ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
  cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
  process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
  worker_thread+0x98/0xe40 kernel/workqueue.c:2319
  kthread+0x357/0x430 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

Allocated by task 25570:
  save_stack+0x45/0xd0 mm/kasan/common.c:73
  set_track mm/kasan/common.c:85 [inline]
  __kasan_kmalloc mm/kasan/common.c:496 [inline]
  __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:469
  kasan_kmalloc mm/kasan/common.c:504 [inline]
  kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:411
  kmem_cache_alloc+0x12d/0x710 mm/slab.c:3543
  sk_prot_alloc+0x67/0x2e0 net/core/sock.c:1471
  sk_alloc+0x39/0xf70 net/core/sock.c:1531
  inet_create net/ipv4/af_inet.c:321 [inline]
  inet_create+0x36a/0xe10 net/ipv4/af_inet.c:247
  __sock_create+0x3e6/0x750 net/socket.c:1275
  sock_create_kern+0x3b/0x50 net/socket.c:1321
  inet_ctl_sock_create+0x9d/0x1f0 net/ipv4/af_inet.c:1614
  icmp_sk_init net/ipv4/icmp.c:1203 [inline]
  icmp_sk_init+0x120/0x680 net/ipv4/icmp.c:1192
  ops_init+0xb6/0x410 net/core/net_namespace.c:129
  setup_net+0x2c5/0x730 net/core/net_namespace.c:314
  copy_net_ns+0x1d9/0x340 net/core/net_namespace.c:437
  create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
  unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
  ksys_unshare+0x440/0x980 kernel/fork.c:2550
  __do_sys_unshare kernel/fork.c:2618 [inline]
  __se_sys_unshare kernel/fork.c:2616 [inline]
  __x64_sys_unshare+0x31/0x40 kernel/fork.c:2616
  do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 21:
  save_stack+0x45/0xd0 mm/kasan/common.c:73
  set_track mm/kasan/common.c:85 [inline]
  __kasan_slab_free+0x102/0x150 mm/kasan/common.c:458
  kasan_slab_free+0xe/0x10 mm/kasan/common.c:466
  __cache_free mm/slab.c:3487 [inline]
  kmem_cache_free+0x86/0x260 mm/slab.c:3749
  sk_prot_free net/core/sock.c:1512 [inline]
  __sk_destruct+0x4b6/0x6d0 net/core/sock.c:1596
  sk_destruct+0x7b/0x90 net/core/sock.c:1604
  __sk_free+0xce/0x300 net/core/sock.c:1615
  sk_free+0x42/0x50 net/core/sock.c:1626
  sock_put include/net/sock.h:1707 [inline]
  sk_common_release+0x224/0x330 net/core/sock.c:3042
  raw_close+0x22/0x30 net/ipv4/raw.c:708
  inet_release+0x105/0x1f0 net/ipv4/af_inet.c:428
  __sock_release+0x1d3/0x250 net/socket.c:579
  sock_release+0x18/0x20 net/socket.c:598
  inet_ctl_sock_destroy include/net/inet_common.h:56 [inline]
  icmp_sk_exit+0x11f/0x1f0 net/ipv4/icmp.c:1187
  ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
  cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
  process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
  worker_thread+0x98/0xe40 kernel/workqueue.c:2319
  kthread+0x357/0x430 kernel/kthread.c:246
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352

The buggy address belongs to the object at ffff8880847ad840
  which belongs to the cache RAW(97:syz4) of size 1320
The buggy address is located 1040 bytes inside of
  1320-byte region [ffff8880847ad840, ffff8880847add68)
The buggy address belongs to the page:
page:ffffea000211eb00 count:1 mapcount:0 mapping:ffff8880a84bf1c0  
index:0xffff8880847ac140 compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffff8880a4cd5b38 ffff8880a4cd5b38 ffff8880a84bf1c0
raw: ffff8880847ac140 ffff8880847ac140 0000000100000003 ffff888067b1a1c0
page dumped because: kasan: bad access detected
page->mem_cgroup:ffff888067b1a1c0

Memory state around the buggy address:
  ffff8880847adb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880847adb80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff8880847adc00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                  ^
  ffff8880847adc80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff8880847add00: fb fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with  
syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ