lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <0000000000004fd863058877c251@google.com>
Date:   Thu, 09 May 2019 10:27:06 -0700
From:   syzbot <syzbot+b8031b06e100c1c5292c@...kaller.appspotmail.com>
To:     ast@...nel.org, bpf@...r.kernel.org, daniel@...earbox.net,
        davem@...emloft.net, jon.maloy@...csson.com, kafai@...com,
        kuznet@....inr.ac.ru, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, songliubraving@...com,
        syzkaller-bugs@...glegroups.com,
        tipc-discussion@...ts.sourceforge.net, yhs@...com,
        ying.xue@...driver.com, yoshfuji@...ux-ipv6.org
Subject: KASAN: slab-out-of-bounds Read in ip_append_data

Hello,

syzbot found the following crash on:

HEAD commit:    80f23212 Merge git://git.kernel.org/pub/scm/linux/kernel/g..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1630988ca00000
kernel config:  https://syzkaller.appspot.com/x/.config?x=40a58b399941db7e
dashboard link: https://syzkaller.appspot.com/bug?extid=b8031b06e100c1c5292c
compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=17b4aec8a00000

The bug was bisected to:

commit 52dfae5c85a4c1078e9f1d5e8947d4a25f73dd81
Author: Jon Maloy <jon.maloy@...csson.com>
Date:   Thu Mar 22 19:42:52 2018 +0000

     tipc: obtain node identity from interface by default

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=10130c22a00000
final crash:    https://syzkaller.appspot.com/x/report.txt?x=12130c22a00000
console output: https://syzkaller.appspot.com/x/log.txt?x=14130c22a00000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+b8031b06e100c1c5292c@...kaller.appspotmail.com
Fixes: 52dfae5c85a4 ("tipc: obtain node identity from interface by default")

==================================================================
BUG: KASAN: slab-out-of-bounds in skb_queue_empty  
include/linux/skbuff.h:1478 [inline]
BUG: KASAN: slab-out-of-bounds in ip_append_data.part.0+0x16a/0x170  
net/ipv4/ip_output.c:1207
Read of size 8 at addr ffff8880a74d0bd4 by task udevd/7768

CPU: 0 PID: 7768 Comm: udevd Not tainted 5.1.0+ #3
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
Call Trace:
  <IRQ>
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x172/0x1f0 lib/dump_stack.c:113
  print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
  __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
  kasan_report+0x12/0x20 mm/kasan/common.c:614
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
  skb_queue_empty include/linux/skbuff.h:1478 [inline]
  ip_append_data.part.0+0x16a/0x170 net/ipv4/ip_output.c:1207
  ip_append_data+0x6e/0x90 net/ipv4/ip_output.c:1204
  icmp_push_reply+0x189/0x510 net/ipv4/icmp.c:375
  __icmp_send+0xaa1/0x1400 net/ipv4/icmp.c:737
  icmp_send include/net/icmp.h:47 [inline]
  __udp4_lib_rcv+0x1fe9/0x2ca0 net/ipv4/udp.c:2318
  udp_rcv+0x22/0x30 net/ipv4/udp.c:2477
  ip_protocol_deliver_rcu+0x3bc/0x940 net/ipv4/ip_input.c:211
  ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:238
  NF_HOOK include/linux/netfilter.h:305 [inline]
  NF_HOOK include/linux/netfilter.h:299 [inline]
  ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:259
  dst_input include/net/dst.h:439 [inline]
  ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:420
  NF_HOOK include/linux/netfilter.h:305 [inline]
  NF_HOOK include/linux/netfilter.h:299 [inline]
  ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:530
  __netif_receive_skb_one_core+0x18d/0x1f0 net/core/dev.c:4990
  __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5104
  process_backlog+0x206/0x750 net/core/dev.c:5944
  napi_poll net/core/dev.c:6367 [inline]
  net_rx_action+0x4fa/0x1070 net/core/dev.c:6433
  __do_softirq+0x266/0x95a kernel/softirq.c:293
  invoke_softirq kernel/softirq.c:374 [inline]
  irq_exit+0x180/0x1d0 kernel/softirq.c:414
  exiting_irq arch/x86/include/asm/apic.h:536 [inline]
  smp_apic_timer_interrupt+0x14a/0x570 arch/x86/kernel/apic/apic.c:1067
  apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
  </IRQ>
RIP: 0010:find_vma+0xe4/0x170 mm/mmap.c:2243
Code: 00 0f 85 8b 00 00 00 48 8b 5b 10 e8 f6 fe d2 ff 48 85 db 74 4c e8 ec  
fe d2 ff 48 8d 7b e8 48 89 f8 48 c1 e8 03 42 80 3c 38 00 <75> 58 4c 8b 73  
e8 4c 89 e6 4c 89 f7 e8 eb ff d2 ff 4d 39 e6 0f 87
RSP: 0000:ffff888090777e68 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13
RAX: 1ffff110123db801 RBX: ffff888091edc020 RCX: ffffffff819d8a45
RDX: 0000000000000000 RSI: ffffffff819d8a24 RDI: ffff888091edc008
RBP: ffff888090777e90 R08: ffff888093a62500 R09: ffff888093a62da0
R10: ffff888093a62d80 R11: ffff888093a62500 R12: 00007ffd5ea48f40
R13: 0000000000000000 R14: 00007f6ebd0e3000 R15: dffffc0000000000
  do_user_addr_fault arch/x86/mm/fault.c:1418 [inline]
  __do_page_fault+0x375/0xda0 arch/x86/mm/fault.c:1523
  do_page_fault+0x71/0x581 arch/x86/mm/fault.c:1554
  page_fault+0x1e/0x30 arch/x86/entry/entry_64.S:1142
RIP: 0033:0x407821
Code: 02 00 00 e9 c7 fb ff ff 8b 54 24 68 85 d2 0f 89 e9 fb ff ff 48 83 7c  
24 40 00 0f 84 9c fa ff ff 48 8b 54 24 40 48 8b 44 24 58 <c6> 04 02 00 e9  
89 fa ff ff 66 0f 1f 44 00 00 be 02 00 00 00 44 89
RSP: 002b:00007ffd5ea45cf0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: 0000000002215250 RCX: 00000000ffffffff
RDX: 00007ffd5ea48f40 RSI: 0000000000000002 RDI: 0000000000000007
RBP: 0000000000625500 R08: 00007ffd5ebb80b0 R09: 00007ffd5ebb8080
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffd5ea45dc0
R13: 0000000000000001 R14: 00007ffd5ea45d54 R15: 0000000002215250

Allocated by task 7810:
  save_stack+0x23/0x90 mm/kasan/common.c:71
  set_track mm/kasan/common.c:79 [inline]
  __kasan_kmalloc mm/kasan/common.c:489 [inline]
  __kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
  kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:497
  slab_post_alloc_hook mm/slab.h:437 [inline]
  slab_alloc mm/slab.c:3357 [inline]
  kmem_cache_alloc+0x11a/0x6f0 mm/slab.c:3519
  sk_prot_alloc+0x67/0x2e0 net/core/sock.c:1602
  sk_alloc+0x39/0xf70 net/core/sock.c:1662
  inet_create net/ipv4/af_inet.c:325 [inline]
  inet_create+0x36a/0xe10 net/ipv4/af_inet.c:251
  __sock_create+0x3e6/0x750 net/socket.c:1430
  sock_create_kern+0x3b/0x50 net/socket.c:1499
  inet_ctl_sock_create+0x9d/0x1f0 net/ipv4/af_inet.c:1624
  icmp_sk_init+0x11c/0x4c0 net/ipv4/icmp.c:1204
  ops_init+0xb6/0x410 net/core/net_namespace.c:129
  setup_net+0x2d3/0x740 net/core/net_namespace.c:315
  copy_net_ns+0x1df/0x340 net/core/net_namespace.c:438
  create_new_namespaces+0x400/0x7b0 kernel/nsproxy.c:107
  unshare_nsproxy_namespaces+0xc2/0x200 kernel/nsproxy.c:206
  ksys_unshare+0x440/0x980 kernel/fork.c:2661
  __do_sys_unshare kernel/fork.c:2729 [inline]
  __se_sys_unshare kernel/fork.c:2727 [inline]
  __x64_sys_unshare+0x31/0x40 kernel/fork.c:2727
  do_syscall_64+0x103/0x670 arch/x86/entry/common.c:298
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

Freed by task 0:
(stack is not available)

The buggy address belongs to the object at ffff8880a74d0680
  which belongs to the cache RAW of size 1352
The buggy address is located 12 bytes to the right of
  1352-byte region [ffff8880a74d0680, ffff8880a74d0bc8)
The buggy address belongs to the page:
page:ffffea00029d3400 count:1 mapcount:0 mapping:ffff88821ac8bc00 index:0x0  
compound_mapcount: 0
flags: 0x1fffc0000010200(slab|head)
raw: 01fffc0000010200 ffffea0002970088 ffffea000219cb88 ffff88821ac8bc00
raw: 0000000000000000 ffff8880a74d0080 0000000100000005 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8880a74d0a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8880a74d0b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8880a74d0b80: 00 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc
                                                  ^
  ffff8880a74d0c00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8880a74d0c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ