| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 23 Dec 2019 06:55:11 -0800
From: syzbot <syzbot+6745e272378d071cac7f@...kaller.appspotmail.com>
To: arnd@...db.de, daniel@...earbox.net, davej@...hat.com,
davem@...emloft.net, dhowells@...hat.com, edumazet@...gle.com,
hkallweit1@...il.com, jasowang@...hat.com,
linux-kernel@...r.kernel.org, maximmi@...lanox.com, mst@...hat.com,
mtk.manpages@...il.com, netdev@...r.kernel.org,
peterpenkov96@...il.com, sdf@...gle.com,
syzkaller-bugs@...glegroups.com, tglx@...utronix.de
Subject: KASAN: use-after-free Read in eth_type_trans
Hello,
syzbot found the following crash on:
HEAD commit: 4a94c433 Merge tag 'tpmdd-next-20191219' of git://git.infr..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=15e240aee00000
kernel config: https://syzkaller.appspot.com/x/.config?x=745a1e367d8abf39
dashboard link: https://syzkaller.appspot.com/bug?extid=6745e272378d071cac7f
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=1351eb1ee00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=11911f2ee00000
The bug was bisected to:
commit 90e33d45940793def6f773b2d528e9f3c84ffdc7
Author: Petar Penkov <peterpenkov96@...il.com>
Date: Fri Sep 22 20:49:15 2017 +0000
tun: enable napi_gro_frags() for TUN/TAP driver
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=114ebf2ee00000
final crash: https://syzkaller.appspot.com/x/report.txt?x=134ebf2ee00000
console output: https://syzkaller.appspot.com/x/log.txt?x=154ebf2ee00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+6745e272378d071cac7f@...kaller.appspotmail.com
Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")
==================================================================
BUG: KASAN: use-after-free in ether_addr_equal_64bits
include/linux/etherdevice.h:348 [inline]
BUG: KASAN: use-after-free in eth_type_trans+0x6ce/0x760
net/ethernet/eth.c:167
Read of size 8 at addr ffff888084bf0040 by task syz-executor336/10162
CPU: 1 PID: 10162 Comm: syz-executor336 Not tainted 5.5.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
ether_addr_equal_64bits include/linux/etherdevice.h:348 [inline]
eth_type_trans+0x6ce/0x760 net/ethernet/eth.c:167
napi_frags_finish net/core/dev.c:5924 [inline]
napi_gro_frags+0x8c2/0xd00 net/core/dev.c:5999
tun_get_user+0x2e7f/0x3fc0 drivers/net/tun.c:1976
tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2022
call_write_iter include/linux/fs.h:1902 [inline]
do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
do_iter_write fs/read_write.c:970 [inline]
do_iter_write+0x184/0x610 fs/read_write.c:951
vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
do_writev+0x15b/0x330 fs/read_write.c:1058
__do_sys_writev fs/read_write.c:1131 [inline]
__se_sys_writev fs/read_write.c:1128 [inline]
__x64_sys_writev+0x75/0xb0 fs/read_write.c:1128
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x441800
Code: 05 48 3d 01 f0 ff ff 0f 83 fd 0e fc ff c3 66 2e 0f 1f 84 00 00 00 00
00 66 90 83 3d 51 9c 29 00 00 75 14 b8 14 00 00 00 0f 05 <48> 3d 01 f0 ff
ff 0f 83 d4 0e fc ff c3 48 83 ec 08 e8 9a 2b 00 00
RSP: 002b:00007ffe7bc617c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000014
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441800
RDX: 0000000000000001 RSI: 00007ffe7bc61820 RDI: 00000000000000f0
RBP: 00007ffe7bc617f0 R08: 0000000000000000 R09: 0000000000000020
R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000000003
R13: 0000000000000004 R14: 00007ffe7bc61870 R15: 0000000000000000
The buggy address belongs to the page:
page:ffffea000212fc00 refcount:0 mapcount:0 mapping:0000000000000000
index:0x0
raw: 00fffe0000000000 ffffea000212fc08 ffffea000212fc08 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888084beff00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888084beff80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ffff888084bf0000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff888084bf0080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff888084bf0100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
Powered by blists - more mailing lists