lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6747954b.050a0220.253251.0064.GAE@google.com>
Date: Wed, 27 Nov 2024 13:55:23 -0800
From: syzbot <syzbot+a29a4fe94b1560756f7d@...kaller.appspotmail.com>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, 
	linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, 
	syzkaller-bugs@...glegroups.com
Subject: [syzbot] [net?] KASAN: global-out-of-bounds Read in __hw_addr_add_ex (2)

Hello,

syzbot found the following issue on:

HEAD commit:    5f153a692bac Merge commit 'bf40167d54d5' into fixes
git tree:       git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux.git fixes
console output: https://syzkaller.appspot.com/x/log.txt?x=17e6d230580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=cdbbf8ef410bf2e8
dashboard link: https://syzkaller.appspot.com/bug?extid=a29a4fe94b1560756f7d
compiler:       riscv64-linux-gnu-gcc (Debian 12.2.0-13) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: riscv64
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=1080aca7980000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11c3a940580000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/a741b348759c/non_bootable_disk-5f153a69.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/bf8994051afc/vmlinux-5f153a69.xz
kernel image: https://storage.googleapis.com/syzbot-assets/7603ef590293/Image-5f153a69.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+a29a4fe94b1560756f7d@...kaller.appspotmail.com

==================================================================
BUG: KASAN: global-out-of-bounds in memcmp+0xc0/0xca lib/string.c:676
Read of size 1 at addr ffffffff895cb520 by task syz-executor156/3200

CPU: 1 UID: 0 PID: 3200 Comm: syz-executor156 Not tainted 6.12.0-rc1-syzkaller-00012-g5f153a692bac #0
Hardware name: riscv-virtio,qemu (DT)
Call Trace:
[<ffffffff80010a14>] dump_backtrace+0x2e/0x3c arch/riscv/kernel/stacktrace.c:130
[<ffffffff85f7c3cc>] show_stack+0x34/0x40 arch/riscv/kernel/stacktrace.c:136
[<ffffffff85fd797a>] __dump_stack lib/dump_stack.c:94 [inline]
[<ffffffff85fd797a>] dump_stack_lvl+0x122/0x196 lib/dump_stack.c:120
[<ffffffff85f861e4>] print_address_description mm/kasan/report.c:377 [inline]
[<ffffffff85f861e4>] print_report+0x290/0x5a0 mm/kasan/report.c:488
[<ffffffff80970318>] kasan_report+0xec/0x118 mm/kasan/report.c:601
[<ffffffff8097214e>] __asan_report_load1_noabort+0x12/0x1a mm/kasan/report_generic.c:378
[<ffffffff85f525ae>] memcmp+0xc0/0xca lib/string.c:676
[<ffffffff84d3805e>] __hw_addr_add_ex+0xee/0x676 net/core/dev_addr_lists.c:88
[<ffffffff84d3b06a>] __dev_mc_add net/core/dev_addr_lists.c:867 [inline]
[<ffffffff84d3b06a>] dev_mc_add+0xac/0x108 net/core/dev_addr_lists.c:885
[<ffffffff84edd5e2>] mrp_init_applicant+0xe8/0x56e net/802/mrp.c:873
[<ffffffff85ad13e2>] vlan_mvrp_init_applicant+0x26/0x30 net/8021q/vlan_mvrp.c:57
[<ffffffff85ac7490>] register_vlan_dev+0x1b4/0x922 net/8021q/vlan.c:170
[<ffffffff85acfab0>] vlan_newlink+0x3d2/0x5fc net/8021q/vlan_netlink.c:193
[<ffffffff84d83228>] rtnl_newlink_create net/core/rtnetlink.c:3510 [inline]
[<ffffffff84d83228>] __rtnl_newlink+0xfe2/0x1738 net/core/rtnetlink.c:3730
[<ffffffff84d839ea>] rtnl_newlink+0x6c/0xa2 net/core/rtnetlink.c:3743
[<ffffffff84d7259a>] rtnetlink_rcv_msg+0x428/0xdbe net/core/rtnetlink.c:6646
[<ffffffff850b3e8e>] netlink_rcv_skb+0x216/0x3dc net/netlink/af_netlink.c:2550
[<ffffffff84d6454c>] rtnetlink_rcv+0x26/0x30 net/core/rtnetlink.c:6664
[<ffffffff850b2140>] netlink_unicast_kernel net/netlink/af_netlink.c:1331 [inline]
[<ffffffff850b2140>] netlink_unicast+0x4f0/0x82c net/netlink/af_netlink.c:1357
[<ffffffff850b2ce0>] netlink_sendmsg+0x864/0xdc6 net/netlink/af_netlink.c:1901
[<ffffffff84c5e82a>] sock_sendmsg_nosec net/socket.c:729 [inline]
[<ffffffff84c5e82a>] __sock_sendmsg+0xcc/0x160 net/socket.c:744
[<ffffffff84c5f436>] ____sys_sendmsg+0x5ce/0x79e net/socket.c:2602
[<ffffffff84c66b4c>] ___sys_sendmsg+0x144/0x1e6 net/socket.c:2656
[<ffffffff84c67624>] __sys_sendmsg+0x130/0x1f0 net/socket.c:2685
[<ffffffff84c67754>] __do_sys_sendmsg net/socket.c:2694 [inline]
[<ffffffff84c67754>] __se_sys_sendmsg net/socket.c:2692 [inline]
[<ffffffff84c67754>] __riscv_sys_sendmsg+0x70/0xa2 net/socket.c:2692
[<ffffffff8000f2d4>] syscall_handler+0x94/0x118 arch/riscv/include/asm/syscall.h:90
[<ffffffff85fd9c4a>] do_trap_ecall_u+0x1aa/0x216 arch/riscv/kernel/traps.c:331
[<ffffffff85ffcac6>] _new_vmalloc_restore_context_a0+0xc2/0xce

The buggy address belongs to the variable:
 vlan_mrp_app+0x60/0x3e80

The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x897cb
flags: 0xffe000000002000(reserved|node=0|zone=0|lastcpupid=0x7ff)
raw: 0ffe000000002000 ff1c00000025f2c8 ff1c00000025f2c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner info is not present (never set?)

Memory state around the buggy address:
 ffffffff895cb400: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
 ffffffff895cb480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>ffffffff895cb500: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
                               ^
 ffffffff895cb580: 00 00 00 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9
 ffffffff895cb600: 00 00 00 00 f9 f9 f9 f9 00 00 00 00 00 00 00 00
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ