| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 06 Mar 2018 22:59:03 -0800
From: syzbot <syzbot+92fa328176eb07e4ac1a@...kaller.appspotmail.com>
To: davem@...emloft.net, kuznet@....inr.ac.ru,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
syzkaller-bugs@...glegroups.com, yoshfuji@...ux-ipv6.org
Subject: KASAN: slab-out-of-bounds Read in ip6_xmit (2)
Hello,
syzbot hit the following crash on net-next commit
0f3e9c97eb5a97972b0c0076a5cc01bb142f8e70 (Tue Mar 6 05:53:44 2018 +0000)
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
So far this crash happened 21 times on net-next, upstream.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+92fa328176eb07e4ac1a@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for
details.
If you forward the report, please keep this part and the footer.
8021q: adding VLAN 0 to HW filter on device bond0
IPv6: ADDRCONF(NETDEV_UP): veth0: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
audit: type=1400 audit(1520381312.479:10): avc: denied { sys_chroot }
for pid=4238 comm="syzkaller248290" capability=18
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns
permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in ip6_dst_idev include/net/ip6_fib.h:192
[inline]
BUG: KASAN: slab-out-of-bounds in ip6_xmit+0x1f76/0x2260
net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801aff89718 by task syzkaller248290/4238
CPU: 1 PID: 4238 Comm: syzkaller248290 Not tainted 4.16.0-rc4+ #254
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23c/0x360 mm/kasan/report.c:412
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
ip6_dst_idev include/net/ip6_fib.h:192 [inline]
ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
sock_sendmsg_nosec net/socket.c:629 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:639
___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
__sys_sendmsg+0xe5/0x210 net/socket.c:2081
SYSC_sendmsg net/socket.c:2092 [inline]
SyS_sendmsg+0x2d/0x50 net/socket.c:2088
do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441ef9
RSP: 002b:00000000007dfea8 EFLAGS: 00000217 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 000000000000001a RCX: 0000000000441ef9
RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
RBP: 00000000004a3f26 R08: 0000000120080522 R09: 0000000120080522
R10: 0000000120080522 R11: 0000000000000217 R12: 00000000007dff70
R13: 0000000000402f30 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 0:
(stack is not available)
Freed by task 0:
(stack is not available)
The buggy address belongs to the object at ffff8801aff89700
which belongs to the cache ip_dst_cache of size 160
The buggy address is located 24 bytes inside of
160-byte region [ffff8801aff89700, ffff8801aff897a0)
The buggy address belongs to the page:
page:ffffea0006bfe240 count:1 mapcount:0 mapping:ffff8801aff89000 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801aff89000 0000000000000000 0000000100000010
raw: ffff8801d5b67d48 ffff8801d5b67d48 ffff8801d5b66680 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801aff89600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801aff89680: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc
> ffff8801aff89700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801aff89780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8801aff89800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.
syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
View attachment "raw.log.txt" of type "text/plain" (12506 bytes)
View attachment "repro.syz.txt" of type "text/plain" (1262 bytes)
View attachment "repro.c.txt" of type "text/plain" (17681 bytes)
View attachment "config.txt" of type "text/plain" (137453 bytes)
Powered by blists - more mailing lists