lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+aq3pDM4=fXwpAMNLiZWRC6H_050t4dgoK94kWxvV3pjg@mail.gmail.com>
Date:   Fri, 15 Jun 2018 09:31:43 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     syzbot <syzbot+131cd4c6d21724b99a26@...kaller.appspotmail.com>
Cc:     David Miller <davem@...emloft.net>,
        Herbert Xu <herbert@...dor.apana.org.au>,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        icytxw@...il.com
Subject: Re: KMSAN: uninit-value in xfrm_state_find

On Fri, Jun 15, 2018 at 9:30 AM, syzbot
<syzbot+131cd4c6d21724b99a26@...kaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    1df165c8d2d6 kmsan: introduce kmsan_clear_user_page()
> git tree:       https://github.com/google/kmsan.git/master
> console output: https://syzkaller.appspot.com/x/log.txt?x=15336e97800000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4ca1e57bafa8ab1f
> dashboard link: https://syzkaller.appspot.com/bug?extid=131cd4c6d21724b99a26
> compiler:       clang version 7.0.0 (trunk 329391)
> syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=12c7a417800000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=13710197800000
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+131cd4c6d21724b99a26@...kaller.appspotmail.com

This may be related to "BUG: KASAN: stack-out-of-bounds in
ipv6_addr_equal include/net/ipv6.h":
https://groups.google.com/d/msg/syzkaller/va_9cjZsHQE/Htc7sYY2BwAJ


> IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
> 8021q: adding VLAN 0 to HW filter on device team0
> ==================================================================
> BUG: KMSAN: uninit-value in __arch_swab32
> arch/x86/include/uapi/asm/swab.h:10 [inline]
> BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
> BUG: KMSAN: uninit-value in __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29
> [inline]
> BUG: KMSAN: uninit-value in __xfrm_dst_hash net/xfrm/xfrm_hash.h:96 [inline]
> BUG: KMSAN: uninit-value in xfrm_dst_hash net/xfrm/xfrm_state.c:60 [inline]
> BUG: KMSAN: uninit-value in xfrm_state_find+0x2b15/0x4f40
> net/xfrm/xfrm_state.c:952
> CPU: 0 PID: 4464 Comm: syz-executor988 Not tainted 4.17.0-rc3+ #93
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x185/0x1d0 lib/dump_stack.c:113
>  kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1084
>  __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
>  __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
>  __fswab32 include/uapi/linux/swab.h:59 [inline]
>  __xfrm6_daddr_saddr_hash net/xfrm/xfrm_hash.h:29 [inline]
>  __xfrm_dst_hash net/xfrm/xfrm_hash.h:96 [inline]
>  xfrm_dst_hash net/xfrm/xfrm_state.c:60 [inline]
>  xfrm_state_find+0x2b15/0x4f40 net/xfrm/xfrm_state.c:952
>  xfrm_tmpl_resolve_one net/xfrm/xfrm_policy.c:1393 [inline]
>  xfrm_tmpl_resolve net/xfrm/xfrm_policy.c:1437 [inline]
>  xfrm_resolve_and_create_bundle+0xc31/0x5270 net/xfrm/xfrm_policy.c:1833
>  xfrm_lookup+0x606/0x39d0 net/xfrm/xfrm_policy.c:2163
>  xfrm_lookup_route+0xfa/0x360 net/xfrm/xfrm_policy.c:2283
>  ip_route_output_flow+0x35b/0x3b0 net/ipv4/route.c:2574
>  udp_sendmsg+0x2289/0x33f0 net/ipv4/udp.c:1006
>  udpv6_sendmsg+0x1291/0x3f40 net/ipv6/udp.c:1175
>  inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:798
>  sock_sendmsg_nosec net/socket.c:629 [inline]
>  sock_sendmsg net/socket.c:639 [inline]
>  ___sys_sendmsg+0xec0/0x1310 net/socket.c:2117
>  __sys_sendmmsg+0x490/0x850 net/socket.c:2212
>  __do_sys_sendmmsg net/socket.c:2241 [inline]
>  __se_sys_sendmmsg net/socket.c:2238 [inline]
>  __x64_sys_sendmmsg+0x11c/0x170 net/socket.c:2238
>  do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x4419c9
> RSP: 002b:00007ffdb3fa4608 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000004419c9
> RDX: 0000000000000001 RSI: 0000000020002000 RDI: 0000000000000003
> RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004026c0
> R13: 0000000000402750 R14: 0000000000000000 R15: 0000000000000000
>
> Local variable description: ----fl4_stack@..._sendmsg
> Variable was created at:
>  udp_sendmsg+0xe5/0x33f0 net/ipv4/udp.c:841
>  udpv6_sendmsg+0x1291/0x3f40 net/ipv6/udp.c:1175
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ