lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <6700f123.050a0220.49194.04b5.GAE@google.com>
Date: Sat, 05 Oct 2024 00:56:19 -0700
From: syzbot <syzbot+80b36e60457a005e0530@...kaller.appspotmail.com>
To: 42.hyeyoo@...il.com, akpm@...ux-foundation.org, andrii@...nel.org, 
	ast@...nel.org, bpf@...r.kernel.org, cl@...ux.com, daniel@...earbox.net, 
	davem@...emloft.net, eddyz87@...il.com, edumazet@...gle.com, 
	feng.tang@...el.com, haoluo@...gle.com, iamjoonsoo.kim@....com, 
	john.fastabend@...il.com, jolsa@...nel.org, kpsingh@...nel.org, 
	kuba@...nel.org, linux-kernel@...r.kernel.org, linux-mm@...ck.org, 
	martin.lau@...ux.dev, netdev@...r.kernel.org, pabeni@...hat.com, 
	penberg@...nel.org, rientjes@...gle.com, roman.gushchin@...ux.dev, 
	sdf@...ichev.me, song@...nel.org, syzkaller-bugs@...glegroups.com, 
	vbabka@...e.cz, yonghong.song@...ux.dev
Subject: [syzbot] [bpf?] [net?] KFENCE: memory corruption in pskb_expand_head

Hello,

syzbot found the following issue on:

HEAD commit:    c02d24a5af66 Add linux-next specific files for 20241003
git tree:       linux-next
console+strace: https://syzkaller.appspot.com/x/log.txt?x=1404ab9f980000
kernel config:  https://syzkaller.appspot.com/x/.config?x=94f9caf16c0af42d
dashboard link: https://syzkaller.appspot.com/bug?extid=80b36e60457a005e0530
compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f633d0580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1204ab9f980000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/641e642c9432/disk-c02d24a5.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/98aaf20c29e0/vmlinux-c02d24a5.xz
kernel image: https://storage.googleapis.com/syzbot-assets/c23099f2d86b/bzImage-c02d24a5.xz

The issue was bisected to:

commit d0a38fad51cc70ab3dd3c59b54d8079ac19220b9
Author: Feng Tang <feng.tang@...el.com>
Date:   Wed Sep 11 06:45:34 2024 +0000

    mm/slub: Improve redzone check and zeroing for krealloc()

bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=16da4d27980000
final oops:     https://syzkaller.appspot.com/x/report.txt?x=15da4d27980000
console output: https://syzkaller.appspot.com/x/log.txt?x=11da4d27980000

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+80b36e60457a005e0530@...kaller.appspotmail.com
Fixes: d0a38fad51cc ("mm/slub: Improve redzone check and zeroing for krealloc()")

==================================================================
BUG: KFENCE: memory corruption in skb_kfree_head net/core/skbuff.c:1086 [inline]
BUG: KFENCE: memory corruption in skb_free_head net/core/skbuff.c:1098 [inline]
BUG: KFENCE: memory corruption in pskb_expand_head+0x4fc/0x1380 net/core/skbuff.c:2307

Corrupted memory at 0xffff88823be221c0 [ 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 ] (in kfence-#16):
 skb_kfree_head net/core/skbuff.c:1086 [inline]
 skb_free_head net/core/skbuff.c:1098 [inline]
 pskb_expand_head+0x4fc/0x1380 net/core/skbuff.c:2307
 __skb_cow include/linux/skbuff.h:3702 [inline]
 skb_cow_head include/linux/skbuff.h:3736 [inline]
 __vlan_insert_inner_tag include/linux/if_vlan.h:354 [inline]
 __vlan_insert_tag include/linux/if_vlan.h:400 [inline]
 skb_vlan_push+0x319/0x8d0 net/core/skbuff.c:6324
 ____bpf_skb_vlan_push net/core/filter.c:3193 [inline]
 bpf_skb_vlan_push+0x215/0x8e0 net/core/filter.c:3183
 bpf_prog_73b0c961a278ad0e+0x5b/0x60
 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run include/linux/filter.h:708 [inline]
 bpf_test_run+0x4f0/0xa90 net/bpf/test_run.c:433
 bpf_prog_test_run_skb+0xc97/0x1820 net/bpf/test_run.c:1094
 bpf_prog_test_run+0x2e4/0x360 kernel/bpf/syscall.c:4247
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5739
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

kfence-#16: 0xffff88823be22000-0xffff88823be221bf, size=448, cache=kmalloc-512

allocated by task 5407 on cpu 0 at 90.755534s (0.100574s ago):
 kmalloc_noprof include/linux/slab.h:882 [inline]
 kzalloc_noprof include/linux/slab.h:1014 [inline]
 bpf_test_init+0xe1/0x180 net/bpf/test_run.c:669
 bpf_prog_test_run_skb+0x2bb/0x1820 net/bpf/test_run.c:1000
 bpf_prog_test_run+0x2e4/0x360 kernel/bpf/syscall.c:4247
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5739
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

freed by task 5407 on cpu 0 at 90.755621s (0.144394s ago):
 skb_kfree_head net/core/skbuff.c:1086 [inline]
 skb_free_head net/core/skbuff.c:1098 [inline]
 pskb_expand_head+0x4fc/0x1380 net/core/skbuff.c:2307
 __skb_cow include/linux/skbuff.h:3702 [inline]
 skb_cow_head include/linux/skbuff.h:3736 [inline]
 __vlan_insert_inner_tag include/linux/if_vlan.h:354 [inline]
 __vlan_insert_tag include/linux/if_vlan.h:400 [inline]
 skb_vlan_push+0x319/0x8d0 net/core/skbuff.c:6324
 ____bpf_skb_vlan_push net/core/filter.c:3193 [inline]
 bpf_skb_vlan_push+0x215/0x8e0 net/core/filter.c:3183
 bpf_prog_73b0c961a278ad0e+0x5b/0x60
 bpf_dispatcher_nop_func include/linux/bpf.h:1257 [inline]
 __bpf_prog_run include/linux/filter.h:701 [inline]
 bpf_prog_run include/linux/filter.h:708 [inline]
 bpf_test_run+0x4f0/0xa90 net/bpf/test_run.c:433
 bpf_prog_test_run_skb+0xc97/0x1820 net/bpf/test_run.c:1094
 bpf_prog_test_run+0x2e4/0x360 kernel/bpf/syscall.c:4247
 __sys_bpf+0x48d/0x810 kernel/bpf/syscall.c:5652
 __do_sys_bpf kernel/bpf/syscall.c:5741 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5739 [inline]
 __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5739
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

CPU: 0 UID: 0 PID: 5407 Comm: syz-executor182 Not tainted 6.12.0-rc1-next-20241003-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
==================================================================


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@...glegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ