Hello,
syzkaller hit the following crash on
50c4c4e268a2d7a3e58ebb698ac74da0de40ae36
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
audit: type=1400 audit(1513021744.055:7): avc: denied { map } for
pid=3149 comm="syzkaller428285" path="/root/syzkaller428285483" dev="sda1"
ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:341 [inline]
BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state
net/key/af_key.c:1212 [inline]
BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
net/key/af_key.c:1491
Read of size 8192 at addr ffff8801c5197318 by task syzkaller428285/3149
CPU: 0 PID: 3149 Comm: syzkaller428285 Not tainted 4.15.0-rc3+ #127
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
check_memory_region_inline mm/kasan/kasan.c:260 [inline]
check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
memcpy+0x23/0x50 mm/kasan/kasan.c:302
memcpy include/linux/string.h:341 [inline]
pfkey_msg2xfrm_state net/key/af_key.c:1212 [inline]
pfkey_add+0x1634/0x3270 net/key/af_key.c:1491
pfkey_process+0x60b/0x720 net/key/af_key.c:2809
pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3648
sock_sendmsg_nosec net/socket.c:636 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:646
___sys_sendmsg+0x75b/0x8a0 net/socket.c:2026
__sys_sendmsg+0xe5/0x210 net/socket.c:2060
C_SYSC_sendmsg net/compat.c:739 [inline]
compat_SyS_sendmsg+0x2a/0x40 net/compat.c:737
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7fd4c79
RSP: 002b:00000000ff9d7c1c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000205f5000
RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Allocated by task 3149:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
__do_kmalloc_node mm/slab.c:3675 [inline]
__kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3689
__kmalloc_reserve.isra.41+0x41/0xd0 net/core/skbuff.c:137
__alloc_skb+0x13b/0x780 net/core/skbuff.c:205
alloc_skb include/linux/skbuff.h:983 [inline]
pfkey_sendmsg+0x20f/0x9f0 net/key/af_key.c:3635
sock_sendmsg_nosec net/socket.c:636 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:646
___sys_sendmsg+0x75b/0x8a0 net/socket.c:2026
__sys_sendmsg+0xe5/0x210 net/socket.c:2060
C_SYSC_sendmsg net/compat.c:739 [inline]
compat_SyS_sendmsg+0x2a/0x40 net/compat.c:737
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
Freed by task 1636:
save_stack+0x43/0xd0 mm/kasan/kasan.c:447
set_track mm/kasan/kasan.c:459 [inline]
kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
__cache_free mm/slab.c:3491 [inline]
kfree+0xca/0x250 mm/slab.c:3806
kernfs_fop_release+0x13f/0x180 fs/kernfs/file.c:783
__fput+0x333/0x7f0 fs/file_table.c:210
____fput+0x15/0x20 fs/file_table.c:244
task_work_run+0x199/0x270 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:191 [inline]
exit_to_usermode_loop+0x296/0x310 arch/x86/entry/common.c:162
prepare_exit_to_usermode arch/x86/entry/common.c:195 [inline]
syscall_return_slowpath+0x490/0x550 arch/x86/entry/common.c:264
entry_SYSCALL_64_fastpath+0x94/0x96
The buggy address belongs to the object at ffff8801c5197300
which belongs to the cache kmalloc-512 of size 512
The buggy address is located 24 bytes inside of
512-byte region [ffff8801c5197300, ffff8801c5197500)
The buggy address belongs to the page:
page:00000000ea98bd6b count:1 mapcount:0 mapping:000000003ab76c13 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffff8801c5197080 0000000000000000 0000000100000006
raw: ffffea0007146520 ffffea0007147960 ffff8801db000940 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c5197400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801c5197480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801c5197500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff8801c5197580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8801c5197600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].
Please credit me with: Reported-by: syzbot <[email protected]>
syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
On Fri, Dec 15, 2017 at 11:51:01PM -0800, syzbot wrote:
> Hello,
>
> syzkaller hit the following crash on
> 50c4c4e268a2d7a3e58ebb698ac74da0de40ae36
> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
> compiler: gcc (GCC) 7.1.1 20170620
> .config is attached
> Raw console output is attached.
> C reproducer is attached
> syzkaller reproducer is attached. See https://goo.gl/kgGztJ
> for information about syzkaller reproducers
>
>
> audit: type=1400 audit(1513021744.055:7): avc: denied { map } for
> pid=3149 comm="syzkaller428285" path="/root/syzkaller428285483" dev="sda1"
> ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:341 [inline]
> BUG: KASAN: slab-out-of-bounds in pfkey_msg2xfrm_state net/key/af_key.c:1212
> [inline]
> BUG: KASAN: slab-out-of-bounds in pfkey_add+0x1634/0x3270
> net/key/af_key.c:1491
> Read of size 8192 at addr ffff8801c5197318 by task syzkaller428285/3149
>
> CPU: 0 PID: 3149 Comm: syzkaller428285 Not tainted 4.15.0-rc3+ #127
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
> __dump_stack lib/dump_stack.c:17 [inline]
> dump_stack+0x194/0x257 lib/dump_stack.c:53
> print_address_description+0x73/0x250 mm/kasan/report.c:252
> kasan_report_error mm/kasan/report.c:351 [inline]
> kasan_report+0x25b/0x340 mm/kasan/report.c:409
> check_memory_region_inline mm/kasan/kasan.c:260 [inline]
> check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
> memcpy+0x23/0x50 mm/kasan/kasan.c:302
> memcpy include/linux/string.h:341 [inline]
> pfkey_msg2xfrm_state net/key/af_key.c:1212 [inline]
> pfkey_add+0x1634/0x3270 net/key/af_key.c:1491
> pfkey_process+0x60b/0x720 net/key/af_key.c:2809
> pfkey_sendmsg+0x4d6/0x9f0 net/key/af_key.c:3648
> sock_sendmsg_nosec net/socket.c:636 [inline]
> sock_sendmsg+0xca/0x110 net/socket.c:646
> ___sys_sendmsg+0x75b/0x8a0 net/socket.c:2026
> __sys_sendmsg+0xe5/0x210 net/socket.c:2060
> C_SYSC_sendmsg net/compat.c:739 [inline]
> compat_SyS_sendmsg+0x2a/0x40 net/compat.c:737
> do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
> do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
> entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
> RIP: 0023:0xf7fd4c79
> RSP: 002b:00000000ff9d7c1c EFLAGS: 00000203 ORIG_RAX: 0000000000000172
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00000000205f5000
> RDX: 0000000000000000 RSI: 0000000000000167 RDI: 000000000000000f
> RBP: 0000000000000003 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
>
Looks like this is going to be fixed by
https://patchwork.kernel.org/patch/10327883/ ("af_key: Always verify length of
provided sadb_key"), but it's not applied yet to the ipsec tree yet. Kevin, for
future reference, for syzbot bugs it would be helpful to reply to the original
bug report and say that a patch was sent out, or even better send the patch as a
reply to the bug report email, e.g.
git format-patch --in-reply-to="<[email protected]>"
for this one (and the Message ID can be found in the syzkaller-bugs archive even
if the email isn't in your inbox). Otherwise people may not know that a patch
was sent out and do redundant work. Thanks!
I also simplified the reproducer for this, so here it is just in case someone
wants it anyway:
#include <sys/socket.h>
#include <unistd.h>
int main()
{
int fd = socket(AF_KEY, SOCK_RAW, 2);
char msg[96] =
"\x02\x03\x00\x02\x0c\x00\x00\x00\x00\x00\x00\x01\x02\x00\x00\x00"
"\x03\x00\x05\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x03\x00\x06\x00\x00\x00\x00\x00\x02\x00\x00\x00\x00\x00\x00\x00"
"\x00\x00\x00\x00\x00\x00\x00\x00"
"\x02\x00\x01\x00\x00\x00\x00\x00\x00\x00\xfb\x00\x00\x00\x00\x00"
"\x02\x00\x08\x00\xff\xff\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
write(fd, msg, sizeof(msg));
}
It causes a 8192-byte out-of-bounds read.
Eric
On Sun, Apr 08, 2018 at 09:04:33PM -0700, Eric Biggers wrote:
...
>
> Looks like this is going to be fixed by
> https://patchwork.kernel.org/patch/10327883/ ("af_key: Always verify length of
> provided sadb_key"), but it's not applied yet to the ipsec tree yet. Kevin, for
> future reference, for syzbot bugs it would be helpful to reply to the original
> bug report and say that a patch was sent out, or even better send the patch as a
> reply to the bug report email, e.g.
>
> git format-patch --in-reply-to="<[email protected]>"
>
> for this one (and the Message ID can be found in the syzkaller-bugs archive even
> if the email isn't in your inbox).
Sure, I can do that.
- Kevin
On Mon, Apr 09, 2018 at 01:56:36AM -0400, Kevin Easton wrote:
> On Sun, Apr 08, 2018 at 09:04:33PM -0700, Eric Biggers wrote:
> ...
> >
> > Looks like this is going to be fixed by
> > https://patchwork.kernel.org/patch/10327883/ ("af_key: Always verify length of
> > provided sadb_key"), but it's not applied yet to the ipsec tree yet. Kevin, for
> > future reference, for syzbot bugs it would be helpful to reply to the original
> > bug report and say that a patch was sent out, or even better send the patch as a
> > reply to the bug report email, e.g.
> >
> > git format-patch --in-reply-to="<[email protected]>"
> >
> > for this one (and the Message ID can be found in the syzkaller-bugs archive even
> > if the email isn't in your inbox).
>
> Sure, I can do that.
I recalled one reason I _didn't_ do this - the message ID is retrievable
from the archived email, but because the archive is Google Groups the
message recipients aren't (only masked).
- Kevin
On Wed, Apr 11, 2018 at 8:18 AM, Kevin Easton <[email protected]> wrote:
> On Mon, Apr 09, 2018 at 01:56:36AM -0400, Kevin Easton wrote:
>> On Sun, Apr 08, 2018 at 09:04:33PM -0700, Eric Biggers wrote:
>> ...
>> >
>> > Looks like this is going to be fixed by
>> > https://patchwork.kernel.org/patch/10327883/ ("af_key: Always verify length of
>> > provided sadb_key"), but it's not applied yet to the ipsec tree yet. Kevin, for
>> > future reference, for syzbot bugs it would be helpful to reply to the original
>> > bug report and say that a patch was sent out, or even better send the patch as a
>> > reply to the bug report email, e.g.
>> >
>> > git format-patch --in-reply-to="<[email protected]>"
>> >
>> > for this one (and the Message ID can be found in the syzkaller-bugs archive even
>> > if the email isn't in your inbox).
>>
>> Sure, I can do that.
>
> I recalled one reason I _didn't_ do this - the message ID is retrievable
> from the archived email, but because the archive is Google Groups the
> message recipients aren't (only masked).
>
> - Kevin
>
Hi Kevin,
This was mailed to other lists too:
To: davem@, herbert@, [email protected],
[email protected], steffen.klassert@,
[email protected]
In the groups UI there is a drop down menu with "Show Original" option
which shows raw email which include Message-ID: header.