Hello,
syzkaller hit the following crash on
968edbd93c0cbb40ab48aca972392d377713a0c3
git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
==================================================================
BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
[inline]
BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90
net/rds/send.c:1066
Read of size 8 at addr ffff8801cbda7a60 by task syz-executor0/3092
CPU: 0 PID: 3092 Comm: syz-executor0 Not tainted 4.15.0-rc2+ #121
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
rds_rdma_bytes net/rds/send.c:1013 [inline]
rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
sock_sendmsg_nosec net/socket.c:632 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:642
___sys_sendmsg+0x75b/0x8a0 net/socket.c:2048
__sys_sendmsg+0xe5/0x210 net/socket.c:2082
C_SYSC_sendmsg net/compat.c:739 [inline]
compat_SyS_sendmsg+0x2a/0x40 net/compat.c:737
do_syscall_32_irqs_on arch/x86/entry/common.c:327 [inline]
do_fast_syscall_32+0x3ee/0xf9d arch/x86/entry/common.c:389
entry_SYSENTER_compat+0x51/0x60 arch/x86/entry/entry_64_compat.S:125
RIP: 0023:0xf7f36c79
RSP: 002b:00000000ffdc503c EFLAGS: 00000292 ORIG_RAX: 0000000000000172
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 000000002048cfe4
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:000000007727554a count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801cbda7900: 00 00 f2 f2 f2 f3 f3 f3 f3 00 00 00 00 00 00 00
ffff8801cbda7980: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
> ffff8801cbda7a00: 00 f2 f2 f2 f2 f2 f2 f2 00 00 00 00 04 f2 f2 f2
^
ffff8801cbda7a80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
ffff8801cbda7b00: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
==================================================================
---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to [email protected].
Please credit me with: Reported-by: syzbot <[email protected]>
syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug
report.
Note: all commands must start from beginning of the line in the email body.
syzkaller has found reproducer for the following crash on
8f36e00065436412a02d1f50ad77375bdb506300
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers
audit: type=1400 audit(1513847224.110:7): avc: denied { map } for
pid=3157 comm="syzkaller455006" path="/root/syzkaller455006870" dev="sda1"
ino=16481 scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
==================================================================
BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
[inline]
BUG: KASAN: stack-out-of-bounds in rds_sendmsg+0x1f02/0x1f90
net/rds/send.c:1066
Read of size 8 at addr ffff8801c928fb70 by task syzkaller455006/3157
CPU: 0 PID: 3157 Comm: syzkaller455006 Not tainted 4.15.0-rc3+ #161
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x257 lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:252
kasan_report_error mm/kasan/report.c:351 [inline]
kasan_report+0x25b/0x340 mm/kasan/report.c:409
__asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:430
rds_rdma_bytes net/rds/send.c:1013 [inline]
rds_sendmsg+0x1f02/0x1f90 net/rds/send.c:1066
sock_sendmsg_nosec net/socket.c:628 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:638
___sys_sendmsg+0x320/0x8b0 net/socket.c:2018
__sys_sendmmsg+0x1ee/0x620 net/socket.c:2108
SYSC_sendmmsg net/socket.c:2139 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2134
entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x43fe49
RSP: 002b:00007fffbe244ad8 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fe49
RDX: 0000000000000001 RSI: 000000002020c000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000217 R12: 00000000004017b0
R13: 0000000000401840 R14: 0000000000000000 R15: 0000000000000000
The buggy address belongs to the page:
page:00000000b09dc24e count:0 mapcount:0 mapping: (null) index:0x0
flags: 0x2fffc0000000000()
raw: 02fffc0000000000 0000000000000000 0000000000000000 00000000ffffffff
raw: 0000000000000000 0000000100000001 0000000000000000 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8801c928fa00: 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2
ffff8801c928fa80: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
> ffff8801c928fb00: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 04 f2
^
ffff8801c928fb80: f2 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00
ffff8801c928fc00: 00 00 00 00 00 00 f3 f3 f3 f3 00 00 00 00 00 00
==================================================================
+Avinash
On 12/21/2017 1:10 AM, syzbot wrote:
> syzkaller has found reproducer for the following crash on
[..]
>
> audit: type=1400 audit(1513847224.110:7): avc: denied { map } for
> pid=3157 comm="syzkaller455006" path="/root/syzkaller455006870"
> dev="sda1" ino=16481
> scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> ==================================================================
> BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
> [inline]
Could you please post the discussed fix if you are ready with it ?
This new report is same as last one and cmesg length check should
address it.
Regards,
Santosh
On Thu, Dec 21, 2017 at 08:44:32AM -0800, Santosh Shilimkar wrote:
> +Avinash
>
> On 12/21/2017 1:10 AM, syzbot wrote:
> > syzkaller has found reproducer for the following crash on
>
> [..]
>
> >
> > audit: type=1400 audit(1513847224.110:7): avc:? denied? { map } for
> > pid=3157 comm="syzkaller455006" path="/root/syzkaller455006870"
> > dev="sda1" ino=16481
> > scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
> > tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
> > ==================================================================
> > BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
> > [inline]
>
> Could you please post the discussed fix if you are ready with it ?
> This new report is same as last one and cmesg length check should
> address it.
>
> Regards,
> Santosh
>
This crash seems to have stopped occurring. I assume it was fixed by commit
14e138a86f63 (thanks Avinash!), so let's tell syzbot so that it can start
reporting crashes in the same place again:
#syz fix: RDS: Check cmsg_len before dereferencing CMSG_DATA
- Eric
On 1/30/2018 6:16 PM, Eric Biggers wrote:
> On Thu, Dec 21, 2017 at 08:44:32AM -0800, Santosh Shilimkar wrote:
>> +Avinash
>>
>> On 12/21/2017 1:10 AM, syzbot wrote:
>>> syzkaller has found reproducer for the following crash on
>>
>> [..]
>>
>>>
>>> audit: type=1400 audit(1513847224.110:7): avc: denied { map } for
>>> pid=3157 comm="syzkaller455006" path="/root/syzkaller455006870"
>>> dev="sda1" ino=16481
>>> scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023
>>> tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=1
>>> ==================================================================
>>> BUG: KASAN: stack-out-of-bounds in rds_rdma_bytes net/rds/send.c:1013
>>> [inline]
>>
>> Could you please post the discussed fix if you are ready with it ?
>> This new report is same as last one and cmesg length check should
>> address it.
>>
[...]
>
> This crash seems to have stopped occurring. I assume it was fixed by commit
> 14e138a86f63 (thanks Avinash!), so let's tell syzbot so that it can start
> reporting crashes in the same place again:
>
> #syz fix: RDS: Check cmsg_len before dereferencing CMSG_DATA
>
Thanks Eric for confirmation !!
Regards,
Santosh