From: Dmitry Vyukov
Date: Fri, 20 Jul 2018 10:00:34 +0200
Subject: Re: KASAN: use-after-free Read in l2tp_session_create
To: James Chapman
Cc: David Miller, "Reshetova, Elena", Hans Liljestrand, Kees Cook, LKML, netdev, syzkaller-bugs, Greg Hackmann, syzbot, Guillaume Nault, Greg Kroah-Hartman
In-Reply-To: <5308835b-b5ef-51e4-2e4f-05a9636dff55@katalix.com>
References: <001a11405130a984300562e8e7b3@google.com> <5308835b-b5ef-51e4-2e4f-05a9636dff55@katalix.com>
List-ID: linux-kernel@vger.kernel.org

On Fri, Jul 20, 2018 at 9:53 AM, James Chapman wrote:
> On 18/07/18 12:00, Dmitry Vyukov wrote:
>> On Tue, Jan 16, 2018 at 7:29 PM, syzbot
>> wrote:
>>> Hello,
>>>
>>> syzkaller hit the following crash on
>>> a8750ddca918032d6349adbf9a4b6555e7db20da
>>> git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/master
>>> compiler: gcc (GCC) 7.1.1 20170620
>>> .config is attached
>>> Raw console output is attached.
>>> Unfortunately, I don't have any reproducer for this bug yet.
>>>
>>>
>>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>>> Reported-by: syzbot+065d0fc357520c8f6039@syzkaller.appspotmail.com
>>> It will help syzbot understand when the bug is fixed. See footer for
>>> details.
>>> If you forward the report, please keep this part and the footer.
>>
>> James,
>>
>> Did you fix this? You asked syzbot to test a fix for this bug some time ago.
>> If yes, did you include the Reported-by tag in the commit? This bug is
>> still considered open by syzbot. But it stopped happening ~4 months
>> ago:
>
> Yes, I think this has been fixed now. I think it was fixed by
> Guillaume's 6b9f34239b00e6956a267abed2bc559ede556ad6 that was actually
> to fix another syzbot bug fbeeb5c3b538e8545644 which looks similar to
> this one.
>
>> https://syzkaller.appspot.com/bug?id=6fed0854381422329e78d7e16fb9cf4af8c9aef1
>> We are also seeing these crashes in 4.4 and 4.9, it would be good to
>> backport the fix.
>
> It looks like 6b9f34239b00e6956a267abed2bc559ede556ad6 hasn't made it to
> 4.9 or 4.4.

Thanks for the update! Let's tell syzbot that this is fixed:

#syz fix: l2tp: fix races in tunnel creation

Greg H: so this is probably the patch we need.

+Greg KH: I think we need this in stable, we hit this in both 4.4 and 4.9.

>>> ==================================================================
>>> BUG: KASAN: use-after-free in l2tp_session_create+0xa6d/0xc60
>>> net/l2tp/l2tp_core.c:1757
>>> Read of size 4 at addr ffff8801d80ad868 by task syz-executor3/5462
>>>
>>> CPU: 0 PID: 5462 Comm: syz-executor3 Not tainted 4.15.0-rc8+ #263
>>> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
>>> Google 01/01/2011
>>> Call Trace:
>>> __dump_stack lib/dump_stack.c:17 [inline]
>>> dump_stack+0x194/0x257 lib/dump_stack.c:53
>>> print_address_description+0x73/0x250 mm/kasan/report.c:252
>>> kasan_report_error mm/kasan/report.c:351 [inline]
>>> kasan_report+0x25b/0x340 mm/kasan/report.c:409
>>> __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
>>> l2tp_session_create+0xa6d/0xc60 net/l2tp/l2tp_core.c:1757
>>> pppol2tp_connect+0xed7/0x1dd0 net/l2tp/l2tp_ppp.c:748
>>> SYSC_connect+0x213/0x4a0 net/socket.c:1621
>>> SyS_connect+0x24/0x30 net/socket.c:1602
>>> entry_SYSCALL_64_fastpath+0x29/0xa0
>>> RIP: 0033:0x452df9
>>> RSP: 002b:00007f93ec47fc58 EFLAGS: 00000212 ORIG_RAX: 000000000000002a
>>> RAX: ffffffffffffffda RBX: 000000000071bea0 RCX: 0000000000452df9
>>> RDX: 000000000000002e RSI: 00000000205fafd2 RDI: 0000000000000018
>>> RBP: 00000000000005a9 R08: 0000000000000000 R09: 0000000000000000
>>> R10: 0000000000000000 R11: 0000000000000212 R12: 00000000006f6878
>>> R13: 00000000ffffffff R14: 00007f93ec4806d4 R15: 0000000000000000
>>>
>>> Allocated by task 5462:
>>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>> set_track mm/kasan/kasan.c:459 [inline]
>>> kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
>>> kmem_cache_alloc_trace+0x136/0x750 mm/slab.c:3610
>>> kmalloc include/linux/slab.h:499 [inline]
>>> kzalloc include/linux/slab.h:688 [inline]
>>> l2tp_tunnel_create+0x5e1/0x17f0 net/l2tp/l2tp_core.c:1554
>>> pppol2tp_connect+0x14b7/0x1dd0 net/l2tp/l2tp_ppp.c:707
>>> SYSC_connect+0x213/0x4a0 net/socket.c:1621
>>> SyS_connect+0x24/0x30 net/socket.c:1602
>>> entry_SYSCALL_64_fastpath+0x29/0xa0
>>>
>>> Freed by task 5484:
>>> save_stack+0x43/0xd0 mm/kasan/kasan.c:447
>>> set_track mm/kasan/kasan.c:459 [inline]
>>> kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
>>> __cache_free mm/slab.c:3488 [inline]
>>> kfree+0xd6/0x260 mm/slab.c:3803
>>> __rcu_reclaim kernel/rcu/rcu.h:190 [inline]
>>> rcu_do_batch kernel/rcu/tree.c:2758 [inline]
>>> invoke_rcu_callbacks kernel/rcu/tree.c:3012 [inline]
>>> __rcu_process_callbacks kernel/rcu/tree.c:2979 [inline]
>>> rcu_process_callbacks+0xe94/0x17f0 kernel/rcu/tree.c:2996
>>> __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
>>>
>>> The buggy address belongs to the object at ffff8801d80ad780
>>> which belongs to the cache kmalloc-512 of size 512
>>> The buggy address is located 232 bytes inside of
>>> 512-byte region [ffff8801d80ad780, ffff8801d80ad980)
>>> The buggy address belongs to the page:
>>> page:ffffea0007602b40 count:1 mapcount:0 mapping:ffff8801d80ad000 index:0x0
>>> flags: 0x2fffc0000000100(slab)
>>> raw: 02fffc0000000100 ffff8801d80ad000 0000000000000000 0000000100000006
>>> raw: ffffea00070e8760 ffffea00070f8ca0 ffff8801dac00940 0000000000000000
>>> page dumped because: kasan: bad access detected
>>>
>>> Memory state around the buggy address:
>>> ffff8801d80ad700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>>> ffff8801d80ad780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>>> ffff8801d80ad800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ^
>>> ffff8801d80ad880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ffff8801d80ad900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> ==================================================================
>>>
>>>
>>> ---
>>> This bug is generated by a dumb bot. It may contain errors.
>>> See https://goo.gl/tpsmEJ for details.
>>> Direct all questions to syzkaller@googlegroups.com.
>>>
>>> syzbot will keep track of this bug report.
>>> If you forgot to add the Reported-by tag, once the fix for this bug is
>>> merged
>>> into any tree, please reply to this email with:
>>> #syz fix: exact-commit-title
>>> To mark this as a duplicate of another syzbot report, please reply with:
>>> #syz dup: exact-subject-of-another-report
>>> If it's a one-off invalid bug report, please reply with:
>>> #syz invalid
>>> Note: if the crash happens again, it will cause creation of a new bug
>>> report.
>>> Note: all commands must start from beginning of the line in the email body.
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "syzkaller-bugs" group.
>>> To unsubscribe from this group and stop receiving emails from it, send an
>>> email to syzkaller-bugs+unsubscribe@googlegroups.com.
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/syzkaller-bugs/001a11405130a984300562e8e7b3%40google.com.
>>> For more options, visit https://groups.google.com/d/optout.
>
>
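Added example, not code from this thread, the kernel or syzkaller: a small Python parser that turns a KASAN report like the one quoted above into structured triage data. The sample report is constructed from the quoted lines (mail quoting removed, the wrapped `BUG:` line rejoined, the register dump and some frames left out). The helpers pick out the first non-instrumentation frame of each stack, cross-check the faulting address against the object base and stated offset, and flag that the free ran from an RCU callback in a different task than the use. That combination (use in `l2tp_session_create`, allocation in `l2tp_tunnel_create`, deferred free in another task) is what points at a lookup racing with teardown, which matches the fix title given in the thread.

```python
# Added example (not code from the thread, the kernel or syzkaller): parse a
# KASAN report into triage data. SAMPLE_REPORT is constructed from the report
# quoted above (mail quoting removed, wrapped BUG: line rejoined, some lines left out).
import re
from dataclasses import dataclass, field
from typing import Dict, List, NamedTuple, Optional

SAMPLE_REPORT = """\
BUG: KASAN: use-after-free in l2tp_session_create+0xa6d/0xc60 net/l2tp/l2tp_core.c:1757
Read of size 4 at addr ffff8801d80ad868 by task syz-executor3/5462
Call Trace:
 dump_stack+0x194/0x257 lib/dump_stack.c:53
 __asan_report_load4_noabort+0x14/0x20 mm/kasan/report.c:429
 l2tp_session_create+0xa6d/0xc60 net/l2tp/l2tp_core.c:1757
 pppol2tp_connect+0xed7/0x1dd0 net/l2tp/l2tp_ppp.c:748
 entry_SYSCALL_64_fastpath+0x29/0xa0

Allocated by task 5462:
 kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:551
 kzalloc include/linux/slab.h:688 [inline]
 l2tp_tunnel_create+0x5e1/0x17f0 net/l2tp/l2tp_core.c:1554

Freed by task 5484:
 kasan_slab_free+0x71/0xc0 mm/kasan/kasan.c:524
 kfree+0xd6/0x260 mm/slab.c:3803
 __rcu_reclaim kernel/rcu/rcu.h:190 [inline]
 rcu_process_callbacks+0xe94/0x17f0 kernel/rcu/tree.c:2996

The buggy address belongs to the object at ffff8801d80ad780
 which belongs to the cache kmalloc-512 of size 512
The buggy address is located 232 bytes inside of
 512-byte region [ffff8801d80ad780, ffff8801d80ad980)
"""

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in ")
ACCESS_RE = re.compile(r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
SECTION_RE = re.compile(r"^(?P<name>Call Trace|Allocated|Freed)(?: by task (?P<pid>\d+))?:$")
FRAME_RE = re.compile(r"^(?P<func>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                      r"(?:\s+(?P<loc>[\w./-]+:\d+))?(?:\s+\[inline\])?$")
OBJECT_RE = re.compile(r"object at (?P<addr>[0-9a-f]+)")
CACHE_RE = re.compile(r"cache (?P<cache>\S+) of size (?P<size>\d+)")
OFFSET_RE = re.compile(r"located (?P<off>\d+) bytes inside of")
# Sanitizer, allocator, stack-dump and deferred-free machinery: skipped when
# looking for the first frame that belongs to the subsystem under test.
PLUMBING = ("mm/kasan/", "mm/slab", "lib/dump_stack.c", "include/linux/slab.h",
            "kernel/rcu/", "kernel/softirq.c")

Frame = NamedTuple("Frame", [("func", str), ("loc", Optional[str])])


@dataclass
class KasanReport:
    kind: str = ""
    access: str = ""
    size: int = 0
    addr: int = 0
    object_addr: int = 0
    cache: str = ""
    object_size: int = 0
    offset: int = 0
    pids: Dict[str, int] = field(default_factory=dict)          # alloc/free task
    traces: Dict[str, List[Frame]] = field(default_factory=dict)  # use/alloc/free


def parse_kasan_report(text: str) -> KasanReport:
    r, frames = KasanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            frames = None  # a blank line closes the current stack section
        elif frames is not None and (m := FRAME_RE.match(line)):
            frames.append(Frame(m["func"], m["loc"]))
        elif m := BUG_RE.match(line):
            r.kind = m["kind"]
        elif m := ACCESS_RE.match(line):
            r.access, r.size, r.addr = m["rw"], int(m["size"]), int(m["addr"], 16)
        elif m := SECTION_RE.match(line):
            key = {"Call Trace": "use", "Allocated": "alloc", "Freed": "free"}[m["name"]]
            frames = r.traces[key] = []
            if m["pid"]:
                r.pids[key] = int(m["pid"])
        elif m := OBJECT_RE.search(line):
            r.object_addr = int(m["addr"], 16)
        elif m := CACHE_RE.search(line):
            r.cache, r.object_size = m["cache"], int(m["size"])
        elif m := OFFSET_RE.search(line):
            r.offset = int(m["off"])
    return r


def first_subsystem_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame outside PLUMBING: the code that really did the access, alloc or free."""
    return next((f for f in frames if not (f.loc or "").startswith(PLUMBING)), None)


def freed_from_rcu_callback(r: KasanReport) -> bool:
    """The free ran from an RCU callback, i.e. after a grace period ended."""
    return any((f.loc or "").startswith("kernel/rcu/") for f in r.traces.get("free", []))


def offset_consistent(r: KasanReport) -> bool:
    """Self-check: fault address minus object base must equal the stated offset."""
    return r.addr - r.object_addr == r.offset and r.offset + r.size <= r.object_size
```

For the report above, `first_subsystem_frame` yields `l2tp_session_create` for the use stack and `l2tp_tunnel_create` for the allocation, while the free stack has no subsystem frame at all: it is entirely `kfree` called from RCU callback context in task 5484, not 5462. A free with no subsystem frame plus a use in another task is the shape to look for when deciding whether a KASAN use-after-free is a missing reference count or lock around a lookup rather than a plain double free.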