References: <000000000000059b7205aa7f906f@google.com> <00000000000026751605aa857914@google.com>
In-Reply-To: <00000000000026751605aa857914@google.com>
From: Dmitry Vyukov
Date: Thu, 10 Sep 2020 10:02:09 +0200
Subject: Re: KASAN: use-after-free Read in __xfrm6_tunnel_spi_lookup
To: syzbot, Anant Thazhemadam, B K Karthik
Cc: David Miller, Herbert Xu, Jakub Kicinski, Alexey Kuznetsov, LKML, netdev, Steffen Klassert, syzkaller-bugs, Hideaki YOSHIFUJI
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Sep 10, 2020 at 9:20 AM Anant Thazhemadam wrote:
> Looks like this bug is no longer valid. I'm not sure which commit seems to have fixed it. Can this be marked as invalid or closed yet?

You can see on the dashboard (or in mailing list archives) that B K Karthik tested a patch for this bug in July:
https://syzkaller.appspot.com/bug?extid=72ff2fa98097767b5a27

So perhaps that patch fixes it? Karthik, did you send it? Was it merged? Did the commit include the syzbot Reported-by tag?
On Thu, Jul 16, 2020 at 4:05 AM syzbot wrote:
>
> syzbot has found a reproducer for the following issue on:
>
> HEAD commit:    ca0e494a Add linux-next specific files for 20200715
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=175099bf100000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=2c76d72659687242
> dashboard link: https://syzkaller.appspot.com/bug?extid=72ff2fa98097767b5a27
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=112e8dbf100000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=109429bf100000
>
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+72ff2fa98097767b5a27@syzkaller.appspotmail.com
>
> netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
> netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
> netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
> ==================================================================
> BUG: KASAN: use-after-free in __xfrm6_tunnel_spi_lookup+0x3a9/0x3b0 net/ipv6/xfrm6_tunnel.c:79
> Read of size 8 at addr ffff8880934578a8 by task syz-executor437/6811
> CPU: 0 PID: 6811 Comm: syz-executor437 Not tainted 5.8.0-rc5-next-20200715-syzkaller #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x18f/0x20d lib/dump_stack.c:118
>  print_address_description.constprop.0.cold+0xae/0x497 mm/kasan/report.c:383
>  __kasan_report mm/kasan/report.c:513 [inline]
>  kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
>  __xfrm6_tunnel_spi_lookup+0x3a9/0x3b0 net/ipv6/xfrm6_tunnel.c:79
>  xfrm6_tunnel_spi_lookup+0x8a/0x1d0 net/ipv6/xfrm6_tunnel.c:95
>  xfrmi6_rcv_tunnel+0xb9/0x100 net/xfrm/xfrm_interface.c:824
>  tunnel6_rcv+0xef/0x2b0 net/ipv6/tunnel6.c:148
>  ip6_protocol_deliver_rcu+0x2e8/0x1670 net/ipv6/ip6_input.c:433
>  ip6_input_finish+0x7f/0x160 net/ipv6/ip6_input.c:474
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilter.h:301 [inline]
>  ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:483
>  dst_input include/net/dst.h:449 [inline]
>  ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
>  NF_HOOK include/linux/netfilter.h:307 [inline]
>  NF_HOOK include/linux/netfilter.h:301 [inline]
>  ipv6_rcv+0x28e/0x3c0 net/ipv6/ip6_input.c:307
>  __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5287
>  __netif_receive_skb+0x27/0x1c0 net/core/dev.c:5401
>  netif_receive_skb_internal net/core/dev.c:5503 [inline]
>  netif_receive_skb+0x159/0x990 net/core/dev.c:5562
>  tun_rx_batched.isra.0+0x460/0x720 drivers/net/tun.c:1518
>  tun_get_user+0x23b2/0x35b0 drivers/net/tun.c:1972
>  tun_chr_write_iter+0xba/0x151 drivers/net/tun.c:2001
>  call_write_iter include/linux/fs.h:1879 [inline]
>  new_sync_write+0x422/0x650 fs/read_write.c:515
>  vfs_write+0x59d/0x6b0 fs/read_write.c:595
>  ksys_write+0x12d/0x250 fs/read_write.c:648
>  do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> RIP: 0033:0x403d50
> Code: Bad RIP value.
> RSP: 002b:00007ffe8fe93368 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000403d50
> RDX: 000000000000005e RSI: 00000000200007c0 RDI: 00000000000000f0
> RBP: 00007ffe8fe93390 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffe8fe93380
> R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
> Allocated by task 6811:
>  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
>  kasan_set_track mm/kasan/common.c:56 [inline]
>  __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:461
>  __do_kmalloc mm/slab.c:3655 [inline]
>  __kmalloc+0x1a8/0x320 mm/slab.c:3664
>  kmalloc include/linux/slab.h:559 [inline]
>  kzalloc include/linux/slab.h:666 [inline]
>  tomoyo_init_log+0x1335/0x1e50 security/tomoyo/audit.c:275
>  tomoyo_supervisor+0x32f/0xeb0 security/tomoyo/common.c:2097
>  tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline]
>  tomoyo_path_number_perm+0x3ed/0x4d0 security/tomoyo/file.c:734
>  security_file_ioctl+0x50/0xb0 security/security.c:1489
>  ksys_ioctl+0x50/0x180 fs/ioctl.c:747
>  __do_sys_ioctl fs/ioctl.c:762 [inline]
>  __se_sys_ioctl fs/ioctl.c:760 [inline]
>  __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
>  do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> Freed by task 6811:
>  kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
>  kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
>  kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
>  __kasan_slab_free+0xd8/0x120 mm/kasan/common.c:422
>  __cache_free mm/slab.c:3418 [inline]
>  kfree+0x103/0x2c0 mm/slab.c:3756
>  tomoyo_supervisor+0x350/0xeb0 security/tomoyo/common.c:2149
>  tomoyo_audit_path_number_log security/tomoyo/file.c:235 [inline]
>  tomoyo_path_number_perm+0x3ed/0x4d0 security/tomoyo/file.c:734
>  security_file_ioctl+0x50/0xb0 security/security.c:1489
>  ksys_ioctl+0x50/0x180 fs/ioctl.c:747
>  __do_sys_ioctl fs/ioctl.c:762 [inline]
>  __se_sys_ioctl fs/ioctl.c:760 [inline]
>  __x64_sys_ioctl+0x6f/0xb0 fs/ioctl.c:760
>  do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:384
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> The buggy address belongs to the object at ffff888093457800
>  which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 168 bytes inside of
>  512-byte region [ffff888093457800, ffff888093457a00)
> The buggy address belongs to the page:
> page:000000005c2b5911 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x93457
> flags: 0xfffe0000000200(slab)
> raw: 00fffe0000000200 ffffea00028d4308 ffffea0002834c88 ffff8880aa000600
> raw: 0000000000000000 ffff888093457000 0000000100000004 0000000000000000
> page dumped because: kasan: bad access detected
> Memory state around the buggy address:
>  ffff888093457780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff888093457800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888093457880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>                                   ^
>  ffff888093457900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  ffff888093457980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================