From: syzbot <syzbot+85490c30c260afff22f2@syzkaller.appspotmail.com>
To: davem@davemloft.net, linux-kernel@vger.kernel.org,
linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
nhorman@tuxdriver.com, syzkaller-bugs@googlegroups.com,
vyasevich@gmail.com
Subject: KMSAN: uninit-value in __sctp_v6_cmp_addr
Date: Tue, 15 May 2018 09:25:01 -0700 [thread overview]
Message-ID: <0000000000004f4075056c410b96@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: 74ee2200b89f kmsan: bump .config.example to v4.17-rc3
git tree: https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x=169efb5b800000
kernel config: https://syzkaller.appspot.com/x/.config?x=4ca1e57bafa8ab1f
dashboard link: https://syzkaller.appspot.com/bug?extid=85490c30c260afff22f2
compiler: clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=157e9237800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10fe5de7800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+85490c30c260afff22f2@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
==================================================================
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x49a/0x850
net/sctp/ipv6.c:580
CPU: 0 PID: 4453 Comm: syz-executor325 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
__sctp_v6_cmp_addr+0x49a/0x850 net/sctp/ipv6.c:580
sctp_inet6_cmp_addr+0x3dc/0x400 net/sctp/ipv6.c:898
sctp_bind_addr_match+0x18b/0x2f0 net/sctp/bind_addr.c:330
sctp_addrs_lookup_transport+0x904/0xa20 net/sctp/input.c:942
__sctp_lookup_association net/sctp/input.c:985 [inline]
__sctp_rcv_lookup net/sctp/input.c:1249 [inline]
sctp_rcv+0x15e6/0x4d30 net/sctp/input.c:170
ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:450 [inline]
ip_rcv_finish+0xa36/0x1d00 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0x118f/0x16d0 net/ipv4/ip_input.c:492
__netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4592
__netif_receive_skb net/core/dev.c:4657 [inline]
process_backlog+0x62d/0xe20 net/core/dev.c:5337
napi_poll net/core/dev.c:5735 [inline]
net_rx_action+0x7c1/0x1a70 net/core/dev.c:5801
__do_softirq+0x56d/0x93d kernel/softirq.c:285
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
</IRQ>
do_softirq kernel/softirq.c:329 [inline]
__local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
ip_finish_output2+0x135a/0x1470 net/ipv4/ip_output.c:231
ip_finish_output+0xcb2/0xff0 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:277 [inline]
ip_output+0x505/0x5d0 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:444 [inline]
ip_local_out net/ipv4/ip_output.c:124 [inline]
ip_queue_xmit+0x1a1e/0x1d10 net/ipv4/ip_output.c:504
sctp_v4_xmit+0x188/0x210 net/sctp/protocol.c:983
sctp_packet_transmit+0x3eaa/0x4350 net/sctp/output.c:650
sctp_outq_flush+0x1a7a/0x6320 net/sctp/outqueue.c:1197
sctp_outq_uncork+0xd2/0xf0 net/sctp/outqueue.c:776
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
sctp_do_sm+0x8707/0x8d20 net/sctp/sm_sideeffect.c:1191
sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:200
sctp_apply_peer_addr_params+0x207/0x1670 net/sctp/socket.c:2487
sctp_setsockopt_peer_addr_params net/sctp/socket.c:2683 [inline]
sctp_setsockopt+0x10e5f/0x11600 net/sctp/socket.c:4258
sock_common_setsockopt+0x136/0x170 net/core/sock.c:3039
__sys_setsockopt+0x4af/0x560 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fef9
RSP: 002b:00007ffc00d9bfd8 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9
RDX: 0000000000000009 RSI: 0000000000000084 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000098 R09: 000000000000001c
R10: 0000000020000180 R11: 0000000000000207 R12: 0000000000401820
R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000
Local variable description: ----dest@sctp_rcv
Variable was created at:
sctp_rcv+0x13d/0x4d30 net/sctp/input.c:97
ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
==================================================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
WARNING: multiple messages have this Message-ID (diff)
From: syzbot <syzbot+85490c30c260afff22f2@syzkaller.appspotmail.com>
To: davem@davemloft.net, linux-kernel@vger.kernel.org,
linux-sctp@vger.kernel.org, netdev@vger.kernel.org,
nhorman@tuxdriver.com, syzkaller-bugs@googlegroups.com,
vyasevich@gmail.com
Subject: KMSAN: uninit-value in __sctp_v6_cmp_addr
Date: Tue, 15 May 2018 16:25:01 +0000 [thread overview]
Message-ID: <0000000000004f4075056c410b96@google.com> (raw)
Hello,
syzbot found the following crash on:
HEAD commit: 74ee2200b89f kmsan: bump .config.example to v4.17-rc3
git tree: https://github.com/google/kmsan.git/master
console output: https://syzkaller.appspot.com/x/log.txt?x\x169efb5b800000
kernel config: https://syzkaller.appspot.com/x/.config?xLa1e57bafa8ab1f
dashboard link: https://syzkaller.appspot.com/bug?extid…490c30c260afff22f2
compiler: clang version 7.0.0 (trunk 329391)
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x\x157e9237800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x\x10fe5de7800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+85490c30c260afff22f2@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
=================================
BUG: KMSAN: uninit-value in __sctp_v6_cmp_addr+0x49a/0x850
net/sctp/ipv6.c:580
CPU: 0 PID: 4453 Comm: syz-executor325 Not tainted 4.17.0-rc3+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:113
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
__sctp_v6_cmp_addr+0x49a/0x850 net/sctp/ipv6.c:580
sctp_inet6_cmp_addr+0x3dc/0x400 net/sctp/ipv6.c:898
sctp_bind_addr_match+0x18b/0x2f0 net/sctp/bind_addr.c:330
sctp_addrs_lookup_transport+0x904/0xa20 net/sctp/input.c:942
__sctp_lookup_association net/sctp/input.c:985 [inline]
__sctp_rcv_lookup net/sctp/input.c:1249 [inline]
sctp_rcv+0x15e6/0x4d30 net/sctp/input.c:170
ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:256
dst_input include/net/dst.h:450 [inline]
ip_rcv_finish+0xa36/0x1d00 net/ipv4/ip_input.c:396
NF_HOOK include/linux/netfilter.h:288 [inline]
ip_rcv+0x118f/0x16d0 net/ipv4/ip_input.c:492
__netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4592
__netif_receive_skb net/core/dev.c:4657 [inline]
process_backlog+0x62d/0xe20 net/core/dev.c:5337
napi_poll net/core/dev.c:5735 [inline]
net_rx_action+0x7c1/0x1a70 net/core/dev.c:5801
__do_softirq+0x56d/0x93d kernel/softirq.c:285
do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1046
</IRQ>
do_softirq kernel/softirq.c:329 [inline]
__local_bh_enable_ip+0x114/0x140 kernel/softirq.c:182
local_bh_enable+0x36/0x40 include/linux/bottom_half.h:32
rcu_read_unlock_bh include/linux/rcupdate.h:728 [inline]
ip_finish_output2+0x135a/0x1470 net/ipv4/ip_output.c:231
ip_finish_output+0xcb2/0xff0 net/ipv4/ip_output.c:317
NF_HOOK_COND include/linux/netfilter.h:277 [inline]
ip_output+0x505/0x5d0 net/ipv4/ip_output.c:405
dst_output include/net/dst.h:444 [inline]
ip_local_out net/ipv4/ip_output.c:124 [inline]
ip_queue_xmit+0x1a1e/0x1d10 net/ipv4/ip_output.c:504
sctp_v4_xmit+0x188/0x210 net/sctp/protocol.c:983
sctp_packet_transmit+0x3eaa/0x4350 net/sctp/output.c:650
sctp_outq_flush+0x1a7a/0x6320 net/sctp/outqueue.c:1197
sctp_outq_uncork+0xd2/0xf0 net/sctp/outqueue.c:776
sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1820 [inline]
sctp_side_effects net/sctp/sm_sideeffect.c:1220 [inline]
sctp_do_sm+0x8707/0x8d20 net/sctp/sm_sideeffect.c:1191
sctp_primitive_REQUESTHEARTBEAT+0x175/0x1a0 net/sctp/primitive.c:200
sctp_apply_peer_addr_params+0x207/0x1670 net/sctp/socket.c:2487
sctp_setsockopt_peer_addr_params net/sctp/socket.c:2683 [inline]
sctp_setsockopt+0x10e5f/0x11600 net/sctp/socket.c:4258
sock_common_setsockopt+0x136/0x170 net/core/sock.c:3039
__sys_setsockopt+0x4af/0x560 net/socket.c:1903
__do_sys_setsockopt net/socket.c:1914 [inline]
__se_sys_setsockopt net/socket.c:1911 [inline]
__x64_sys_setsockopt+0x15c/0x1c0 net/socket.c:1911
do_syscall_64+0x154/0x220 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43fef9
RSP: 002b:00007ffc00d9bfd8 EFLAGS: 00000207 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fef9
RDX: 0000000000000009 RSI: 0000000000000084 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000000000098 R09: 000000000000001c
R10: 0000000020000180 R11: 0000000000000207 R12: 0000000000401820
R13: 00000000004018b0 R14: 0000000000000000 R15: 0000000000000000
Local variable description: ----dest@sctp_rcv
Variable was created at:
sctp_rcv+0x13d/0x4d30 net/sctp/input.c:97
ip_local_deliver_finish+0x874/0xec0 net/ipv4/ip_input.c:215
=================================
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
next reply other threads:[~2018-05-15 16:25 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-15 16:25 syzbot [this message]
2018-05-15 16:25 ` KMSAN: uninit-value in __sctp_v6_cmp_addr syzbot
2018-05-16 7:17 ` Xin Long
2018-05-16 7:17 ` Xin Long
2018-05-16 9:08 ` Alexander Potapenko
2018-05-16 9:08 ` Alexander Potapenko
2018-05-16 9:42 ` Alexander Potapenko
2018-05-16 9:42 ` Alexander Potapenko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0000000000004f4075056c410b96@google.com \
--to=syzbot+85490c30c260afff22f2@syzkaller.appspotmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=vyasevich@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.