linux-kernel.vger.kernel.org archive mirror
* Re: KASAN: slab-out-of-bounds Read in _decode_session6
@ 2018-09-21  6:21 Alexei Starovoitov
  2018-09-21  8:53 ` Dmitry Vyukov
  0 siblings, 1 reply; 8+ messages in thread
From: Alexei Starovoitov @ 2018-09-21  6:21 UTC (permalink / raw)
  To: Dmitry Vyukov
  Cc: Eric Dumazet, syzbot, Alexei Starovoitov, Daniel Borkmann,
	David Miller, Herbert Xu, Alexey Kuznetsov, LKML, netdev,
	Steffen Klassert, syzkaller-bugs, Hideaki YOSHIFUJI

On Thu, Sep 6, 2018 at 12:17 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>
>> but I have a hard time reproducing the issue, so will appreciate
>> if somebody can test the following patch:
>
> syzbot can:
> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

was the patch tested?

it seems to me syzbot doesn't care about kernel quality but rather
about the number of issues syzbot can find.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: KASAN: slab-out-of-bounds Read in _decode_session6
  2018-09-21  6:21 KASAN: slab-out-of-bounds Read in _decode_session6 Alexei Starovoitov
@ 2018-09-21  8:53 ` Dmitry Vyukov
  0 siblings, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2018-09-21  8:53 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: Eric Dumazet, syzbot, Alexei Starovoitov, Daniel Borkmann,
	David Miller, Herbert Xu, Alexey Kuznetsov, LKML, netdev,
	Steffen Klassert, syzkaller-bugs, Hideaki YOSHIFUJI

On Fri, Sep 21, 2018 at 8:21 AM, Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
> On Thu, Sep 6, 2018 at 12:17 PM, Dmitry Vyukov <dvyukov@google.com> wrote:
>>
>>> but I have a hard time reproducing the issue, so will appreciate
>>> if somebody can test the following patch:
>>
>> syzbot can:
>> https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches
>
> was the patch tested?

Hi Alexei,

syzbot tests patches on request. I don't see that anybody requested any
testing for this bug. When testing is requested, syzbot replies with
results, generally within 30 mins. You can read more about patch
testing here:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches

> it seems to me syzbot doesn't care about kernel quality but rather
> about the number of issues syzbot can find.

Finding and reporting bugs is a prerequisite for fixing them and
improving kernel quality. syzbot simply automates that part of the bug
handling process, something that otherwise would need to be done by
kernel developers. But active developer involvement and interest are
still required, as not all parts are automatable.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: KASAN: slab-out-of-bounds Read in _decode_session6
  2018-09-06 17:27     ` Alexei Starovoitov
@ 2018-09-06 19:17       ` Dmitry Vyukov
  0 siblings, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2018-09-06 19:17 UTC (permalink / raw)
  To: Alexei Starovoitov
  Cc: Eric Dumazet, syzbot, Alexei Starovoitov, Daniel Borkmann,
	David Miller, Herbert Xu, Alexey Kuznetsov, LKML, netdev,
	Steffen Klassert, syzkaller-bugs, Hideaki YOSHIFUJI

On Thu, Sep 6, 2018 at 7:27 PM, Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
> On Thu, Sep 06, 2018 at 12:00:26AM -0700, Eric Dumazet wrote:
>>
>>
>> On 09/05/2018 08:17 PM, syzbot wrote:
>> > syzbot has found a reproducer for the following crash on:
>> >
>> > HEAD commit:    b36fdc6853a3 Merge tag 'gpio-v4.19-2' of git://git.kernel...
>> > git tree:       upstream
>> > console output: https://syzkaller.appspot.com/x/log.txt?x=164938d1400000
>> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4c7e83258d6e0156
>> > dashboard link: https://syzkaller.appspot.com/bug?extid=acffccec848dc13fe459
>> > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=115f172e400000
>> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16399be1400000
>> >
>> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> > Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com
>> >
>> > IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
>> > IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
>> > IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
>> > 8021q: adding VLAN 0 to HW filter on device team0
>> > ==================================================================
>> > BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
>> > Read of size 1 at addr ffff8801d4a67f07 by task syz-executor092/4673
>> >
>> > CPU: 1 PID: 4673 Comm: syz-executor092 Not tainted 4.19.0-rc2+ #223
>> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
>> > Call Trace:
>> >  __dump_stack lib/dump_stack.c:77 [inline]
>> >  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
>> >  print_address_description+0x6c/0x20b mm/kasan/report.c:256
>> >  kasan_report_error mm/kasan/report.c:354 [inline]
>> >  kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
>> >  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
>> >  _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
>> >  __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
>> >  xfrm_decode_session include/net/xfrm.h:1232 [inline]
>> >  vti6_tnl_xmit+0x3fc/0x1bb1 net/ipv6/ip6_vti.c:542
>> >  __netdev_start_xmit include/linux/netdevice.h:4287 [inline]
>> >  netdev_start_xmit include/linux/netdevice.h:4296 [inline]
>> >  xmit_one net/core/dev.c:3216 [inline]
>> >  dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3232
>> >  __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3802
>> >  dev_queue_xmit+0x17/0x20 net/core/dev.c:3835
>> >  __bpf_tx_skb net/core/filter.c:2012 [inline]
>> >  __bpf_redirect_common net/core/filter.c:2050 [inline]
>> >  __bpf_redirect+0x5b7/0xae0 net/core/filter.c:2057
>> >  ____bpf_clone_redirect net/core/filter.c:2090 [inline]
>> >  bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2062
>> >  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
>> >
>> > Allocated by task 4673:
>> >  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>> >  set_track mm/kasan/kasan.c:460 [inline]
>> >  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
>> >  __do_kmalloc_node mm/slab.c:3682 [inline]
>> >  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
>> >  __kmalloc_reserve.isra.41+0x3a/0xe0 net/core/skbuff.c:137
>> >  pskb_expand_head+0x230/0x10e0 net/core/skbuff.c:1463
>> >  skb_ensure_writable+0x3dd/0x640 net/core/skbuff.c:5129
>> >  __bpf_try_make_writable net/core/filter.c:1633 [inline]
>> >  bpf_try_make_writable net/core/filter.c:1639 [inline]
>> >  bpf_try_make_head_writable net/core/filter.c:1647 [inline]
>> >  ____bpf_clone_redirect net/core/filter.c:2084 [inline]
>> >  bpf_clone_redirect+0x14a/0x490 net/core/filter.c:2062
>> >  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
>> >
>> > Freed by task 3286:
>> >  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>> >  set_track mm/kasan/kasan.c:460 [inline]
>> >  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
>> >  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
>> >  __cache_free mm/slab.c:3498 [inline]
>> >  kfree+0xd9/0x210 mm/slab.c:3813
>> >  load_elf_binary+0x2569/0x5610 fs/binfmt_elf.c:1118
>> >  search_binary_handler+0x17d/0x570 fs/exec.c:1653
>> >  exec_binprm fs/exec.c:1695 [inline]
>> >  __do_execve_file.isra.35+0x15ff/0x2460 fs/exec.c:1819
>> >  do_execveat_common fs/exec.c:1866 [inline]
>> >  do_execve fs/exec.c:1883 [inline]
>> >  __do_sys_execve fs/exec.c:1964 [inline]
>> >  __se_sys_execve fs/exec.c:1959 [inline]
>> >  __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
>> >  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
>> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>> >
>> > The buggy address belongs to the object at ffff8801d4a67d00
>> >  which belongs to the cache kmalloc-512 of size 512
>> > The buggy address is located 7 bytes to the right of
>> >  512-byte region [ffff8801d4a67d00, ffff8801d4a67f00)
>> > The buggy address belongs to the page:
>> > page:ffffea00075299c0 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
>> > flags: 0x2fffc0000000100(slab)
>> > raw: 02fffc0000000100 ffffea0007529988 ffffea0007529a48 ffff8801dac00940
>> > raw: 0000000000000000 ffff8801d4a67080 0000000100000006 0000000000000000
>> > page dumped because: kasan: bad access detected
>> >
>> > Memory state around the buggy address:
>> >  ffff8801d4a67e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> >  ffff8801d4a67e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> >> ffff8801d4a67f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> >                    ^
>> >  ffff8801d4a67f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>> >  ffff8801d4a68000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> > ==================================================================
>> >
>>
>>
>> What about :
>>
>> diff --git a/net/core/filter.c b/net/core/filter.c
>> index aecdeba052d3f0ff3d4f0a33ec36891f9738052c..a662f59786bd0677850c1c60a2c92faa6fb6c5bb 100644
>> --- a/net/core/filter.c
>> +++ b/net/core/filter.c
>> @@ -2081,7 +2081,7 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
>>          * here, we need to free the just generated clone to unclone once
>>          * again.
>>          */
>> -       ret = bpf_try_make_head_writable(skb);
>> +       ret = bpf_try_make_head_writable(clone);
>
> This part is fine. I think the bug is in _decode_session6,

Eric, you arrived at roughly the same conclusion, right?

> but I have a hard time reproducing the issue, so will appreciate
> if somebody can test the following patch:

syzbot can:
https://github.com/google/syzkaller/blob/master/docs/syzbot.md#testing-patches


> From 291f80f212461670d1e0140d06eee3071cf3e1ee Mon Sep 17 00:00:00 2001
> From: Alexei Starovoitov <ast@kernel.org>
> Date: Thu, 6 Sep 2018 10:23:29 -0700
> Subject: [PATCH] net/xfrm: fix out-of-bounds packet access
>
> BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
> net/ipv6/xfrm6_policy.c:161
> Read of size 1 at addr ffff8801d882eec7 by task syz-executor1/6667
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
>   print_address_description+0x6c/0x20b mm/kasan/report.c:256
>   kasan_report_error mm/kasan/report.c:354 [inline]
>   kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
>   __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
>   _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
>   __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
>   xfrm_decode_session include/net/xfrm.h:1232 [inline]
>   vti6_tnl_xmit+0x3c3/0x1bc1 net/ipv6/ip6_vti.c:542
>   __netdev_start_xmit include/linux/netdevice.h:4313 [inline]
>   netdev_start_xmit include/linux/netdevice.h:4322 [inline]
>   xmit_one net/core/dev.c:3217 [inline]
>   dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3233
>   __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3803
>   dev_queue_xmit+0x17/0x20 net/core/dev.c:3836
>
> Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> ---
>  net/ipv6/xfrm6_policy.c | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
> index ef3defaf43b9..d35bcf92969c 100644
> --- a/net/ipv6/xfrm6_policy.c
> +++ b/net/ipv6/xfrm6_policy.c
> @@ -146,8 +146,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
>         fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
>         fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
>
> -       while (nh + offset + 1 < skb->data ||
> -              pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
> +       while (nh + offset + sizeof(*exthdr) < skb->data ||
> +              pskb_may_pull(skb, nh + offset + sizeof(*exthdr) - skb->data)) {
>                 nh = skb_network_header(skb);
>                 exthdr = (struct ipv6_opt_hdr *)(nh + offset);
>
> --
> 2.17.1
>
> --
> You received this message because you are subscribed to the Google Groups "syzkaller-bugs" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to syzkaller-bugs+unsubscribe@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/syzkaller-bugs/20180906172713.cxjoazoo7asqggb3%40ast-mbp.dhcp.thefacebook.com.
> For more options, visit https://groups.google.com/d/optout.

^ permalink raw reply	[flat|nested] 8+ messages in thread

* Re: KASAN: slab-out-of-bounds Read in _decode_session6
  2018-09-06  7:00   ` Eric Dumazet
@ 2018-09-06 17:27     ` Alexei Starovoitov
  2018-09-06 19:17       ` Dmitry Vyukov
  0 siblings, 1 reply; 8+ messages in thread
From: Alexei Starovoitov @ 2018-09-06 17:27 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: syzbot, ast, daniel, davem, dvyukov, herbert, kuznet,
	linux-kernel, netdev, steffen.klassert, syzkaller-bugs, yoshfuji

On Thu, Sep 06, 2018 at 12:00:26AM -0700, Eric Dumazet wrote:
> 
> 
> On 09/05/2018 08:17 PM, syzbot wrote:
> > syzbot has found a reproducer for the following crash on:
> > 
> > HEAD commit:    b36fdc6853a3 Merge tag 'gpio-v4.19-2' of git://git.kernel...
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=164938d1400000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4c7e83258d6e0156
> > dashboard link: https://syzkaller.appspot.com/bug?extid=acffccec848dc13fe459
> > compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=115f172e400000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16399be1400000
> > 
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com
> > 
> > IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
> > IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
> > IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
> > 8021q: adding VLAN 0 to HW filter on device team0
> > ==================================================================
> > BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
> > Read of size 1 at addr ffff8801d4a67f07 by task syz-executor092/4673
> > 
> > CPU: 1 PID: 4673 Comm: syz-executor092 Not tainted 4.19.0-rc2+ #223
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > Call Trace:
> >  __dump_stack lib/dump_stack.c:77 [inline]
> >  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
> >  print_address_description+0x6c/0x20b mm/kasan/report.c:256
> >  kasan_report_error mm/kasan/report.c:354 [inline]
> >  kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
> >  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
> >  _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
> >  __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
> >  xfrm_decode_session include/net/xfrm.h:1232 [inline]
> >  vti6_tnl_xmit+0x3fc/0x1bb1 net/ipv6/ip6_vti.c:542
> >  __netdev_start_xmit include/linux/netdevice.h:4287 [inline]
> >  netdev_start_xmit include/linux/netdevice.h:4296 [inline]
> >  xmit_one net/core/dev.c:3216 [inline]
> >  dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3232
> >  __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3802
> >  dev_queue_xmit+0x17/0x20 net/core/dev.c:3835
> >  __bpf_tx_skb net/core/filter.c:2012 [inline]
> >  __bpf_redirect_common net/core/filter.c:2050 [inline]
> >  __bpf_redirect+0x5b7/0xae0 net/core/filter.c:2057
> >  ____bpf_clone_redirect net/core/filter.c:2090 [inline]
> >  bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2062
> >  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
> > 
> > Allocated by task 4673:
> >  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
> >  set_track mm/kasan/kasan.c:460 [inline]
> >  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
> >  __do_kmalloc_node mm/slab.c:3682 [inline]
> >  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
> >  __kmalloc_reserve.isra.41+0x3a/0xe0 net/core/skbuff.c:137
> >  pskb_expand_head+0x230/0x10e0 net/core/skbuff.c:1463
> >  skb_ensure_writable+0x3dd/0x640 net/core/skbuff.c:5129
> >  __bpf_try_make_writable net/core/filter.c:1633 [inline]
> >  bpf_try_make_writable net/core/filter.c:1639 [inline]
> >  bpf_try_make_head_writable net/core/filter.c:1647 [inline]
> >  ____bpf_clone_redirect net/core/filter.c:2084 [inline]
> >  bpf_clone_redirect+0x14a/0x490 net/core/filter.c:2062
> >  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
> > 
> > Freed by task 3286:
> >  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
> >  set_track mm/kasan/kasan.c:460 [inline]
> >  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
> >  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
> >  __cache_free mm/slab.c:3498 [inline]
> >  kfree+0xd9/0x210 mm/slab.c:3813
> >  load_elf_binary+0x2569/0x5610 fs/binfmt_elf.c:1118
> >  search_binary_handler+0x17d/0x570 fs/exec.c:1653
> >  exec_binprm fs/exec.c:1695 [inline]
> >  __do_execve_file.isra.35+0x15ff/0x2460 fs/exec.c:1819
> >  do_execveat_common fs/exec.c:1866 [inline]
> >  do_execve fs/exec.c:1883 [inline]
> >  __do_sys_execve fs/exec.c:1964 [inline]
> >  __se_sys_execve fs/exec.c:1959 [inline]
> >  __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
> >  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > 
> > The buggy address belongs to the object at ffff8801d4a67d00
> >  which belongs to the cache kmalloc-512 of size 512
> > The buggy address is located 7 bytes to the right of
> >  512-byte region [ffff8801d4a67d00, ffff8801d4a67f00)
> > The buggy address belongs to the page:
> > page:ffffea00075299c0 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
> > flags: 0x2fffc0000000100(slab)
> > raw: 02fffc0000000100 ffffea0007529988 ffffea0007529a48 ffff8801dac00940
> > raw: 0000000000000000 ffff8801d4a67080 0000000100000006 0000000000000000
> > page dumped because: kasan: bad access detected
> > 
> > Memory state around the buggy address:
> >  ffff8801d4a67e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >  ffff8801d4a67e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> >> ffff8801d4a67f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >                    ^
> >  ffff8801d4a67f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> >  ffff8801d4a68000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> > ==================================================================
> > 
> 
> 
> What about :
> 
> diff --git a/net/core/filter.c b/net/core/filter.c
> index aecdeba052d3f0ff3d4f0a33ec36891f9738052c..a662f59786bd0677850c1c60a2c92faa6fb6c5bb 100644
> --- a/net/core/filter.c
> +++ b/net/core/filter.c
> @@ -2081,7 +2081,7 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
>          * here, we need to free the just generated clone to unclone once
>          * again.
>          */
> -       ret = bpf_try_make_head_writable(skb);
> +       ret = bpf_try_make_head_writable(clone);

This part is fine. I think the bug is in _decode_session6,
but I have a hard time reproducing the issue, so will appreciate
if somebody can test the following patch:

From 291f80f212461670d1e0140d06eee3071cf3e1ee Mon Sep 17 00:00:00 2001
From: Alexei Starovoitov <ast@kernel.org>
Date: Thu, 6 Sep 2018 10:23:29 -0700
Subject: [PATCH] net/xfrm: fix out-of-bounds packet access

BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0
net/ipv6/xfrm6_policy.c:161
Read of size 1 at addr ffff8801d882eec7 by task syz-executor1/6667
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
  print_address_description+0x6c/0x20b mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
  _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
  __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
  xfrm_decode_session include/net/xfrm.h:1232 [inline]
  vti6_tnl_xmit+0x3c3/0x1bc1 net/ipv6/ip6_vti.c:542
  __netdev_start_xmit include/linux/netdevice.h:4313 [inline]
  netdev_start_xmit include/linux/netdevice.h:4322 [inline]
  xmit_one net/core/dev.c:3217 [inline]
  dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3233
  __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3803
  dev_queue_xmit+0x17/0x20 net/core/dev.c:3836

Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 net/ipv6/xfrm6_policy.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/ipv6/xfrm6_policy.c b/net/ipv6/xfrm6_policy.c
index ef3defaf43b9..d35bcf92969c 100644
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -146,8 +146,8 @@ _decode_session6(struct sk_buff *skb, struct flowi *fl, int reverse)
 	fl6->daddr = reverse ? hdr->saddr : hdr->daddr;
 	fl6->saddr = reverse ? hdr->daddr : hdr->saddr;
 
-	while (nh + offset + 1 < skb->data ||
-	       pskb_may_pull(skb, nh + offset + 1 - skb->data)) {
+	while (nh + offset + sizeof(*exthdr) < skb->data ||
+	       pskb_may_pull(skb, nh + offset + sizeof(*exthdr) - skb->data)) {
 		nh = skb_network_header(skb);
 		exthdr = (struct ipv6_opt_hdr *)(nh + offset);
 
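Review bot: the new loop condition pulls sizeof(*exthdr) bytes at nh + offset before the body casts that address to struct ipv6_opt_hdr *, whereas the old "+ 1" only guaranteed the first byte of that header was in the linear area, so the read of the header's second byte (the length the loop needs to advance offset) could land past the end of the skb data; that is consistent with the report's 1-byte read 7 bytes beyond a kmalloc-512 region. Two things to fix before this goes in: the commit message is a pasted KASAN splat with no sentence stating what was wrong (a one-byte pull for a header the body reads in full) and carries no Fixes: tag next to the Reported-by:; and, since Alexei says he cannot reproduce locally, the patch should be put through the syzbot patch-testing flow Dmitry links later in the thread so the reproducer confirms the splat is gone rather than merely moved.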
-- 
2.17.1


^ permalink raw reply related	[flat|nested] 8+ messages in thread
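The one-line condition Alexei's patch changes is the only place this header walk checks that data is linear before the loop body dereferences the extension header. The C program below is an added example written for this archive page, not code from the thread or from the kernel: it models the walk in user space over a constructed packet buffer, with a stand-in may_pull() for pskb_may_pull() and a need parameter that is 1 for the original condition and sizeof(struct opt_hdr) for the patched one. The names opt_hdr, pkt, may_pull, walk_exthdrs, demo_truncated and demo_complete are hypothetical, and the sample bytes are constructed. On a chain whose last extension header is cut off after its first byte, the 1-byte check lets the body reach the length field past the end of the buffer (reported here as WALK_OOB rather than performed), while the 2-byte check ends the loop cleanly.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical user-space model of the extension-header walk; none of
 * these names are kernel APIs. */

/* Same layout as the kernel's struct ipv6_opt_hdr: next header, then the
 * header length in 8-octet units not counting the first 8 octets. */
struct opt_hdr {
    uint8_t nexthdr;
    uint8_t hdrlen;
};

/* Toy packet: 'len' bytes of linear data, network header at offset 0. */
struct pkt {
    const uint8_t *data;
    size_t len;
};

enum { NEXTHDR_HOP = 0, NEXTHDR_TCP = 6, NEXTHDR_DEST = 60 };

/* Stand-in for pskb_may_pull(): true iff the first n bytes are linear. */
static int may_pull(const struct pkt *p, size_t n)
{
    return n <= p->len;
}

/* Result codes for walk_exthdrs(). */
enum { WALK_END = -1, WALK_OOB = -2 };

/* Walk the extension-header chain. 'need' is how many bytes past offset
 * the loop condition demands before the body touches exthdr: 1 models the
 * original condition, sizeof(struct opt_hdr) models the patched one.
 * Returns the upper-layer protocol number, WALK_END when the chain runs
 * out of data, or WALK_OOB where the kernel would have read past the
 * buffer (the access KASAN flagged). */
static int walk_exthdrs(const struct pkt *p, int nexthdr, size_t need)
{
    size_t offset = 0;

    while (may_pull(p, offset + need)) {
        if (nexthdr != NEXTHDR_HOP && nexthdr != NEXTHDR_DEST)
            return nexthdr;              /* reached the upper-layer header */

        /* The body reads both bytes of the option header. Rather than
         * performing an out-of-bounds read, report that it would happen. */
        if (offset + sizeof(struct opt_hdr) > p->len)
            return WALK_OOB;

        const struct opt_hdr *eh = (const struct opt_hdr *)(p->data + offset);
        nexthdr = eh->nexthdr;
        offset += ((size_t)eh->hdrlen + 1) * 8;   /* what ipv6_optlen() yields */
    }
    return WALK_END;
}

/* Constructed sample 1: a hop-by-hop header followed by a destination-options
 * header that is cut off after its first byte (the nexthdr field). */
static int demo_truncated(size_t need)
{
    static const uint8_t data[] = {
        NEXTHDR_DEST, 0, 1, 0, 0, 0, 0, 0,  /* HOP: next=DEST, hdrlen=0, PadN fill */
        NEXTHDR_TCP,                         /* DEST: next=TCP, hdrlen byte missing */
    };
    struct pkt p = { data, sizeof data };
    return walk_exthdrs(&p, NEXTHDR_HOP, need);
}

/* Constructed sample 2: the same chain, complete, ending in a TCP header. */
static int demo_complete(size_t need)
{
    static const uint8_t data[] = {
        NEXTHDR_DEST, 0, 1, 0, 0, 0, 0, 0,  /* HOP: next=DEST, hdrlen=0 */
        NEXTHDR_TCP,  0, 1, 0, 0, 0, 0, 0,  /* DEST: next=TCP, hdrlen=0 */
        0x00, 0x50, 0x1f, 0x90,             /* first bytes of the TCP header */
    };
    struct pkt p = { data, sizeof data };
    return walk_exthdrs(&p, NEXTHDR_HOP, need);
}

int main(void)
{
    printf("truncated chain, need=1: %d (WALK_OOB: body reads past buffer)\n",
           demo_truncated(1));
    printf("truncated chain, need=2: %d (WALK_END: loop stops safely)\n",
           demo_truncated(2));
    printf("complete chain,  need=1: %d (TCP)\n", demo_complete(1));
    printf("complete chain,  need=2: %d (TCP)\n", demo_complete(2));
    return 0;
}
```

Compile with `cc -std=c99` and run. The general lesson, which goes slightly beyond the single hunk in the thread, is that the length handed to the pull check must cover every field the loop body reads from the cast struct, not just its first byte; a check that is one byte short is invisible on well-formed packets and only shows up on a truncated chain, which is exactly the kind of input a fuzzer finds.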

* Re: KASAN: slab-out-of-bounds Read in _decode_session6
  2018-09-06  3:17 ` syzbot
@ 2018-09-06  7:00   ` Eric Dumazet
  2018-09-06 17:27     ` Alexei Starovoitov
  0 siblings, 1 reply; 8+ messages in thread
From: Eric Dumazet @ 2018-09-06  7:00 UTC (permalink / raw)
  To: syzbot, ast, daniel, davem, dvyukov, herbert, kuznet,
	linux-kernel, netdev, steffen.klassert, syzkaller-bugs, yoshfuji



On 09/05/2018 08:17 PM, syzbot wrote:
> syzbot has found a reproducer for the following crash on:
> 
> HEAD commit:    b36fdc6853a3 Merge tag 'gpio-v4.19-2' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=164938d1400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4c7e83258d6e0156
> dashboard link: https://syzkaller.appspot.com/bug?extid=acffccec848dc13fe459
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=115f172e400000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16399be1400000
> 
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com
> 
> IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
> IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
> 8021q: adding VLAN 0 to HW filter on device team0
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
> Read of size 1 at addr ffff8801d4a67f07 by task syz-executor092/4673
> 
> CPU: 1 PID: 4673 Comm: syz-executor092 Not tainted 4.19.0-rc2+ #223
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
>  print_address_description+0x6c/0x20b mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
>  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
>  _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
>  __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
>  xfrm_decode_session include/net/xfrm.h:1232 [inline]
>  vti6_tnl_xmit+0x3fc/0x1bb1 net/ipv6/ip6_vti.c:542
>  __netdev_start_xmit include/linux/netdevice.h:4287 [inline]
>  netdev_start_xmit include/linux/netdevice.h:4296 [inline]
>  xmit_one net/core/dev.c:3216 [inline]
>  dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3232
>  __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3802
>  dev_queue_xmit+0x17/0x20 net/core/dev.c:3835
>  __bpf_tx_skb net/core/filter.c:2012 [inline]
>  __bpf_redirect_common net/core/filter.c:2050 [inline]
>  __bpf_redirect+0x5b7/0xae0 net/core/filter.c:2057
>  ____bpf_clone_redirect net/core/filter.c:2090 [inline]
>  bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2062
>  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
> 
> Allocated by task 4673:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>  set_track mm/kasan/kasan.c:460 [inline]
>  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
>  __do_kmalloc_node mm/slab.c:3682 [inline]
>  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
>  __kmalloc_reserve.isra.41+0x3a/0xe0 net/core/skbuff.c:137
>  pskb_expand_head+0x230/0x10e0 net/core/skbuff.c:1463
>  skb_ensure_writable+0x3dd/0x640 net/core/skbuff.c:5129
>  __bpf_try_make_writable net/core/filter.c:1633 [inline]
>  bpf_try_make_writable net/core/filter.c:1639 [inline]
>  bpf_try_make_head_writable net/core/filter.c:1647 [inline]
>  ____bpf_clone_redirect net/core/filter.c:2084 [inline]
>  bpf_clone_redirect+0x14a/0x490 net/core/filter.c:2062
>  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000
> 
> Freed by task 3286:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>  set_track mm/kasan/kasan.c:460 [inline]
>  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
>  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
>  __cache_free mm/slab.c:3498 [inline]
>  kfree+0xd9/0x210 mm/slab.c:3813
>  load_elf_binary+0x2569/0x5610 fs/binfmt_elf.c:1118
>  search_binary_handler+0x17d/0x570 fs/exec.c:1653
>  exec_binprm fs/exec.c:1695 [inline]
>  __do_execve_file.isra.35+0x15ff/0x2460 fs/exec.c:1819
>  do_execveat_common fs/exec.c:1866 [inline]
>  do_execve fs/exec.c:1883 [inline]
>  __do_sys_execve fs/exec.c:1964 [inline]
>  __se_sys_execve fs/exec.c:1959 [inline]
>  __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
>  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> 
> The buggy address belongs to the object at ffff8801d4a67d00
>  which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 7 bytes to the right of
>  512-byte region [ffff8801d4a67d00, ffff8801d4a67f00)
> The buggy address belongs to the page:
> page:ffffea00075299c0 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
> flags: 0x2fffc0000000100(slab)
> raw: 02fffc0000000100 ffffea0007529988 ffffea0007529a48 ffff8801dac00940
> raw: 0000000000000000 ffff8801d4a67080 0000000100000006 0000000000000000
> page dumped because: kasan: bad access detected
> 
> Memory state around the buggy address:
>  ffff8801d4a67e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff8801d4a67e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>> ffff8801d4a67f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>                    ^
>  ffff8801d4a67f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff8801d4a68000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
> 


What about :

diff --git a/net/core/filter.c b/net/core/filter.c
index aecdeba052d3f0ff3d4f0a33ec36891f9738052c..a662f59786bd0677850c1c60a2c92faa6fb6c5bb 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -2081,7 +2081,7 @@ BPF_CALL_3(bpf_clone_redirect, struct sk_buff *, skb, u32, ifindex, u64, flags)
         * here, we need to free the just generated clone to unclone once
         * again.
         */
-       ret = bpf_try_make_head_writable(skb);
+       ret = bpf_try_make_head_writable(clone);
        if (unlikely(ret)) {
                kfree_skb(clone);
                return -ENOMEM;
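Review bot: passing clone rather than skb to bpf_try_make_head_writable() is consistent with the surrounding code in this hunk: the comment above the call talks about freeing the just-generated clone to unclone it again, and the error path directly below frees clone and returns -ENOMEM, so the writability (and possible head reallocation, see pskb_expand_head under bpf_try_make_head_writable at net/core/filter.c:2084 in the allocation trace) was being applied to a different buffer from the one the rest of the function works on. As posted it is a bare "What about" with no commit message, no Fixes: tag and not the Reported-by: tag the report asks for; and because the faulting 1-byte read is in _decode_session6 at 7 bytes past a kmalloc-512 region, it should be run against the syzbot reproducer (the C reproducer link is in the quoted report) before being taken as the fix for this splat rather than a separate correctness fix.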

^ permalink raw reply related	[flat|nested] 8+ messages in thread

* Re: KASAN: slab-out-of-bounds Read in _decode_session6
  2018-09-02  4:41 syzbot
  2018-09-02  4:45 ` Dmitry Vyukov
@ 2018-09-06  3:17 ` syzbot
  2018-09-06  7:00   ` Eric Dumazet
  1 sibling, 1 reply; 8+ messages in thread
From: syzbot @ 2018-09-06  3:17 UTC (permalink / raw)
  To: ast, daniel, davem, dvyukov, herbert, kuznet, linux-kernel,
	netdev, steffen.klassert, syzkaller-bugs, yoshfuji

syzbot has found a reproducer for the following crash on:

HEAD commit:    b36fdc6853a3 Merge tag 'gpio-v4.19-2' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=164938d1400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4c7e83258d6e0156
dashboard link: https://syzkaller.appspot.com/bug?extid=acffccec848dc13fe459
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=115f172e400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16399be1400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com

IPv6: ADDRCONF(NETDEV_UP): veth1: link is not ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth1: link becomes ready
IPv6: ADDRCONF(NETDEV_CHANGE): veth0: link becomes ready
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
Read of size 1 at addr ffff8801d4a67f07 by task syz-executor092/4673

CPU: 1 PID: 4673 Comm: syz-executor092 Not tainted 4.19.0-rc2+ #223
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
  print_address_description+0x6c/0x20b mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
  _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
  __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
  xfrm_decode_session include/net/xfrm.h:1232 [inline]
  vti6_tnl_xmit+0x3fc/0x1bb1 net/ipv6/ip6_vti.c:542
  __netdev_start_xmit include/linux/netdevice.h:4287 [inline]
  netdev_start_xmit include/linux/netdevice.h:4296 [inline]
  xmit_one net/core/dev.c:3216 [inline]
  dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3232
  __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3802
  dev_queue_xmit+0x17/0x20 net/core/dev.c:3835
  __bpf_tx_skb net/core/filter.c:2012 [inline]
  __bpf_redirect_common net/core/filter.c:2050 [inline]
  __bpf_redirect+0x5b7/0xae0 net/core/filter.c:2057
  ____bpf_clone_redirect net/core/filter.c:2090 [inline]
  bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2062
  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000

Allocated by task 4673:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
  set_track mm/kasan/kasan.c:460 [inline]
  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
  __do_kmalloc_node mm/slab.c:3682 [inline]
  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
  __kmalloc_reserve.isra.41+0x3a/0xe0 net/core/skbuff.c:137
  pskb_expand_head+0x230/0x10e0 net/core/skbuff.c:1463
  skb_ensure_writable+0x3dd/0x640 net/core/skbuff.c:5129
  __bpf_try_make_writable net/core/filter.c:1633 [inline]
  bpf_try_make_writable net/core/filter.c:1639 [inline]
  bpf_try_make_head_writable net/core/filter.c:1647 [inline]
  ____bpf_clone_redirect net/core/filter.c:2084 [inline]
  bpf_clone_redirect+0x14a/0x490 net/core/filter.c:2062
  bpf_prog_c39d1ba309a769f7+0xe9e/0x1000

Freed by task 3286:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
  set_track mm/kasan/kasan.c:460 [inline]
  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
  __cache_free mm/slab.c:3498 [inline]
  kfree+0xd9/0x210 mm/slab.c:3813
  load_elf_binary+0x2569/0x5610 fs/binfmt_elf.c:1118
  search_binary_handler+0x17d/0x570 fs/exec.c:1653
  exec_binprm fs/exec.c:1695 [inline]
  __do_execve_file.isra.35+0x15ff/0x2460 fs/exec.c:1819
  do_execveat_common fs/exec.c:1866 [inline]
  do_execve fs/exec.c:1883 [inline]
  __do_sys_execve fs/exec.c:1964 [inline]
  __se_sys_execve fs/exec.c:1959 [inline]
  __x64_sys_execve+0x8f/0xc0 fs/exec.c:1959
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801d4a67d00
  which belongs to the cache kmalloc-512 of size 512
The buggy address is located 7 bytes to the right of
  512-byte region [ffff8801d4a67d00, ffff8801d4a67f00)
The buggy address belongs to the page:
page:ffffea00075299c0 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea0007529988 ffffea0007529a48 ffff8801dac00940
raw: 0000000000000000 ffff8801d4a67080 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801d4a67e00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8801d4a67e80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801d4a67f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                    ^
  ffff8801d4a67f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801d4a68000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================



* Re: KASAN: slab-out-of-bounds Read in _decode_session6
  2018-09-02  4:41 syzbot
@ 2018-09-02  4:45 ` Dmitry Vyukov
  2018-09-06  3:17 ` syzbot
  1 sibling, 0 replies; 8+ messages in thread
From: Dmitry Vyukov @ 2018-09-02  4:45 UTC (permalink / raw)
  To: syzbot, Alexei Starovoitov, Daniel Borkmann
  Cc: David Miller, Herbert Xu, Alexey Kuznetsov, LKML, netdev,
	Steffen Klassert, syzkaller-bugs, Hideaki YOSHIFUJI

On Sun, Sep 2, 2018 at 6:41 AM, syzbot
<syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com> wrote:
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    93ee30f3e8b4 xsk: i40e: get rid of useless struct xdp_umem..
> git tree:       bpf-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=11f2115a400000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
> dashboard link: https://syzkaller.appspot.com/bug?extid=acffccec848dc13fe459
> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=116b3492400000

Potentially this is bpf-related because the repro just runs a bpf
program. +bpf maintainers.


> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com
>
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> 8021q: adding VLAN 0 to HW filter on device team0
> ==================================================================
> BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
> Read of size 1 at addr ffff8801d882eec7 by task syz-executor1/6667
>
> CPU: 0 PID: 6667 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #86
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> Call Trace:
>  __dump_stack lib/dump_stack.c:77 [inline]
>  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
>  print_address_description+0x6c/0x20b mm/kasan/report.c:256
>  kasan_report_error mm/kasan/report.c:354 [inline]
>  kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
>  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
>  _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
>  __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
>  xfrm_decode_session include/net/xfrm.h:1232 [inline]
>  vti6_tnl_xmit+0x3c3/0x1bc1 net/ipv6/ip6_vti.c:542
>  __netdev_start_xmit include/linux/netdevice.h:4313 [inline]
>  netdev_start_xmit include/linux/netdevice.h:4322 [inline]
>  xmit_one net/core/dev.c:3217 [inline]
>  dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3233
>  __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3803
>  dev_queue_xmit+0x17/0x20 net/core/dev.c:3836
>  __bpf_tx_skb net/core/filter.c:2012 [inline]
>  __bpf_redirect_common net/core/filter.c:2050 [inline]
>  __bpf_redirect+0x5b7/0xae0 net/core/filter.c:2057
>  ____bpf_clone_redirect net/core/filter.c:2090 [inline]
>  bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2062
>  bpf_prog_c39d1ba309a769f7+0x749/0x1000
>
> Allocated by task 6667:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>  set_track mm/kasan/kasan.c:460 [inline]
>  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
>  __do_kmalloc_node mm/slab.c:3682 [inline]
>  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
>  __kmalloc_reserve.isra.41+0x3a/0xe0 net/core/skbuff.c:137
>  pskb_expand_head+0x230/0x10e0 net/core/skbuff.c:1463
>  skb_ensure_writable+0x3dd/0x640 net/core/skbuff.c:5129
>  __bpf_try_make_writable net/core/filter.c:1633 [inline]
>  bpf_try_make_writable net/core/filter.c:1639 [inline]
>  bpf_try_make_head_writable net/core/filter.c:1647 [inline]
>  ____bpf_clone_redirect net/core/filter.c:2084 [inline]
>  bpf_clone_redirect+0x14a/0x490 net/core/filter.c:2062
>  bpf_prog_c39d1ba309a769f7+0x749/0x1000
>
> Freed by task 5493:
>  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
>  set_track mm/kasan/kasan.c:460 [inline]
>  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
>  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
>  __cache_free mm/slab.c:3498 [inline]
>  kfree+0xd9/0x210 mm/slab.c:3813
>  skb_free_head+0x99/0xc0 net/core/skbuff.c:550
>  skb_release_data+0x6a4/0x880 net/core/skbuff.c:570
>  skb_release_all+0x4a/0x60 net/core/skbuff.c:627
>  __kfree_skb net/core/skbuff.c:641 [inline]
>  consume_skb+0x190/0x4e0 net/core/skbuff.c:701
>  netlink_dump+0xb14/0xd50 net/netlink/af_netlink.c:2269
>  netlink_recvmsg+0xf84/0x1490 net/netlink/af_netlink.c:1991
>  sock_recvmsg_nosec net/socket.c:794 [inline]
>  sock_recvmsg+0xd0/0x110 net/socket.c:801
>  ___sys_recvmsg+0x2b6/0x680 net/socket.c:2276
>  __sys_recvmsg+0x11a/0x290 net/socket.c:2325
>  __do_sys_recvmsg net/socket.c:2335 [inline]
>  __se_sys_recvmsg net/socket.c:2332 [inline]
>  __x64_sys_recvmsg+0x78/0xb0 net/socket.c:2332
>  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
>  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> The buggy address belongs to the object at ffff8801d882ecc0
>  which belongs to the cache kmalloc-512 of size 512
> The buggy address is located 7 bytes to the right of
>  512-byte region [ffff8801d882ecc0, ffff8801d882eec0)
> The buggy address belongs to the page:
> page:ffffea0007620b80 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
> flags: 0x2fffc0000000100(slab)
> raw: 02fffc0000000100 ffffea00070fc048 ffffea00075f9c08 ffff8801dac00940
> raw: 0000000000000000 ffff8801d882e040 0000000100000006 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
>  ffff8801d882ed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
>  ffff8801d882ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> > ffff8801d882ee80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
>                                             ^
>  ffff8801d882ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>  ffff8801d882ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with
> syzbot.
> syzbot can test patches for this bug, for details see:
> https://goo.gl/tpsmEJ#testing-patches
>


* KASAN: slab-out-of-bounds Read in _decode_session6
@ 2018-09-02  4:41 syzbot
  2018-09-02  4:45 ` Dmitry Vyukov
  2018-09-06  3:17 ` syzbot
  0 siblings, 2 replies; 8+ messages in thread
From: syzbot @ 2018-09-02  4:41 UTC (permalink / raw)
  To: davem, herbert, kuznet, linux-kernel, netdev, steffen.klassert,
	syzkaller-bugs, yoshfuji

Hello,

syzbot found the following crash on:

HEAD commit:    93ee30f3e8b4 xsk: i40e: get rid of useless struct xdp_umem..
git tree:       bpf-next
console output: https://syzkaller.appspot.com/x/log.txt?x=11f2115a400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
dashboard link: https://syzkaller.appspot.com/bug?extid=acffccec848dc13fe459
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=116b3492400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+acffccec848dc13fe459@syzkaller.appspotmail.com

8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
8021q: adding VLAN 0 to HW filter on device team0
==================================================================
BUG: KASAN: slab-out-of-bounds in _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
Read of size 1 at addr ffff8801d882eec7 by task syz-executor1/6667

CPU: 0 PID: 6667 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #86
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
  print_address_description+0x6c/0x20b mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.7+0x242/0x30d mm/kasan/report.c:412
  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
  _decode_session6+0x1331/0x14e0 net/ipv6/xfrm6_policy.c:161
  __xfrm_decode_session+0x71/0x140 net/xfrm/xfrm_policy.c:2299
  xfrm_decode_session include/net/xfrm.h:1232 [inline]
  vti6_tnl_xmit+0x3c3/0x1bc1 net/ipv6/ip6_vti.c:542
  __netdev_start_xmit include/linux/netdevice.h:4313 [inline]
  netdev_start_xmit include/linux/netdevice.h:4322 [inline]
  xmit_one net/core/dev.c:3217 [inline]
  dev_hard_start_xmit+0x272/0xc10 net/core/dev.c:3233
  __dev_queue_xmit+0x2ab2/0x3870 net/core/dev.c:3803
  dev_queue_xmit+0x17/0x20 net/core/dev.c:3836
  __bpf_tx_skb net/core/filter.c:2012 [inline]
  __bpf_redirect_common net/core/filter.c:2050 [inline]
  __bpf_redirect+0x5b7/0xae0 net/core/filter.c:2057
  ____bpf_clone_redirect net/core/filter.c:2090 [inline]
  bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2062
  bpf_prog_c39d1ba309a769f7+0x749/0x1000

Allocated by task 6667:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
  set_track mm/kasan/kasan.c:460 [inline]
  kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553
  __do_kmalloc_node mm/slab.c:3682 [inline]
  __kmalloc_node_track_caller+0x47/0x70 mm/slab.c:3696
  __kmalloc_reserve.isra.41+0x3a/0xe0 net/core/skbuff.c:137
  pskb_expand_head+0x230/0x10e0 net/core/skbuff.c:1463
  skb_ensure_writable+0x3dd/0x640 net/core/skbuff.c:5129
  __bpf_try_make_writable net/core/filter.c:1633 [inline]
  bpf_try_make_writable net/core/filter.c:1639 [inline]
  bpf_try_make_head_writable net/core/filter.c:1647 [inline]
  ____bpf_clone_redirect net/core/filter.c:2084 [inline]
  bpf_clone_redirect+0x14a/0x490 net/core/filter.c:2062
  bpf_prog_c39d1ba309a769f7+0x749/0x1000

Freed by task 5493:
  save_stack+0x43/0xd0 mm/kasan/kasan.c:448
  set_track mm/kasan/kasan.c:460 [inline]
  __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521
  kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
  __cache_free mm/slab.c:3498 [inline]
  kfree+0xd9/0x210 mm/slab.c:3813
  skb_free_head+0x99/0xc0 net/core/skbuff.c:550
  skb_release_data+0x6a4/0x880 net/core/skbuff.c:570
  skb_release_all+0x4a/0x60 net/core/skbuff.c:627
  __kfree_skb net/core/skbuff.c:641 [inline]
  consume_skb+0x190/0x4e0 net/core/skbuff.c:701
  netlink_dump+0xb14/0xd50 net/netlink/af_netlink.c:2269
  netlink_recvmsg+0xf84/0x1490 net/netlink/af_netlink.c:1991
  sock_recvmsg_nosec net/socket.c:794 [inline]
  sock_recvmsg+0xd0/0x110 net/socket.c:801
  ___sys_recvmsg+0x2b6/0x680 net/socket.c:2276
  __sys_recvmsg+0x11a/0x290 net/socket.c:2325
  __do_sys_recvmsg net/socket.c:2335 [inline]
  __se_sys_recvmsg net/socket.c:2332 [inline]
  __x64_sys_recvmsg+0x78/0xb0 net/socket.c:2332
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

The buggy address belongs to the object at ffff8801d882ecc0
  which belongs to the cache kmalloc-512 of size 512
The buggy address is located 7 bytes to the right of
  512-byte region [ffff8801d882ecc0, ffff8801d882eec0)
The buggy address belongs to the page:
page:ffffea0007620b80 count:1 mapcount:0 mapping:ffff8801dac00940 index:0x0
flags: 0x2fffc0000000100(slab)
raw: 02fffc0000000100 ffffea00070fc048 ffffea00075f9c08 ffff8801dac00940
raw: 0000000000000000 ffff8801d882e040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
  ffff8801d882ed80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  ffff8801d882ee00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
> ffff8801d882ee80: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
                                            ^
  ffff8801d882ef00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff8801d882ef80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================


---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#bug-status-tracking for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches

