[v5.15] KASAN: slab-out-of-bounds Read in xfrm_policy_inexact_list_reinsert
0 views
Skip to first unread message
syzbot
Jan 31, 2025, 5:56:33 AMJan 31
Hello,
syzbot found the following issue on:
HEAD commit: 003148680b79 Linux 5.15.177
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15859ddf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=27ad1047990e0f7e
dashboard link: https://syzkaller.appspot.com/bug?extid=a430a73ae7688149bfb5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8625d198744/disk-00314868.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b56bdfa2ae/vmlinux-00314868.xz
kernel image: https://storage.googleapis.com/syzbot-assets/640b14c1ba43/Image-00314868.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x518/0x568 net/xfrm/xfrm_policy.c:874
Read of size 1 at addr ffff0000d71e5600 by task syz.1.424/5222
CPU: 1 PID: 5222 Comm: syz.1.424 Not tainted 5.15.177-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
xfrm_policy_inexact_list_reinsert+0x518/0x568 net/xfrm/xfrm_policy.c:874
xfrm_policy_inexact_node_merge net/xfrm/xfrm_policy.c:1006 [inline]
xfrm_policy_inexact_insert_node+0x77c/0x924 net/xfrm/xfrm_policy.c:1062
xfrm_policy_inexact_alloc_chain+0x57c/0x1078 net/xfrm/xfrm_policy.c:1178
xfrm_policy_inexact_insert+0xdc/0x1084 net/xfrm/xfrm_policy.c:1221
xfrm_policy_insert+0xd0/0x870 net/xfrm/xfrm_policy.c:1602
xfrm_add_policy+0x424/0x82c net/xfrm/xfrm_user.c:1833
xfrm_user_rcv_msg+0x4a8/0x72c net/xfrm/xfrm_user.c:2979
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2489
xfrm_netlink_rcv+0x80/0x9c net/xfrm/xfrm_user.c:3001
netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
netlink_unicast+0x664/0x938 net/netlink/af_netlink.c:1337
netlink_sendmsg+0x844/0xb38 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x584/0x870 net/socket.c:2436
___sys_sendmsg+0x214/0x294 net/socket.c:2490
__sys_sendmsg net/socket.c:2519 [inline]
__do_sys_sendmsg net/socket.c:2528 [inline]
__se_sys_sendmsg net/socket.c:2526 [inline]
__arm64_sys_sendmsg+0x1ac/0x25c net/socket.c:2526
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 5222:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc+0x29c/0x4c8 mm/slub.c:4407
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:1866
sk_alloc+0x40/0x3e0 net/core/sock.c:1919
pfkey_create+0xcc/0x53c net/key/af_key.c:152
__sock_create+0x43c/0x8a0 net/socket.c:1486
sock_create net/socket.c:1542 [inline]
__sys_socket+0x168/0x310 net/socket.c:1584
__do_sys_socket net/socket.c:1593 [inline]
__se_sys_socket net/socket.c:1591 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1591
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Last potentially related work creation:
kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
kasan_record_aux_stack+0xd4/0x11c mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3007 [inline]
call_rcu+0x118/0xb40 kernel/rcu/tree.c:3087
netlink_release+0x1280/0x1834 net/netlink/af_netlink.c:800
__sock_release net/socket.c:649 [inline]
sock_close+0xb8/0x1fc net/socket.c:1336
__fput+0x1c4/0x800 fs/file_table.c:280
____fput+0x20/0x30 fs/file_table.c:308
task_work_run+0x130/0x1e4 kernel/task_work.c:188
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Second to last potentially related work creation:
kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
kasan_record_aux_stack+0xd4/0x11c mm/kasan/generic.c:348
kvfree_call_rcu+0xb8/0x684 kernel/rcu/tree.c:3596
drop_sysctl_table+0x274/0x3a0 fs/proc/proc_sysctl.c:1678
unregister_sysctl_table+0x94/0x130 fs/proc/proc_sysctl.c:1716
unregister_net_sysctl_table+0x20/0x30 net/sysctl_net.c:175
__addrconf_sysctl_unregister net/ipv6/addrconf.c:7120 [inline]
addrconf_sysctl_unregister net/ipv6/addrconf.c:7148 [inline]
addrconf_ifdown+0x1484/0x1814 net/ipv6/addrconf.c:3931
addrconf_notify+0x350/0xc58
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:2018 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
unregister_netdevice_many+0xec4/0x189c net/core/dev.c:11102
unregister_netdevice_queue+0x2d0/0x31c net/core/dev.c:11035
unregister_netdevice include/linux/netdevice.h:3012 [inline]
__tun_detach+0xb88/0x12dc drivers/net/tun.c:686
tun_detach drivers/net/tun.c:702 [inline]
tun_chr_close+0x118/0x20c drivers/net/tun.c:3440
__fput+0x1c4/0x800 fs/file_table.c:280
____fput+0x20/0x30 fs/file_table.c:308
task_work_run+0x130/0x1e4 kernel/task_work.c:188
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000d71e5000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
2048-byte region [ffff0000d71e5000, ffff0000d71e5800)
The buggy address belongs to the page:
page:000000007fdf7894 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1171e0
head:000000007fdf7894 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 0000000400000001 ffff0000c0002900
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d71e5500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d71e5580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
>ffff0000d71e5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000d71e5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000d71e5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: 003148680b79 Linux 5.15.177
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=15859ddf980000
kernel config: https://syzkaller.appspot.com/x/.config?x=27ad1047990e0f7e
dashboard link: https://syzkaller.appspot.com/bug?extid=a430a73ae7688149bfb5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
Unfortunately, I don't have any reproducer for this issue yet.
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8625d198744/disk-00314868.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b56bdfa2ae/vmlinux-00314868.xz
kernel image: https://storage.googleapis.com/syzbot-assets/640b14c1ba43/Image-00314868.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x518/0x568 net/xfrm/xfrm_policy.c:874
Read of size 1 at addr ffff0000d71e5600 by task syz.1.424/5222
CPU: 1 PID: 5222 Comm: syz.1.424 Not tainted 5.15.177-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024
Call trace:
dump_backtrace+0x0/0x530 arch/arm64/kernel/stacktrace.c:152
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:216
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x108/0x170 lib/dump_stack.c:106
print_address_description+0x7c/0x3f0 mm/kasan/report.c:248
__kasan_report mm/kasan/report.c:434 [inline]
kasan_report+0x174/0x1e4 mm/kasan/report.c:451
__asan_report_load1_noabort+0x44/0x50 mm/kasan/report_generic.c:306
xfrm_policy_inexact_list_reinsert+0x518/0x568 net/xfrm/xfrm_policy.c:874
xfrm_policy_inexact_node_merge net/xfrm/xfrm_policy.c:1006 [inline]
xfrm_policy_inexact_insert_node+0x77c/0x924 net/xfrm/xfrm_policy.c:1062
xfrm_policy_inexact_alloc_chain+0x57c/0x1078 net/xfrm/xfrm_policy.c:1178
xfrm_policy_inexact_insert+0xdc/0x1084 net/xfrm/xfrm_policy.c:1221
xfrm_policy_insert+0xd0/0x870 net/xfrm/xfrm_policy.c:1602
xfrm_add_policy+0x424/0x82c net/xfrm/xfrm_user.c:1833
xfrm_user_rcv_msg+0x4a8/0x72c net/xfrm/xfrm_user.c:2979
netlink_rcv_skb+0x20c/0x3b8 net/netlink/af_netlink.c:2489
xfrm_netlink_rcv+0x80/0x9c net/xfrm/xfrm_user.c:3001
netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
netlink_unicast+0x664/0x938 net/netlink/af_netlink.c:1337
netlink_sendmsg+0x844/0xb38 net/netlink/af_netlink.c:1905
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg net/socket.c:716 [inline]
____sys_sendmsg+0x584/0x870 net/socket.c:2436
___sys_sendmsg+0x214/0x294 net/socket.c:2490
__sys_sendmsg net/socket.c:2519 [inline]
__do_sys_sendmsg net/socket.c:2528 [inline]
__se_sys_sendmsg net/socket.c:2526 [inline]
__arm64_sys_sendmsg+0x1ac/0x25c net/socket.c:2526
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Allocated by task 5222:
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc+0x29c/0x4c8 mm/slub.c:4407
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:1866
sk_alloc+0x40/0x3e0 net/core/sock.c:1919
pfkey_create+0xcc/0x53c net/key/af_key.c:152
__sock_create+0x43c/0x8a0 net/socket.c:1486
sock_create net/socket.c:1542 [inline]
__sys_socket+0x168/0x310 net/socket.c:1584
__do_sys_socket net/socket.c:1593 [inline]
__se_sys_socket net/socket.c:1591 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1591
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Last potentially related work creation:
kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
kasan_record_aux_stack+0xd4/0x11c mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:3007 [inline]
call_rcu+0x118/0xb40 kernel/rcu/tree.c:3087
netlink_release+0x1280/0x1834 net/netlink/af_netlink.c:800
__sock_release net/socket.c:649 [inline]
sock_close+0xb8/0x1fc net/socket.c:1336
__fput+0x1c4/0x800 fs/file_table.c:280
____fput+0x20/0x30 fs/file_table.c:308
task_work_run+0x130/0x1e4 kernel/task_work.c:188
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
Second to last potentially related work creation:
kasan_save_stack+0x38/0x68 mm/kasan/common.c:38
kasan_record_aux_stack+0xd4/0x11c mm/kasan/generic.c:348
kvfree_call_rcu+0xb8/0x684 kernel/rcu/tree.c:3596
drop_sysctl_table+0x274/0x3a0 fs/proc/proc_sysctl.c:1678
unregister_sysctl_table+0x94/0x130 fs/proc/proc_sysctl.c:1716
unregister_net_sysctl_table+0x20/0x30 net/sysctl_net.c:175
__addrconf_sysctl_unregister net/ipv6/addrconf.c:7120 [inline]
addrconf_sysctl_unregister net/ipv6/addrconf.c:7148 [inline]
addrconf_ifdown+0x1484/0x1814 net/ipv6/addrconf.c:3931
addrconf_notify+0x350/0xc58
notifier_call_chain kernel/notifier.c:83 [inline]
raw_notifier_call_chain+0xd4/0x164 kernel/notifier.c:391
call_netdevice_notifiers_info net/core/dev.c:2018 [inline]
call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
call_netdevice_notifiers net/core/dev.c:2044 [inline]
unregister_netdevice_many+0xec4/0x189c net/core/dev.c:11102
unregister_netdevice_queue+0x2d0/0x31c net/core/dev.c:11035
unregister_netdevice include/linux/netdevice.h:3012 [inline]
__tun_detach+0xb88/0x12dc drivers/net/tun.c:686
tun_detach drivers/net/tun.c:702 [inline]
tun_chr_close+0x118/0x20c drivers/net/tun.c:3440
__fput+0x1c4/0x800 fs/file_table.c:280
____fput+0x20/0x30 fs/file_table.c:308
task_work_run+0x130/0x1e4 kernel/task_work.c:188
tracehook_notify_resume include/linux/tracehook.h:189 [inline]
do_notify_resume+0x262c/0x32b8 arch/arm64/kernel/signal.c:946
prepare_exit_to_user_mode arch/arm64/kernel/entry-common.c:133 [inline]
exit_to_user_mode arch/arm64/kernel/entry-common.c:138 [inline]
el0_svc+0xfc/0x1f0 arch/arm64/kernel/entry-common.c:609
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000d71e5000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
2048-byte region [ffff0000d71e5000, ffff0000d71e5800)
The buggy address belongs to the page:
page:000000007fdf7894 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1171e0
head:000000007fdf7894 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 0000000400000001 ffff0000c0002900
raw: 0000000000000000 0000000000080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000d71e5500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff0000d71e5580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
>ffff0000d71e5600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000d71e5680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000d71e5700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at [email protected].
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot
Jan 31, 2025, 7:02:24 AMJan 31
syzbot has found a reproducer for the following issue on:
HEAD commit: 003148680b79 Linux 5.15.177
git tree: linux-5.15.y
console output: https://syzkaller.appspot.com/x/log.txt?x=113c76b0580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=167d9ddf980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8625d198744/disk-00314868.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b56bdfa2ae/vmlinux-00314868.xz
kernel image: https://storage.googleapis.com/syzbot-assets/640b14c1ba43/Image-00314868.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x518/0x568 net/xfrm/xfrm_policy.c:874
Read of size 1 at addr ffff0000c2abb600 by task syz-executor160/4019
CPU: 0 PID: 4019 Comm: syz-executor160 Not tainted 5.15.177-syzkaller #0
Allocated by task 4019:
head:000000001f79c778 order:3 compound_mapcount:0 compound_pincount:0
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
ffff0000c2abb580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
>ffff0000c2abb600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000c2abb680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c2abb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
HEAD commit: 003148680b79 Linux 5.15.177
git tree: linux-5.15.y
kernel config: https://syzkaller.appspot.com/x/.config?x=27ad1047990e0f7e
dashboard link: https://syzkaller.appspot.com/bug?extid=a430a73ae7688149bfb5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=14628518580000
dashboard link: https://syzkaller.appspot.com/bug?extid=a430a73ae7688149bfb5
compiler: Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
userspace arch: arm64
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=167d9ddf980000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/c8625d198744/disk-00314868.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/94b56bdfa2ae/vmlinux-00314868.xz
kernel image: https://storage.googleapis.com/syzbot-assets/640b14c1ba43/Image-00314868.gz.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: [email protected]
==================================================================
BUG: KASAN: slab-out-of-bounds in xfrm_policy_inexact_list_reinsert+0x518/0x568 net/xfrm/xfrm_policy.c:874
CPU: 0 PID: 4019 Comm: syz-executor160 Not tainted 5.15.177-syzkaller #0
kasan_save_stack mm/kasan/common.c:38 [inline]
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc+0x29c/0x4c8 mm/slub.c:4407
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:1866
sk_alloc+0x40/0x3e0 net/core/sock.c:1919
pfkey_create+0xcc/0x53c net/key/af_key.c:152
__sock_create+0x43c/0x8a0 net/socket.c:1486
sock_create net/socket.c:1542 [inline]
__sys_socket+0x168/0x310 net/socket.c:1584
__do_sys_socket net/socket.c:1593 [inline]
__se_sys_socket net/socket.c:1591 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1591
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
The buggy address belongs to the object at ffff0000c2abb000
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
____kasan_kmalloc+0xbc/0xfc mm/kasan/common.c:513
__kasan_kmalloc+0x10/0x1c mm/kasan/common.c:522
kasan_kmalloc include/linux/kasan.h:264 [inline]
__kmalloc+0x29c/0x4c8 mm/slub.c:4407
kmalloc include/linux/slab.h:596 [inline]
sk_prot_alloc+0xc4/0x1f0 net/core/sock.c:1866
sk_alloc+0x40/0x3e0 net/core/sock.c:1919
pfkey_create+0xcc/0x53c net/key/af_key.c:152
__sock_create+0x43c/0x8a0 net/socket.c:1486
sock_create net/socket.c:1542 [inline]
__sys_socket+0x168/0x310 net/socket.c:1584
__do_sys_socket net/socket.c:1593 [inline]
__se_sys_socket net/socket.c:1591 [inline]
__arm64_sys_socket+0x7c/0x94 net/socket.c:1591
__invoke_syscall arch/arm64/kernel/syscall.c:38 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:52
el0_svc_common+0x138/0x258 arch/arm64/kernel/syscall.c:142
do_el0_svc+0x58/0x14c arch/arm64/kernel/syscall.c:181
el0_svc+0x7c/0x1f0 arch/arm64/kernel/entry-common.c:608
el0t_64_sync_handler+0x84/0xe4 arch/arm64/kernel/entry-common.c:626
el0t_64_sync+0x1a0/0x1a4 arch/arm64/kernel/entry.S:584
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1536 bytes inside of
2048-byte region [ffff0000c2abb000, ffff0000c2abb800)
The buggy address is located 1536 bytes inside of
The buggy address belongs to the page:
page:000000001f79c778 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x102ab8
head:000000001f79c778 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x5ffc00000010200(slab|head|node=0|zone=2|lastcpupid=0x7ff)
raw: 05ffc00000010200 0000000000000000 dead000000000122 ffff0000c0002900
raw: 0000000000000000 0000000080080008 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff0000c2abb500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Memory state around the buggy address:
ffff0000c2abb580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc
>ffff0000c2abb600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff0000c2abb680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff0000c2abb700: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================
---
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
Reply all
Reply to author
Forward
0 new messages