Hi,
We encountered a bug labelled “KASAN: slab-out-of-bounds Write in ops_init” while fuzzing kernel version 5.15.124 with Syzkaller (lines exist in 5.15.154 as well). In the net_namespace.c file, we have an if condition at line 89. Subsequently, Syzkaller encounters the bug at line 90. 89 if (old_ng->s.len > id) { 90 old_ng->ptr[id] = data; 91 return 0; 92 } Upon inspecting the net_generic struct, we noticed that this struct uses union which puts the array and the header (including the array length information) together. We suspect that with this union, modifying the ng->ptr[0] is essentially modifying ng->s.len, which might fail the check in 89. This might be the cause for Syzkaller detecting this slab-out-of-bound. Since we are CS PhD students and Linux hobbyists, we do not have a full understanding of what could lead to this. We would really appreciate if you guys can share some insights into this matter : ) We attached the syzkaller’s bug report below. ================================================================== BUG: KASAN: slab-out-of-bounds in net_assign_generic usr/src/kernel/net/core/net_namespace.c:90 [inline] BUG: KASAN: slab-out-of-bounds in ops_init+0x44b/0x4d0 usr/src/kernel/net/core/net_namespace.c:129 Write of size 8 at addr ffff888043c62ae8 by task (coredump)/5424 CPU: 1 PID: 5424 Comm: (coredump) Not tainted 5.15.124-yocto-standard #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014 Call Trace: <TASK> __dump_stack usr/src/kernel/lib/dump_stack.c:88 [inline] dump_stack_lvl+0x51/0x70 usr/src/kernel/lib/dump_stack.c:106 print_address_description.constprop.0+0x24/0x140 usr/src/kernel/mm/kasan/report.c:248 __kasan_report usr/src/kernel/mm/kasan/report.c:434 [inline] kasan_report.cold+0x7d/0x117 usr/src/kernel/mm/kasan/report.c:451 __asan_report_store8_noabort+0x17/0x20 usr/src/kernel/mm/kasan/report_generic.c:314 net_assign_generic usr/src/kernel/net/core/net_namespace.c:90 [inline] ops_init+0x44b/0x4d0 usr/src/kernel/net/core/net_namespace.c:129 setup_net+0x40a/0x970 usr/src/kernel/net/core/net_namespace.c:329 copy_net_ns+0x2ac/0x680 usr/src/kernel/net/core/net_namespace.c:473 create_new_namespaces+0x390/0xa50 usr/src/kernel/kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xb0/0x1d0 usr/src/kernel/kernel/nsproxy.c:226 ksys_unshare+0x30c/0x850 usr/src/kernel/kernel/fork.c:3094 __do_sys_unshare usr/src/kernel/kernel/fork.c:3168 [inline] __se_sys_unshare usr/src/kernel/kernel/fork.c:3166 [inline] __x64_sys_unshare+0x36/0x50 usr/src/kernel/kernel/fork.c:3166 do_syscall_x64 usr/src/kernel/arch/x86/entry/common.c:50 [inline] do_syscall_64+0x40/0x90 usr/src/kernel/arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb RIP: 0033:0x7fbafce1b39b Code: 73 01 c3 48 8b 0d 85 2a 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa b8 10 01 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 55 2a 0e 00 f7 d8 64 89 01 48 RSP: 002b:00007ffddc8dfda8 EFLAGS: 00000246 ORIG_RAX: 0000000000000110 RAX: ffffffffffffffda RBX: 0000557e645dd018 RCX: 00007fbafce1b39b RDX: 0000000000000000 RSI: 00007ffddc8dfd10 RDI: 0000000040000000 RBP: 00007ffddc8dfde0 R08: 0000000000000000 R09: 00007ffd00000067 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000fffffff5 R13: 00007fbafd26ba60 R14: 0000000040000000 R15: 0000000000000000 </TASK> Allocated by task 5424: kasan_save_stack+0x26/0x60 usr/src/kernel/mm/kasan/common.c:38 kasan_set_track usr/src/kernel/mm/kasan/common.c:46 [inline] set_alloc_info usr/src/kernel/mm/kasan/common.c:434 [inline] ____kasan_kmalloc usr/src/kernel/mm/kasan/common.c:513 [inline] ____kasan_kmalloc usr/src/kernel/mm/kasan/common.c:472 [inline] __kasan_kmalloc+0xae/0xe0 usr/src/kernel/mm/kasan/common.c:522 kasan_kmalloc usr/src/kernel/include/linux/kasan.h:264 [inline] __kmalloc+0x308/0x560 usr/src/kernel/mm/slub.c:4407 kmalloc usr/src/kernel/include/linux/slab.h:596 [inline] kzalloc usr/src/kernel/include/linux/slab.h:721 [inline] net_alloc_generic+0x28/0x80 usr/src/kernel/net/core/net_namespace.c:74 net_alloc usr/src/kernel/net/core/net_namespace.c:401 [inline] copy_net_ns+0xc3/0x680 usr/src/kernel/net/core/net_namespace.c:460 create_new_namespaces+0x390/0xa50 usr/src/kernel/kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xb0/0x1d0 usr/src/kernel/kernel/nsproxy.c:226 ksys_unshare+0x30c/0x850 usr/src/kernel/kernel/fork.c:3094 __do_sys_unshare usr/src/kernel/kernel/fork.c:3168 [inline] __se_sys_unshare usr/src/kernel/kernel/fork.c:3166 [inline] __x64_sys_unshare+0x36/0x50 usr/src/kernel/kernel/fork.c:3166 do_syscall_x64 usr/src/kernel/arch/x86/entry/common.c:50 [inline] do_syscall_64+0x40/0x90 usr/src/kernel/arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x61/0xcb The buggy address belongs to the object at ffff888043c62a00 which belongs to the cache kmalloc-256 of size 256 The buggy address is located 232 bytes inside of 256-byte region [ffff888043c62a00, ffff888043c62b00) The buggy address belongs to the page: page:000000008dd0a6b6 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x43c62 head:000000008dd0a6b6 order:1 compound_mapcount:0 flags: 0x4000000000010200(slab|head|zone=1) raw: 4000000000010200 ffffea0001108f00 0000000700000007 ffff888001041b40 raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff888043c62980: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888043c62a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff888043c62a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc
^ ffff888043c62b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff888043c62b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ================================================================== kmemleak: 2 new suspected memory leaks (see /sys/kernel/debug/kmemleak) Best
linux-stable-mirror@lists.linaro.org