Date:	Sat, 27 Oct 2012 20:48:25 -0400
From:	Sasha Levin <sasha.levin@...cle.com>
To:	Sasha Levin <sasha.levin@...cle.com>
CC:	Andrew Morton <akpm@...ux-foundation.org>,
	Dave Jones <davej@...hat.com>,
	"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
	skinsbursky@...allels.com
Subject: Re: ipc, msgqueue: NULL ptr deref in msgrcv

On 10/25/2012 08:43 PM, Sasha Levin wrote:
> Hi all,
> 
> While fuzzing with trinity inside a KVM tools (lkvm) guest running latest -next,
> I've stumbled on the following:
> 
> [   80.110944] NULL pointer dereference at 0000000000000011
> [   80.110944] IP: [<ffffffff8190cf90>] testmsg.isra.5+0x40/0x70
> [   80.110944] PGD 23812067 PUD 23811067 PMD 0
> [   80.110944] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
> [   80.110944] Dumping ftrace buffer:
> [   80.110944]    (ftrace buffer empty)
> [   80.110944] CPU 1
> [   80.110944] Pid: 6452, comm: trinity-child84 Tainted: G        W    3.7.0-rc2-next-20121025-sasha-00001-g673f98e-dirty #77
> [   80.110944] RIP: 0010:[<ffffffff8190cf90>]  [<ffffffff8190cf90>] testmsg.isra.5+0x40/0x70
> [   80.110944] RSP: 0018:ffff88004dda9e78  EFLAGS: 00010246
> [   80.110944] RAX: 0000000000000000 RBX: 0000000000000002 RCX: 000000000000000f
> [   80.110944] RDX: 0000000000000002 RSI: 00000000282c796a RDI: 0000000000000011
> [   80.110944] RBP: ffff88004dda9e78 R08: 0000000000000000 R09: 0000000000000000
> [   80.110944] R10: 0000000000000001 R11: 0000000000000001 R12: 00000000282c796a
> [   80.110944] R13: ffff8800621ab7c0 R14: 0000000000000001 R15: ffff8800621ab710
> [   80.110944] FS:  00007f777fd4d700(0000) GS:ffff880027800000(0000) knlGS:0000000000000000
> [   80.110944] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   80.110944] CR2: 0000000000000011 CR3: 0000000024bf9000 CR4: 00000000000406e0
> [   80.110944] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [   80.110944] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
> [   80.110944] Process trinity-child84 (pid: 6452, threadinfo ffff88004dda8000, task ffff88004dd9b000)
> [   80.110944] Stack:
> [   80.110944]  ffff88004dda9f68 ffffffff8190e2ce 00000000001d7840 ffff88004dd9b000
> [   80.110944]  ffff88004dd9b000 ffff88004dd9b000 0000000000000000 ffffffff8190cda0
> [   80.110944]  0000000000000000 ffffffff854e3160 0000000000000000 0000000000000000
> [   80.110944] Call Trace:
> [   80.110944]  [<ffffffff8190e2ce>] do_msgrcv+0x1ae/0x640
> [   80.110944]  [<ffffffff8190cda0>] ? load_msg+0x190/0x190
> [   80.110944]  [<ffffffff8107dc30>] ? syscall_trace_enter+0x20/0x2e0
> [   80.110944]  [<ffffffff8190e770>] sys_msgrcv+0x10/0x20
> [   80.110944]  [<ffffffff83aee198>] tracesys+0xe1/0xe6
> [   80.110944] Code: eb 51 66 0f 1f 84 00 00 00 00 00 83 fa 03 74 2b 83 fa 04 75 2e 48 39 37 b8 01 00 00 00 7f 24 eb 32 66 2e 0f
> 1f 84 00 00 00 00 00 <48> 3b 37 75 13 eb 19 66 0f 1f 84 00 00 00 00 00 48 3b 37 75 0b
> [   80.110944] RIP  [<ffffffff8190cf90>] testmsg.isra.5+0x40/0x70
> [   80.110944]  RSP <ffff88004dda9e78>
> [   80.110944] CR2: 0000000000000011
> [   80.246961] ---[ end trace 1d24d488413d3159 ]---
> 
> 	case SEARCH_EQUAL:
> 		if (msg->m_type == type) <--- here
> 			return 1;
> 
> My guess is that we managed to get testmsg() called without INIT_LIST_HEAD() somehow,
> but I'm still not sure why.
> 
> 
> Thanks,
> Sasha
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 

My auto-bisect script just finished running. Looks like it's caused by:

e32811fe04c759faf63c93b470e787b2328ceb04 is the first bad commit
commit e32811fe04c759faf63c93b470e787b2328ceb04
Author: Stanislav Kinsbursky <skinsbursky@...allels.com>
Date:   Thu Oct 25 12:15:18 2012 +1100

    ipc: message queue copy feature introduced


Thanks,
Sasha
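To make the guess in the quoted report concrete, the following is an added user-space model of a testmsg()-style list walk, not part of this thread and not the kernel's ipc/msg.c: list_head, INIT_LIST_HEAD, container_of, find_msg and the lookup_* helpers are hypothetical stand-ins for the kernel's list code. It shows how a queue head that was zeroed but never INIT_LIST_HEAD()ed turns the m_type comparison into a near-NULL read, and a guard that reports that state instead of faulting.

```c
/* Added example, not the kernel's ipc/msg.c: a user-space model of the list
 * walk behind testmsg(), showing what happens when the queue head was never
 * INIT_LIST_HEAD()ed, the state the report above guesses at.  All names are
 * hypothetical stand-ins for the kernel's list helpers. */
#include <stddef.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
struct msg_msg { struct list_head m_list; long m_type; };

#define INIT_LIST_HEAD(h) do { (h)->next = (h); (h)->prev = (h); } while (0)
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* The SEARCH_EQUAL arm quoted in the report. */
static int testmsg(struct msg_msg *msg, long type) { return msg->m_type == type; }

/* 1 if a message of @type is queued, 0 if not, -1 if the head is zeroed rather
 * than initialised.  Without the guard a zeroed head makes container_of()
 * yield a near-NULL msg, and testmsg() faults reading m_type at a small
 * offset, the shape of the oops above. */
static int find_msg(struct list_head *q, long type)
{
    struct list_head *p;
    if (q->next == NULL || q->prev == NULL)
        return -1;
    for (p = q->next; p != q; p = p->next)
        if (testmsg(container_of(p, struct msg_msg, m_list), type))
            return 1;
    return 0;
}

/* Constructed queue holding types 2 and 7 behind a properly initialised head. */
int lookup_initialised(long type)
{
    struct list_head q;
    struct msg_msg a = { .m_type = 2 }, b = { .m_type = 7 };
    INIT_LIST_HEAD(&q);
    list_add_tail(&a.m_list, &q);
    list_add_tail(&b.m_list, &q);
    return find_msg(&q, type);
}
/* Constructed head zeroed (as kzalloc() leaves it) but never INIT_LIST_HEAD()ed. */
int lookup_uninitialised(long type)
{
    struct list_head q;
    memset(&q, 0, sizeof q);
    return find_msg(&q, type);
}
```

In the kernel the head is not guaranteed to be zero when initialisation is skipped, so the real fix is to initialise by construction rather than to guard every walk; the guard here only makes the failure mode visible.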
