Date:	Fri, 15 Jan 2016 23:31:37 +0100
From:	Dmitry Vyukov <dvyukov@...gle.com>
To:	"David S. Miller" <davem@...emloft.net>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Thomas Graf <tgraf@...g.ch>,
	Daniel Borkmann <daniel@...earbox.net>,
	Ken-ichirou MATSUZAWA <chamaken@...il.com>,
	Nicolas Dichtel <nicolas.dichtel@...nd.com>,
	Florian Westphal <fw@...len.de>,
	netdev <netdev@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>
Cc:	syzkaller <syzkaller@...glegroups.com>,
	Kostya Serebryany <kcc@...gle.com>,
	Alexander Potapenko <glider@...gle.com>,
	Sasha Levin <sasha.levin@...cle.com>,
	Eric Dumazet <edumazet@...gle.com>
Subject: net: GPF in __netlink_ns_capable

Hello,

The following program causes a GPF in __netlink_ns_capable:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <stdint.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

int main()
{
  // Map 0xd000 bytes at the fixed address 0x20000000 for the message buffer:
  // prot 0x3 = PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
  syscall(SYS_mmap, 0x20000000ul, 0xd000ul, 0x3ul, 0x32ul,
          0xfffffffffffffffful, 0x0ul);
  // socket(AF_NETLINK (0x10), SOCK_RAW (0x3), NETLINK_RDMA (0x14)); the extra
  // zero arguments are ignored by the syscall.
  int fd = syscall(SYS_socket, 0x10ul, 0x3ul, 0x14ul, 0, 0, 0);
  // Build an 18-byte netlink message at 0x200067bb (unaligned stores; fine on x86).
  // struct nlmsghdr: nlmsg_len = 0x12 (16-byte header + 2 bytes of payload)
  *(uint32_t*)0x200067bb = (uint32_t)0x12;
  // The cast truncates the constant to 0xffff1000, so on little-endian x86
  // nlmsg_type = 0x1000 and nlmsg_flags = 0xffff, which includes NLM_F_REQUEST
  // and NLM_F_DUMP (hence netlink_dump_start in the trace below).
  *(uint32_t*)0x200067bf = (uint32_t)0xffffffffffff1000;
  // nlmsg_seq = 0, nlmsg_pid = 0
  *(uint64_t*)0x200067c3 = (uint64_t)0x0;
  // two bytes of payload following the header
  *(uint16_t*)0x200067cb = (uint16_t)0x4;
  // write() the 18-byte message to the NETLINK_RDMA socket
  syscall(SYS_write, fd, 0x200067bbul, 0x12ul, 0, 0, 0);
  return 0;
}

general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 3 PID: 7448 Comm: syz-executor Not tainted 4.4.0+ #255
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006a534740 ti: ffff880063240000 task.ti: ffff880063240000
RIP: 0010:[<ffffffff8529bfbb>]  [<ffffffff8529bfbb>]
__netlink_ns_capable+0x8b/0x120
RSP: 0018:ffff880063247578  EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000079 RSI: ffffffff87597ba0 RDI: 00000000000003c8
RBP: ffff880063247590 R08: ffffed000c4c8f3d R09: ffff8800626479d0
R10: ffffed000c4c8f3e R11: 1ffff1000c4c8f3a R12: ffffffff87597ba0
R13: 000000000000000c R14: ffff880065895400 R15: ffff880063e4d338
FS:  0000000002638880(0063) GS:ffff88006d700000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 00000000200067bb CR3: 0000000063149000 CR4: 00000000000006e0
Stack:
 ffff880063752100 000000000000000c ffff880065895381 ffff8800632475b0
 ffffffff8529c0a5 00000000ffffffff dffffc0000000000 ffff880063247700
 ffffffff84986fef 1ffff1000c648ebf ffff880062646b10 0000000000000000
Call Trace:
 [<     inline     >] netlink_ns_capable net/netlink/af_netlink.c:1417
 [<ffffffff8529c0a5>] netlink_capable+0x25/0x30 net/netlink/af_netlink.c:1432
 [<ffffffff84986fef>] ib_nl_handle_resolve_resp+0xbf/0x910
drivers/infiniband/core/sa_query.c:792
 [<ffffffff852a34bd>] netlink_dump+0x38d/0xb20 net/netlink/af_netlink.c:2837
 [<ffffffff852a5844>] __netlink_dump_start+0x554/0x7e0
net/netlink/af_netlink.c:2934
 [<     inline     >] netlink_dump_start include/linux/netlink.h:175
 [<ffffffff8495ce63>] ibnl_rcv_msg+0x3c3/0x4b0
drivers/infiniband/core/netlink.c:184
 [<ffffffff852aded7>] netlink_rcv_skb+0x297/0x390 net/netlink/af_netlink.c:3016
 [<ffffffff8495d1ab>] ibnl_rcv+0x25b/0x300 drivers/infiniband/core/netlink.c:226
 [<     inline     >] netlink_unicast_kernel net/netlink/af_netlink.c:1834
 [<ffffffff852abd3a>] netlink_unicast+0x47a/0x700 net/netlink/af_netlink.c:1860
 [<ffffffff852ad046>] netlink_sendmsg+0x1086/0x1760
net/netlink/af_netlink.c:2511
 [<     inline     >] sock_sendmsg_nosec net/socket.c:611
 [<ffffffff85103bba>] sock_sendmsg+0xca/0x110 net/socket.c:621
 [<ffffffff85103e16>] sock_write_iter+0x216/0x3a0 net/socket.c:820
 [<     inline     >] new_sync_write fs/read_write.c:517
 [<ffffffff8178d122>] __vfs_write+0x302/0x480 fs/read_write.c:530
 [<ffffffff8178e9c7>] vfs_write+0x167/0x4a0 fs/read_write.c:577
 [<     inline     >] SYSC_write fs/read_write.c:624
 [<ffffffff81791cb1>] SyS_write+0x111/0x220 fs/read_write.c:616
 [<ffffffff8626be76>] entry_SYSCALL_64_fastpath+0x16/0x7a
arch/x86/entry/entry_64.S:185
Code: fa 48 c1 ea 03 80 3c 02 00 0f 85 9f 00 00 00 48 8b 5b 18 48 b8
00 00 00 00 00 fc ff df 48 8d bb c8 03 00 00 48 89 fa 48 c1 ea 03 <80>
3c 02 00 75 76 48 8b 9b c8 03 00 00 48 b8 00 00 00 00 00 fc
RIP  [<ffffffff8529bfbb>] __netlink_ns_capable+0x8b/0x120
net/netlink/af_netlink.c:1399
 RSP <ffff880063247578>
---[ end trace 53f9276d885fafc4 ]---

On commit 67990608c8b95d2b8ccc29932376ae73d5818727.
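As an added example (not part of this report, of syzkaller, or of the kernel tree), the following C program replays the four stores the reproducer makes at 0x200067bb into a local buffer and decodes the result as a struct nlmsghdr, to show what the write() actually hands to the NETLINK_RDMA socket. The header layout and flag values are copied from include/uapi/linux/netlink.h, and the client/op split follows the RDMA_NL_GET_CLIENT and RDMA_NL_GET_OP macros in include/uapi/rdma/rdma_netlink.h; they are redefined locally so the example builds without kernel headers. The names struct nl_hdr, struct repro_msg, build_repro_msg, decode_repro_msg and repro_decoded are this example's own.

```c
/* Added example: decode the netlink message built by the syzkaller reproducer.
 * Not kernel code and not part of the original report. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Values copied from include/uapi/linux/netlink.h and
 * include/uapi/rdma/rdma_netlink.h (redefined here to avoid kernel headers). */
#define NL_F_REQUEST 0x01
#define NL_F_DUMP    0x300                                   /* NLM_F_ROOT | NLM_F_MATCH */
#define RDMA_CLIENT(type) (((type) & (((1 << 6) - 1) << 10)) >> 10) /* RDMA_NL_GET_CLIENT */
#define RDMA_OP(type)     ((type) & ((1 << 10) - 1))                 /* RDMA_NL_GET_OP */

/* Same 16-byte layout as struct nlmsghdr. Field values below assume a
 * little-endian host, as in the reproducer's x86 target. */
struct nl_hdr {
    uint32_t len;
    uint16_t type;
    uint16_t flags;
    uint32_t seq;
    uint32_t pid;
};

struct repro_msg {
    struct nl_hdr hdr;
    uint16_t payload;   /* the two bytes following the header */
    int is_request;     /* NLM_F_REQUEST set? (required for protocol dispatch) */
    int is_dump;        /* NLM_F_DUMP set? (routes the message to netlink_dump_start) */
    unsigned client;    /* RDMA netlink client index: bits 10..15 of nlmsg_type */
    unsigned op;        /* RDMA netlink op: low 10 bits of nlmsg_type */
    int ok;             /* decode succeeded */
};

/* Replay the reproducer's stores relative to its base address 0x200067bb.
 * Returns the number of bytes the reproducer writes (18), or 0 if buf is too small. */
size_t build_repro_msg(uint8_t *buf, size_t cap)
{
    uint32_t len = 0x12;
    uint32_t type_flags = (uint32_t)0xffffffffffff1000ull; /* truncates to 0xffff1000 */
    uint64_t seq_pid = 0;
    uint16_t payload = 0x4;

    if (cap < 18)
        return 0;
    memcpy(buf + 0,  &len, 4);        /* *(uint32_t*)0x200067bb = 0x12           */
    memcpy(buf + 4,  &type_flags, 4); /* *(uint32_t*)0x200067bf = 0xffff1000     */
    memcpy(buf + 8,  &seq_pid, 8);    /* *(uint64_t*)0x200067c3 = 0              */
    memcpy(buf + 16, &payload, 2);    /* *(uint16_t*)0x200067cb = 4              */
    return 18;
}

/* Parse the buffer the way netlink_rcv_skb() consumes it: read the header,
 * then require nlmsg_len to cover the header and fit within the bytes written.
 * Returns 0 on success, -1 on a malformed message. */
int decode_repro_msg(const uint8_t *buf, size_t n, struct repro_msg *out)
{
    memset(out, 0, sizeof(*out));
    if (n < sizeof(struct nl_hdr))
        return -1;
    memcpy(&out->hdr, buf, sizeof(out->hdr));
    if (out->hdr.len < sizeof(struct nl_hdr) || out->hdr.len > n)
        return -1;
    if (out->hdr.len - sizeof(struct nl_hdr) >= sizeof(out->payload))
        memcpy(&out->payload, buf + sizeof(struct nl_hdr), sizeof(out->payload));
    out->is_request = (out->hdr.flags & NL_F_REQUEST) != 0;
    out->is_dump    = (out->hdr.flags & NL_F_DUMP) == NL_F_DUMP;
    out->client     = RDMA_CLIENT(out->hdr.type);
    out->op         = RDMA_OP(out->hdr.type);
    out->ok         = 1;
    return 0;
}

/* Convenience: build and decode the reproducer's message in one call. */
struct repro_msg repro_decoded(void)
{
    uint8_t buf[32];
    struct repro_msg m;
    size_t n = build_repro_msg(buf, sizeof buf);
    decode_repro_msg(buf, n, &m);
    return m;
}

int main(void)
{
    struct repro_msg m = repro_decoded();
    if (!m.ok) {
        puts("malformed message");
        return 1;
    }
    printf("nlmsg_len=%u nlmsg_type=0x%04x nlmsg_flags=0x%04x seq=%u pid=%u payload=0x%x\n",
           m.hdr.len, m.hdr.type, m.hdr.flags, m.hdr.seq, m.hdr.pid, m.payload);
    printf("NLM_F_REQUEST=%d NLM_F_DUMP=%d rdma client=%u op=%u\n",
           m.is_request, m.is_dump, m.client, m.op);
    return 0;
}
```

The decode shows why the trace takes the path it does: the truncated constant puts 0xffff into nlmsg_flags, so NLM_F_REQUEST and NLM_F_DUMP are both set and ibnl_rcv_msg hands the message to netlink_dump_start, while nlmsg_type 0x1000 splits into client index 4 and op 0, consistent with the sa_query.c frame (ib_nl_handle_resolve_resp) in the call trace. The same decoder rejects a short or truncated message, which is the check a reader should apply before trusting any field of a fuzzer-generated header.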
