lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Mon, 13 Feb 2017 16:14:39 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     David Miller <davem@...emloft.net>,
        Tom Herbert <tom@...bertland.com>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Alexei Starovoitov <ast@...nel.org>,
        Al Viro <viro@...iv.linux.org.uk>,
        Daniel Borkmann <daniel@...earbox.net>,
        Eric Dumazet <edumazet@...gle.com>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: net/kcm: GPF in kcm_sendmsg

Hello,

The following program triggers GPF in kcm_sendmsg:


// autogenerated by syzkaller (http://github.com/google/syzkaller)
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>

int main()
{
  int sock = socket(41 /*AF_KCM*/, SOCK_SEQPACKET, 0);
  struct mmsghdr msg;
  memset(&msg, 0, sizeof(msg));
  sendmmsg(sock, &msg, 1, 0);
  return 0;
}


general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 2 PID: 2935 Comm: a.out Not tainted 4.10.0-rc8+ #218
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006b506440 task.stack: ffff8800662b8000
RIP: 0010:kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048
RSP: 0018:ffff8800662bf720 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000008 RSI: ffff88006b506c38 RDI: 0000000000000040
RBP: ffff8800662bfa00 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000006 R11: 0000000000000000 R12: 7fffffffffffffff
R13: dffffc0000000000 R14: 0000000000000000 R15: ffff88006af12040
FS:  0000000001077880(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b2140 CR3: 00000000651b7000 CR4: 00000000001406e0
Call Trace:
 sock_sendmsg_nosec net/socket.c:635 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:645
 ___sys_sendmsg+0x4a3/0x9f0 net/socket.c:1985
 __sys_sendmmsg+0x25c/0x750 net/socket.c:2075
 SYSC_sendmmsg net/socket.c:2106 [inline]
 SyS_sendmmsg+0x35/0x60 net/socket.c:2101
 entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x436dc9
RSP: 002b:00007ffe84e1a938 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000401730 RCX: 0000000000436dc9
RDX: 0000000000000001 RSI: 00007ffe84e1a950 RDI: 0000000000000003
RBP: 0000000000000000 R08: 000000000000000b R09: 0000000000000004
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000004002b0
R13: 00007ffe84e1aa88 R14: 0000000000000002 R15: 0000000000000000
Code: 02 00 0f 85 d4 14 00 00 48 8b 85 c0 fd ff ff 48 8d 78 40 49 89
87 30 05 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80>
3c 02 00 0f 85 9d 14 00 00 48 8b 85 c0 fd ff ff 4c 89 70 40
RIP: kcm_sendmsg+0x92e/0x2240 net/kcm/kcmsock.c:1048 RSP: ffff8800662bf720
---[ end trace 62093774c8609871 ]---


On commit 7089db84e356562f8ba737c29e472cc42d530dbc (4.10-rc8).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ