Date:   Thu, 19 Oct 2017 22:34:54 -0700
From:   Eric Dumazet <edumazet@...gle.com>
To:     Wei Wei <dotweiba@...il.com>
Cc:     linux-arm-kernel@...ts.infradead.org,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        David Miller <davem@...emloft.net>,
        Willem de Bruijn <willemb@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: v4.14-rc3/arm64 DABT exception in atomic_inc() / __skb_clone()

On Thu, Oct 19, 2017 at 8:13 PM, Wei Wei <dotweiba@...il.com> wrote:
> Sry. Here it is.
>
> Unable to handle kernel paging request at virtual address ffff80005bfb81ed
> Mem abort info:
> Exception class = DABT (current EL), IL = 32 bits
> SET = 0, FnV = 0
> EA = 0, S1PTW = 0
> Data abort info:
> ISV = 0, ISS = 0x00000033
> CM = 0, WnR = 0
> swapper pgtable: 4k pages, 48-bit VAs, pgd = ffff20000b366000
> [ffff80005bfb81ed] *pgd=00000000beff7003, *pud=00e8000080000711
> Internal error: Oops: 96000021 [#1] PREEMPT SMP
> Modules linked in:
> CPU: 3 PID: 4725 Comm: syz-executor0 Not tainted 4.14.0-rc3 #3
> Hardware name: linux,dummy-virt (DT)
> task: ffff800074409e00 task.stack: ffff800033db0000
> PC is at __skb_clone (/./arch/arm64/include/asm/atomic_ll_sc.h:113 (discriminator 4) /net/core/skbuff.c:873 (discriminator 4))
> LR is at __skb_clone (/net/core/skbuff.c:861 (discriminator 4))
> pc : lr : pstate: 10000145
>
> sp : ffff800033db33d0
> x29: ffff800033db33d0 x28: ffff2000098ac378
> x27: ffff100006a860e1 x26: 1ffff000067b66b6
> x25: ffff8000743340a0 x24: ffff800035430708
> x23: ffff80005bfb80c9 x22: ffff800035430710
> x21: 0000000000000380 x20: ffff800035430640
> x19: ffff8000354312c0 x18: 0000000000000000
> x17: 00000000004af000 x16: ffff20000845e8c8
> x15: 000000001e518060 x14: 0000ffffd8316070
> x13: 0000ffffd8316090 x12: ffffffffffffffff
> x11: 1ffff00006a8626f x10: ffff100006a8626f
> x9 : dfff200000000000 x8 : 0082009000900608
> x7 : 0000000000000000 x6 : ffff800035431380
> x5 : ffff100006a86270 x4 : 0000000000000000
> x3 : 1ffff00006a86273 x2 : 0000000000000000
> x1 : 0000000000000100 x0 : ffff80005bfb81ed
> Process syz-executor0 (pid: 4725, stack limit = 0xffff800033db0000)
> Call trace:
> Exception stack(0xffff800033db3290 to 0xffff800033db33d0)
> 3280:                                   ffff80005bfb81ed 0000000000000100
> 32a0: 0000000000000000 1ffff00006a86273 0000000000000000 ffff100006a86270
> 32c0: ffff800035431380 0000000000000000 0082009000900608 dfff200000000000
> 32e0: ffff100006a8626f 1ffff00006a8626f ffffffffffffffff 0000ffffd8316090
> 3300: 0000ffffd8316070 000000001e518060 ffff20000845e8c8 00000000004af000
> 3320: 0000000000000000 ffff8000354312c0 ffff800035430640 0000000000000380
> 3340: ffff800035430710 ffff80005bfb80c9 ffff800035430708 ffff8000743340a0
> 3360: 1ffff000067b66b6 ffff100006a860e1 ffff2000098ac378 ffff800033db33d0
> 3380: ffff200009705cfc ffff800033db33d0 ffff200009705f50 0000000010000145
> 33a0: ffff8000354312c0 ffff800035430640 0001000000000000 ffff800074334000
> 33c0: ffff800033db33d0 ffff200009705f50
> __skb_clone (/./arch/arm64/include/asm/atomic_ll_sc.h:113 (discriminator 4) /net/core/skbuff.c:873 (discriminator 4))
> skb_clone (/net/core/skbuff.c:1286)
> arp_rcv (/./include/linux/skbuff.h:1518 /net/ipv4/arp.c:946)
> __netif_receive_skb_core (/net/core/dev.c:1859 /net/core/dev.c:1874 /net/core/dev.c:4416)
> __netif_receive_skb (/net/core/dev.c:4466)
> netif_receive_skb_internal (/net/core/dev.c:4539)
> netif_receive_skb (/net/core/dev.c:4564)
> tun_get_user (/./include/linux/bottom_half.h:31 /drivers/net/tun.c:1219 /drivers/net/tun.c:1553)
> tun_chr_write_iter (/drivers/net/tun.c:1579)
> do_iter_readv_writev (/./include/linux/fs.h:1770 /fs/read_write.c:673)
> do_iter_write (/fs/read_write.c:952)
> vfs_writev (/fs/read_write.c:997)
> do_writev (/fs/read_write.c:1032)
> SyS_writev (/fs/read_write.c:1102)
> Exception stack(0xffff800033db3ec0 to 0xffff800033db4000)
> 3ec0: 0000000000000015 0000ffff829985e0 0000000000000001 0000ffff8299851c
> 3ee0: 0000ffff82999068 0000ffff82998f60 0000ffff82999650 0000000000000000
> 3f00: 0000000000000042 0000000000000036 0000000000406608 0000ffff82998400
> 3f20: 0000ffff82998f60 0000ffffd8316090 0000ffffd8316070 000000001e518060
> 3f40: 0000000000000000 00000000004af000 0000000000000000 0000000000000036
> 3f60: 0000000020004fca 0000000020000000 000000000046ccf0 0000000000000530
> 3f80: 000000000046cce8 00000000004ade98 0000000000000000 00000000395fa6f0
> 3fa0: 0000ffff82998f60 0000ffff82998560 0000000000431448 0000ffff82998520
> 3fc0: 000000000043145c 0000000080000000 0000000000000015 0000000000000042
> 3fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
> el0_svc_naked (/arch/arm64/kernel/entry.S:853)
> Code: f9406680 8b010000 91009000 f9800011 (885f7c01)
> All code
> ========
>    0:   80 66 40 f9             andb   $0xf9,0x40(%rsi)
>    4:   00 00                   add    %al,(%rax)
>    6:   01 8b 00 90 00 91       add    %ecx,-0x6eff7000(%rbx)
>    c:   11 00                   adc    %eax,(%rax)
>    e:   80 f9 01                cmp    $0x1,%cl
>   11:   7c 5f                   jl     0x72
>   13:*  88 00                   mov    %al,(%rax)               <-- trapping instruction
>   15:   00 00                   add    %al,(%rax)
>         ...
>
> Code starting with the faulting instruction
> ===========================================
>    0:   01 7c 5f 88             add    %edi,-0x78(%rdi,%rbx,2)
>    4:   00 00                   add    %al,(%rax)
>         ...
> ---[ end trace 261e7ac1458ccc0a ]---
>

I thought it was happening on arm64?

This is x86_64 disassembly :/

Thanks.

> Thanks,
> Wei
>
>> On 19 Oct 2017, at 10:53 PM, Eric Dumazet <edumazet@...gle.com> wrote:
>>
>> On Thu, Oct 19, 2017 at 7:16 PM, Wei Wei <dotweiba@...il.com> wrote:
>>> Hi all,
>>>
>>> I have fuzzed v4.14-rc3 using syzkaller and found a bug similar to that one [1].
>>> But the call trace isn’t the same. The atomic_inc() might handle a corrupted
>>> skb_buff.
>>>
>>> The logs and config have been uploaded to my github repo [2].
>>>
>>> [1] https://lkml.org/lkml/2017/10/2/216
>>> [2] https://github.com/dotweiba/skb_clone_atomic_inc_bug
>>>
>>> Thanks,
>>> Wei
>>>
>>> Unable to handle kernel paging request at virtual address ffff80005bfb81ed
>>> Mem abort info:
>>>   Exception class = DABT (current EL), IL = 32 bits
>>>   SET = 0, FnV = 0
>>>   EA = 0, S1PTW = 0
>>> Data abort info:
>>>   ISV = 0, ISS = 0x00000033
>>>   CM = 0, WnR = 0
>>> swapper pgtable: 4k pages, 48-bit VAs, pgd = ffff20000b366000
>>> [ffff80005bfb81ed] *pgd=00000000beff7003, *pud=00e8000080000711
>>> Internal error: Oops: 96000021 [#1] PREEMPT SMP
>>> Modules linked in:
>>> CPU: 3 PID: 4725 Comm: syz-executor0 Not tainted 4.14.0-rc3 #3
>>> Hardware name: linux,dummy-virt (DT)
>>> task: ffff800074409e00 task.stack: ffff800033db0000
>>> PC is at __skb_clone+0x430/0x5b0
>>> LR is at __skb_clone+0x1dc/0x5b0
>>> pc : [<ffff200009705f50>] lr : [<ffff200009705cfc>] pstate: 10000145
>>> sp : ffff800033db33d0
>>> x29: ffff800033db33d0 x28: ffff2000098ac378
>>> x27: ffff100006a860e1 x26: 1ffff000067b66b6
>>> x25: ffff8000743340a0 x24: ffff800035430708
>>> x23: ffff80005bfb80c9 x22: ffff800035430710
>>> x21: 0000000000000380 x20: ffff800035430640
>>> x19: ffff8000354312c0 x18: 0000000000000000
>>> x17: 00000000004af000 x16: ffff20000845e8c8
>>> x15: 000000001e518060 x14: 0000ffffd8316070
>>> x13: 0000ffffd8316090 x12: ffffffffffffffff
>>> x11: 1ffff00006a8626f x10: ffff100006a8626f
>>> x9 : dfff200000000000 x8 : 0082009000900608
>>> x7 : 0000000000000000 x6 : ffff800035431380
>>> x5 : ffff100006a86270 x4 : 0000000000000000
>>> x3 : 1ffff00006a86273 x2 : 0000000000000000
>>> x1 : 0000000000000100 x0 : ffff80005bfb81ed
>>> Process syz-executor0 (pid: 4725, stack limit = 0xffff800033db0000)
>>> Call trace:
>>> Exception stack(0xffff800033db3290 to 0xffff800033db33d0)
>>> 3280:                                   ffff80005bfb81ed 0000000000000100
>>> 32a0: 0000000000000000 1ffff00006a86273 0000000000000000 ffff100006a86270
>>> 32c0: ffff800035431380 0000000000000000 0082009000900608 dfff200000000000
>>> 32e0: ffff100006a8626f 1ffff00006a8626f ffffffffffffffff 0000ffffd8316090
>>> 3300: 0000ffffd8316070 000000001e518060 ffff20000845e8c8 00000000004af000
>>> 3320: 0000000000000000 ffff8000354312c0 ffff800035430640 0000000000000380
>>> 3340: ffff800035430710 ffff80005bfb80c9 ffff800035430708 ffff8000743340a0
>>> 3360: 1ffff000067b66b6 ffff100006a860e1 ffff2000098ac378 ffff800033db33d0
>>> 3380: ffff200009705cfc ffff800033db33d0 ffff200009705f50 0000000010000145
>>> 33a0: ffff8000354312c0 ffff800035430640 0001000000000000 ffff800074334000
>>> 33c0: ffff800033db33d0 ffff200009705f50
>>> [<ffff200009705f50>] __skb_clone+0x430/0x5b0
>>> [<ffff20000971520c>] skb_clone+0x164/0x2c8
>>> [<ffff2000098ac498>] arp_rcv+0x120/0x488
>>> [<ffff200009741878>] __netif_receive_skb_core+0x11e8/0x18c8
>>> [<ffff2000097479b0>] __netif_receive_skb+0x30/0x198
>>> [<ffff200009751fd8>] netif_receive_skb_internal+0x98/0x370
>>> [<ffff2000097522cc>] netif_receive_skb+0x1c/0x28
>>> [<ffff2000090730e0>] tun_get_user+0x12f0/0x2e40
>>> [<ffff200009074ddc>] tun_chr_write_iter+0xbc/0x140
>>> [<ffff200008457284>] do_iter_readv_writev+0x2d4/0x468
>>> [<ffff20000845a5a0>] do_iter_write+0x148/0x498
>>> [<ffff20000845aac0>] vfs_writev+0x118/0x250
>>> [<ffff20000845acbc>] do_writev+0xc4/0x1e8
>>> [<ffff20000845e8fc>] SyS_writev+0x34/0x48
>>> Exception stack(0xffff800033db3ec0 to 0xffff800033db4000)
>>> 3ec0: 0000000000000015 0000ffff829985e0 0000000000000001 0000ffff8299851c
>>> 3ee0: 0000ffff82999068 0000ffff82998f60 0000ffff82999650 0000000000000000
>>> 3f00: 0000000000000042 0000000000000036 0000000000406608 0000ffff82998400
>>> 3f20: 0000ffff82998f60 0000ffffd8316090 0000ffffd8316070 000000001e518060
>>> 3f40: 0000000000000000 00000000004af000 0000000000000000 0000000000000036
>>> 3f60: 0000000020004fca 0000000020000000 000000000046ccf0 0000000000000530
>>> 3f80: 000000000046cce8 00000000004ade98 0000000000000000 00000000395fa6f0
>>> 3fa0: 0000ffff82998f60 0000ffff82998560 0000000000431448 0000ffff82998520
>>> 3fc0: 000000000043145c 0000000080000000 0000000000000015 0000000000000042
>>> 3fe0: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
>>> [<ffff200008083ef0>] el0_svc_naked+0x24/0x28
>>> Code: f9406680 8b010000 91009000 f9800011 (885f7c01)
>>> ---[ end trace 261e7ac1458ccc0a ]---
>>
>> Please provide proper file:line information in this trace.
>>
>> You can use scripts/decode_stacktrace.sh
>>
>> Thanks.
>
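
Added example, not code from this thread or from the kernel tree: the x86_64 listing above is the arm64 Code: words read byte-wise by the wrong objdump (scripts/decodecode runs ${CROSS_COMPILE}objdump, so on an x86 host it needs ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- set). The Python below parses that Code: line, emits the raw bytes for a cross objdump, decodes the load/store-exclusive group that the LL/SC atomic_inc() in atomic_ll_sc.h compiles to, and cross-checks the trapping word against the register dump; the Code: line and register values are copied from the report, the decoder and the checks are my own.

```python
import struct

# Constructed from the arm64 oops quoted in this thread (Code: line and registers).
CODE_LINE = "Code: f9406680 8b010000 91009000 f9800011 (885f7c01)"
REGS = {"x0": 0xffff80005bfb81ed, "x1": 0x100}
FAULT_ADDR = 0xffff80005bfb81ed  # "Unable to handle kernel paging request at ..."

def parse_code_line(line):
    """(word, trapping) pairs. arm64 prints 32-bit instruction words and marks the
    trapping one with parentheses; x86 prints bytes, hence the bogus x86 listing."""
    return [(int(t.strip("()"), 16), t.startswith("("))
            for t in line.split(":", 1)[1].split()]

def to_raw_bytes(words):
    """Little-endian byte stream for: objdump -D -b binary -m aarch64 code.bin"""
    return b"".join(struct.pack("<I", w) for w, _ in words)

def decode_exclusive(word):
    """Decode the load/store-exclusive group used by LL/SC atomics, else None.
    Layout: size(31:30) 001000(29:24) o2(23) L(22) o1(21) Rs(20:16) o0(15)
    Rt2(14:10) Rn(9:5) Rt(4:0); o2=0 is exclusive, o1=0 single register."""
    if ((word >> 24) & 0x3f != 0b001000 or (word >> 23) & 1   # not exclusive
            or (word >> 21) & 1 or word >> 30 < 2):           # pair, byte/half
        return None
    size = word >> 30
    load, acq_rel = (word >> 22) & 1, (word >> 15) & 1
    rs, rn, rt = (word >> 16) & 0x1f, (word >> 5) & 0x1f, word & 0x1f
    reg = "w" if size == 2 else "x"
    if load:
        return f"ld{'a' if acq_rel else ''}xr {reg}{rt}, [x{rn}]"
    return f"st{'l' if acq_rel else ''}xr w{rs}, {reg}{rt}, [x{rn}]"

def explain_trap(line, regs, fault_addr):
    """Decode the trapping word and cross-check it with the register dump.
    Returns (asm, base_holds_fault_addr, aligned); exclusive accesses must be
    naturally aligned, so a misaligned base register points into garbage."""
    for word, trapping in parse_code_line(line):
        if not trapping:
            continue
        asm = decode_exclusive(word)
        if asm is None:
            return (f".inst 0x{word:08x}", False, False)
        base = asm.split("[")[1].rstrip("]")          # e.g. "x0"
        width = 8 if word >> 30 == 3 else 4
        return (asm, regs.get(base) == fault_addr, fault_addr % width == 0)
    return (None, False, False)

if __name__ == "__main__":
    print(explain_trap(CODE_LINE, REGS, FAULT_ADDR))
```

The trapping word decodes to ldxr w1, [x0] with x0 equal to the faulting address, and that address is not 4-byte aligned, which is why the exclusive load faults rather than the earlier plain loads.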
