lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date:   Sun, 18 Feb 2018 14:59:03 -0800
From:   syzbot <syzbot+f62e0f2a0ef578703946@...kaller.appspotmail.com>
To:     davem@...emloft.net, jon.maloy@...csson.com,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com,
        tipc-discussion@...ts.sourceforge.net, ying.xue@...driver.com
Subject: general protection fault in tipc_conn_close

Hello,

syzbot hit the following crash on net-next commit
1ec010e705934c8acbe7dbf31afc81e60e3d828b (Fri Feb 16 10:03:07 2018 +0000)
tun: export flags, uid, gid, queue information over netlink

So far this crash happened 2 times on net-next.
C reproducer is attached.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f62e0f2a0ef578703946@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.

Subscription rejected, no memory
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4074 Comm: syzkaller787570 Not tainted 4.16.0-rc1+ #231
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
RIP: 0010:tipc_conn_close+0x4c/0x130 net/tipc/topsrv.c:165
RSP: 0018:ffff8801d82a78e8 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff8801c5f54580 RCX: ffffffff856e9b57
RDX: 0000000000000004 RSI: 1ffff1003b054e9d RDI: 0000000000000020
RBP: ffff8801d82a7908 R08: 1ffff1003b054e34 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff8801d82a79e0 R14: ffff8801c5f54588 R15: ffff8801d1cb1a00
FS:  0000000001763880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000056422776e110 CR3: 00000001c51bc003 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  tipc_topsrv_kern_subscr+0x7e1/0x9e0 net/tipc/topsrv.c:584
  tipc_group_create+0x6be/0x940 net/tipc/group.c:193
  tipc_sk_join net/tipc/socket.c:2759 [inline]
  tipc_setsockopt+0x28a/0xcf0 net/tipc/socket.c:2874
  SYSC_setsockopt net/socket.c:1850 [inline]
  SyS_setsockopt+0x189/0x360 net/socket.c:1829
  do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x26/0x9b
RIP: 0033:0x440419
RSP: 002b:00007ffcb9e1d588 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440419
RDX: 0000000000000087 RSI: 000000000000010f RDI: 0000000000000003
RBP: 00000000006cb018 R08: 0000000000000010 R09: 0000000000000033
R10: 0000000020265000 R11: 0000000000000246 R12: 0000000000000004
R13: ffffffffffffffff R14: 0000000000000000 R15: 0000000000000000
Code: fc ff df 48 c1 ea 03 80 3c 02 00 0f 85 f1 00 00 00 4c 8b 63 08 48 b8  
00 00 00 00 00 fc ff df 49 8d 7c 24 20 48 89 fa 48 c1 ea 03 <80> 3c 02 00  
0f 85 c3 00 00 00 4d 8b 6c 24 20 4d 8d a5 58 03 00
RIP: tipc_conn_close+0x4c/0x130 net/tipc/topsrv.c:165 RSP: ffff8801d82a78e8
---[ end trace 39a5075916eff3f7 ]---
Kernel panic - not syncing: Fatal exception
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

View attachment "raw.log.txt" of type "text/plain" (9120 bytes)

View attachment "repro.syz.txt" of type "text/plain" (451 bytes)

View attachment "repro.c.txt" of type "text/plain" (2033 bytes)

View attachment "config.txt" of type "text/plain" (136427 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ