Date:	Tue, 07 Aug 2012 11:12:14 -0700
From:	John Stultz <john.stultz@...aro.org>
To:	lkml <linux-kernel@...r.kernel.org>
CC:	"Serge E. Hallyn" <serge@...lyn.com>,
	James Morris <james.l.morris@...cle.com>
Subject: NULL pointer dereference in selinux_ip_postroute_compat

Hi,
     With my kvm environment using 3.6-rc1+, I'm seeing NULL pointer 
dereferences in selinux_ip_postroute_compat(). It looks like the sksec 
value is null and we die in the following line:

     if (selinux_xfrm_postroute_last(sksec->sid, skb, &ad, proto))

This triggers every time I shut down the machine, but has also triggered 
randomly after a few hours.

This is on an Ubuntu 12.04 image, not using selinux.

Running with the following kvm line:
kvm -nographic -smp 4 -m 1G -hda disk.img -net user -net 
nic,model=virtio -redir tcp:4400::22 -kernel ./bzImage -initrd 
initrd.img-1-jstultz  -append 
"root=UUID=b08aa86a-4b16-488f-a3de-33c2cf335bf0 ro console=ttyS0,115200n8"

Two different traces below. Config attached.

thanks
-john

Trace1 @ shutdown:

[   69.272927] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[   69.273374] IP: [<ffffffff8132e7c4>] selinux_ip_postroute_compat+0xa4/0xe0
[   69.273374] PGD 3a85b067 PUD 3f50b067 PMD 0
[   69.273374] Oops: 0000 [#1] PREEMPT SMP
[   69.273374] CPU 3
[   69.273374] Pid: 2392, comm: hwclock Not tainted 3.6.0-rc1john+ #106 Bochs Bochs
[   69.273374] RIP: 0010:[<ffffffff8132e7c4>]  [<ffffffff8132e7c4>] selinux_ip_postroute_compat+0xa4/0xe0
[   69.273374] RSP: 0018:ffff88003f003720  EFLAGS: 00010246
[   69.273374] RAX: 0000000000000000 RBX: ffff88003f5fa9d8 RCX: 0000000000000006
[   69.273374] RDX: ffff88003f003740 RSI: ffff88003c6b256c RDI: ffff88003f5fa9d8
                                                                          [ OK ]
[   69.273374] RBP: ffff88003f0037a0 R08: 0000000000000000 R09: ffff88003f1d0cc0
[   69.273374] R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
[   69.273374] R13: 0000000000000002 R14: ffff88003f0037c0 R15: 0000000000000004
[   69.273374] FS:  00007fa398211700(0000) GS:ffff88003f000000(0000) knlGS:0000000000000000
[   69.273374] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   69.273374] CR2: 0000000000000010 CR3: 000000003b52a000 CR4: 00000000000006e0
[   69.273374] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   69.273374] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   69.273374] Process hwclock (pid: 2392, threadinfo ffff88003a0ee000, task ffff88003fa82b80)
[   69.273374] Stack:
[   69.273374]  ffff88003c6b2558 0000000000000006 0000000000000000 0000160067d70002
[   69.273374]  0f02000a0202000a 0000000000000000 0000000000000000 0000000000000000
[   69.273374]  ffff88003f003802 ffff88003f003728 ffff88003f1d42d0 ffff88003d6c3560
[   69.273374] Call Trace:
[   69.273374]  <IRQ>
[   69.273374]  [<ffffffff8132eaab>] selinux_ip_postroute+0x2ab/0x3e0
[   69.273374]  [<ffffffff8132ec1c>] selinux_ipv4_postroute+0x1c/0x20
[   69.273374]  [<ffffffff8198265c>] nf_iterate+0xac/0x140
[   69.273374]  [<ffffffff8199be00>] ? ip_fragment+0xa20/0xa20
[   69.273374]  [<ffffffff819827a5>] nf_hook_slow+0xb5/0x210
[   69.273374]  [<ffffffff8199be00>] ? ip_fragment+0xa20/0xa20
[   69.273374]  [<ffffffff8199cbba>] ip_output+0xaa/0x150
[   69.273374]  [<ffffffff8199a9af>] ip_local_out+0x7f/0x110
[   69.273374]  [<ffffffff8199d82e>] ip_send_skb+0xe/0x40
[   69.273374]  [<ffffffff8199d88b>] ip_push_pending_frames+0x2b/0x30
[   69.273374]  [<ffffffff8199dc97>] ip_send_unicast_reply+0x2c7/0x3c0
[   69.273374]  [<ffffffff8117e275>] ? kmem_cache_free+0x285/0x3e0
[   69.273374]  [<ffffffff819bb215>] tcp_v4_send_reset+0x1f5/0x3f0
[   69.273374]  [<ffffffff819bf04b>] tcp_v4_rcv+0x2bb/0x1080
[   69.273374]  [<ffffffff81994d73>] ip_local_deliver_finish+0x133/0x4d0
[   69.273374]  [<ffffffff81994c9c>] ? ip_local_deliver_finish+0x5c/0x4d0
[   69.273374]  [<ffffffff819953e0>] ip_local_deliver+0x90/0xa0
[   69.273374]  [<ffffffff819945b2>] ip_rcv_finish+0x262/0x8f0
[   69.273374]  [<ffffffff81995742>] ip_rcv+0x352/0x3a0
[   69.323844]  [<ffffffff81925244>] __netif_receive_skb+0xcb4/0x10e0
[   69.323844]  [<ffffffff81924899>] ? __netif_receive_skb+0x309/0x10e0
[   69.323844]  [<ffffffff8117c176>] ? kmem_cache_alloc+0x256/0x4e0
[   69.323844]  [<ffffffff81917c24>] ? build_skb+0x34/0x1c0
[   69.323844]  [<ffffffff8192ba5d>] netif_receive_skb+0x18d/0x230
[   69.323844]  [<ffffffff81951da8>] ? eth_type_trans+0x168/0x190
[   69.323844]  [<ffffffff81746abc>] virtnet_poll+0x58c/0x7b0
[   69.323844]  [<ffffffff8192cf59>] net_rx_action+0x289/0x550
[   69.323844]  [<ffffffff8105846a>] __do_softirq+0x1da/0x560
[   69.323844]  [<ffffffff810ed8fb>] ? handle_edge_irq+0x12b/0x190
[   69.323844]  [<ffffffff81b5c2bc>] call_softirq+0x1c/0x30
[   69.323844]  [<ffffffff81004d75>] do_softirq+0x105/0x1e0
[   69.323844]  [<ffffffff81058bbe>] irq_exit+0x9e/0x100
[   69.323844]  [<ffffffff81b5c9d3>] do_IRQ+0x63/0xd0
[   69.323844]  [<ffffffff81b5a56f>] common_interrupt+0x6f/0x6f
[   69.323844]  <EOI>
[   69.323844]  [<ffffffff810b964e>] ? put_lock_stats.isra.19+0xe/0x40
[   69.323844]  [<ffffffff81115363>] ? ftrace_likely_update+0xf3/0x250
[   69.323844]  [<ffffffff810993ad>] __might_sleep+0x1cd/0x280
[   69.323844]  [<ffffffff810ad6fc>] ? getnstimeofday+0xdc/0x150
[   69.323844]  [<ffffffff81160e74>] might_fault+0x34/0xb0
[   69.323844]  [<ffffffff8105657e>] sys_gettimeofday+0xbe/0xf0
[   69.323844]  [<ffffffff81b5afe9>] system_call_fastpath+0x16/0x1b
[   69.323844] Code: c0 45 31 c9 b1 01 ba 2a 00 00 00 e8 a7 89 ff ff 85 c0 b9 00 00 6f 00 74 0e 48 83 c4 70 89 c8 5b 41 5c 5d c3 0f 1f 00 0f b6 4d ef <41> 8b 7c 24 10 48 8d 55 c0 48 89 de e8 ab 6d 01 00 83 f8 01 19
[   69.323844] RIP  [<ffffffff8132e7c4>] selinux_ip_postroute_compat+0xa4/0xe0
[   69.323844]  RSP <ffff88003f003720>
[   69.323844] CR2: 0000000000000010
[   69.357489] ---[ end trace 0cd3e1a60dee6096 ]---
[   69.358353] Kernel panic - not syncing: Fatal exception in interrupt


Trace2: After some uptime

[17169.735267] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[17169.738338] IP: [<ffffffff8132e7c4>] selinux_ip_postroute_compat+0xa4/0xe0
[17169.738338] PGD 39a97067 PUD 3cc09067 PMD 0
[17169.738338] Oops: 0000 [#1] PREEMPT SMP
[17169.738338] CPU 3
[17169.738338] Pid: 0, comm: swapper/3 Not tainted 3.6.0-rc1john+ #106 Bochs Bochs
[17169.738338] RIP: 0010:[<ffffffff8132e7c4>]  [<ffffffff8132e7c4>] selinux_ip_postroute_compat+0xa4/0xe0
[17169.738338] RSP: 0018:ffff88003f003700  EFLAGS: 00010246
[17169.738338] RAX: 0000000000000000 RBX: ffff88003a0ffd98 RCX: 0000000000000006
[17169.738338] RDX: ffff88003f003720 RSI: ffff88003980c2d4 RDI: ffff88003a0ffd98
[17169.738338] RBP: ffff88003f003780 R08: 0000000000000000 R09: ffff88003f1d0cc0
[17169.738338] R10: 0000000000000003 R11: 0000000000000000 R12: 0000000000000000
[17169.738338] R13: 0000000000000002 R14: ffff88003f0037a0 R15: 0000000000000004
[17169.738338] FS:  0000000000000000(0000) GS:ffff88003f000000(0000) knlGS:0000000000000000
[17169.738338] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[17169.738338] CR2: 0000000000000010 CR3: 0000000039bb7000 CR4: 00000000000006e0
[17169.738338] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[17169.738338] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[17169.738338] Process swapper/3 (pid: 0, threadinfo ffff88003d4da000, task ffff88003d4d82c0)
[17169.738338] Stack:
[17169.738338]  ffff88003980c2c0 0000000000000006 0000000000000000 000034b450000002
[17169.738338]  0f02000a1e5bbd5b 0000000000000000 0000000000000000 0000000000000000
[17169.738338]  ffff88003f003802 ffff88003f003708 ffff88003f1d42d0 ffff88003d719db0
[17169.738338] Call Trace:
[17169.738338]  <IRQ>
[17169.738338]  [<ffffffff8132eaab>] selinux_ip_postroute+0x2ab/0x3e0
[17169.738338]  [<ffffffff8132ec1c>] selinux_ipv4_postroute+0x1c/0x20
[17169.738338]  [<ffffffff8198265c>] nf_iterate+0xac/0x140
[17169.738338]  [<ffffffff8199be00>] ? ip_fragment+0xa20/0xa20
[17169.738338]  [<ffffffff819827a5>] nf_hook_slow+0xb5/0x210
[17169.738338]  [<ffffffff8199be00>] ? ip_fragment+0xa20/0xa20
[17169.738338]  [<ffffffff8199cbba>] ip_output+0xaa/0x150
[17169.738338]  [<ffffffff8199a9af>] ip_local_out+0x7f/0x110
[17169.738338]  [<ffffffff8199d82e>] ip_send_skb+0xe/0x40
[17169.738338]  [<ffffffff8199d88b>] ip_push_pending_frames+0x2b/0x30
[17169.738338]  [<ffffffff8199dc97>] ip_send_unicast_reply+0x2c7/0x3c0
[17169.738338]  [<ffffffff810b9744>] ? lock_release_holdtime.part.20+0xc4/0x160
[17169.738338]  [<ffffffff819bd1f6>] tcp_v4_send_ack.isra.33+0x176/0x280
[17169.738338]  [<ffffffff8191f90a>] ? __skb_checksum_complete_head+0x8a/0xc0
[17169.738338]  [<ffffffff819bf191>] tcp_v4_rcv+0x401/0x1080
[17169.738338]  [<ffffffff81994d73>] ip_local_deliver_finish+0x133/0x4d0
[17169.738338]  [<ffffffff81994c9c>] ? ip_local_deliver_finish+0x5c/0x4d0
[17169.738338]  [<ffffffff819953e0>] ip_local_deliver+0x90/0xa0
[17169.738338]  [<ffffffff819945b2>] ip_rcv_finish+0x262/0x8f0
[17169.738338]  [<ffffffff81995742>] ip_rcv+0x352/0x3a0
[17169.738338]  [<ffffffff81925244>] __netif_receive_skb+0xcb4/0x10e0
[17169.738338]  [<ffffffff81924899>] ? __netif_receive_skb+0x309/0x10e0
[17169.738338]  [<ffffffff8192ba5d>] netif_receive_skb+0x18d/0x230
[17169.738338]  [<ffffffff81951da8>] ? eth_type_trans+0x168/0x190
[17169.738338]  [<ffffffff81746abc>] virtnet_poll+0x58c/0x7b0
[17169.738338]  [<ffffffff8192cf59>] net_rx_action+0x289/0x550
[17169.738338]  [<ffffffff8105846a>] __do_softirq+0x1da/0x560
[17169.738338]  [<ffffffff81b5c2bc>] call_softirq+0x1c/0x30
[17169.738338]  [<ffffffff81004d75>] do_softirq+0x105/0x1e0
[17169.738338]  [<ffffffff81058bbe>] irq_exit+0x9e/0x100
[17169.738338]  [<ffffffff81b5caab>] smp_apic_timer_interrupt+0x6b/0x98
[17169.738338]  [<ffffffff81b5bb2f>] apic_timer_interrupt+0x6f/0x80
[17169.738338]  <EOI>
[17169.738338]  [<ffffffff81037d66>] ? native_safe_halt+0x6/0x10
[17169.738338]  [<ffffffff8100e5af>] default_idle+0x76f/0x780
[17169.738338]  [<ffffffff8100f3e6>] cpu_idle+0x136/0x140
[17169.738338]  [<ffffffff81b3aab2>] start_secondary+0x1cf/0x1d4
[17169.738338] Code: c0 45 31 c9 b1 01 ba 2a 00 00 00 e8 a7 89 ff ff 85 c0 b9 00 00 6f 00 74 0e 48 83 c4 70 89 c8 5b 41 5c 5d c3 0f 1f 00 0f b6 4d ef <41> 8b 7c 24 10 48 8d 55 c0 48 89 de e8 ab 6d 01 00 83 f8 01 19
[17169.738338] RIP  [<ffffffff8132e7c4>] selinux_ip_postroute_compat+0xa4/0xe0
[17169.738338]  RSP <ffff88003f003700>
[17169.738338] CR2: 0000000000000010
[17169.829670] ---[ end trace a3af16e2baf5b40e ]---
[17169.830629] Kernel panic - not syncing: Fatal exception in interrupt


View attachment ".config" of type "text/plain" (83695 bytes)
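The report above shows a post-routing LSM hook reached from softirq context (a TCP reset or ACK generated by the stack itself, per the call trace) with a NULL socket security blob, so `sksec->sid` faults. The following user-space model, added here as an illustration and not code from the kernel or from this thread, reproduces the shape of that defect beside a hardened variant that checks for a missing blob before reading the SID. All struct layouts, the `xfrm_postroute_last()` stand-in, the `SECINITSID_KERNEL` fallback and the three packet scenarios are constructed assumptions; the page does not say why the blob was NULL, only that it was.

```c
/* Added example: user-space model of a post-routing hook that reads a
 * per-socket security blob. Not kernel code; struct shapes are simplified
 * stand-ins for sk_buff / sock / sk_security_struct (assumption). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NF_DROP   0
#define NF_ACCEPT 1
#define SECINITSID_KERNEL 1u   /* fallback SID for unowned packets (assumption) */

struct sk_security { uint32_t sid; };                  /* per-socket blob */
struct sock        { struct sk_security *sk_security; };
struct sk_buff     { struct sock *sk; };                /* packet + owner socket */

/* Stand-in for the xfrm post-routing check; only the SID matters here. */
static int xfrm_postroute_last(uint32_t sid)
{
    return sid != 0 ? NF_ACCEPT : NF_DROP;
}

/* Shape of the crash site: the blob is dereferenced without a check.
 * With skb->sk == NULL or sk_security == NULL this faults, as in the report. */
static int postroute_compat_unchecked(const struct sk_buff *skb)
{
    const struct sk_security *sksec = skb->sk->sk_security;
    return xfrm_postroute_last(sksec->sid);
}

/* 1 if a per-socket SID can safely be read from this packet, else 0. */
static int skb_has_socket_sid(const struct sk_buff *skb)
{
    return skb != NULL && skb->sk != NULL && skb->sk->sk_security != NULL;
}

/* Hardened hook: packets with no labelled owner fall back to a default SID
 * instead of dereferencing NULL. */
static int postroute_compat_checked(const struct sk_buff *skb, uint32_t *sid_out)
{
    uint32_t sid = skb_has_socket_sid(skb) ? skb->sk->sk_security->sid
                                           : SECINITSID_KERNEL;
    if (sid_out)
        *sid_out = sid;
    return xfrm_postroute_last(sid);
}

/* Three constructed packets: 0 = labelled socket, 1 = socket whose blob was
 * never attached, 2 = no owner socket at all. Returns the SID the hook used. */
static uint32_t demo_sid(int scenario)
{
    struct sk_security sec = { .sid = 42 };
    struct sock labelled   = { .sk_security = &sec };
    struct sock unlabelled = { .sk_security = NULL };
    struct sk_buff skb;
    uint32_t sid = 0;

    switch (scenario) {
    case 0:  skb.sk = &labelled;   break;
    case 1:  skb.sk = &unlabelled; break;
    default: skb.sk = NULL;        break;
    }
    postroute_compat_checked(&skb, &sid);
    return sid;
}

/* The unchecked hook is only safe on the labelled scenario. */
static int demo_unchecked_labelled(void)
{
    struct sk_security sec = { .sid = 42 };
    struct sock labelled   = { .sk_security = &sec };
    struct sk_buff skb     = { .sk = &labelled };
    return postroute_compat_unchecked(&skb);
}

int main(void)
{
    for (int s = 0; s < 3; s++)
        printf("scenario %d -> hook used sid %u\n", s, demo_sid(s));
    printf("unchecked hook on labelled socket -> verdict %d\n",
           demo_unchecked_labelled());
    return 0;
}
```

The point of the check is ordering: whether a packet has an owning, labelled socket is a property of how it was generated (here, a stack-internal reply from interrupt context), so the hook must establish that before it reads anything through the blob pointer.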
