lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <53B33381.3010702@oracle.com>
Date:	Tue, 01 Jul 2014 18:17:37 -0400
From:	Sasha Levin <sasha.levin@...cle.com>
To:	acme@...stprotocols.net, "David S. Miller" <davem@...emloft.net>
CC:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
	LKML <linux-kernel@...r.kernel.org>,
	Dave Jones <davej@...hat.com>
Subject: net: llc: skb_panic in llc_sap_action_send_xid_cmd

Hi all,

While fuzzing with trinity inside a KVM tools guest running the latest -next
kernel I've stumbled on the following spew:

[ 1307.646561] kernel BUG at net/core/skbuff.c:99!
[ 1307.647152] invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
[ 1307.648080] Dumping ftrace buffer:
[ 1307.648632]    (ftrace buffer empty)
[ 1307.649287] Modules linked in:
[ 1307.649832] CPU: 8 PID: 16428 Comm: trinity-c172 Not tainted 3.16.0-rc3-next-20140630-sasha-00023-g44434d4-dirty #758
[ 1307.651669] task: ffff880361ef8000 ti: ffff880350c78000 task.ti: ffff880350c78000
[ 1307.653824] RIP: skb_panic (net/core/skbuff.c:99)
[ 1307.654677] RSP: 0018:ffff880350c7bbe8  EFLAGS: 00010296
[ 1307.654677] RAX: 0000000000000083 RBX: ffff8802212661c0 RCX: 00000000e776e776
[ 1307.654677] RDX: 0000000000000001 RSI: ffffffff9552561a RDI: ffffffff921e0537
[ 1307.654677] RBP: ffff880350c7bc08 R08: 0000000000000000 R09: 0000000000000000
[ 1307.662705] R10: 0000000000000001 R11: 65743a7665642030 R12: 00000000000000c8
[ 1307.662705] R13: 0000000000000001 R14: 0000000000000001 R15: 0000000000000000
[ 1307.662705] FS:  00007f5622bc7700(0000) GS:ffff880224e00000(0000) knlGS:0000000000000000
[ 1307.662705] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1307.662705] CR2: 00007f56213a6000 CR3: 0000000361ea6000 CR4: 00000000000006a0
[ 1307.662705] Stack:
[ 1307.662705]  ffff880210802498 00000000000000c2 00000000000000c0 ffff880224768000
[ 1307.662705]  ffff880350c7bc18 ffffffff94f963d7 ffff880350c7bc48 ffffffff94fdc0d5
[ 1307.662705]  ffff88021080249b ffffffff98141880 ffff8802212661c0 ffff88039fe537b0
[ 1307.662705] Call Trace:
[ 1307.662705] skb_put (net/core/skbuff.c:104 net/core/skbuff.c:1278)
[ 1307.662705] llc_sap_action_send_xid_c (net/llc/llc_s_ac.c:83)
[ 1307.662705] llc_sap_state_process (net/llc/llc_sap.c:153 net/llc/llc_sap.c:181 net/llc/llc_sap.c:212)
[ 1307.662705] llc_build_and_send_xid_pkt (net/llc/llc_sap.c:277)
[ 1307.662705] llc_ui_sendmsg (net/llc/af_llc.c:939)
[ 1307.662705] ? lock_release_holdtime (kernel/locking/lockdep.c:273)
[ 1307.662705] ? might_fault (mm/memory.c:3740)
[ 1307.662705] ? lock_release_non_nested (kernel/locking/lockdep.c:3397)
[ 1307.662705] sock_sendmsg (net/socket.c:654)
[ 1307.662705] ? might_fault (mm/memory.c:3741)
[ 1307.662705] ? might_fault (mm/memory.c:3740)
[ 1307.662705] ? move_addr_to_kernel (./arch/x86/include/asm/uaccess.h:713 net/socket.c:197)
[ 1307.662705] SYSC_sendto (net/socket.c:1812)
[ 1307.662705] ? vtime_account_user (kernel/sched/cputime.c:687)
[ 1307.662705] ? trace_hardirqs_on (kernel/locking/lockdep.c:2607)
[ 1307.662705] ? syscall_trace_enter (include/linux/context_tracking.h:27 arch/x86/kernel/ptrace.c:1461)
[ 1307.662705] SyS_sendto (net/socket.c:1779)
[ 1307.662705] tracesys (arch/x86/kernel/entry_64.S:542)
[ 1307.662705] Code: 00 00 48 89 44 24 10 8b 87 c8 00 00 00 48 89 44 24 08 48 8b 87 d8 00 00 00 48 c7 c7 e8 4d cd 96 48 89 04 24 31 c0 e8 e2 4a fb ff <0f> 0b 66 66 66 66 90 55 48 89 e5 41 57 41 56 41 55 41 54 41 89
All code
========
   0:	00 00                	add    %al,(%rax)
   2:	48 89 44 24 10       	mov    %rax,0x10(%rsp)
   7:	8b 87 c8 00 00 00    	mov    0xc8(%rdi),%eax
   d:	48 89 44 24 08       	mov    %rax,0x8(%rsp)
  12:	48 8b 87 d8 00 00 00 	mov    0xd8(%rdi),%rax
  19:	48 c7 c7 e8 4d cd 96 	mov    $0xffffffff96cd4de8,%rdi
  20:	48 89 04 24          	mov    %rax,(%rsp)
  24:	31 c0                	xor    %eax,%eax
  26:	e8 e2 4a fb ff       	callq  0xfffffffffffb4b0d
  2b:*	0f 0b                	ud2    		<-- trapping instruction
  2d:	66 66 66 66 90       	data32 data32 data32 xchg %ax,%ax
  32:	55                   	push   %rbp
  33:	48 89 e5             	mov    %rsp,%rbp
  36:	41 57                	push   %r15
  38:	41 56                	push   %r14
  3a:	41 55                	push   %r13
  3c:	41 54                	push   %r12
  3e:	41 89 00             	mov    %eax,(%r8)

Code starting with the faulting instruction
===========================================
   0:	0f 0b                	ud2
   2:	66 66 66 66 90       	data32 data32 data32 xchg %ax,%ax
   7:	55                   	push   %rbp
   8:	48 89 e5             	mov    %rsp,%rbp
   b:	41 57                	push   %r15
   d:	41 56                	push   %r14
   f:	41 55                	push   %r13
  11:	41 54                	push   %r12
  13:	41 89 00             	mov    %eax,(%r8)
[ 1307.662705] RIP skb_panic (net/core/skbuff.c:99)
[ 1307.662705]  RSP <ffff880350c7bbe8>


Thanks,
sasha
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ