| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 13 Feb 2017 20:54:58 +0100
From: Andrey Konovalov <andreyknvl@...gle.com>
To: "David S. Miller" <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Cc: Dmitry Vyukov <dvyukov@...gle.com>,
Kostya Serebryany <kcc@...gle.com>,
Eric Dumazet <edumazet@...gle.com>,
syzkaller <syzkaller@...glegroups.com>
Subject: net: BUG in __skb_gso_segment
Hi,
I've got the following error report while fuzzing the kernel with syzkaller.
A reproducer and .config are attached.
On commit 926af6273fc683cd98cd0ce7bf0d04a02eed6742.
kernel BUG at ./include/linux/skbuff.h:1942!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 5922 Comm: syz-executor5 Not tainted 4.10.0-rc7+ #127
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88003ba72dc0 task.stack: ffff880033ed0000
RIP: 0010:__skb_pull include/linux/skbuff.h:1942 [inline]
RIP: 0010:skb_mac_gso_segment+0x5ae/0x690 net/core/dev.c:2634
RSP: 0018:ffff880033ed6c48 EFLAGS: 00010216
RAX: 0000000000010000 RBX: 000000000000113e RCX: ffffc90003f74000
RDX: 0000000000000223 RSI: ffffffff833cfbfe RDI: ffff88003e305244
RBP: ffff880033ed6d98 R08: 0000000000000000 R09: 0000000000000000
R10: c66e14bf8d4328e9 R11: 0000000000000000 R12: 000000000000000e
R13: ffff88003e3051c0 R14: ffff880033ed6d70 R15: 0000000000000000
FS: 00007faa035db700(0000) GS:ffff88003ed00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000203dd000 CR3: 000000003c165000 CR4: 00000000000006e0
Call Trace:
__skb_gso_segment+0x3d2/0x780 net/core/dev.c:2710
skb_gso_segment include/linux/netdevice.h:3914 [inline]
validate_xmit_skb+0x5c9/0xc20 net/core/dev.c:2944
__dev_queue_xmit+0x102e/0x2860 net/core/dev.c:3364
dev_queue_xmit+0x17/0x20 net/core/dev.c:3405
packet_snd net/packet/af_packet.c:2872 [inline]
packet_sendmsg+0x40bc/0x58b0 net/packet/af_packet.c:2897
sock_sendmsg_nosec net/socket.c:635 [inline]
sock_sendmsg+0xca/0x110 net/socket.c:645
___sys_sendmsg+0x4a3/0xae0 net/socket.c:1985
__sys_sendmmsg+0x25c/0x750 net/socket.c:2075
SYSC_sendmmsg net/socket.c:2106 [inline]
SyS_sendmmsg+0x35/0x60 net/socket.c:2101
entry_SYSCALL_64_fastpath+0x1f/0xc2
RIP: 0033:0x4458b9
RSP: 002b:00007faa035dab58 EFLAGS: 00000292 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000016 RCX: 00000000004458b9
RDX: 0000000000000001 RSI: 0000000020bc7fc8 RDI: 0000000000000016
RBP: 00000000006e1ad0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000292 R12: 0000000000708000
R13: 0000000020fcc000 R14: 0000000000001000 R15: 0000000000000003
Code: 00 00 48 c7 c7 00 4b 23 85 c6 05 b6 6f b2 02 01 e8 58 7a 04 fe
e9 ae fc ff ff 48 c7 c3 ea ff ff ff e9 dc fe ff ff e8 82 f0 1d fe <0f>
0b 48 8b bd e0 fe ff ff e8 a4 30 48 fe e9 ef fd ff ff e8 9a
RIP: __skb_pull include/linux/skbuff.h:1942 [inline] RSP: ffff880033ed6c48
RIP: skb_mac_gso_segment+0x5ae/0x690 net/core/dev.c:2634 RSP: ffff880033ed6c48
---[ end trace 2214c8475331c97c ]---
Kernel panic - not syncing: Fatal exception in interrupt
Dumping ftrace buffer:
(ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..
View attachment "skb-gso-null-poc.c" of type "text/x-csrc" (26654 bytes)
Download attachment ".config" of type "application/octet-stream" (124975 bytes)
Powered by blists - more mailing lists