Date:   Tue, 4 Apr 2017 15:44:51 +0200
From:   Andrey Konovalov <andreyknvl@...gle.com>
To:     Gerrit Renker <gerrit@....abdn.ac.uk>,
        "David S. Miller" <davem@...emloft.net>, dccp@...r.kernel.org,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Cc:     Dmitry Vyukov <dvyukov@...gle.com>,
        Kostya Serebryany <kcc@...gle.com>,
        Eric Dumazet <edumazet@...gle.com>,
        syzkaller <syzkaller@...glegroups.com>
Subject: net/dccp: BUG in tfrc_rx_hist_sample_rtt

Hi,

I've got the following error report while fuzzing the kernel with syzkaller.

On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5).

I'm able to reproduce it by executing the attached syzkaller prog, but
there's no simple C reproducer. My .config is attached.

BUG: please report to dccp@...r.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:427/tfrc_rx_hist_sample_rtt()
CPU: 1 PID: 4049 Comm: syz-executor Not tainted 4.11.0-rc5+ #199
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x398 lib/dump_stack.c:52
 tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:424
 ccid3_hc_rx_packet_recv+0x6a3/0xfb0 net/dccp/ccids/ccid3.c:764
 ccid_hc_rx_packet_recv net/dccp/ccid.h:185
 dccp_deliver_input_to_ccids+0xd9/0x250 net/dccp/input.c:180
 dccp_rcv_established+0x88/0xb0 net/dccp/input.c:378
 dccp_v6_do_rcv+0x2af/0x350 net/dccp/ipv6.c:600
 sk_backlog_rcv ./include/net/sock.h:898
 __sk_receive_skb+0x368/0xcb0 net/core/sock.c:469
 dccp_v6_rcv+0xba2/0x1cf0 net/dccp/ipv6.c:744
 ip6_input_finish+0x468/0x17b0 net/ipv6/ip6_input.c:279
 NF_HOOK ./include/linux/netfilter.h:257
 ip6_input+0xdb/0x590 net/ipv6/ip6_input.c:322
 dst_input ./include/net/dst.h:492
 ip6_rcv_finish+0x289/0x890 net/ipv6/ip6_input.c:69
 NF_HOOK ./include/linux/netfilter.h:257
 ipv6_rcv+0x12f1/0x23a0 net/ipv6/ip6_input.c:203
 __netif_receive_skb_core+0x1ad1/0x3400 net/core/dev.c:4207
 __netif_receive_skb+0x2a/0x170 net/core/dev.c:4245
 process_backlog+0xe5/0x6c0 net/core/dev.c:4865
 napi_poll net/core/dev.c:5267
 net_rx_action+0xe70/0x1900 net/core/dev.c:5332
 __do_softirq+0x2fb/0xb7d kernel/softirq.c:284
 do_softirq_own_stack+0x1c/0x30 arch/x86/entry/entry_64.S:902
 </IRQ>
 do_softirq.part.17+0x1e8/0x230 kernel/softirq.c:328
 do_softirq kernel/softirq.c:176
 __local_bh_enable_ip+0x1f2/0x200 kernel/softirq.c:181
 local_bh_enable ./include/linux/bottom_half.h:31
 rcu_read_unlock_bh ./include/linux/rcupdate.h:931
 ip6_finish_output2+0xc4e/0x2560 net/ipv6/ip6_output.c:124
 ip6_finish_output+0x302/0x960 net/ipv6/ip6_output.c:149
 NF_HOOK_COND ./include/linux/netfilter.h:246
 ip6_output+0x1cb/0x8d0 net/ipv6/ip6_output.c:163
 ip6_xmit+0xd38/0x2210 ./include/net/dst.h:486
 inet6_csk_xmit+0x331/0x610 net/ipv6/inet6_connection_sock.c:139
 dccp_transmit_skb+0xb09/0x1120 net/dccp/output.c:142
 dccp_xmit_packet+0x215/0x760 net/dccp/output.c:281
 dccp_write_xmit+0x168/0x1d0 net/dccp/output.c:363
 dccp_sendmsg+0x79c/0xb10 net/dccp/proto.c:796
 inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:762
 sock_sendmsg_nosec net/socket.c:633
 sock_sendmsg+0xca/0x110 net/socket.c:643
 SYSC_sendto+0x660/0x810 net/socket.c:1696
 SyS_sendto+0x40/0x50 net/socket.c:1664
 entry_SYSCALL_64_fastpath+0x1f/0xc2 arch/x86/entry/entry_64.S:204
RIP: 0033:0x4458d9
RSP: 002b:00007f4a98d8ab58 EFLAGS: 00000282 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000000015 RCX: 00000000004458d9
RDX: 000000000000007a RSI: 00000000203c4000 RDI: 0000000000000015
RBP: 00000000006e2fa0 R08: 0000000020e6f000 R09: 000000000000000a
R10: 0000000000004000 R11: 0000000000000282 R12: 0000000000708150
R13: 0000000000000000 R14: 00007f4a98d8b9c0 R15: 00007f4a98d8b700
dccp_close: ABORT with 1 bytes unread

Download attachment ".config" of type "application/octet-stream" (96030 bytes)

Download attachment "dccp-history-bug-log" of type "application/octet-stream" (3938 bytes)
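As an added triage example (not part of the original report or of the kernel's own code), the following Python helper parses a kernel BUG report in the format above: it rejoins the wrapped DCCP_BUG line, pulls out the values the message printed (prev and last), locates the first real frame under dump_stack, and records that the crash fired in the softirq receive path while the same task was inside dccp_sendmsg. The frame regexes and the rx/tx name heuristic are assumptions about the trace layout; the embedded sample is an abridged copy of the trace from this report.

```python
import re

# Constructed sample: an abridged copy of the trace in this report, in the format the
# kernel prints (DCCP_BUG line wrapped after "at"; <IRQ> section nested in the send path).
SAMPLE_REPORT = """\
BUG: please report to dccp@...r.kernel.org => prev = 0, last = 0 at
net/dccp/ccids/lib/packet_history.c:427/tfrc_rx_hist_sample_rtt()
 <IRQ>
 __dump_stack lib/dump_stack.c:16
 dump_stack+0x292/0x398 lib/dump_stack.c:52
 tfrc_rx_hist_sample_rtt+0x407/0x4d0 net/dccp/ccids/lib/packet_history.c:424
 ccid3_hc_rx_packet_recv+0x6a3/0xfb0 net/dccp/ccids/ccid3.c:764
 dccp_v6_rcv+0xba2/0x1cf0 net/dccp/ipv6.c:744
 </IRQ>
 dccp_sendmsg+0x79c/0xb10 net/dccp/proto.c:796
 SyS_sendto+0x40/0x50 net/socket.c:1664
"""

# "func+0xoff/0xsize file:line" for real frames, "func file:line" for inlined ones.
FRAME_RE = re.compile(r"^([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+):(\d+)$")
BUG_RE = re.compile(r"^BUG: (.*) at (\S+):(\d+)/(\w+)\(\)$")
SKIP = {"__dump_stack", "dump_stack"}  # trace-printing helpers, not the crash site


def parse_report(text):
    """Return (bug or None, frames); each frame is (func, file, line, in_irq)."""
    bug, frames, in_irq = None, [], False
    for ln in re.sub(r" at\n\s*", " at ", text).splitlines():  # rejoin wrapped BUG line
        ln = ln.strip()
        if (m := BUG_RE.match(ln)):
            bug = {"message": m[1], "file": m[2], "line": int(m[3]), "func": m[4]}
        elif ln in ("<IRQ>", "</IRQ>"):
            in_irq = ln == "<IRQ>"
        elif (m := FRAME_RE.match(ln)):
            frames.append((m[1], m[2], int(m[3]), in_irq))
    return bug, frames


def triage(text):
    """Summarise the crash site, the context it fired in, and the BUG's printed values."""
    bug, frames = parse_report(text)
    site = next(f for f in frames if f[0] not in SKIP)
    irq, task = [f for f in frames if f[3]], [f for f in frames if not f[3]]
    return {
        "bug": bug, "crash_func": site[0], "crash_in_irq": site[3],
        # "name = value" pairs from the BUG message, e.g. prev = 0, last = 0
        "values": {k: int(v) for k, v in re.findall(r"(\w+) = (\d+)", bug["message"] if bug else "")},
        "syscall": next((f[0] for f in task if f[0].startswith("SyS_")), None),
        # heuristic: a receive-path frame ran in softirq while this task was mid-send
        "rx_in_irq_over_tx": any("_rx_" in f[0] or f[0].endswith("_rcv") for f in irq)
        and any("sendmsg" in f[0] for f in task),
    }
```

Running `triage(SAMPLE_REPORT)` on the sample reports the crash site as tfrc_rx_hist_sample_rtt in IRQ context under a sendto() system call, which is the send-while-receiving shape visible in the full trace above.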
