Open Source and information security mailing list archives
Date:   Wed, 20 Dec 2017 12:51:01 -0800
From:   syzbot 
        <bot+cd76df3adeb2edd4836f7b3ef94d32d710c28421@...kaller.appspotmail.com>
To:     davem@...emloft.net, herbert@...dor.apana.org.au,
        linux-crypto@...r.kernel.org, linux-kernel@...r.kernel.org,
        syzkaller-bugs@...glegroups.com
Subject: BUG: unable to handle kernel paging request in socket_file_ops

Hello,

syzkaller hit the following crash on 6084b576dca2e898f5c101baef151f7bfdbb606d
git://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/master
compiler: gcc (GCC) 7.1.1 20170620
.config is attached
Raw console output is attached.
C reproducer is attached
syzkaller reproducer is attached. See https://goo.gl/kgGztJ
for information about syzkaller reproducers


alloc_fd: slot 80 not NULL!
BUG: unable to handle kernel paging request at ffffffffffffffff
alloc_fd: slot 81 not NULL!
alloc_fd: slot 82 not NULL!
alloc_fd: slot 83 not NULL!
alloc_fd: slot 84 not NULL!
alloc_fd: slot 86 not NULL!
alloc_fd: slot 87 not NULL!
IP: socket_file_ops+0x22/0x4d0
PGD 3021067 P4D 3021067 PUD 3023067 PMD 0
Oops: 0002 [#1] SMP
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3358 Comm: cryptomgr_test Not tainted 4.15.0-rc3-next-20171214+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:socket_file_ops+0x22/0x4d0
RSP: 0018:ffffc900017fbdf0 EFLAGS: 00010246
RAX: ffff880214e4ca00 RBX: ffff8802156c74a0 RCX: ffffffff81678ac3
RDX: 0000000000000000 RSI: ffff8802156c74a0 RDI: ffff8802156c74a0
RBP: ffffc900017fbe18 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc900017fbeb0 R14: ffffc900017fbeb0 R15: ffffc900017fbeb0
FS:  0000000000000000(0000) GS:ffff88021fd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffff CR3: 000000000301e002 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  crypto_free_instance+0x2a/0x50 crypto/algapi.c:77
  crypto_destroy_instance+0x1e/0x30 crypto/algapi.c:85
  crypto_alg_put crypto/internal.h:116 [inline]
  crypto_remove_final+0x73/0xa0 crypto/algapi.c:331
  crypto_alg_tested+0x194/0x260 crypto/algapi.c:320
  cryptomgr_test+0x17/0x30 crypto/algboss.c:226
  kthread+0x149/0x170 kernel/kthread.c:238
  ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:524
Code: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 51 40 81 ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 <09> 82 ff ff ff ff 00 26 0a 82 ff ff ff ff 00 00 00 00 00 00 00
RIP: socket_file_ops+0x22/0x4d0 RSP: ffffc900017fbdf0
CR2: ffffffffffffffff
---[ end trace 52c47d77c1a058d5 ]---
BUG: unable to handle kernel NULL pointer dereference at 0000000000000064
IP: __neigh_event_send+0xa8/0x400 net/core/neighbour.c:1006
PGD 0 P4D 0
Oops: 0000 [#2] SMP
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3122 Comm: sshd Tainted: G      D           4.15.0-rc3-next-20171214+ #67
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:__neigh_event_send+0xa8/0x400 net/core/neighbour.c:1006
RSP: 0018:ffffc90000efb8b8 EFLAGS: 00010293
RAX: ffff880214dba640 RBX: ffff8802156c4c00 RCX: ffffffff820e6fa4
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff8802156c4c28
RBP: ffffc90000efb8f8 R08: 0000000000000001 R09: ffffffff820e6f28
R10: ffffc90000efb828 R11: 0000000000000000 R12: ffff8802156c4c28
R13: ffff8802115896e0 R14: 0000000000000000 R15: ffffffff82e2eaf8
FS:  00007f838bacb7c0(0000) GS:ffff88021fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000064 CR3: 0000000213530006 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  neigh_event_send include/net/neighbour.h:435 [inline]
  neigh_resolve_output+0x24a/0x340 net/core/neighbour.c:1334
  neigh_output include/net/neighbour.h:482 [inline]
  ip_finish_output2+0x2cf/0x7b0 net/ipv4/ip_output.c:229
  ip_finish_output+0x2e6/0x490 net/ipv4/ip_output.c:317
  NF_HOOK_COND include/linux/netfilter.h:270 [inline]
  ip_output+0x73/0x2b0 net/ipv4/ip_output.c:405
  dst_output include/net/dst.h:443 [inline]
  ip_local_out+0x54/0xb0 net/ipv4/ip_output.c:124
  ip_queue_xmit+0x27d/0x740 net/ipv4/ip_output.c:504
  tcp_transmit_skb+0x66a/0xd70 net/ipv4/tcp_output.c:1176
  tcp_write_xmit+0x262/0x13a0 net/ipv4/tcp_output.c:2367
  __tcp_push_pending_frames+0x49/0xe0 net/ipv4/tcp_output.c:2540
  tcp_push+0x14e/0x190 net/ipv4/tcp.c:730
  tcp_sendmsg_locked+0x899/0x11a0 net/ipv4/tcp.c:1424
  tcp_sendmsg+0x2f/0x50 net/ipv4/tcp.c:1461
  inet_sendmsg+0x54/0x250 net/ipv4/af_inet.c:763
  sock_sendmsg_nosec net/socket.c:636 [inline]
  sock_sendmsg+0x51/0x70 net/socket.c:646
  sock_write_iter+0xa4/0x100 net/socket.c:915
  call_write_iter include/linux/fs.h:1776 [inline]
  new_sync_write fs/read_write.c:469 [inline]
  __vfs_write+0x15b/0x1e0 fs/read_write.c:482
  vfs_write+0xf0/0x230 fs/read_write.c:544
  SYSC_write fs/read_write.c:589 [inline]
  SyS_write+0x57/0xd0 fs/read_write.c:581
  entry_SYSCALL_64_fastpath+0x1f/0x96
RIP: 0033:0x7f8389e66370
RSP: 002b:00007ffe535b0318 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f8389e66370
RDX: 0000000000000038 RSI: 0000562088cb2460 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000001 R09: 0101010101010101
R10: 0000000000000008 R11: 0000000000000246 R12: 0000562088cbe590
R13: 0000562088167fb4 R14: 0000000000000028 R15: 0000562088169ca0
Code: ff 48 83 c4 18 44 89 e8 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 ab 33 1d ff 41 f6 c6 05 0f 85 68 01 00 00 e8 9c 33 1d ff 4c 8b 73 10 <41> 8b 46 64 41 03 46 5c 0f 84 a8 01 00 00 e8 85 33 1d ff 48 8b
RIP: __neigh_event_send+0xa8/0x400 net/core/neighbour.c:1006 RSP: ffffc90000efb8b8
CR2: 0000000000000064
---[ end trace 52c47d77c1a058d6 ]---


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.
Please credit me with: Reported-by: syzbot <syzkaller@...glegroups.com>

syzbot will keep track of this bug report.
Once a fix for this bug is merged into any tree, reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug report.
Note: all commands must start from beginning of the line in the email body.

View attachment "config.txt" of type "text/plain" (126475 bytes)

Download attachment "raw.log" of type "application/octet-stream" (10506 bytes)

View attachment "repro.txt" of type "text/plain" (522 bytes)

Download attachment "repro.c" of type "application/octet-stream" (1161 bytes)
