lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date:   Wed, 8 Aug 2018 17:56:41 +0200
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     randy.dunlap@...il.com
Cc:     syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Eric Van Hensbergen <ericvh@...il.com>,
        Ron Minnich <rminnich@...dia.gov>,
        Latchesar Ionkov <lucho@...kov.net>,
        v9fs-developer@...ts.sourceforge.net,
        LKML <linux-kernel@...r.kernel.org>,
        tomas <tomasbortoli@...il.com>,
        Dominique Martinet <asmadeus@...ewreck.org>
Subject: Re: general protection fault in in_aton

On Wed, Aug 8, 2018 at 12:43 AM,  <randy.dunlap@...il.com> wrote:
>
>
> On Wednesday, July 11, 2018 at 9:48:02 AM UTC-7, Dmitry Vyukov wrote:
>>
>> On Tue, Jul 10, 2018 at 10:15 PM, Linus Torvalds
>> <torv...@...ux-foundation.org> wrote:
>> > On Tue, Jul 10, 2018 at 12:57 PM Dmitry Vyukov <dvy...@...gle.com>
>> > wrote:
>> >>
>> >> Is it really hard to get fault address? I know that userspace
>> >> generally receives fault address in siginfo.
>> >
>> > For an actual page fault it's trivial.
>> >
>> > However, for invalid addresses (aka "non-canonical"), you don't even
>> > get a page fault, you get a GP like in this case. And then the actual
>> > address is not available.
>>
>>
>> I see. Then I don't have any great ideas. Running without KASAN would
>> result in more, much more cryptic crashes.
>>
>> FWIW for these "GPF could be caused by NULL-ptr deref" I first just
>> assume that it's in fact a NULL deref. And in this case it all pretty
>> quickly forms a consistent picture that it's indeed just a missing a
>> NULL pointer check. That dffffc0000000000 in a register also a good
>> hint.
>
>
> The second mount syscall in loop() has a pointer parameter of 0 (null):
>       syscall(__NR_mount, 0, 0x200000c0, 0x20000340, 0, 0x20000180);
> and that NULL is passed from do_mount() to do_new_mount() to
> vfs_kern_mount()
> on to mount_fs() to v9fs_mount() to v9fs_session_init() to
> p9_client_create() to
> rdma_create_trans() and then to in_aton().  Are all of those valid up until
> the
> call to in_aton()?

Hi Randy,

+kernel mailing lists again

Please keep kernel lists and developers and CC, there are no kernel
developers on syzkaller-bugs@ list.

This is almost the same as "general protection fault in
p9_fd_create_unix" just for rdma:
https://syzkaller.appspot.com/bug?extid=1a262da37d3bead15c39
Yes, this function needs to check for NULL.

Tomas, I think it makes sense to include rdma into your "9p: fix NULL
pointer dereferences" patch.

Powered by blists - more mailing lists