lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 11 Jun 2019 14:39:01 +0200
From:   Arnd Bergmann <arnd@...db.de>
To:     syzbot <syzbot+777a2aab6ffd397407b5@...kaller.appspotmail.com>
Cc:     allison@...utok.net, Andrew Hendry <andrew.hendry@...il.com>,
        David Miller <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        linux-x25@...r.kernel.org, ms@....tdt.de,
        Networking <netdev@...r.kernel.org>,
        Neil Horman <nhorman@...driver.com>,
        syzkaller-bugs@...glegroups.com,
        Thomas Gleixner <tglx@...utronix.de>
Subject: Re: KASAN: null-ptr-deref Read in x25_connect

On Tue, Jun 11, 2019 at 9:18 AM syzbot
<syzbot+777a2aab6ffd397407b5@...kaller.appspotmail.com> wrote:
>
> Hello,
>
> syzbot found the following crash on:
>
> HEAD commit:    f4cfcfbd net: dsa: sja1105: Fix link speed not working at ..
> git tree:       net
> console output: https://syzkaller.appspot.com/x/log.txt?x=16815cd2a00000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4f721a391cd46ea
> dashboard link: https://syzkaller.appspot.com/bug?extid=777a2aab6ffd397407b5
> compiler:       gcc (GCC) 9.0.0 20181231 (experimental)
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: syzbot+777a2aab6ffd397407b5@...kaller.appspotmail.com

Not sure why I was on Cc on this (I know nothing about x25), but I had
a brief look and found that this is in the error path of x25_connect,
after "goto out_put_neigh", with x25->neighbour==NULL.

This would indicate that either 'x25' is being freed between the
"if (!x25->neighbour)" check in that function and the
x25_neigh_put(x25->neighbour), or that there are two concurrent
calls to x25_connect, with both failing, so one sets
x25->neighbour=NULL before the other one checks it.

    Arnd

> ==================================================================
> BUG: KASAN: null-ptr-deref in atomic_read
> include/asm-generic/atomic-instrumented.h:26 [inline]
> BUG: KASAN: null-ptr-deref in refcount_sub_and_test_checked+0x87/0x200
> lib/refcount.c:182
> Read of size 4 at addr 00000000000000c8 by task syz-executor.2/16959
>
> CPU: 0 PID: 16959 Comm: syz-executor.2 Not tainted 5.2.0-rc2+ #40
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> Call Trace:
>   __dump_stack lib/dump_stack.c:77 [inline]
>   dump_stack+0x172/0x1f0 lib/dump_stack.c:113
>   __kasan_report.cold+0x5/0x40 mm/kasan/report.c:321
>   kasan_report+0x12/0x20 mm/kasan/common.c:614
>   check_memory_region_inline mm/kasan/generic.c:185 [inline]
>   check_memory_region+0x123/0x190 mm/kasan/generic.c:191
>   kasan_check_read+0x11/0x20 mm/kasan/common.c:94
>   atomic_read include/asm-generic/atomic-instrumented.h:26 [inline]
>   refcount_sub_and_test_checked+0x87/0x200 lib/refcount.c:182
>   refcount_dec_and_test_checked+0x1b/0x20 lib/refcount.c:220
>   x25_neigh_put include/net/x25.h:252 [inline]
>   x25_connect+0x8d8/0xea0 net/x25/af_x25.c:820
>   __sys_connect+0x264/0x330 net/socket.c:1840
>   __do_sys_connect net/socket.c:1851 [inline]
>   __se_sys_connect net/socket.c:1848 [inline]
>   __x64_sys_connect+0x73/0xb0 net/socket.c:1848
>   do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
>   entry_SYSCALL_64_after_hwframe+0x49/0xbe
> RIP: 0033:0x459279
> Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
> 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
> ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
> RSP: 002b:00007f09776b4c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a
> RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000459279
> RDX: 0000000000000012 RSI: 0000000020000280 RDI: 0000000000000004
> RBP: 000000000075bfc0 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 00007f09776b56d4
> R13: 00000000004bf854 R14: 00000000004d0e08 R15: 00000000ffffffff
> ==================================================================
>
>
> ---
> This bug is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@...glegroups.com.
>
> syzbot will keep track of this bug report. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ