lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Tue, 25 Feb 2020 15:46:23 +0100
From:   Paolo Abeni <pabeni@...hat.com>
To:     Dmitry Vyukov <dvyukov@...gle.com>,
        Paul Moore <paul@...l-moore.com>
Cc:     syzbot <syzbot+f4dfece964792d80b139@...kaller.appspotmail.com>,
        cpaasch@...le.com, David Miller <davem@...emloft.net>,
        Davide Caratti <dcaratti@...hat.com>,
        Florian Westphal <fw@...len.de>, kuba@...nel.org,
        Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        LKML <linux-kernel@...r.kernel.org>,
        linux-security-module <linux-security-module@...r.kernel.org>,
        matthieu.baerts@...sares.net, netdev <netdev@...r.kernel.org>,
        peter.krystad@...ux.intel.com,
        syzkaller-bugs <syzkaller-bugs@...glegroups.com>,
        Hideaki YOSHIFUJI <yoshfuji@...ux-ipv6.org>
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in
 cipso_v4_sock_setattr

On Tue, 2020-02-25 at 15:27 +0100, Dmitry Vyukov wrote:
> On Tue, Feb 25, 2020 at 3:20 PM Paul Moore <paul@...l-moore.com> wrote:
> > On Tue, Feb 25, 2020 at 3:19 AM syzbot
> > <syzbot+f4dfece964792d80b139@...kaller.appspotmail.com> wrote:
> > > Hello,
> > > 
> > > syzbot found the following crash on:
> > > 
> > > HEAD commit:    ca7e1fd1 Merge tag 'linux-kselftest-5.6-rc3' of git://git...
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=179f0931e00000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=a61f2164c515c07f
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=f4dfece964792d80b139
> > > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14fdfdede00000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17667de9e00000
> > > 
> > > The bug was bisected to:
> > > 
> > > commit 2303f994b3e187091fd08148066688b08f837efc
> > > Author: Peter Krystad <peter.krystad@...ux.intel.com>
> > > Date:   Wed Jan 22 00:56:17 2020 +0000
> > > 
> > >     mptcp: Associate MPTCP context with TCP socket
> > > 
> > > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14fbec81e00000
> > > final crash:    https://syzkaller.appspot.com/x/report.txt?x=16fbec81e00000
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=12fbec81e00000
> > > 
> > > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > > Reported-by: syzbot+f4dfece964792d80b139@...kaller.appspotmail.com
> > > Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket")
> > > 
> > > BUG: kernel NULL pointer dereference, address: 0000000000000000
> > > #PF: supervisor instruction fetch in kernel mode
> > > #PF: error_code(0x0010) - not-present page
> > > PGD 8e171067 P4D 8e171067 PUD 93fa2067 PMD 0
> > > Oops: 0010 [#1] PREEMPT SMP KASAN
> > > CPU: 0 PID: 8984 Comm: syz-executor066 Not tainted 5.6.0-rc2-syzkaller #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > RIP: 0010:0x0
> > > Code: Bad RIP value.
> > > RSP: 0018:ffffc900020b7b80 EFLAGS: 00010246
> > > RAX: 1ffff110124ba600 RBX: 0000000000000000 RCX: ffff88809fefa600
> > > RDX: ffff8880994cdb18 RSI: 0000000000000000 RDI: ffff8880925d3140
> > > RBP: ffffc900020b7bd8 R08: ffffffff870225be R09: fffffbfff140652a
> > > R10: fffffbfff140652a R11: 0000000000000000 R12: ffff8880925d35d0
> > > R13: ffff8880925d3140 R14: dffffc0000000000 R15: 1ffff110124ba6ba
> > > FS:  0000000001a0b880(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
> > > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > > CR2: ffffffffffffffd6 CR3: 00000000a6d6f000 CR4: 00000000001406f0
> > > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > > Call Trace:
> > >  cipso_v4_sock_setattr+0x34b/0x470 net/ipv4/cipso_ipv4.c:1888
> > >  netlbl_sock_setattr+0x2a7/0x310 net/netlabel/netlabel_kapi.c:989
> > >  smack_netlabel security/smack/smack_lsm.c:2425 [inline]
> > >  smack_inode_setsecurity+0x3da/0x4a0 security/smack/smack_lsm.c:2716
> > >  security_inode_setsecurity+0xb2/0x140 security/security.c:1364
> > >  __vfs_setxattr_noperm+0x16f/0x3e0 fs/xattr.c:197
> > >  vfs_setxattr fs/xattr.c:224 [inline]
> > >  setxattr+0x335/0x430 fs/xattr.c:451
> > >  __do_sys_fsetxattr fs/xattr.c:506 [inline]
> > >  __se_sys_fsetxattr+0x130/0x1b0 fs/xattr.c:495
> > >  __x64_sys_fsetxattr+0xbf/0xd0 fs/xattr.c:495
> > >  do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> > >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
> > 
> > Netdev folks, I'm not very familiar with the multipath TCP code so I
> > was wondering if you might help me out a bit with this report.  Based
> > on the stack trace above it looks like for a given AF_INET sock "sk",
> > inet_sk(sk)->is_icsk is true but inet_csk(sk) is NULL; should this be
> > possible under normal conditions or is there an issue somewhere?
> 
> Paolo has submitted some patch for testing for this bug, not sure if
> you have seen it, just in case:
> https://groups.google.com/forum/#!msg/syzkaller-bugs/dqwnTBh-MQw/LhgSZYGsBgAJ

I sent the patch to the syzbot ML only, for testing before posting on
netdev, so Paul likely have not seen it yet, sorry.

@Dmitry: I did not get any reply yet from syzbot, are there any
problems or is this the usual time-frame?

Thank you!

Paolo

Powered by blists - more mailing lists