Open Source and information security mailing list archives
Message-ID: <47e92c2b-c9c5-4c74-70c4-103e70e91630@cumulusnetworks.com>
Date:   Fri, 21 Aug 2020 19:00:18 +0300
From:   Nikolay Aleksandrov <nikolay@...ulusnetworks.com>
To:     syzbot <syzbot+a61aa19b0c14c8770bd9@...kaller.appspotmail.com>,
        davem@...emloft.net, dsahern@...il.com, kuba@...nel.org,
        kuznet@....inr.ac.ru, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        yoshfuji@...ux-ipv6.org
Subject: Re: general protection fault in fib_dump_info (2)

On 8/21/20 6:27 PM, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    da2968ff Merge tag 'pci-v5.9-fixes-1' of git://git.kernel...
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=137316ca900000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a0437fdd630bee11
> dashboard link: https://syzkaller.appspot.com/bug?extid=a61aa19b0c14c8770bd9
> compiler:       gcc (GCC) 10.1.0-syz 20200507
> userspace arch: i386
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12707051900000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1150a046900000
> 
> The issue was bisected to:
> 
> commit 0b5e2e39739e861fa5fc84ab27a35dbe62a15330
> Author: David Ahern <dsahern@...il.com>
> Date:   Tue May 26 18:56:16 2020 +0000
> 
>      nexthop: Expand nexthop_is_multipath in a few places
> 

This seems like a much older bug to me, the code allows passing 0 groups and
thus we end up without any nh_grp_entry pointers. I reproduced it with a
modified iproute2 that sends an empty NHA_GROUP and then just uses the new
nexthop in any way (e.g. add a route with it). This is the same bug as the
earlier report for: "general protection fault in fib_check_nexthop".

I have a patch but I'll be able to send it tomorrow.

Cheers,
  Nik
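As an added illustration (not code from this thread or from the kernel), here is a user-space C model of the check the message describes as missing: an NHA_GROUP payload of length zero produces a group with no entries, which a later consumer that takes the first entry cannot handle. The struct names, sizes and the `run_model` driver are constructed stand-ins, not kernel definitions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for one element of an NHA_GROUP payload (the real
 * attribute carries an array of fixed-size group entries). */
struct grp_entry { uint32_t id; uint8_t weight; uint8_t resvd1; uint16_t resvd2; };

#define MAX_GRP 8
struct nh_group { unsigned int num_nh; struct grp_entry entries[MAX_GRP]; };

/* Parse an attribute payload into a group. Returns 0 on success, -1 if the
 * attribute is malformed. 'hardened' enables the rejection of an empty
 * payload, the case the reported bug lets through. */
int parse_nh_group(const void *payload, size_t len, int hardened, struct nh_group *out)
{
    size_t n;
    if (len % sizeof(struct grp_entry) != 0)
        return -1;                  /* not a whole number of entries */
    n = len / sizeof(struct grp_entry);
    if (n > MAX_GRP)
        return -1;
    if (hardened && n == 0)
        return -1;                  /* empty group: nothing to select later */
    out->num_nh = (unsigned int)n;
    memcpy(out->entries, payload, len);
    return 0;
}

/* A later consumer that assumes the group has at least one entry. With an
 * empty group the kernel has no entry pointers to read at all, hence the
 * general protection fault; this model guards the case and returns 0. */
uint32_t select_first_id(const struct nh_group *g)
{
    return g->num_nh ? g->entries[0].id : 0;
}

/* Drive the model with a constructed payload of n entries (ids 100, 101, ...).
 * Returns the selected id, or -1 if parsing rejected the attribute. */
long run_model(size_t n, int hardened)
{
    struct grp_entry buf[MAX_GRP] = {0};
    struct nh_group g;
    for (size_t i = 0; i < n && i < MAX_GRP; i++) { buf[i].id = 100 + (uint32_t)i; buf[i].weight = 1; }
    if (parse_nh_group(buf, n * sizeof(buf[0]), hardened, &g) != 0)
        return -1;
    return (long)select_first_id(&g);
}

int main(void)
{
    printf("unhardened, empty group: %ld\n", run_model(0, 0)); /* accepted, no entries */
    printf("hardened, empty group:   %ld\n", run_model(0, 1)); /* rejected */
    printf("hardened, one entry:     %ld\n", run_model(1, 1)); /* id 100 */
    return 0;
}
```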
