lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <4929185C-F2F9-41E5-95A1-9225AF36A6A2@gmail.com>
Date:   Sun, 25 Jul 2021 09:53:19 +0200
From:   Adrien G <adrien.ml.list@...il.com>
To:     linux-kernel@...r.kernel.org
Subject: Kernel NULL pointer dereference (UAF) with kblockd
 blk_mq_timeout_work

Hi,

I upgraded from 5.11.17 to 5.13.2 kernel few days ago.
Today I got this bug:

```
BUG: kernel NULL pointer dereference, address: 00000000000000d8
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 21 PID: 6427 Comm: kworker/21:1H Not tainted 5.13.2-stackhero #1
Hardware name: Dell Inc. PowerEdge R720/0020HJ, BIOS 2.9.0 12/06/2019
Workqueue: kblockd blk_mq_timeout_work
RIP: 0010:blk_mq_put_rq_ref+0xd/0x4b
Code: 44 24 07 48 8b 4c 24 08 65 48 2b 0c 25 28 00 00 00 74 05 e8 79 65 9e 00 48 83 c4 10 c3 0f 1f 44 00 00 55 48 8b 47 10 48 89 fd <48> 8b 80 d8 00 00 00 48 3b 78 40 75 0f 48 8b 87 00 01 00 00 31 f6
RSP: 0018:ffffb1dd98b07d80 EFLAGS: 00010206
RAX: 0000000000000000 RBX: ffffb1dd98b07e10 RCX: ffff89a55330adc0
RDX: 0000000000000001 RSI: 0000000000000202 RDI: ffff89bcc1432400
RBP: ffff89bcc1432400 R08: 0000000000000000 R09: 0000000000000000
R10: 000000000000000b R11: fefefefefefefeff R12: 00000000000003e4
R13: ffff89bcc1bbd000 R14: ffffb1dd98b07e00 R15: ffff89a54dea0118
FS:  0000000000000000(0000) GS:ffff89d45fa80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000d8 CR3: 000000270be0c002 CR4: 00000000001726e0
Call Trace:
 bt_iter+0x6a/0x76
 __sbitmap_for_each_set.constprop.0+0xa4/0xe2
 ? bt_tags_iter+0x8a/0x8a
```

Following this bug, the server disk activity stopped and I had to hard reboot the server.

I have found this patch, not published yet, that could be related but not sure at all:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b407bf68af325786b5f572a5e38d51206914f91b

I have filled an issue here: https://bugzilla.kernel.org/show_bug.cgi?id=213841

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ