lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACkBjsbS6DQCgSz4c6gYS1CqgmF7=OCwm9=4vRxLHc3_uRbBRA@mail.gmail.com>
Date:   Thu, 18 Nov 2021 11:14:56 +0800
From:   Hao Sun <sunhao.th@...il.com>
To:     davem@...emloft.net, kuba@...nel.org, netdev@...r.kernel.org,
        jiapeng.chong@...ux.alibaba.com, l4stpr0gr4m@...il.com,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>
Subject: general protection fault in mpls_dev_sysctl_unregister

Hello,

When using Healer to fuzz the latest Linux kernel, the following crash
was triggered.

HEAD commit: 8ab774587903 Merge tag 'trace-v5.16-5'
git tree: upstream
console output: https://paste.ubuntu.com/p/47pQmsD3xY/plain/
kernel config: https://paste.ubuntu.com/p/cFf8tS9V8w/plain/
C reproducer: https://paste.ubuntu.com/p/Pkh4d4d9T4/plain/
Syzlang reproducer: https://paste.ubuntu.com/p/hBQDn8Kth7/plain/

If you fix this issue, please add the following tag to the commit:
Reported-by: Hao Sun <sunhao.th@...il.com>

FAULT_INJECTION: forcing a failure.
name failslab, interval 1, probability 0, space 0, times 0
CPU: 2 PID: 1118 Comm: syz-executor Not tainted 5.16.0-rc1+ #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
 fail_dump lib/fault-inject.c:52 [inline]
 should_fail.cold+0x5/0xa lib/fault-inject.c:146
 should_failslab+0x5/0x10 mm/slab_common.c:1320
 slab_pre_alloc_hook mm/slab.h:494 [inline]
 slab_alloc_node mm/slub.c:3148 [inline]
 slab_alloc mm/slub.c:3242 [inline]
 __kmalloc+0x7e/0x3d0 mm/slub.c:4419
 kmalloc include/linux/slab.h:595 [inline]
 kzalloc include/linux/slab.h:724 [inline]
 __register_sysctl_table+0xc3/0x1000 fs/proc/proc_sysctl.c:1318
 mpls_dev_sysctl_register+0x1b7/0x2d0 net/mpls/af_mpls.c:1421
 mpls_dev_notify+0x37c/0x730 net/mpls/af_mpls.c:1632
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info net/core/dev.c:2002 [inline]
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1987
 call_netdevice_notifiers_extack net/core/dev.c:2014 [inline]
 call_netdevice_notifiers net/core/dev.c:2028 [inline]
 dev_change_name+0x439/0x690 net/core/dev.c:1285
 do_setlink+0x2d8c/0x39d0 net/core/rtnetlink.c:2699
 __rtnl_newlink+0xb07/0x1600 net/core/rtnetlink.c:3391
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3506
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2491
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x533/0x740 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x86d/0xda0 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
 ___sys_sendmsg+0x100/0x170 net/socket.c:2463
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fcfbc2f9c4d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcfb9861c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fcfbc4200a0 RCX: 00007fcfbc2f9c4d
RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 000000000000000b
RBP: 00007fcfb9861c90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000002f
R13: 00007ffd59fb09df R14: 00007ffd59fb0b80 R15: 00007fcfb9861dc0
 </TASK>
general protection fault, probably for non-canonical address
0xdffffc0000000004: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000020-0x0000000000000027]
CPU: 2 PID: 1118 Comm: syz-executor Not tainted 5.16.0-rc1+ #7
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:mpls_dev_sysctl_unregister+0x6e/0xc0 net/mpls/af_mpls.c:1440
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5c 48 b8 00 00 00
00 00 fc ff df 49 8b 6c 24 18 48 8d 7d 20 48 89 fa 48 c1 ea 03 <80> 3c
02 00 75 35 4c 8b 75 20 48 89 ef e8 e0 1f df ff 4c 89 f7 e8
RSP: 0018:ffffc9000798ecd0 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88810b7be000 RCX: 0000000000040000
RDX: 0000000000000004 RSI: ffff88802b3b9cc0 RDI: 0000000000000020
RBP: 0000000000000000 R08: ffffffff88fd2d73 R09: 0000000000000000
R10: 0000000000000001 R11: fffffbfff1b210c2 R12: ffff8880220cf480
R13: ffff888107523480 R14: ffff8880220cf480 R15: ffffffff8d76fb20
FS:  00007fcfb9862700(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9511730358 CR3: 0000000104e4e000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 mpls_dev_notify+0x371/0x730 net/mpls/af_mpls.c:1631
 notifier_call_chain+0xb5/0x200 kernel/notifier.c:83
 call_netdevice_notifiers_info net/core/dev.c:2002 [inline]
 call_netdevice_notifiers_info+0xb5/0x130 net/core/dev.c:1987
 call_netdevice_notifiers_extack net/core/dev.c:2014 [inline]
 call_netdevice_notifiers net/core/dev.c:2028 [inline]
 dev_change_name+0x439/0x690 net/core/dev.c:1285
 do_setlink+0x2d8c/0x39d0 net/core/rtnetlink.c:2699
 __rtnl_newlink+0xb07/0x1600 net/core/rtnetlink.c:3391
 rtnl_newlink+0x64/0xa0 net/core/rtnetlink.c:3506
 rtnetlink_rcv_msg+0x413/0xb80 net/core/rtnetlink.c:5571
 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2491
 netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]
 netlink_unicast+0x533/0x740 net/netlink/af_netlink.c:1345
 netlink_sendmsg+0x86d/0xda0 net/netlink/af_netlink.c:1916
 sock_sendmsg_nosec net/socket.c:704 [inline]
 sock_sendmsg+0xcf/0x120 net/socket.c:724
 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2409
 ___sys_sendmsg+0x100/0x170 net/socket.c:2463
 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2492
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fcfbc2f9c4d
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fcfb9861c58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007fcfbc4200a0 RCX: 00007fcfbc2f9c4d
RDX: 0000000000000000 RSI: 00000000200005c0 RDI: 000000000000000b
RBP: 00007fcfb9861c90 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 000000000000002f
R13: 00007ffd59fb09df R14: 00007ffd59fb0b80 R15: 00007fcfb9861dc0
 </TASK>
Modules linked in:
Dumping ftrace buffer:
   (ftrace buffer empty)
---[ end trace 7b6ee0d94ba006f4 ]---
RIP: 0010:mpls_dev_sysctl_unregister+0x6e/0xc0 net/mpls/af_mpls.c:1440
Code: fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 75 5c 48 b8 00 00 00
00 00 fc ff df 49 8b 6c 24 18 48 8d 7d 20 48 89 fa 48 c1 ea 03 <80> 3c
02 00 75 35 4c 8b 75 20 48 89 ef e8 e0 1f df ff 4c 89 f7 e8
RSP: 0018:ffffc9000798ecd0 EFLAGS: 00010212
RAX: dffffc0000000000 RBX: ffff88810b7be000 RCX: 0000000000040000
RDX: 0000000000000004 RSI: ffff88802b3b9cc0 RDI: 0000000000000020
RBP: 0000000000000000 R08: ffffffff88fd2d73 R09: 0000000000000000
R10: 0000000000000001 R11: fffffbfff1b210c2 R12: ffff8880220cf480
R13: ffff888107523480 R14: ffff8880220cf480 R15: ffffffff8d76fb20
FS:  00007fcfb9862700(0000) GS:ffff888063f00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9511730358 CR3: 0000000104e4e000 CR4: 0000000000350ee0
----------------
Code disassembly (best guess), 2 bytes skipped:
   0:    df 48 89                 fisttps -0x77(%rax)
   3:    fa                       cli
   4:    48 c1 ea 03              shr    $0x3,%rdx
   8:    80 3c 02 00              cmpb   $0x0,(%rdx,%rax,1)
   c:    75 5c                    jne    0x6a
   e:    48 b8 00 00 00 00 00     movabs $0xdffffc0000000000,%rax
  15:    fc ff df
  18:    49 8b 6c 24 18           mov    0x18(%r12),%rbp
  1d:    48 8d 7d 20              lea    0x20(%rbp),%rdi
  21:    48 89 fa                 mov    %rdi,%rdx
  24:    48 c1 ea 03              shr    $0x3,%rdx
* 28:    80 3c 02 00              cmpb   $0x0,(%rdx,%rax,1) <--
trapping instruction
  2c:    75 35                    jne    0x63
  2e:    4c 8b 75 20              mov    0x20(%rbp),%r14
  32:    48 89 ef                 mov    %rbp,%rdi
  35:    e8 e0 1f df ff           callq  0xffdf201a
  3a:    4c 89 f7                 mov    %r14,%rdi
  3d:    e8                       .byte 0xe8

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ