[<prev] [next>] [day] [month] [year] [list]
Message-ID: <dcad6ff7-b777-4fb7-81d6-9e9e7fc88cbf.bugreport@ubisectech.com>
Date: Mon, 01 Apr 2024 14:40:20 +0800
From: "Ubisectech Sirius" <bugreport@...sectech.com>
To: "linux-trace-kernel" <linux-trace-kernel@...r.kernel.org>,
"linux-kernel" <linux-kernel@...r.kernel.org>
Cc: "steffen.klassert" <steffen.klassert@...unet.com>,
"davem" <davem@...emloft.net>,
"herbert" <herbert@...dor.apana.org.au>
Subject: general protection fault in __fib6_update_sernum_upto_root
Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue.
Stack dump:
general protection fault, probably for non-canonical address 0xff1f1b1f1f1f1f24: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xf8f8f8f8f8f8f920-0xf8f8f8f8f8f8f927]
CPU: 1 PID: 9367 Comm: kworker/1:5 Not tainted 6.7.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:__fib6_update_sernum_upto_root+0xa7/0x270 net/ipv6/ip6_fib.c:1358
Code: c1 e8 03 42 80 3c 20 00 0f 85 9b 01 00 00 48 8b 1b 48 85 db 0f 84 d9 00 00 00 e8 74 70 39 f8 48 8d 7b 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc9000631f7c8 EFLAGS: 00010a07
RAX: 1f1f1f1f1f1f1f24 RBX: f8f8f8f8f8f8f8f8 RCX: ffffffff89508644
RDX: ffff888051d78000 RSI: ffffffff895085dc RDI: f8f8f8f8f8f8f924
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000186 R14: ffff888052396c00 R15: ffffed100a472d80
FS: 0000000000000000(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f42c8487d00 CR3: 000000004b42c000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
__list_add include/linux/list.h:153 [inline]
list_add include/linux/list.h:169 [inline]
fib6_add+0x16c4/0x4410 net/ipv6/ip6_fib.c:1490
__ip6_ins_rt net/ipv6/route.c:1313 [inline]
ip6_ins_rt+0xb6/0x110 net/ipv6/route.c:1323
__ipv6_ifa_notify+0xab3/0xd30 net/ipv6/addrconf.c:6266
ipv6_ifa_notify net/ipv6/addrconf.c:6303 [inline]
addrconf_dad_completed+0x15f/0xef0 net/ipv6/addrconf.c:4317
addrconf_dad_work+0x785/0x14e0 net/ipv6/addrconf.c:4260
process_one_work+0x87b/0x15c0 kernel/workqueue.c:3226
worker_thread+0x855/0x1200 kernel/workqueue.c:3380
kthread+0x2cc/0x3b0 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:256
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__fib6_update_sernum_upto_root+0xa7/0x270 net/ipv6/ip6_fib.c:1358
Code: c1 e8 03 42 80 3c 20 00 0f 85 9b 01 00 00 48 8b 1b 48 85 db 0f 84 d9 00 00 00 e8 74 70 39 f8 48 8d 7b 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RSP: 0018:ffffc9000631f7c8 EFLAGS: 00010a07
RAX: 1f1f1f1f1f1f1f24 RBX: f8f8f8f8f8f8f8f8 RCX: ffffffff89508644
RDX: ffff888051d78000 RSI: ffffffff895085dc RDI: f8f8f8f8f8f8f924
RBP: 0000000000000001 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: dffffc0000000000
R13: 0000000000000186 R14: ffff888052396c00 R15: ffffed100a472d80
FS: 0000000000000000(0000) GS:ffff88807ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f42c8487d00 CR3: 000000004b42c000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: c1 e8 03 shr $0x3,%eax
3: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1)
8: 0f 85 9b 01 00 00 jne 0x1a9
e: 48 8b 1b mov (%rbx),%rbx
11: 48 85 db test %rbx,%rbx
14: 0f 84 d9 00 00 00 je 0xf3
1a: e8 74 70 39 f8 call 0xf8397093
1f: 48 8d 7b 2c lea 0x2c(%rbx),%rdi
23: 48 89 f8 mov %rdi,%rax
26: 48 c1 e8 03 shr $0x3,%rax
* 2a: 42 0f b6 14 20 movzbl (%rax,%r12,1),%edx <-- trapping instruction
2f: 48 89 f8 mov %rdi,%rax
32: 83 e0 07 and $0x7,%eax
35: 83 c0 03 add $0x3,%eax
38: 38 d0 cmp %dl,%al
3a: 7c 08 jl 0x44
3c: 84 d2 test %dl,%dl
3e: 0f .byte 0xf
3f: 85 .byte 0x85
Thank you for taking the time to read this email and we look forward to working with you further.
Download attachment "poc.c" of type "application/octet-stream" (88282 bytes)
Powered by blists - more mailing lists