lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 7 May 2024 14:49:51 +0800
From: Sam Sun <samsun1006219@...il.com>
To: linux-kernel@...r.kernel.org, linux-wireless@...r.kernel.org
Cc: kvalo@...nel.org, johannes@...solutions.net, 
	syzkaller-bugs@...glegroups.com, xrivendell7@...il.com
Subject: [Linux kernel bug] general protection fault in mac80211_hwsim_tx_frame_no_nl

Dear developers and maintainers,

We encountered a general protection fault in function
mac80211_hwsim_tx_frame_no_nl. It was tested against the latest
upstream linux (tag 6.9-rc7). C repro and kernel config are attached
to this email. Kernel crash log is listed below.
```
general protection fault, probably for non-canonical address
0xee0bea6cc00087aa: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0x705f736600043d50-0x705f736600043d57]
CPU: 0 PID: 3 Comm: pool_workqueue_ Not tainted 6.9.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:mac80211_hwsim_tx_frame_no_nl+0x99e/0x15b0
drivers/net/wireless/virtual/mac80211_hwsim.c:1816
Code: b6 04 30 84 c0 0f 85 0d 06 00 00 c6 84 24 18 01 00 00 00 4d 39
ef 0f 84 84 00 00 00 49 8d 9d 08 3d 00 00 48 89 d8 48 c1 e8 03 <42> 0f
b6 04 30 84 c0 0f 85 00 06 00 00 0f b6 1b 31 ff 89 de e8 c9
RSP: 0018:ffffc90000006bc0 EFLAGS: 00010206
RAX: 0e0bee6cc00087aa RBX: 705f736600043d50 RCX: ffff8880152e4a00
RDX: 0000000000000303 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000006d60 R08: ffffffff86b8f262 R09: ffffffff86b8f179
R10: 0000000000000002 R11: ffff8880152e4a00 R12: ffff88807a2c32f8
R13: 705f736600040048 R14: dffffc0000000000 R15: ffff88807a2c3060
FS:  0000000000000000(0000) GS:ffff888044000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff3bddbff8 CR3: 000000002c79a000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <IRQ>
 mac80211_hwsim_tx+0x1891/0x2400
drivers/net/wireless/virtual/mac80211_hwsim.c:2072
 drv_tx net/mac80211/driver-ops.h:37 [inline]
 wake_tx_push_queue net/mac80211/util.c:298 [inline]
 ieee80211_handle_wake_tx_queue+0x1ac/0x2d0 net/mac80211/util.c:315
 drv_wake_tx_queue net/mac80211/driver-ops.h:1350 [inline]
 schedule_and_wake_txq net/mac80211/driver-ops.h:1357 [inline]
 ieee80211_queue_skb+0x1ae9/0x2390 net/mac80211/tx.c:1664
 ieee80211_tx+0x2ae/0x450 net/mac80211/tx.c:1966
 __ieee80211_subif_start_xmit+0xd8a/0x1550 net/mac80211/tx.c:4338
 ieee80211_subif_start_xmit+0xdd/0x4f0 net/mac80211/tx.c:4532
 __netdev_start_xmit include/linux/netdevice.h:4903 [inline]
 netdev_start_xmit include/linux/netdevice.h:4917 [inline]
 xmit_one net/core/dev.c:3531 [inline]
 dev_hard_start_xmit+0x1db/0x410 net/core/dev.c:3547
 __dev_queue_xmit+0x1ae1/0x3a60 net/core/dev.c:4341
 dev_queue_xmit include/linux/netdevice.h:3091 [inline]
 neigh_hh_output include/net/neighbour.h:526 [inline]
 neigh_output include/net/neighbour.h:540 [inline]
 ip6_finish_output2+0xf95/0x1600 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x3c8/0x7f0 net/ipv6/ip6_output.c:222
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xa39/0xf40 net/ipv6/ndisc.c:509
 addrconf_rs_timer+0x38f/0x630 net/ipv6/addrconf.c:4038
 call_timer_fn+0x101/0x250 kernel/time/timer.c:1793
 expire_timers kernel/time/timer.c:1844 [inline]
 __run_timers kernel/time/timer.c:2418 [inline]
 __run_timer_base+0x726/0x990 kernel/time/timer.c:2429
 run_timer_base kernel/time/timer.c:2438 [inline]
 run_timer_softirq+0xb7/0x170 kernel/time/timer.c:2448
 __do_softirq+0x272/0x734 kernel/softirq.c:554
 invoke_softirq kernel/softirq.c:428 [inline]
 __irq_exit_rcu+0xd5/0x190 kernel/softirq.c:633
 irq_exit_rcu+0x9/0x20 kernel/softirq.c:645
 instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1043 [inline]
 sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1043
 </IRQ>
 <TASK>
 asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
RIP: 0010:synchronize_rcu+0x0/0x3a0 kernel/rcu/tree.c:3601
Code: e9 85 fe ff ff 44 89 f1 80 e1 07 80 c1 03 38 c1 0f 8c 9b fe ff
ff 4c 89 f7 e8 2c 29 79 00 e9 8e fe ff ff 0f 1f 80 00 00 00 00 <f3> 0f
1e fa 55 48 89 e5 41 57 41 56 41 55 41 54 53 48 83 e4 e0 48
RSP: 0018:ffffc9000005fcd8 EFLAGS: 00000206
RAX: 1ffff9200000bfa4 RBX: 1ffff9200000bfa0 RCX: dffffc0000000000
RDX: 0000000000000001 RSI: ffffffff8b6c93e0 RDI: ffffffff8bcdd0a0
RBP: ffffc9000005fdb8 R08: ffffffff92b85bff R09: 1ffffffff2570b7f
R10: dffffc0000000000 R11: fffffbfff2570b80 R12: ffff88806e41b938
R13: 0000000000000a06 R14: ffffc9000005fd20 R15: ffffffff92b84b88
 lockdep_unregister_key+0x494/0x510 kernel/locking/lockdep.c:6475
 wq_unregister_lockdep kernel/workqueue.c:4655 [inline]
 pwq_release_workfn+0x70a/0x860 kernel/workqueue.c:4958
 kthread_worker_fn+0x3fb/0x640 kernel/kthread.c:841
 kthread+0x2ed/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:mac80211_hwsim_tx_frame_no_nl+0x99e/0x15b0
drivers/net/wireless/virtual/mac80211_hwsim.c:1816
Code: b6 04 30 84 c0 0f 85 0d 06 00 00 c6 84 24 18 01 00 00 00 4d 39
ef 0f 84 84 00 00 00 49 8d 9d 08 3d 00 00 48 89 d8 48 c1 e8 03 <42> 0f
b6 04 30 84 c0 0f 85 00 06 00 00 0f b6 1b 31 ff 89 de e8 c9
RSP: 0018:ffffc90000006bc0 EFLAGS: 00010206

RAX: 0e0bee6cc00087aa RBX: 705f736600043d50 RCX: ffff8880152e4a00
RDX: 0000000000000303 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90000006d60 R08: ffffffff86b8f262 R09: ffffffff86b8f179
R10: 0000000000000002 R11: ffff8880152e4a00 R12: ffff88807a2c32f8
R13: 705f736600040048 R14: dffffc0000000000 R15: ffff88807a2c3060
FS:  0000000000000000(0000) GS:ffff888044000000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fff3bddbff8 CR3: 000000002c79a000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:    b6 04                    mov    $0x4,%dh
   2:    30 84 c0 0f 85 0d 06     xor    %al,0x60d850f(%rax,%rax,8)
   9:    00 00                    add    %al,(%rax)
   b:    c6 84 24 18 01 00 00     movb   $0x0,0x118(%rsp)
  12:    00
  13:    4d 39 ef                 cmp    %r13,%r15
  16:    0f 84 84 00 00 00        je     0xa0
  1c:    49 8d 9d 08 3d 00 00     lea    0x3d08(%r13),%rbx
  23:    48 89 d8                 mov    %rbx,%rax
  26:    48 c1 e8 03              shr    $0x3,%rax
* 2a:    42 0f b6 04 30           movzbl (%rax,%r14,1),%eax <--
trapping instruction
  2f:    84 c0                    test   %al,%al
  31:    0f 85 00 06 00 00        jne    0x637
  37:    0f b6 1b                 movzbl (%rbx),%ebx
  3a:    31 ff                    xor    %edi,%edi
  3c:    89 de                    mov    %ebx,%esi
  3e:    e8                       .byte 0xe8
  3f:    c9                       leaveq
```
If you have any questions, please contact us.

Reported by Yue Sun <samsun1006219@...il.com>
Reported by xingwei lee <xrivendell7@...il.com>

Best Regards,
Yue

Download attachment "config" of type "application/octet-stream" (247919 bytes)

View attachment "mac80211_hwsim_tx_frame_no_nl.c" of type "text/x-csrc" (207841 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ