Message-ID: <2b9bbcf0-869b-4dc5-99f9-41cf5f1c125d.bugreport@valiantsec.com>
Date: Tue, 30 Jul 2024 14:13:56 +0800
From: "Ubisectech Sirius" <bugreport@...iantsec.com>
To: "linux-kernel" <linux-kernel@...r.kernel.org>
Cc: "herbert" <herbert@...dor.apana.org.au>,
  "davem" <davem@...emloft.net>
Subject: BUG unable to handle kernel paging request in michael_update

Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered an issue in Linux kernel 6.8. Attached to the email is a PoC file of the issue.

Stack dump:

BUG: unable to handle page fault for address: ffff8880549788c0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 14601067 P4D 14601067 PUD 14604067 PMD 5d656063 PTE 800fffffab687060
Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 10418 Comm: syz.2.73 Not tainted 6.8.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:memcpy_orig+0x115/0x140 arch/x86/lib/memcpy_64.S:160
Code: 0f 1f 44 00 00 83 fa 04 72 1b 8b 0e 44 8b 44 16 fc 89 0f 44 89 44 17 fc c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 83 ea 01 72 19 <0f> b6 0e 74 12 4c 0f b6 46 01 4c 0f b6 0c 16 44 88 47 01 44 88 0c
RSP: 0018:ffffc90001ba77f0 EFLAGS: 00010246
RAX: ffff888058eb3b00 RBX: 0000000000000001 RCX: ffffc90007921000
RDX: 0000000000000000 RSI: ffff8880549788c0 RDI: ffff888058eb3b00
RBP: ffff888058eb3b08 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff81e23f44 R12: 0000000000000001
R13: ffff888058eb3af8 R14: 000000000000001d R15: 0000000000000000
FS:  00007fa947932640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880549788c0 CR3: 0000000054a6c000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 michael_update+0x334/0x3d0 crypto/michael_mic.c:90
 shash_ahash_update+0x178/0x1c0 crypto/ahash.c:71
 crypto_ahash_update+0x7b/0x120 crypto/ahash.c:350
 hash_sendmsg+0x354/0xfb0 crypto/algif_hash.c:149
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0xaaf/0xc70 net/socket.c:2584
 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2638
 __sys_sendmmsg+0x18c/0x460 net/socket.c:2724
 __do_sys_sendmmsg net/socket.c:2753 [inline]
 __se_sys_sendmmsg net/socket.c:2750 [inline]
 __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2750
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fa946b958cd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa947931fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fa946d33f60 RCX: 00007fa946b958cd
RDX: 0000000000000001 RSI: 0000000020000e40 RDI: 000000000000000b
RBP: 00007fa946c1bb06 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000008084 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa946d33f60 R15: 00007fa947912000
 </TASK>
Modules linked in:
CR2: ffff8880549788c0
---[ end trace 0000000000000000 ]---
RIP: 0010:memcpy_orig+0x115/0x140 arch/x86/lib/memcpy_64.S:160
Code: 0f 1f 44 00 00 83 fa 04 72 1b 8b 0e 44 8b 44 16 fc 89 0f 44 89 44 17 fc c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 83 ea 01 72 19 <0f> b6 0e 74 12 4c 0f b6 46 01 4c 0f b6 0c 16 44 88 47 01 44 88 0c
RSP: 0018:ffffc90001ba77f0 EFLAGS: 00010246
RAX: ffff888058eb3b00 RBX: 0000000000000001 RCX: ffffc90007921000
RDX: 0000000000000000 RSI: ffff8880549788c0 RDI: ffff888058eb3b00
RBP: ffff888058eb3b08 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff81e23f44 R12: 0000000000000001
R13: ffff888058eb3af8 R14: 000000000000001d R15: 0000000000000000
FS:  00007fa947932640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880549788c0 CR3: 0000000054a6c000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
   5:   83 fa 04                cmp    $0x4,%edx
   8:   72 1b                   jb     0x25
   a:   8b 0e                   mov    (%rsi),%ecx
   c:   44 8b 44 16 fc          mov    -0x4(%rsi,%rdx,1),%r8d
  11:   89 0f                   mov    %ecx,(%rdi)
  13:   44 89 44 17 fc          mov    %r8d,-0x4(%rdi,%rdx,1)
  18:   c3                      ret
  19:   cc                      int3
  1a:   cc                      int3
  1b:   cc                      int3
  1c:   cc                      int3
  1d:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
  24:   00
  25:   83 ea 01                sub    $0x1,%edx
  28:   72 19                   jb     0x43
* 2a:   0f b6 0e                movzbl (%rsi),%ecx <-- trapping instruction
  2d:   74 12                   je     0x41
  2f:   4c 0f b6 46 01          movzbq 0x1(%rsi),%r8
  34:   4c 0f b6 0c 16          movzbq (%rsi,%rdx,1),%r9
  39:   44 88 47 01             mov    %r8b,0x1(%rdi)
  3d:   44                      rex.R
  3e:   88                      .byte 0x88
  3f:   0c                      .byte 0xc


Thank you for taking the time to read this email and we look forward to working with you further.


Download attachment "poc.c" of type "application/octet-stream" (5549 bytes)
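A triage helper for the oops above, added here as an example and not part of the report or the kernel: it parses the faulting address, the #PF error code, the RIP symbol, the register dump and the call trace, decodes the error-code bits, and lists which general register holds the faulting address. It assumes only the oops format as printed in the report; because memcpy_orig takes its source pointer in RSI, RSI matching CR2 means the unmapped read is on the input buffer handed down from michael_update.

```python
import re

# Oops lines from the report above, trimmed to the fields this parser uses.
OOPS = """\
BUG: unable to handle page fault for address: ffff8880549788c0
#PF: error_code(0x0000) - not-present page
RIP: 0010:memcpy_orig+0x115/0x140 arch/x86/lib/memcpy_64.S:160
RDX: 0000000000000000 RSI: ffff8880549788c0 RDI: ffff888058eb3b00
CR2: ffff8880549788c0 CR3: 0000000054a6c000 CR4: 0000000000750ef0
Call Trace:
 <TASK>
 michael_update+0x334/0x3d0 crypto/michael_mic.c:90
 shash_ahash_update+0x178/0x1c0 crypto/ahash.c:71
 hash_sendmsg+0x354/0xfb0 crypto/algif_hash.c:149
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2750
 </TASK>
"""

REG_RE = re.compile(r"\b([A-Z0-9]{2,3}):\s*([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"^\s+(\w+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+?)(?:\s+\[inline\])?$")

def parse_oops(text):
    # Collect fault address, #PF error code, RIP symbol, registers and call-trace frames.
    info = {"regs": {}, "frames": []}
    in_trace = False
    for line in text.splitlines():
        if m := re.match(r"BUG: unable to handle page fault for address: ([0-9a-f]+)", line):
            info["fault_addr"] = int(m.group(1), 16)
        elif m := re.match(r"#PF: error_code\(0x([0-9a-f]+)\)", line):
            info["error_code"] = int(m.group(1), 16)
        elif m := re.match(r"RIP: \d{4}:(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (\S+)", line):
            info["rip_sym"] = m.group(1)
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if m := FRAME_RE.match(line):
                info["frames"].append((m.group(1), m.group(2)))
            in_trace = line.strip() != "</TASK>"
        else:
            for reg, val in REG_RE.findall(line):
                info["regs"][reg] = int(val, 16)
    return info

def triage(info):
    # x86 #PF error code bits: 0 = page present, 1 = write access, 2 = user mode.
    ec = info["error_code"]
    access = {"present": bool(ec & 1), "write": bool(ec & 2), "user": bool(ec & 4)}
    # CR2 always equals the faulting address; other registers holding it are the operand.
    holders = sorted(r for r, v in info["regs"].items() if v == info["fault_addr"] and r != "CR2")
    return access, holders, info["frames"][0][0] if info["frames"] else None
```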
