lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CANikGpd2u3=GH8TLL40UuOJroe0-WdYCjj1vZJyCBgmSRvtNWQ@mail.gmail.com>
Date: Sun, 25 Aug 2024 00:45:30 -0700
From: Juefei Pu <juefei.pu@...il.ucr.edu>
To: davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, 
	pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: BUG: unable to handle kernel paging request in __netif_receive_skb_core

Hello,
We found the following issue using syzkaller on Linux v6.10.
In function `__netif_receive_skb_core`, an error of "unable to handle
kernel paging request" happend when executing `if (ptype->type !=
type)`. It happened because the register $r12 became an unexpected
value 0xffffffffffffffc0, because it was propagated from $r15 whose
value was null. So it's likely that this is an null-pointer
dereference issue.

The full report including the Syzkaller reproducer:
https://gist.github.com/TomAPU/38bb00292b33d52a6dd2d1b629247146/revisions

The brief report is below:

Syzkaller hit 'BUG: unable to handle kernel paging request in
__netif_receive_skb_core' bug.

BUG: unable to handle page fault for address: ffffffffffffffc0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD d936067 P4D d936067 PUD d938067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 8484 Comm: kworker/0:5 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: wg-crypt-wg0 wg_packet_tx_worker
RIP: 0010:deliver_ptype_list_skb net/core/dev.c:2247 [inline]
RIP: 0010:__netif_receive_skb_core+0x3163/0x3ef0 net/core/dev.c:5581
Code: 48 8d 41 10 48 89 44 24 48 4d 8d 67 c0 4c 89 e0 48 c1 e8 03 48
b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 0f 85 61 02 00 00 <41> 0f
b7 1c 24 89 df 44 89 f6 e8 ee f5 b8 f8 66 44 39 f3 0f 85 a0
RSP: 0018:ffffc90000007880 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000080000101 RSI: 000000000000dd86 RDI: 0000000000000000
RBP: ffffc90000007a50 R08: ffffffff88d85c72 R09: ffffffff88d82f9b
R10: 0000000000000002 R11: ffff8880244b5a00 R12: ffffffffffffffc0
R13: ffffffff8f260cb0 R14: 000000000000dd86 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffc0 CR3: 000000000d932000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 __netif_receive_skb_one_core net/core/dev.c:5623 [inline]
 __netif_receive_skb+0x11e/0x640 net/core/dev.c:5739
 process_backlog+0x37d/0x7a0 net/core/dev.c:6068
 __napi_poll+0xcc/0x480 net/core/dev.c:6722
 napi_poll net/core/dev.c:6791 [inline]
 net_rx_action+0x7ed/0x1040 net/core/dev.c:6907
 handle_softirqs+0x272/0x750 kernel/softirq.c:554
 do_softirq+0x117/0x1e0 kernel/softirq.c:455
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x1b0/0x1f0 kernel/softirq.c:382
 wg_socket_send_skb_to_peer+0x172/0x1d0 drivers/net/wireguard/socket.c:184
 wg_packet_create_data_done drivers/net/wireguard/send.c:251 [inline]
 wg_packet_tx_worker+0x1ba/0x960 drivers/net/wireguard/send.c:276
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
 kthread+0x2eb/0x380 kernel/kthread.c:389
 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
CR2: ffffffffffffffc0
---[ end trace 0000000000000000 ]---
RIP: 0010:deliver_ptype_list_skb net/core/dev.c:2247 [inline]
RIP: 0010:__netif_receive_skb_core+0x3163/0x3ef0 net/core/dev.c:5581
Code: 48 8d 41 10 48 89 44 24 48 4d 8d 67 c0 4c 89 e0 48 c1 e8 03 48
b9 00 00 00 00 00 fc ff df 0f b6 04 08 84 c0 0f 85 61 02 00 00 <41> 0f
b7 1c 24 89 df 44 89 f6 e8 ee f5 b8 f8 66 44 39 f3 0f 85 a0
RSP: 0018:ffffc90000007880 EFLAGS: 00010246
RAX: 0000000000000000 RBX: 0000000000000000 RCX: dffffc0000000000
RDX: 0000000080000101 RSI: 000000000000dd86 RDI: 0000000000000000
RBP: ffffc90000007a50 R08: ffffffff88d85c72 R09: ffffffff88d82f9b
R10: 0000000000000002 R11: ffff8880244b5a00 R12: ffffffffffffffc0
R13: ffffffff8f260cb0 R14: 000000000000dd86 R15: 0000000000000000
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffc0 CR3: 000000000d932000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 48 8d 41 10           lea    0x10(%rcx),%rax
   4: 48 89 44 24 48       mov    %rax,0x48(%rsp)
   9: 4d 8d 67 c0           lea    -0x40(%r15),%r12
   d: 4c 89 e0             mov    %r12,%rax
  10: 48 c1 e8 03           shr    $0x3,%rax
  14: 48 b9 00 00 00 00 00 movabs $0xdffffc0000000000,%rcx
  1b: fc ff df
  1e: 0f b6 04 08           movzbl (%rax,%rcx,1),%eax
  22: 84 c0                 test   %al,%al
  24: 0f 85 61 02 00 00     jne    0x28b
* 2a: 41 0f b7 1c 24       movzwl (%r12),%ebx <-- trapping instruction
  2f: 89 df                 mov    %ebx,%edi
  31: 44 89 f6             mov    %r14d,%esi
  34: e8 ee f5 b8 f8       call   0xf8b8f627
  39: 66 44 39 f3           cmp    %r14w,%bx
  3d: 0f                   .byte 0xf
  3e: 85                   .byte 0x85
  3f: a0                   .byte 0xa0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ