lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALAgD-6=bRtF++chjMwgTyMssCqyPzhXyY=zjB6w5SorVxuCcw@mail.gmail.com>
Date: Sat, 24 Aug 2024 21:53:29 -0700
From: Xingyu Li <xli399@....edu>
To: peterz@...radead.org, mingo@...hat.com, will@...nel.org, 
	longman@...hat.com, boqun.feng@...il.com, linux-kernel@...r.kernel.org
Subject: BUG: general protection fault in kernfs_remove_by_name_ns

Hi,

We found a bug in linux 6.10. It is probably a null pointer dereference bug.
The bug report is as follows, but unfortunately there is no generated
syzkaller reproducer.

netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2
family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2
family 0 port 6081 - 0
netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2
family 0 port 6081 - 0
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000029: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000148-0x000000000000014f]
CPU: 0 PID: 10054 Comm: kworker/u4:29 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:__lock_acquire+0x106/0x8050 kernel/locking/lockdep.c:5005
Code: 85 5d 20 00 00 83 3d 14 d2 b5 0d 00 48 89 9c 24 18 01 00 00 0f
84 00 10 00 00 83 3d 33 3a 31 0c 00 74 31 48 89 d0 48 c1 e8 03 <42> 80
3c 00 00 74 17 48 89 d7 e8 fb 9c 85 00 48 8b 54 24 10 49 b8
RSP: 0018:ffffc9000a0bf540 EFLAGS: 00010002
RAX: 0000000000000029 RBX: 1ffff92001417ecc RCX: 0000000000000000
RDX: 0000000000000148 RSI: 0000000000000000 RDI: 0000000000000148
RBP: ffffc9000a0bf808 R08: dffffc0000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801fc31e00
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc6fba84cd0 CR3: 0000000020224000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 lock_acquire+0x1a9/0x400 kernel/locking/lockdep.c:5754
 down_write+0x36/0x50 kernel/locking/rwsem.c:1579
 kernfs_remove_by_name_ns+0x76/0x150 fs/kernfs/dir.c:1689
 del_nbp+0xa6/0xb50 net/bridge/br_if.c:338
 br_dev_delete+0x76/0x110 net/bridge/br_if.c:386
 br_net_exit_batch_rtnl+0xee/0x1a0 net/bridge/br.c:369
 cleanup_net+0x712/0xcd0 net/core/net_namespace.c:633
 process_one_work kernel/workqueue.c:3248 [inline]
 process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
 worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
 kthread+0x2eb/0x380 kernel/kthread.c:389
 ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:__lock_acquire+0x106/0x8050 kernel/locking/lockdep.c:5005
Code: 85 5d 20 00 00 83 3d 14 d2 b5 0d 00 48 89 9c 24 18 01 00 00 0f
84 00 10 00 00 83 3d 33 3a 31 0c 00 74 31 48 89 d0 48 c1 e8 03 <42> 80
3c 00 00 74 17 48 89 d7 e8 fb 9c 85 00 48 8b 54 24 10 49 b8
RSP: 0018:ffffc9000a0bf540 EFLAGS: 00010002
RAX: 0000000000000029 RBX: 1ffff92001417ecc RCX: 0000000000000000
RDX: 0000000000000148 RSI: 0000000000000000 RDI: 0000000000000148
RBP: ffffc9000a0bf808 R08: dffffc0000000000 R09: 0000000000000000
R10: dffffc0000000000 R11: fffffbfff1e48be6 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff88801fc31e00
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fc6fba84cd0 CR3: 0000000020224000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 85 5d 20             test   %ebx,0x20(%rbp)
   3: 00 00                 add    %al,(%rax)
   5: 83 3d 14 d2 b5 0d 00 cmpl   $0x0,0xdb5d214(%rip)        # 0xdb5d220
   c: 48 89 9c 24 18 01 00 mov    %rbx,0x118(%rsp)
  13: 00
  14: 0f 84 00 10 00 00     je     0x101a
  1a: 83 3d 33 3a 31 0c 00 cmpl   $0x0,0xc313a33(%rip)        # 0xc313a54
  21: 74 31                 je     0x54
  23: 48 89 d0             mov    %rdx,%rax
  26: 48 c1 e8 03           shr    $0x3,%rax
* 2a: 42 80 3c 00 00       cmpb   $0x0,(%rax,%r8,1) <-- trapping instruction
  2f: 74 17                 je     0x48
  31: 48 89 d7             mov    %rdx,%rdi
  34: e8 fb 9c 85 00       call   0x859d34
  39: 48 8b 54 24 10       mov    0x10(%rsp),%rdx
  3e: 49                   rex.WB
  3f: b8                   .byte 0xb8


-- 
Yours sincerely,
Xingyu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ