lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CANikGpcmGe1PLZjM6t8H6=P93aXg-jdaPFPUtkzLOXaKOprHmA@mail.gmail.com>
Date: Sat, 24 Aug 2024 19:08:10 -0700
From: Juefei Pu <juefei.pu@...il.ucr.edu>
To: mingo@...hat.com, peterz@...radead.org, juri.lelli@...hat.com, 
	vincent.guittot@...aro.org, dietmar.eggemann@....com, rostedt@...dmis.org, 
	bsegall@...gle.com, mgorman@...e.de, bristot@...hat.com, vschneid@...hat.com, 
	linux-kernel@...r.kernel.org
Subject: BUG: unable to handle kernel NULL pointer dereference in wake_up_bit

Hello,
We found the following issue using syzkaller on Linux v6.10.
In `__wake_up_common`, when executing `ret = curr->func(curr, mode,
wake_flags, key);`, a NULL pointer dereference happened. According to
the report, the RIP is 0x0, it seems that the function pointer is used
without checking its value.

Unfortunately, the syzkaller failed to generate a reproducer.
But at least we have the report:

BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 0 P4D 0
Oops: Oops: 0010 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 1 Comm: systemd Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000003fc38 EFLAGS: 00010046
RAX: 1ffff920013daf09 RBX: 0000000000000000 RCX: ffffc9000003fce0
RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc90009ed7838
RBP: 0000000000000001 R08: 0000000000000003 R09: fffff52000007f64
R10: dffffc0000000000 R11: 0000000000000000 R12: ffffc90009ed7848
R13: 0000000000000000 R14: ffffc90009ed7838 R15: ffffffff8d80e360
FS:  00007ff4720ac900(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000001532c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 __wake_up_common kernel/sched/wait.c:89 [inline]
 __wake_up_common_lock+0x134/0x1e0 kernel/sched/wait.c:106
 __wake_up kernel/sched/wait.c:127 [inline]
 __wake_up_bit kernel/sched/wait_bit.c:126 [inline]
 wake_up_bit+0x18c/0x1f0 kernel/sched/wait_bit.c:149
 evict+0x487/0x630 fs/inode.c:678
 __dentry_kill+0x1fb/0x610 fs/dcache.c:607
 dput+0x197/0x2b0 fs/dcache.c:849
 __fput+0x5f0/0x8a0 fs/file_table.c:430
 __do_sys_close fs/open.c:1563 [inline]
 __se_sys_close+0x15b/0x1e0 fs/open.c:1548
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7ff472517c6b
Code: 0f 05 48 3d 00 f0 ff ff 77 45 c3 0f 1f 40 00 48 83 ec 18 89 7c
24 0c e8 a3 4d f9 ff 8b 7c 24 0c 41 89 c0 b8 03 00 00 00 0f 05 <48> 3d
00 f0 ff ff 77 35 44 89 c7 89 44 24 0c e8 e1 4d f9 ff 8b 44
RSP: 002b:00007ffd335674a0 EFLAGS: 00000293 ORIG_RAX: 0000000000000003
RAX: ffffffffffffffda RBX: 00007ff4720ac6c8 RCX: 00007ff472517c6b
RDX: 00007ff4725fabe0 RSI: 0000000000000000 RDI: 0000000000000019
RBP: 0000000000000019 R08: 0000000000000000 R09: 000055e07191c838
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000
R13: 00007ffd33567560 R14: 0000000000000001 R15: 0000000000000001
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffffc9000003fc38 EFLAGS: 00010046
RAX: 1ffff920013daf09 RBX: 0000000000000000 RCX: ffffc9000003fce0
RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc90009ed7838
RBP: 0000000000000001 R08: 0000000000000003 R09: fffff52000007f64
R10: dffffc0000000000 R11: 0000000000000000 R12: ffffc90009ed7848
R13: 0000000000000000 R14: ffffc90009ed7838 R15: ffffffff8d80e360
FS:  00007ff4720ac900(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000001532c000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ