lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CALAgD-5236x-7bVxVzuv9DGqAVj+UT6pJL8QBd-CHAHPNd1n5Q@mail.gmail.com>
Date: Wed, 28 Aug 2024 16:11:28 -0700
From: Xingyu Li <xli399@....edu>
To: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, 
	kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Cc: Yu Hao <yhao016@....edu>
Subject: BUG: general protection fault in fib6_walk_continue

Hi,

We found a bug in Linux 6.10 using syzkaller. It is possibly a null
pointer dereference  bug.
The bug report is as follows, but unfortunately there is no generated
syzkaller reproducer.

Bug report:

Oops: general protection fault, probably for non-canonical address
0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 14197 Comm: syz-executor Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:fib6_walk_continue+0x485/0x8e0 net/ipv6/ip6_fib.c:2145
Code: 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 e7 e8 ff 94 4b
f8 4d 8b 34 24 e8 86 c9 4e 01 49 8d 7e 08 48 89 f8 48 c1 e8 03 <42> 80
3c 38 00 74 05 e8 df 94 4b f8 4d 8b 6e 08 e8 66 c9 4e 01 49
RSP: 0000:ffffc900046b6f70 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff88801c35da00
RDX: 0000000000000000 RSI: ffffffff8ee6fe40 RDI: 0000000000000008
RBP: ffff88803f4451a0 R08: 0000000000000005 R09: ffffffff89a8c42a
R10: 0000000000000005 R11: ffff88801c35da00 R12: ffff88803f445180
R13: ffffc900046b70f8 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f226a135b70 CR3: 000000002d330000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 fib6_walk+0x148/0x280 net/ipv6/ip6_fib.c:2179
 fib6_clean_tree net/ipv6/ip6_fib.c:2259 [inline]
 __fib6_clean_all+0x31b/0x4b0 net/ipv6/ip6_fib.c:2275
 rt6_sync_down_dev net/ipv6/route.c:4910 [inline]
 rt6_disable_ip+0x151/0x810 net/ipv6/route.c:4915
 addrconf_ifdown+0x170/0x1b50 net/ipv6/addrconf.c:3855
 addrconf_notify+0x3c4/0x1000
 notifier_call_chain kernel/notifier.c:93 [inline]
 raw_notifier_call_chain+0xe0/0x180 kernel/notifier.c:461
 call_netdevice_notifiers_extack net/core/dev.c:2030 [inline]
 call_netdevice_notifiers net/core/dev.c:2044 [inline]
 dev_close_many+0x352/0x4e0 net/core/dev.c:1585
 unregister_netdevice_many_notify+0x542/0x16d0 net/core/dev.c:11194
 unregister_netdevice_many net/core/dev.c:11277 [inline]
 unregister_netdevice_queue+0x2ff/0x370 net/core/dev.c:11156
 unregister_netdevice include/linux/netdevice.h:3119 [inline]
 __tun_detach+0x6ad/0x15e0 drivers/net/tun.c:685
 tun_detach drivers/net/tun.c:701 [inline]
 tun_chr_close+0x104/0x1b0 drivers/net/tun.c:3500
 __fput+0x24a/0x8a0 fs/file_table.c:422
 task_work_run+0x239/0x2f0 kernel/task_work.c:180
 exit_task_work include/linux/task_work.h:38 [inline]
 do_exit+0xa13/0x2560 kernel/exit.c:876
 do_group_exit+0x1fd/0x2b0 kernel/exit.c:1025
 get_signal+0x1697/0x1730 kernel/signal.c:2909
 arch_do_signal_or_restart+0x92/0x7f0 arch/x86/kernel/signal.c:310
 exit_to_user_mode_loop kernel/entry/common.c:111 [inline]
 exit_to_user_mode_prepare include/linux/entry-common.h:328 [inline]
 __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]
 syscall_exit_to_user_mode+0x95/0x280 kernel/entry/common.c:218
 do_syscall_64+0x8a/0x150 arch/x86/entry/common.c:89
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f9aeb77f3fc
Code: Unable to access opcode bytes at 0x7f9aeb77f3d2.
RSP: 002b:00007ffd2d9a0320 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
RAX: fffffffffffffe00 RBX: 0000000000000003 RCX: 00007f9aeb77f3fc
RDX: 0000000000000028 RSI: 00007ffd2d9a03d0 RDI: 00000000000000f9
RBP: 00007ffd2d9a037c R08: 0000000000000000 R09: 0079746972756365
R10: 00007f9aeb9147e0 R11: 0000000000000246 R12: 0000555564b1a5eb
R13: 0000555564b1a590 R14: 0000000000058bc3 R15: 00007ffd2d9a03d0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:fib6_walk_continue+0x485/0x8e0 net/ipv6/ip6_fib.c:2145
Code: 4c 89 e0 48 c1 e8 03 42 80 3c 38 00 74 08 4c 89 e7 e8 ff 94 4b
f8 4d 8b 34 24 e8 86 c9 4e 01 49 8d 7e 08 48 89 f8 48 c1 e8 03 <42> 80
3c 38 00 74 05 e8 df 94 4b f8 4d 8b 6e 08 e8 66 c9 4e 01 49
RSP: 0000:ffffc900046b6f70 EFLAGS: 00010202
RAX: 0000000000000001 RBX: 0000000000000000 RCX: ffff88801c35da00
RDX: 0000000000000000 RSI: ffffffff8ee6fe40 RDI: 0000000000000008
RBP: ffff88803f4451a0 R08: 0000000000000005 R09: ffffffff89a8c42a
R10: 0000000000000005 R11: ffff88801c35da00 R12: ffff88803f445180
R13: ffffc900046b70f8 R14: 0000000000000000 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f226a135b70 CR3: 000000002d330000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 4c 89 e0             mov    %r12,%rax
   3: 48 c1 e8 03           shr    $0x3,%rax
   7: 42 80 3c 38 00       cmpb   $0x0,(%rax,%r15,1)
   c: 74 08                 je     0x16
   e: 4c 89 e7             mov    %r12,%rdi
  11: e8 ff 94 4b f8       call   0xf84b9515
  16: 4d 8b 34 24           mov    (%r12),%r14
  1a: e8 86 c9 4e 01       call   0x14ec9a5
  1f: 49 8d 7e 08           lea    0x8(%r14),%rdi
  23: 48 89 f8             mov    %rdi,%rax
  26: 48 c1 e8 03           shr    $0x3,%rax
* 2a: 42 80 3c 38 00       cmpb   $0x0,(%rax,%r15,1) <-- trapping instruction
  2f: 74 05                 je     0x36
  31: e8 df 94 4b f8       call   0xf84b9515
  36: 4d 8b 6e 08           mov    0x8(%r14),%r13
  3a: e8 66 c9 4e 01       call   0x14ec9a5
  3f: 49                   rex.WB


-- 
Yours sincerely,
Xingyu

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ