Message-ID: <CANikGpfU7oa_P3MzYjh2B4L=FnsDamhaiaNgQYB_BgUAE9JzRg@mail.gmail.com>
Date: Wed, 28 Aug 2024 23:40:31 -0700
From: Juefei Pu <juefei.pu@...il.ucr.edu>
To: James.Bottomley@...senpartnership.com, martin.petersen@...cle.com,
linux-scsi@...r.kernel.org, linux-kernel@...r.kernel.org,
Yu Hao <yhao016@....edu>
Subject: BUG: general protection fault in batadv_iv_send_outstanding_bat_ogm_packet
Hello,
We found the following issue using syzkaller on Linux v6.10.
The PoC generated by syzkaller can cause the kernel to report
memory-corruption-related errors.
The C reproducer:
https://gist.github.com/TomAPU/3079772ea493ad008f9a837e63be87bb
kernel config:
https://gist.github.com/TomAPU/64f5db0fe976a3e94a6dd2b621887cdd
It seems that the task corrupted is `kworker`, not `syz-executor`. It
seems that there exists a bug in `/dev/sg0`, allowing a program to
tamper with the memory without being caught by KASAN.
The report is below:
Syzkaller hit 'general protection fault in
batadv_iv_send_outstanding_bat_ogm_packet' bug.
veth1_vlan: left promiscuous mode
veth0_vlan: left promiscuous mode
team0 (unregistering): Port device team_slave_1 removed
team0 (unregistering): Port device team_slave_0 removed
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000002: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000010-0x0000000000000017]
CPU: 0 PID: 40 Comm: kworker/u4:3 Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Workqueue: bat_events batadv_iv_send_outstanding_bat_ogm_packet
RIP: 0010:batadv_iv_ogm_aggr_packet net/batman-adv/bat_iv_ogm.c:325 [inline]
RIP: 0010:batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:352 [inline]
RIP: 0010:batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
RIP: 0010:batadv_iv_send_outstanding_bat_ogm_packet+0x2bd/0x800
net/batman-adv/bat_iv_ogm.c:1700
Code: 3c 41 be 18 00 00 00 31 c0 48 89 44 24 50 31 ed 48 89 5c 24 58
49 8d 55 16 49 89 d4 49 c1 ec 03 48 b8 00 00 00 00 00 fc ff df <41> 0f
b6 04 04 84 c0 48 89 54 24 08 0f 85 b9 01 00 00 0f b7 02 66
RSP: 0018:ffffc900008bfb30 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff88801ec1083c RCX: dffffc0000000000
RDX: 0000000000000016 RSI: 0000000000000018 RDI: 0000000000000018
RBP: 0000000000000000 R08: ffffffff8abf0ffc R09: 1ffff11006e56994
R10: dffffc0000000000 R11: ffffed1006e56995 R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000018 R15: 0000000000000018
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563601fc9418 CR3: 000000000d932000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
process_one_work kernel/workqueue.c:3248 [inline]
process_scheduled_works+0x977/0x1410 kernel/workqueue.c:3329
worker_thread+0xaa0/0x1020 kernel/workqueue.c:3409
kthread+0x2eb/0x380 kernel/kthread.c:389
ret_from_fork+0x49/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
</TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:batadv_iv_ogm_aggr_packet net/batman-adv/bat_iv_ogm.c:325 [inline]
RIP: 0010:batadv_iv_ogm_send_to_if net/batman-adv/bat_iv_ogm.c:352 [inline]
RIP: 0010:batadv_iv_ogm_emit net/batman-adv/bat_iv_ogm.c:420 [inline]
RIP: 0010:batadv_iv_send_outstanding_bat_ogm_packet+0x2bd/0x800
net/batman-adv/bat_iv_ogm.c:1700
Code: 3c 41 be 18 00 00 00 31 c0 48 89 44 24 50 31 ed 48 89 5c 24 58
49 8d 55 16 49 89 d4 49 c1 ec 03 48 b8 00 00 00 00 00 fc ff df <41> 0f
b6 04 04 84 c0 48 89 54 24 08 0f 85 b9 01 00 00 0f b7 02 66
RSP: 0018:ffffc900008bfb30 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff88801ec1083c RCX: dffffc0000000000
RDX: 0000000000000016 RSI: 0000000000000018 RDI: 0000000000000018
RBP: 0000000000000000 R08: ffffffff8abf0ffc R09: 1ffff11006e56994
R10: dffffc0000000000 R11: ffffed1006e56995 R12: 0000000000000002
R13: 0000000000000000 R14: 0000000000000018 R15: 0000000000000018
FS: 0000000000000000(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563601fc9418 CR3: 00000000203c0000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 3c 41 cmp $0x41,%al
2: be 18 00 00 00 mov $0x18,%esi
7: 31 c0 xor %eax,%eax
9: 48 89 44 24 50 mov %rax,0x50(%rsp)
e: 31 ed xor %ebp,%ebp
10: 48 89 5c 24 58 mov %rbx,0x58(%rsp)
15: 49 8d 55 16 lea 0x16(%r13),%rdx
19: 49 89 d4 mov %rdx,%r12
1c: 49 c1 ec 03 shr $0x3,%r12
20: 48 b8 00 00 00 00 00 movabs $0xdffffc0000000000,%rax
27: fc ff df
* 2a: 41 0f b6 04 04 movzbl (%r12,%rax,1),%eax <-- trapping instruction
2f: 84 c0 test %al,%al
31: 48 89 54 24 08 mov %rdx,0x8(%rsp)
36: 0f 85 b9 01 00 00 jne 0x1f5
3c: 0f b7 02 movzwl (%rdx),%eax
3f: 66 data16
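Added example, not part of the report above and not code from batman-adv or the kernel: a user-space C replay of the arithmetic behind three lines of this oops, so a reader can check that "non-canonical address 0xdffffc0000000002", "null-ptr-deref in range [0x10-0x17]" and the register dump all describe the same access. The disassembly shows the generic x86-64 KASAN instrumentation: lea 0x16(%r13) forms the address to be loaded, shr $3 and the movabs $0xdffffc0000000000 turn it into its shadow-byte address, and the movzbl that traps is the shadow read, not the real load. With R13 = 0 from the dump, the guarded load is at NULL + 0x16 (in struct batadv_ogm_packet that offset is the __be16 tvlv_len field read in batadv_iv_ogm_aggr_packet(); that identification is my reading of the struct layout, not something the report states). Assumptions made by the code: KASAN_SHADOW_OFFSET and the shift-by-3 are the values visible in the disassembly; PAGE_SIZE is 4096; TASK_SIZE_MAX is (1 << 47) - PAGE_SIZE (4-level paging); the bug-type thresholds are my reimplementation of what mm/kasan/report.c's kasan_non_canonical_hook() applies. The register values fed in are copied from the dump and are constructed test input, not live state.

```c
/*
 * Replay of the KASAN shadow lookup that trapped in the oops above.
 * Added example; not kernel, batman-adv or syzkaller code.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL  /* the movabs immediate in the disassembly */
#define KASAN_SHADOW_SCALE_SHIFT 3                       /* the "shr $0x3": one shadow byte per 8 bytes */
#define KASAN_GRANULE_SIZE       (1ULL << KASAN_SHADOW_SCALE_SHIFT)
#define X86_PAGE_SIZE            4096ULL
/* Assumption: 4-level paging, so user space ends at (1 << 47) - PAGE_SIZE. */
#define X86_TASK_SIZE_MAX        ((1ULL << 47) - X86_PAGE_SIZE)

/* Address of the shadow byte guarding the 8-byte granule that contains addr. */
uint64_t kasan_mem_to_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Inverse: first byte of the granule that a shadow byte covers. */
uint64_t kasan_shadow_to_mem(uint64_t shadow)
{
    return (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT;
}

/* x86-64 48-bit canonical form: bits 63..47 must be all 0 or all 1. */
int is_canonical48(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/*
 * Replay the instructions in front of the trap:
 *   lea 0x16(%r13),%rdx ; mov %rdx,%r12 ; shr $0x3,%r12
 *   movabs $0xdffffc0000000000,%rax ; movzbl (%r12,%rax,1),%eax   <-- trap
 * Returns the effective address the movzbl dereferenced (the shadow byte).
 * If rdx_out is non-NULL it receives RDX, the address of the guarded 16-bit load.
 */
uint64_t replay_trap_ea(uint64_t r13, uint64_t *rdx_out)
{
    uint64_t rdx = r13 + 0x16;
    uint64_t r12 = rdx >> KASAN_SHADOW_SCALE_SHIFT;
    uint64_t rax = KASAN_SHADOW_OFFSET;
    if (rdx_out)
        *rdx_out = rdx;
    return r12 + rax;
}

/*
 * Turn a faulting non-canonical address back into KASAN's
 * "<bug_type> in range [lo-hi]" line (thresholds mirror kasan_non_canonical_hook()).
 * Returns NULL when the address is below the shadow region, i.e. not a shadow access.
 */
const char *kasan_classify(uint64_t fault_addr, uint64_t *lo, uint64_t *hi)
{
    uint64_t orig;

    if (fault_addr < KASAN_SHADOW_OFFSET)
        return NULL;
    orig = kasan_shadow_to_mem(fault_addr);
    if (lo)
        *lo = orig;
    if (hi)
        *hi = orig + KASAN_GRANULE_SIZE - 1;
    if (orig < X86_PAGE_SIZE)
        return "null-ptr-deref";
    if (orig < X86_TASK_SIZE_MAX)
        return "probably user-memory-access";
    return "maybe wild-memory-access";
}

int main(void)
{
    /* Constructed input: R13 as dumped in the oops, i.e. a NULL base pointer. */
    const uint64_t r13 = 0x0000000000000000ULL;
    uint64_t rdx = 0, lo = 0, hi = 0;
    uint64_t ea = replay_trap_ea(r13, &rdx);
    const char *kind = kasan_classify(ea, &lo, &hi);

    printf("guarded load address: R13 + 0x16 = %#llx\n", (unsigned long long)rdx);
    printf("shadow byte address : %#llx (canonical: %s)\n",
           (unsigned long long)ea, is_canonical48(ea) ? "yes" : "no");
    printf("KASAN: %s in range [0x%016llx-0x%016llx]\n",
           kind ? kind : "not a shadow access",
           (unsigned long long)lo, (unsigned long long)hi);
    return 0;
}
```

Reading the result against the dump: RDX = 0x16 and R12 = 0x16 >> 3 = 2 are exactly the values reported, the shadow address 0xdffffc0000000002 is the non-canonical address the GPF names, and mapping that shadow byte back to memory gives the granule 0x10..0x17 printed on the KASAN line. The same mapping applied to the CR2 value (a user-space address) or to RBX (a kernel heap address) yields the "probably user-memory-access" and "maybe wild-memory-access" variants of that line, which is useful when triaging reports where the base register is not simply 0.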