| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAKHoSAuCLyh5JWVkYbEzwphX_fyKNP5PyBWsyq+V9jP7Vy4=kA@mail.gmail.com> Date: Mon, 2 Dec 2024 12:30:37 +0800 From: cheung wall <zzqq0103.hey@...il.com> To: "David S. Miller" <davem@...emloft.net> Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: "bug description: kernel warn in p9_trans_create_unix" in Linux Kernel Version 2.6.26 Hello, I am writing to report a potential vulnerability identified in the Linux Kernel version 2.6.26. This issue was discovered using our custom vulnerability discovery tool. Affected File: File: net/9p/trans_fd.c Function: p9_trans_create_unix Detailed call trace: [ 1126.740669] RIP: 0010:[<ffffffffa0219318>] [<ffffffffa0219318>] :9pnet:p9_trans_create_unix+0x64/0x180 [ 1126.740669] RSP: 0018:ffff81018ec3fb68 EFLAGS: 00000246 [ 1126.740669] RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffffffffffff [ 1126.740669] RDX: ffff81023bcee000 RSI: ffff81022e5bcfc0 RDI: 0000000000000000 [ 1126.740669] RBP: 0000000000000000 R08: ffff81022b98a000 R09: ffff8102318e5ef6 [ 1126.740669] R10: 0000000000000000 R11: ffffffff802f20a6 R12: ffff81022e5bcfc0 [ 1126.740669] R13: ffff81022e5bcfc0 R14: 0000000000002000 R15: 0000000000000001 [ 1126.740669] FS: 00007f20dd7116e0(0000) GS:ffff81023bce97c0(0000) knlGS:0000000000000000 [ 1126.740669] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b [ 1126.740669] CR2: 0000000000000000 CR3: 000000019d47d000 CR4: 00000000000006e0 [ 1126.740669] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 1126.740669] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 1126.740669] Process a.out (pid: 15058, threadinfo ffff81018ec3e000, task ffff8101f6502750) [ 1126.740669] Stack: ffff81023b9c0550 0000000000000000 ffffffffa0116aa0 ffffffffa00f6899 [ 1126.740669] 0000000000000000 ffff810223007c60 ffff81022c95b7b0 ffff81022996dd70 [ 1126.740669] 00000000000b1943 ffff810238190c00 0000000000001000 ffffffff803208fb [ 1126.740669] Call Trace: [ 1126.740669] [<ffffffffa00f6899>] :jbd:do_get_write_access+0x378/0x3be [ 1126.740933] [<ffffffff803208fb>] match_token+0x6d/0x1d2 [ 1126.740933] [<ffffffffa0215610>] :9pnet:p9_client_create+0x181/0x2b3 [ 1126.740933] [<ffffffff80276423>] get_page_from_freelist+0x45a/0x603 [ 1126.740933] [<ffffffff80320a44>] match_token+0x1b6/0x1d2 [ 1126.740933] [<ffffffffa022475a>] :9p:v9fs_session_init+0x289/0x32f [ 1126.740933] [<ffffffffa02230ec>] :9p:v9fs_get_sb+0x6d/0x1d9 [ 1126.740933] [<ffffffff8029cbbc>] vfs_kern_mount+0x93/0x11b [ 1126.740933] [<ffffffff8029cc97>] do_kern_mount+0x43/0xdc [ 1126.740933] [<ffffffff802b16a9>] do_new_mount+0x5b/0x95 [ 1126.740933] [<ffffffff802b18a0>] do_mount+0x1bd/0x1e7 [ 1126.740933] [<ffffffff8027684e>] __alloc_pages_internal+0xd6/0x3bf [ 1126.740933] [<ffffffff802b1954>] sys_mount+0x8a/0xce [ 1126.740933] [<ffffffff8020beca>] system_call_after_swapgs+0x8a/0x8f [ 1126.740933] [ 1126.740933] [ 1126.740933] Code: 07 e0 48 85 c0 49 89 c5 0f 84 24 01 00 00 fc 48 c7 40 20 20 8d 21 a0 48 c7 40 18 30 81 21 a0 48 83 c9 ff 49 89 c4 48 89 ef 31 c0 <f2> ae 48 f7 d1 48 ff c9 48 83 f9 6c 76 31 65 48 8b 04 25 00 00 [ 1126.740933] RIP [<ffffffffa0219318>] :9pnet:p9_trans_create_unix+0x64/0x180 [ 1126.740933] RSP <ffff81018ec3fb68> [ 1126.740933] CR2: 0000000000000000 [ 1126.745832] ---[ end trace 9deab910d1f789fc ]--- Repro C Source Code: https://pastebin.com/jirvRhYm Root Cause: The root cause of this bug lies in the insufficient validation of mount options passed to the p9_trans_create_unix function in the 9P filesystem's Unix transport mechanism. Specifically, malformed or incomplete options, such as "trans=unix,access=client,nodevmap,aname=vboxnet1:em0+cpuset", lead to unhandled edge cases during option parsing and socket initialization. This causes the kernel to dereference an invalid or null pointer, triggering a general protection fault. The lack of proper input checks and error handling in the function results in memory corruption and kernel instability when processing user-controlled mount requests. Thank you for your time and attention. Best regards Wall
Powered by blists - more mailing lists