Open Source and information security mailing list archives
Message-ID: <CAKHoSAtVJ=oycBBrcdxrTqZ8yW9dS=dWUU=mxQitJ+f73mGWcQ@mail.gmail.com>
Date: Mon, 2 Dec 2024 12:30:51 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: "David S. Miller" <davem@...emloft.net>, Alexey Kuznetsov <kuznet@....inr.ac.ru>, pekkas@...core.fi, 
	jmorris@...ei.org, yoshfuji@...ux-ipv6.org, kaber@...sh.net
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: "Kernel Warn in af_inet" in Linux Kernel Version 2.6.26

Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 2.6.26.
This issue was discovered using our custom vulnerability discovery
tool.

Affected File:

File: net/ipv4/af_inet.c

Detailed call trace:

[ 1788.473836] KERNEL: assertion (!atomic_read(&sk->sk_wmem_alloc)) failed at net/ipv4/af_inet.c (155)
[ 1788.473836] KERNEL: assertion (!sk->sk_wmem_queued) failed at net/ipv4/af_inet.c (156)
[ 1788.473836] KERNEL: assertion (!sk->sk_forward_alloc) failed at net/ipv4/af_inet.c (157)
[ 1788.473836] KERNEL: assertion (!atomic_read(&sk->sk_wmem_alloc)) failed at net/ipv4/af_inet.c (155)
[ 1788.473836] KERNEL: assertion (!sk->sk_wmem_queued) failed at net/ipv4/af_inet.c (156)
[ 1788.473862] KERNEL: assertion (!sk->sk_forward_alloc) failed at net/ipv4/af_inet.c (157)

Repro C Source Code: https://pastebin.com/qs5y6Bcy

Root Cause:

The root cause of this bug lies in the improper handling of socket
write memory management in the IPv4 stack, specifically in the
assertions within net/ipv4/af_inet.c. The PoC triggers a sequence of
socket operations, including socket, sendto, listen, and accept, with
crafted input data and parameters. These operations result in
inconsistent states of the sock structure, where critical fields like
sk_wmem_alloc, sk_wmem_queued, and sk_forward_alloc are not properly
cleared or synchronized. The kernel fails to maintain the expected
invariants for these fields, leading to assertion failures that
indicate a logical inconsistency in memory allocation or deallocation
for socket operations. This issue highlights a potential lack of
proper cleanup or state transition checks in the network stack.

Thank you for your time and attention.

Best regards,

Wall
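For anyone triaging reports like the one above from a fleet of dmesg or syslog feeds, the following is an added example (not part of the report, and not a tool of the reporter or of the kernel project) of a small parser for the `KERNEL: assertion (...) failed at file (line)` record format shown in the call trace. It re-joins records that a mail client has folded across lines, as happened in this archived message, then de-duplicates the fired invariants so the same three checks appearing twice are reported as three invariants with a count of two each. The sample input is constructed from the trace in the message plus one unrelated line; the function names and the trailing `eth0` line are this example's own.

```python
import re
from collections import Counter

# Constructed sample: the call trace from the report, folded across lines the
# way the mail archive shows it, plus one unrelated kernel line (constructed).
SAMPLE_DMESG = """\
[ 1788.473836] KERNEL: assertion (!atomic_read(&sk->sk_wmem_alloc))
failed at net/ipv4/af_inet.c (155)
[ 1788.473836] KERNEL: assertion (!sk->sk_wmem_queued) failed at
net/ipv4/af_inet.c (156)
[ 1788.473836] KERNEL: assertion (!sk->sk_forward_alloc) failed at
net/ipv4/af_inet.c (157)
[ 1788.473836] KERNEL: assertion (!atomic_read(&sk->sk_wmem_alloc))
failed at net/ipv4/af_inet.c (155)
[ 1788.473836] KERNEL: assertion (!sk->sk_wmem_queued) failed at
net/ipv4/af_inet.c (156)
[ 1788.473862] KERNEL: assertion (!sk->sk_forward_alloc) failed at
net/ipv4/af_inet.c (157)
[ 1788.500000] eth0: link is up
"""

# A record starts with the printk timestamp "[ seconds.micros ]".
TIMESTAMP_RE = re.compile(r"^\[\s*(\d+\.\d+)\]\s*(.*)$")
# The assertion format used by the old net/ipv4/af_inet.c checks in the trace.
ASSERT_RE = re.compile(
    r"KERNEL: assertion \((?P<expr>.+)\) failed at (?P<file>\S+) \((?P<line>\d+)\)$"
)


def unfold(text):
    """Re-join records that were wrapped: a non-empty line without a
    timestamp prefix is treated as a continuation of the previous record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if TIMESTAMP_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] = records[-1] + " " + line
    return records


def parse_assertions(text):
    """Return one dict per 'KERNEL: assertion ... failed at ...' record,
    with the timestamp, the asserted expression, the file and the line."""
    found = []
    for rec in unfold(text):
        m = TIMESTAMP_RE.match(rec)
        if not m:
            continue
        ts, body = m.groups()
        a = ASSERT_RE.search(body)
        if not a:
            continue  # some other kernel message; ignore
        found.append({
            "time": float(ts),
            "expr": a.group("expr"),
            "file": a.group("file"),
            "line": int(a.group("line")),
        })
    return found


def summarize(assertions):
    """Count how often each (file, line, expression) invariant fired, so a
    repeating trace collapses to a short list of distinct checks."""
    return Counter((a["file"], a["line"], a["expr"]) for a in assertions)


if __name__ == "__main__":
    hits = parse_assertions(SAMPLE_DMESG)
    for (path, lineno, expr), n in sorted(summarize(hits).items()):
        print(f"{path}:{lineno}  {expr}  fired {n}x")
```

Run against the constructed sample this prints three lines, one per invariant at lines 155, 156 and 157, each with a count of 2; the unrelated `eth0` line is ignored. Feeding it a real `dmesg` capture works the same way, since unwrapped records simply never take the continuation branch.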
