Message-ID: <CAKHoSAtO1vE+_-Fo9Gc9Tv2bgtubkBYk6uEOddJr79DNQvmSQQ@mail.gmail.com>
Date: Mon, 2 Dec 2024 12:31:18 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: paul@...l-moore.com, "David S. Miller" <davem@...emloft.net>
Cc: netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: "general protection fault in netlbl_unlhsh_add" in Linux Kernel Version 4.9

Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 4.9.
This issue was discovered using our custom vulnerability discovery
tool.

Affected File: netlabel_unlabeled.c

File: netlabel_unlabeled.c
Function: netlbl_unlhsh_add_addr4

Detailed call trace:

sr 1:0:0:0: [sr0] unaligned transfer
tmpfs: Bad mount option nr_)nodes
9pnet: Insufficient options for proto=fd
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 6915 Comm: syz.2.719 Not tainted 4.9.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
task: ffff88006b952940 task.stack: ffff88005d920000
RIP: 0010:[<ffffffff82f4e3e6>] [<ffffffff82f4e3e6>]
netlbl_unlhsh_add_addr4 net/netlabel/netlabel_unlabeled.c:262 [inline]
RIP: 0010:[<ffffffff82f4e3e6>] [<ffffffff82f4e3e6>]
netlbl_unlhsh_add+0x8e6/0xf00 net/netlabel/netlabel_unlabeled.c:430
RSP: 0018:ffff88005d9274c8 EFLAGS: 00010257
RAX: 000000000100007f RBX: 0000000000000004 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000202 RDI: 0000000000000000
RBP: ffff88005d9275b8 R08: 00000000000000a0 R09: ffff88005d80c000
R10: 00000000e8d5b47c R11: 0000000097bb816a R12: ffff88006abcd680
R13: 0000000000000000 R14: ffff88005d9bcae0 R15: ffff88006879542c
FS: 00007f7c96bb1640(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7c96baff88 CR3: 0000000069138000 CR4: 00000000003406e0
Stack:
ffffffff81946e40 ffff88006abcd680 1ffff1000bb24e9e 0000012b83476cad
0000000000000000 0000000041b58ab3 ffffffff834b7a00 ffffffff82f4db00
ffff88005d927638 00000000024000c0 0000000000000022 ffff88005d927550
Call Trace:
[<ffffffff82f4ed95>] netlbl_unlabel_staticadddef+0x395/0x460
net/netlabel/netlabel_unlabeled.c:980
[<ffffffff82915b6c>] genl_family_rcv_msg+0x69c/0xc30 net/netlink/genetlink.c:636
[<ffffffff829162ab>] genl_rcv_msg+0x1ab/0x260 net/netlink/genetlink.c:660
[<ffffffff82914477>] netlink_rcv_skb+0x297/0x390 net/netlink/af_netlink.c:2298
[<ffffffff829154b8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:671
[<ffffffff82912e84>] netlink_unicast_kernel
net/netlink/af_netlink.c:1231 [inline]
[<ffffffff82912e84>] netlink_unicast+0x4c4/0x6e0 net/netlink/af_netlink.c:1257
[<ffffffff82913a17>] netlink_sendmsg+0x977/0xca0 net/netlink/af_netlink.c:1803
[<ffffffff8280164a>] sock_sendmsg_nosec net/socket.c:621 [inline]
[<ffffffff8280164a>] sock_sendmsg+0xca/0x110 net/socket.c:631
[<ffffffff82803480>] ___sys_sendmsg+0x730/0x870 net/socket.c:1954
[<ffffffff82804cf1>] __sys_sendmsg+0xd1/0x170 net/socket.c:1988
[<ffffffff82804dbd>] SYSC_sendmsg net/socket.c:1999 [inline]
[<ffffffff82804dbd>] SyS_sendmsg+0x2d/0x50 net/socket.c:1995
[<ffffffff82f8f937>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 f4 02
00 00 48 89 d9 48 ba 00 00 00 00 00 fc ff df 41 8b 07 48 c1 e9 03 <0f>
b6 0c 11 48 89 da 83 e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85
RIP [<ffffffff82f4e3e6>] netlbl_unlhsh_add_addr4
net/netlabel/netlabel_unlabeled.c:262 [inline]
RIP [<ffffffff82f4e3e6>] netlbl_unlhsh_add+0x8e6/0xf00
net/netlabel/netlabel_unlabeled.c:430
RSP <ffff88005d9274c8>
---[ end trace ec99797c85dd42d0 ]---

Repro C Source Code: https://pastebin.com/aHhVhbJ4

Root Cause:

The root cause appears to be a NULL pointer dereference or improper
memory handling within the netlbl_unlhsh_add function, likely due to
misconfigurations or faulty memory accesses. This could be exacerbated
by incorrect kernel options or mounting configurations, such as
unaligned transfers or missing options for 9pnet.

Thank you for your time and attention.

Best regards,

Wall
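For anyone triaging reports of this shape, the useful first step is to turn the pasted oops into structured data: which instruction faulted, in which function and file:line, what task and kernel build were running, which registers were zero, and whether the call chain runs back to a syscall entry. The parser below is an added example written for this page; it is not code from the reporter or from the kernel project. It handles the one awkwardness visible in the report above, namely that the mail client wrapped the `RIP` and `Call Trace` lines so the `file.c:line` location landed on the following line. The sample input is a constructed subset of the trace quoted in the report; the regexes and the `Oops`/`Frame` names are this example's own.

```python
"""Structured triage of an x86-64 kernel oops pasted into a mail report.

Mail clients wrap the long RIP and Call Trace lines, so the file:line
location often lands on the line after the symbol; unwrap() re-joins
those before the fault kind, task, kernel build, register state,
faulting (RIP) frames and call chain are extracted.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: core lines of the trace quoted in the report, with the
# e-mail wrapping kept (locations on their own line) to exercise unwrap().
SAMPLE_OOPS = """\
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 6915 Comm: syz.2.719 Not tainted 4.9.0+ #1
RIP: 0010:[<ffffffff82f4e3e6>] [<ffffffff82f4e3e6>]
netlbl_unlhsh_add_addr4 net/netlabel/netlabel_unlabeled.c:262 [inline]
RIP: 0010:[<ffffffff82f4e3e6>] [<ffffffff82f4e3e6>]
netlbl_unlhsh_add+0x8e6/0xf00 net/netlabel/netlabel_unlabeled.c:430
RAX: 000000000100007f RBX: 0000000000000004 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000202 RDI: 0000000000000000
Call Trace:
[<ffffffff82f4ed95>] netlbl_unlabel_staticadddef+0x395/0x460
net/netlabel/netlabel_unlabeled.c:980
[<ffffffff82912e84>] netlink_unicast_kernel
net/netlink/af_netlink.c:1231 [inline]
[<ffffffff82804dbd>] SyS_sendmsg+0x2d/0x50 net/socket.c:1995
[<ffffffff82f8f937>] entry_SYSCALL_64_fastpath+0x1a/0xa9
---[ end trace ec99797c85dd42d0 ]---
"""

LOC = r"(\S+\.[chS]:\d+)"                                   # path/file.c:NNN
SYM = r"([A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"   # name[+off/size]
# A wrapped continuation is a bare location or "symbol location", optionally [inline].
CONT_RE = re.compile(rf"^(?:{LOC}|{SYM}\s+{LOC})(?:\s+\[inline\])?$")
RIP_RE = re.compile(rf"^RIP:?\s+(?:[0-9a-f]{{4}}:)?\[<([0-9a-f]+)>\]\s+"
                    rf"(?:\[<[0-9a-f]+>\]\s+)?{SYM}\s+{LOC}(\s+\[inline\])?")
FRAME_RE = re.compile(rf"^\[<([0-9a-f]+)>\]\s+{SYM}(?:\s+{LOC})?(\s+\[inline\])?$")
FAULT_RE = re.compile(r"^(general protection fault: [0-9a-f]+|Oops: [0-9a-f]+)\s*\[#\d+\]")
CPU_RE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+) (Not tainted|Tainted: \S+) (\S+)")
REG_RE = re.compile(r"\b([A-Z0-9]{2,3}):\s*([0-9a-f]{16})\b")
END_RE = re.compile(r"^---\[ end trace ([0-9a-f]+) \]---")


@dataclass
class Frame:
    addr: str
    symbol: str
    location: Optional[str]
    inline: bool


@dataclass
class Oops:
    fault: str = ""
    kasan_hint: str = ""
    pid: int = 0
    comm: str = ""
    kernel: str = ""
    tainted: bool = False
    registers: Dict[str, int] = field(default_factory=dict)
    rip: List[Frame] = field(default_factory=list)     # faulting frames, innermost first
    frames: List[Frame] = field(default_factory=list)  # Call Trace, inner to outer
    trace_id: str = ""

    @property
    def faulting_symbol(self) -> str:
        return self.rip[0].symbol if self.rip else ""

    @property
    def entered_via_syscall(self) -> bool:
        # True when the chain reaches back to a syscall entry stub.
        return any(f.symbol.startswith(("SyS_", "SYSC_", "entry_SYSCALL"))
                   for f in self.frames)

    @property
    def zero_registers(self) -> List[str]:
        return sorted(r for r, v in self.registers.items() if v == 0)


def unwrap(text: str) -> List[str]:
    """Re-join a location (or 'symbol location') wrapped onto its own line."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if out and CONT_RE.match(line):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def parse_oops(text: str) -> Oops:
    oops, in_trace = Oops(), False
    for line in unwrap(text):
        if line.startswith("kasan: "):
            oops.kasan_hint = line[len("kasan: "):]
        elif FAULT_RE.match(line):
            oops.fault = FAULT_RE.match(line).group(1)
        elif CPU_RE.match(line):
            pid, comm, taint, kernel = CPU_RE.match(line).groups()
            oops.pid, oops.comm, oops.kernel = int(pid), comm, kernel
            oops.tainted = taint != "Not tainted"
        elif RIP_RE.match(line):
            a, s, loc, inl = RIP_RE.match(line).groups()
            fr = Frame(a, s, loc, inl is not None)
            if fr not in oops.rip:  # the RIP pair is printed twice in an oops
                oops.rip.append(fr)
        elif line == "Call Trace:":
            in_trace = True
        elif in_trace and FRAME_RE.match(line):
            a, s, loc, inl = FRAME_RE.match(line).groups()
            oops.frames.append(Frame(a, s, loc, inl is not None))
        elif END_RE.match(line):
            oops.trace_id = END_RE.match(line).group(1)
        else:  # register dump lines (RAX: ..., CR2: ..., GS:...)
            for reg, val in REG_RE.findall(line):
                oops.registers[reg] = int(val, 16)
    return oops


def summarize(oops: Oops) -> str:
    chain = " <- ".join(f.symbol + (" [inline]" if f.inline else "")
                        for f in oops.rip + oops.frames)
    where = oops.rip[0].location if oops.rip else "?"
    return (f"{oops.fault} in {oops.faulting_symbol} ({where}) pid={oops.pid} "
            f"comm={oops.comm} kernel={oops.kernel} "
            f"syscall_path={oops.entered_via_syscall} zero_regs={oops.zero_registers}\n"
            f"chain: {chain}")


if __name__ == "__main__":
    print(summarize(parse_oops(SAMPLE_OOPS)))
```

Running it prints one line per report that names the innermost faulting frame (`netlbl_unlhsh_add_addr4`, inlined into `netlbl_unlhsh_add` at `net/netlabel/netlabel_unlabeled.c:262`), the task and kernel build, and the registers that were zero, which is enough to deduplicate repeated syzkaller-style reports against each other and to decide whether the reporter's "root cause" paragraph matches what the trace actually shows (here the chain runs from `sendmsg` through generic netlink into NetLabel; the `tmpfs`/`9pnet` lines are unrelated boot noise and do not appear in it).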
