Message-ID: <CAKHoSAsdOYRU2BzqyURmfsKqaCLGXnsXGZ=kj+zkt5wjYVAg0g@mail.gmail.com>
Date: Fri, 3 Jan 2025 15:46:43 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: Jens Axboe <axboe@...nel.dk>
Cc: linux-block@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: "WARNING in del_gendisk" in Linux kernel version 5.15.169
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 5.15.169. This issue was discovered using our
custom vulnerability discovery tool.
Affected File: block/genhd.c
Function: del_gendisk
Detailed Call Stack:
------------[ cut here begin]------------
RIP: 0010:del_gendisk+0x63b/0x830 block/genhd.c:586
Code: 3c 03 0f 8e df 01 00 00 8b ab a0 00 00 00 31 ff 81 e5 00 04 00 00 89 ee e8 82 fe 54 ff 85 ed 0f 85 a8 fa ff ff e8 d5 fb 54 ff <0f> 0b e9 71 ff ff ff e8 c9 fb 54 ff 48 8b 14 24 48 b8 00 00 00 00
netlink: 'syz.4.3926': attribute type 4 has an invalid length.
RSP: 0018:ffff888113ff7df8 EFLAGS: 00010216
RAX: 000000000000008c RBX: ffff88810af7c800 RCX: ffffc9000749c000
RDX: 0000000000040000 RSI: ffffffff81ed737b RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888113ff7dbf
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810af7c8a0
R13: ffff88810b351400 R14: ffff88810b351000 R15: ffff88810a70b1c0
FS: 00007f620e2b66c0(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001090f6000 CR4: 0000000000350ee0
Call Trace:
<TASK>
loop_remove+0x39/0xf0 drivers/block/loop.c:2452
loop_control_remove drivers/block/loop.c:2509 [inline]
loop_control_ioctl+0x44d/0x4d0 drivers/block/loop.c:2547
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:874 [inline]
__se_sys_ioctl fs/ioctl.c:860 [inline]
__x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:860
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6c/0xd6
RIP: 0033:0x7f620f6e89c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f620e2b6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f620f904f80 RCX: 00007f620f6e89c9
RDX: 0000000020002540 RSI: 0000000000004c81 RDI: 0000000000000003
RBP: 00007f620f7951b6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f620f904f80 R15: 00007ffe5d3a2638
</TASK>
irq event stamp: 553
hardirqs last enabled at (559): [<ffffffff812b32ca>] console_trylock_spinning kernel/printk/printk.c:1891 [inline]
hardirqs last enabled at (559): [<ffffffff812b32ca>] vprintk_emit+0x3da/0x420 kernel/printk/printk.c:2273
hardirqs last disabled at (710): [<ffffffff812acf9d>] __up_console_sem+0x5d/0x80 kernel/printk/printk.c:255
softirqs last enabled at (244): [<ffffffff81166c99>] __do_softirq kernel/softirq.c:592 [inline]
softirqs last enabled at (244): [<ffffffff81166c99>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last enabled at (244): [<ffffffff81166c99>] __irq_exit_rcu kernel/softirq.c:641 [inline]
softirqs last enabled at (244): [<ffffffff81166c99>] irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
softirqs last disabled at (187): [<ffffffff81166c99>] __do_softirq kernel/softirq.c:592 [inline]
softirqs last disabled at (187): [<ffffffff81166c99>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (187): [<ffffffff81166c99>] __irq_exit_rcu kernel/softirq.c:641 [inline]
softirqs last disabled at (187): [<ffffffff81166c99>] irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
------------[ cut here end]------------
Root Cause:
The kernel crash is triggered by the del_gendisk function within the
block/genhd.c file at line 586. The root cause appears to be an
improperly formatted netlink message, specifically an attribute of
type 4 that has an invalid length. This malformed netlink message is
processed by the loop device driver (drivers/block/loop.c),
particularly during the removal of a loop device (loop_remove and
loop_control_remove functions). The invalid attribute leads to
incorrect handling within the loop device's ioctl operations
(loop_control_ioctl), ultimately causing del_gendisk to malfunction.
This sequence results in a kernel oops, crashing the system. The issue
likely stems from the loop device driver not adequately validating the
length of netlink message attributes before processing them, allowing
malformed data to disrupt kernel operations.
Thank you for your time and attention.
Best regards
Wall
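Added triage helper (not part of the report above and not kernel code): the user-space register frame that follows the "RIP: 0033:" line in the trace records the syscall the faulting task issued. On x86_64, ORIG_RAX is the syscall number (16 = ioctl), RDI/RSI/RDX are its first three arguments, and an ioctl request number is an _IOC-encoded value (nr in bits 0-7, type in bits 8-15, size in bits 16-29, direction in bits 30-31). The program below parses the three register lines copied from the report, decodes RSI, and names it against the LOOP_CTL_* values from include/uapi/linux/loop.h (defined locally so it builds without the header), so the ioctl can be matched against loop_control_ioctl in the call trace. The x86_64 ABI and the constant values are assumptions stated in the comments.

```c
/* Added example, not from the original report: decode the user-space
 * register dump of a kernel trace into the syscall and ioctl request it
 * represents. Assumes the x86_64 syscall ABI (ORIG_RAX = syscall number,
 * RDI/RSI/RDX = arguments 0..2). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NR_IOCTL_X86_64 16UL /* __NR_ioctl on x86_64 */

/* Loop-control request numbers, values as in include/uapi/linux/loop.h. */
#define LOOP_CTL_ADD      0x4C80UL
#define LOOP_CTL_REMOVE   0x4C81UL
#define LOOP_CTL_GET_FREE 0x4C82UL

struct syscall_regs {
    unsigned long nr;   /* ORIG_RAX */
    unsigned long arg0; /* RDI */
    unsigned long arg1; /* RSI */
    unsigned long arg2; /* RDX */
};

/* Read the hex value that follows a register label such as "RDI:". */
static int read_reg(const char *dump, const char *label, unsigned long *out)
{
    const char *p = strstr(dump, label);
    if (!p)
        return -1;
    *out = strtoul(p + strlen(label), NULL, 16);
    return 0;
}

/* Extract syscall number and first three arguments from the dump text. */
int parse_syscall_regs(const char *dump, struct syscall_regs *r)
{
    if (read_reg(dump, "ORIG_RAX:", &r->nr) || read_reg(dump, "RDI:", &r->arg0) ||
        read_reg(dump, "RSI:", &r->arg1) || read_reg(dump, "RDX:", &r->arg2))
        return -1;
    return 0;
}

/* _IOC field layout: bits 0-7 nr, 8-15 type, 16-29 size, 30-31 direction. */
struct ioc_fields { unsigned dir, size, type, nr; };

struct ioc_fields ioc_decode(unsigned long req)
{
    struct ioc_fields f;
    f.nr   = req & 0xff;
    f.type = (req >> 8) & 0xff;
    f.size = (req >> 16) & 0x3fff;
    f.dir  = (req >> 30) & 0x3;
    return f;
}

/* Name a /dev/loop-control request, or NULL if it is not one. */
const char *loop_ctl_name(unsigned long req)
{
    switch (req) {
    case LOOP_CTL_ADD:      return "LOOP_CTL_ADD";
    case LOOP_CTL_REMOVE:   return "LOOP_CTL_REMOVE";
    case LOOP_CTL_GET_FREE: return "LOOP_CTL_GET_FREE";
    default:                return NULL;
    }
}

/* Register lines copied verbatim from the report's user-space frame. */
static const char *report_dump =
    "RSP: 002b:00007f620e2b6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n"
    "RAX: ffffffffffffffda RBX: 00007f620f904f80 RCX: 00007f620f6e89c9\n"
    "RDX: 0000000020002540 RSI: 0000000000004c81 RDI: 0000000000000003\n";

int main(void)
{
    struct syscall_regs r;
    if (parse_syscall_regs(report_dump, &r) || r.nr != NR_IOCTL_X86_64) {
        fprintf(stderr, "not an x86_64 ioctl frame\n");
        return 1;
    }
    struct ioc_fields f = ioc_decode(r.arg1);
    const char *name = loop_ctl_name(r.arg1);
    printf("ioctl(fd=%lu, req=0x%lx [type '%c' nr 0x%x size %u dir %u] %s, arg=0x%lx)\n",
           r.arg0, r.arg1, f.type, f.nr, f.size, f.dir, name ? name : "?", r.arg2);
    return 0;
}
```

For the frame in this report the decoder yields ioctl on fd 3 with request 0x4c81 (type 'L', nr 0x81, no size, no direction), i.e. LOOP_CTL_REMOVE, and RDX carries the loop index argument; that is the loop_control_ioctl -> loop_control_remove -> loop_remove -> del_gendisk path shown in the call trace.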