Message-ID: <CAKHoSAsyjaRewcXsoj+8vrRYG+92gb+SKPWT2cmFCq_wFPQr+Q@mail.gmail.com>
Date: Fri, 3 Jan 2025 16:25:03 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: linux-kernel@...r.kernel.org
Subject: "INFO: rcu detected stall in ip_list_rcv" in Linux kernel version 6.13.0-rc2
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 6.13.0-rc2. This issue was discovered using our
custom vulnerability discovery tool.
HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
Affected File: kernel/stacktrace.c
File: kernel/stacktrace.c
Function: stack_trace_consume_entry
Detailed Call Stack:
------------[ cut here begin]------------
RIP: 0010:stack_trace_consume_entry+0x0/0x170 kernel/stacktrace.c:83
Code: 75 0a e8 33 97 0f 00 e9 56 ff ff ff 49 c7 c4 ea ff ff ff eb d4
e8 c0 68 cf 02 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 <f3> 0f
1e fa 48 b8 00 00 00 00 00 fc ff df 55 53 48 89 fb 48 83 c7
RSP: 0018:ffff88811b208b20 EFLAGS: 00000282
RAX: ffffffffb5f8d175 RBX: ffff88811b208b28 RCX: ffffffffba3d6401
RDX: 1ffff11023641170 RSI: ffffffffb5f8d175 RDI: ffff88811b208bf8
RBP: ffff88811b208bc8 R08: ffffffffba3d6502 R09: ffff88811b208b68
R10: ffff88811b208b28 R11: 0000000000003767 R12: ffffffffb5b76480
R13: ffff88811b208bf8 R14: 0000000000000000 R15: ffff8881041ca200
arch_stack_walk+0x89/0x100 arch/x86/kernel/stacktrace.c:27
stack_trace_save+0x8f/0xc0 kernel/stacktrace.c:122
set_track_prepare+0x45/0x80 mm/kmemleak.c:641
__alloc_object+0xc2/0x1f0 mm/kmemleak.c:687
__create_object+0x1d/0x80 mm/kmemleak.c:759
kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
slab_post_alloc_hook mm/slub.c:4108 [inline]
slab_alloc_node mm/slub.c:4153 [inline]
kmem_cache_alloc_node_noprof+0x303/0x390 mm/slub.c:4205
kmalloc_reserve+0x15d/0x270 net/core/skbuff.c:587
pskb_expand_head+0x1fe/0x1160 net/core/skbuff.c:2275
__skb_unclone_keeptruesize+0x91/0x250 net/core/skbuff.c:2375
skb_unclone_keeptruesize include/linux/skbuff.h:1998 [inline]
tcp_trim_head+0x31c/0x580 net/ipv4/tcp_output.c:1732
tcp_tso_acked net/ipv4/tcp_input.c:3306 [inline]
tcp_clean_rtx_queue net/ipv4/tcp_input.c:3372 [inline]
tcp_ack+0x1b0b/0x4e50 net/ipv4/tcp_input.c:4032
tcp_rcv_established+0xdd6/0x1bf0 net/ipv4/tcp_input.c:6173
tcp_v4_do_rcv+0x58f/0x970 net/ipv4/tcp_ipv4.c:1916
tcp_v4_rcv+0x30cd/0x4050 net/ipv4/tcp_ipv4.c:2351
ip_protocol_deliver_rcu+0x6f/0xab0 net/ipv4/ip_input.c:205
ip_local_deliver_finish+0x290/0x380 net/ipv4/ip_input.c:233
NF_HOOK include/linux/netfilter.h:314 [inline]
NF_HOOK include/linux/netfilter.h:308 [inline]
ip_local_deliver+0x1aa/0x2f0 net/ipv4/ip_input.c:254
dst_input include/net/dst.h:460 [inline]
ip_sublist_rcv_finish+0x15f/0x1e0 net/ipv4/ip_input.c:578
ip_list_rcv_finish net/ipv4/ip_input.c:628 [inline]
ip_sublist_rcv+0x386/0x5a0 net/ipv4/ip_input.c:636
ip_list_rcv+0x2a8/0x3b0 net/ipv4/ip_input.c:670
__netif_receive_skb_list_ptype net/core/dev.c:5715 [inline]
__netif_receive_skb_list_core+0x673/0x860 net/core/dev.c:5762
__netif_receive_skb_list net/core/dev.c:5814 [inline]
netif_receive_skb_list_internal+0x620/0xb00 net/core/dev.c:5905
gro_normal_list include/net/gro.h:515 [inline]
gro_normal_one include/net/gro.h:528 [inline]
napi_skb_finish net/core/gro.c:605 [inline]
napi_gro_receive+0x74e/0x960 net/core/gro.c:635
e1000_receive_skb drivers/net/ethernet/intel/e1000/e1000_main.c:4012 [inline]
e1000_clean_rx_irq+0x4fe/0x10b0 drivers/net/ethernet/intel/e1000/e1000_main.c:4465
e1000_clean+0x8ba/0x22d0 drivers/net/ethernet/intel/e1000/e1000_main.c:3807
__napi_poll+0xab/0x590 net/core/dev.c:6883
napi_poll net/core/dev.c:6952 [inline]
net_rx_action+0x9c8/0xed0 net/core/dev.c:7074
handle_softirqs+0x1b8/0x5c0 kernel/softirq.c:561
__do_softirq kernel/softirq.c:595 [inline]
invoke_softirq kernel/softirq.c:435 [inline]
__irq_exit_rcu kernel/softirq.c:662 [inline]
irq_exit_rcu+0xaf/0xe0 kernel/softirq.c:678
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1049 [inline]
sysvec_apic_timer_interrupt+0x6c/0x80 arch/x86/kernel/apic/apic.c:1049
</IRQ>
<TASK>
------------[ cut here end]------------
Root Cause:
The kernel crash was triggered by a memory corruption issue detected
during the processing of a stack trace entry within the
stack_trace_consume_entry function in kernel/stacktrace.c. This
corruption likely stems from improper memory management or
synchronization flaws in the Kernel Memory Leak Detector (KMEMLEAK)
subsystem, specifically when handling network stack operations. During
the handling of TCP packets (tcp_rcv_established, tcp_ack, etc.),
KMEMLEAK attempted to allocate and track memory objects. However, due
to the corrupted memory state, stack_trace_consume_entry encountered
invalid or inconsistent stack trace data, leading to a kernel panic.
This failure disrupts the normal operation of memory tracking and leak
detection mechanisms, ultimately compromising system stability and
potentially allowing for undefined behavior or security
vulnerabilities.
Thank you for your time and attention.
Best regards
Wall