Message-ID: <4308c0dd-2c42-4792-8264-4109913fc443@kernel.dk>
Date: Fri, 3 Jan 2025 08:24:55 -0700
From: Jens Axboe <axboe@...nel.dk>
To: cheung wall <zzqq0103.hey@...il.com>
Cc: linux-block@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: "WARNING in del_gendisk" in Linux kernel version 5.15.169

On 1/3/25 12:46 AM, cheung wall wrote:
> Hello,
>
> I am writing to report a potential vulnerability identified in the
> Linux Kernel version 5.15.169. This issue was discovered using our
> custom vulnerability discovery tool.
>
> Affected File: block/genhd.c
>
> File: block/genhd.c
>
> Function: del_gendisk
>
> Detailed Call Stack:
>
> ------------[ cut here begin]------------
>
> RIP: 0010:del_gendisk+0x63b/0x830 block/genhd.c:586
> Code: 3c 03 0f 8e df 01 00 00 8b ab a0 00 00 00 31 ff 81 e5 00 04 00
> 00 89 ee e8 82 fe 54 ff 85 ed 0f 85 a8 fa ff ff e8 d5 fb 54 ff <0f> 0b
> e9 71 ff ff ff e8 c9 fb 54 ff 48 8b 14 24 48 b8 00 00 00 00
> netlink: 'syz.4.3926': attribute type 4 has an invalid length.
> RSP: 0018:ffff888113ff7df8 EFLAGS: 00010216
> RAX: 000000000000008c RBX: ffff88810af7c800 RCX: ffffc9000749c000
> RDX: 0000000000040000 RSI: ffffffff81ed737b RDI: 0000000000000005
> RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888113ff7dbf
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810af7c8a0
> R13: ffff88810b351400 R14: ffff88810b351000 R15: ffff88810a70b1c0
> FS: 00007f620e2b66c0(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000000 CR3: 00000001090f6000 CR4: 0000000000350ee0
> Call Trace:
> <TASK>
> loop_remove+0x39/0xf0 drivers/block/loop.c:2452
> loop_control_remove drivers/block/loop.c:2509 [inline]
> loop_control_ioctl+0x44d/0x4d0 drivers/block/loop.c:2547
> vfs_ioctl fs/ioctl.c:51 [inline]
> __do_sys_ioctl fs/ioctl.c:874 [inline]
> __se_sys_ioctl fs/ioctl.c:860 [inline]
> __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:860
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x6c/0xd6
> RIP: 0033:0x7f620f6e89c9
> Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48
> 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007f620e2b6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007f620f904f80 RCX: 00007f620f6e89c9
> RDX: 0000000020002540 RSI: 0000000000004c81 RDI: 0000000000000003
> RBP: 00007f620f7951b6 R08: 0000000000000000 R09: 0000000000000000
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
> R13: 0000000000000000 R14: 00007f620f904f80 R15: 00007ffe5d3a2638
> </TASK>
> irq event stamp: 553
> hardirqs last enabled at (559): [<ffffffff812b32ca>]
> console_trylock_spinning kernel/printk/printk.c:1891 [inline]
> hardirqs last enabled at (559): [<ffffffff812b32ca>]
> vprintk_emit+0x3da/0x420 kernel/printk/printk.c:2273
> hardirqs last disabled at (710): [<ffffffff812acf9d>]
> __up_console_sem+0x5d/0x80 kernel/printk/printk.c:255
> softirqs last enabled at (244): [<ffffffff81166c99>] __do_softirq
> kernel/softirq.c:592 [inline]
> softirqs last enabled at (244): [<ffffffff81166c99>] invoke_softirq
> kernel/softirq.c:432 [inline]
> softirqs last enabled at (244): [<ffffffff81166c99>] __irq_exit_rcu
> kernel/softirq.c:641 [inline]
> softirqs last enabled at (244): [<ffffffff81166c99>]
> irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
> softirqs last disabled at (187): [<ffffffff81166c99>] __do_softirq
> kernel/softirq.c:592 [inline]
> softirqs last disabled at (187): [<ffffffff81166c99>] invoke_softirq
> kernel/softirq.c:432 [inline]
> softirqs last disabled at (187): [<ffffffff81166c99>] __irq_exit_rcu
> kernel/softirq.c:641 [inline]
> softirqs last disabled at (187): [<ffffffff81166c99>]
> irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
>
> ------------[ cut here end]------------
>
> Root Cause:
>
> The kernel crash is triggered by the del_gendisk function within the
> block/genhd.c file at line 586. The root cause appears to be an
> improperly formatted netlink message, specifically an attribute of
> type 4 that has an invalid length. This malformed netlink message is
> processed by the loop device driver (drivers/block/loop.c),
> particularly during the removal of a loop device (loop_remove and
> loop_control_remove functions). The invalid attribute leads to
> incorrect handling within the loop device's ioctl operations
> (loop_control_ioctl), ultimately causing del_gendisk to malfunction.
> This sequence results in a kernel oops, crashing the system. The issue
> likely stems from the loop device driver not adequately validating the
> length of netlink message attributes before processing them, allowing
> malformed data to disrupt kernel operations.

What kind of nonsense is this? It reads very much like it was
auto-generated, it definitely did not have a real human try and
understand what could possibly be going on here.

If this is the level of effort put into your "custom vulnerability
discovery" tool, then please just don't bother.

-- 
Jens Axboe