Message-ID: <20250406032819.65634-1-kuniyu@amazon.com>
Date: Sat, 5 Apr 2025 20:28:06 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <guohui.study@...il.com>
CC: <davem@...emloft.net>, <dsahern@...nel.org>, <edumazet@...gle.com>,
	<horms@...nel.org>, <kuba@...nel.org>, <kuniyu@...zon.com>,
	<linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
	<pabeni@...hat.com>, <syzkaller-bugs@...glegroups.com>, <willemb@...gle.com>
Subject: Re: general protection fault in addrconf_add_ifaddr

From: Hui Guo <guohui.study@...il.com>
Date: Sun, 6 Apr 2025 10:31:00 +0800
> Hi Kernel Maintainers,
> we found a crash "general protection fault in addrconf_add_ifaddr" (it
> is a KASAN and makes the kernel reboot) in upstream, we also have
> successfully reproduced it manually:
> 
> HEAD Commit: 9f867ba24d3665d9ac9d9ef1f51844eb4479b291
> kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/.config
> 
> console output:
> https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.log
> repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.report
> syz reproducer:
> https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.prog
> c reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.cprog
> 
> Please let me know if there is anything I can help with.
> Best,
> Hui Guo
> 
> This is the crash log I got by reproducing the bug based on the above
> environment,
> I have piped this log through decode_stacktrace.sh to better
> understand the cause of the bug.
[...]
> [ 90.201985][T12032] Oops: general protection fault, probably for
> non-canonical address 0xdffffc0000000198: 0000 [#1] SMP KASAN NOPTI
> [ 90.204525][T12032] KASAN: null-ptr-deref in range
> [0x0000000000000cc0-0x0000000000000cc7]
> [ 90.206275][T12032] CPU: 3 UID: 0 PID: 12032 Comm: syz.0.15 Not
> tainted 6.14.0-13408-g9f867ba24d36 #1 PREEMPT(full)
> [ 90.208522][T12032] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.15.0-1 04/01/2014
> [90.210452][T12032] RIP: 0010:addrconf_add_ifaddr
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:30
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:41
> /data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/addrconf.c:3157)

Thanks for the report.

netdev_lock_ops() needs to be moved:

---8<---
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index c3b908fccbc1..9c52ed23ff23 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3154,12 +3154,13 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg)
 
 	rtnl_net_lock(net);
 	dev = __dev_get_by_index(net, ireq.ifr6_ifindex);
-	netdev_lock_ops(dev);
-	if (dev)
+	if (dev) {
+		netdev_lock_ops(dev);
 		err = inet6_addr_add(net, dev, &cfg, 0, 0, NULL);
-	else
+		netdev_unlock_ops(dev);
+	} else {
 		err = -ENODEV;
-	netdev_unlock_ops(dev);
+	}
 	rtnl_net_unlock(net);
 	return err;
 }
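Review bot: the inline patch carries no changelog, Fixes: tag or Signed-off-by, so a formal submission should add them and name the commit that placed netdev_lock_ops(dev) ahead of the NULL check in addrconf_add_ifaddr(). The reordering itself is consistent with the report: the `else` branch returning -ENODEV shows that __dev_get_by_index() can return NULL for the user-supplied ireq.ifr6_ifindex, and the removed lines passed that NULL to netdev_lock_ops() and netdev_unlock_ops() outside the `if (dev)` test, which matches the RIP in netdev_lock.h reached from addrconf.c:3157. With the lock and unlock now both inside the `if (dev) {` block the pair stays balanced on every path. It is also worth checking any other caller that follows __dev_get_by_index() with netdev_lock_ops() for the same ordering.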
---8<---
