| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20250406032819.65634-1-kuniyu@amazon.com>
Date: Sat, 5 Apr 2025 20:28:06 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <guohui.study@...il.com>
CC: <davem@...emloft.net>, <dsahern@...nel.org>, <edumazet@...gle.com>,
<horms@...nel.org>, <kuba@...nel.org>, <kuniyu@...zon.com>,
<linux-kernel@...r.kernel.org>, <netdev@...r.kernel.org>,
<pabeni@...hat.com>, <syzkaller-bugs@...glegroups.com>, <willemb@...gle.com>
Subject: Re: general protection fault in addrconf_add_ifaddr
From: Hui Guo <guohui.study@...il.com>
Date: Sun, 6 Apr 2025 10:31:00 +0800
> Hi Kernel Maintainers,
> we found a crash "general protection fault in addrconf_add_ifaddr" (it
> is a KASAN and makes the kernel reboot) in upstream, we also have
> successfully reproduced it manually:
>
> HEAD Commit: 9f867ba24d3665d9ac9d9ef1f51844eb4479b291
> kernel config: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/.config
>
> console output:
> https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.log
> repro report: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.report
> syz reproducer:
> https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.prog
> c reproducer: https://raw.githubusercontent.com/androidAppGuard/KernelBugs/refs/heads/main/9f867ba24d3665d9ac9d9ef1f51844eb4479b291/b4f94e7f408c53ff0bac07a7b69ecfe48ab5575d/repro.cprog
>
> Please let me know if there is anything I can help with.
> Best,
> Hui Guo
>
> This is the crash log I got by reproducing the bug based on the above
> environment,
> I have piped this log through decode_stacktrace.sh to better
> understand the cause of the bug.
[...]
> [ 90.201985][T12032] Oops: general protection fault, probably for
> non-canonical address 0xdffffc0000000198: 0000 [#1] SMP KASAN NOPTI
> [ 90.204525][T12032] KASAN: null-ptr-deref in range
> [0x0000000000000cc0-0x0000000000000cc7]
> [ 90.206275][T12032] CPU: 3 UID: 0 PID: 12032 Comm: syz.0.15 Not
> tainted 6.14.0-13408-g9f867ba24d36 #1 PREEMPT(full)
> [ 90.208522][T12032] Hardware name: QEMU Standard PC (i440FX + PIIX,
> 1996), BIOS 1.15.0-1 04/01/2014
> [90.210452][T12032] RIP: 0010:addrconf_add_ifaddr
> (/data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:30
> /data/ghui/docker_data/linux_kernel/upstream/linux/./include/net/netdev_lock.h:41
> /data/ghui/docker_data/linux_kernel/upstream/linux/net/ipv6/addrconf.c:3157)
Thanks for the report.
netdev_lock_ops() needs to be moved:
---8<---
diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c
index c3b908fccbc1..9c52ed23ff23 100644
--- a/net/ipv6/addrconf.c
+++ b/net/ipv6/addrconf.c
@@ -3154,12 +3154,13 @@ int addrconf_add_ifaddr(struct net *net, void __user *arg)
rtnl_net_lock(net);
dev = __dev_get_by_index(net, ireq.ifr6_ifindex);
- netdev_lock_ops(dev);
- if (dev)
+ if (dev) {
+ netdev_lock_ops(dev);
err = inet6_addr_add(net, dev, &cfg, 0, 0, NULL);
- else
+ netdev_unlock_ops(dev);
+ } else {
err = -ENODEV;
- netdev_unlock_ops(dev);
+ }
rtnl_net_unlock(net);
return err;
}
---8<---
Powered by blists - more mailing lists