lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <CAJNGr6st-3Y3SKtrAxtKTBoH0fwTm5SV60rPxYSm9jVA5hNC+Q@mail.gmail.com>
Date: Wed, 14 May 2025 17:10:44 +0800
From: Guoyu Yin <y04609127@...il.com>
To: tj@...nel.org, jiangshanlai@...il.com, linux-kernel@...r.kernel.org
Subject: general protection fault in pwq_dec_nr_in_flight

Hi,

I discovered a kernel crash described as "general protection fault in
pwq_dec_nr_in_flight." The crash occurs in the workqueue subsystem,
specifically in the function pwq_dec_nr_in_flight
(kernel/workqueue.c:1994), due to accessing a non-canonical pointer,
resulting in a general protection fault.

According to the crash report, the faulty pointer is
0x0b249150ffff8809 (register R15), which is a non-canonical address.
KASAN, while checking this address, computed the shadow address (R15
>> 3 = 0x0164922a1ffff101) and triggered the fault when attempting to
access it. The offending instruction is cmpb $0x0,(%rax,%rbp,1), where
RAX = 0x0164922a1ffff101.

This indicates memory corruption in the workqueue structure (e.g., pwq
or worker->current_pwq), possibly due to use-after-free or buffer
overflow. The crash was triggered by a specific Syzkaller workload,
potentially involving interactions between the workqueue and other
subsystems (e.g., networking).

I suggest reviewing the workqueue code and related subsystems to
identify the source of the memory corruption. The full crash report is
attached to this email. Please feel free to contact me for additional
information or steps to reproduce.

This can be reproduced on:

HEAD commit:

38fec10eb60d687e30c8c6b5420d86e8149f7557

report:

console output : https://pastebin.com/raw/tqUrvZZs

kernel config : https://pastebin.com/raw/u0Efyj5P

C reproducer :
part1: https://pastebin.com/raw/w4GawVue
part2: https://pastebin.com/raw/Ux0XFRbF
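As an added illustration for readers triaging this kind of report (not part of the message above), a small C helper that reproduces the report's arithmetic: it checks that the R15 value is non-canonical under 48-bit x86-64 addressing and that its KASAN shadow index (the `addr >> 3` part) equals the value quoted in the report. It assumes 4-level paging (no LA57) and the x86_64 default KASAN_SHADOW_OFFSET of 0xdffffc0000000000; both are assumptions about the reporter's configuration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: the x86_64 default CONFIG_KASAN_SHADOW_OFFSET. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* With 4-level paging x86-64 virtual addresses are 48 bits wide: bits 63..47
 * must all be copies of bit 47. Any other value is non-canonical, and an
 * access through it raises #GP (a general protection fault) rather than a
 * page fault, which is the signature seen in the report. Assumes no LA57. */
static bool is_canonical_va48(uint64_t va)
{
    uint64_t top = va >> 47;            /* bits 63..47, 17 bits */
    return top == 0 || top == 0x1ffff;
}

/* Index part of the KASAN shadow lookup: addr >> 3. In the faulting
 * instruction cmpb $0x0,(%rax,%rbp,1) this is what RAX holds; the shadow
 * offset is supplied separately as the %rbp base register. */
static uint64_t kasan_shadow_index(uint64_t va)
{
    return va >> KASAN_SHADOW_SCALE_SHIFT;
}

/* Full shadow address as the kernel computes it: (addr >> 3) + offset. */
static uint64_t kasan_shadow_addr(uint64_t va)
{
    return kasan_shadow_index(va) + KASAN_SHADOW_OFFSET;
}

int main(void)
{
    /* Register value quoted in the crash report. */
    const uint64_t r15 = 0x0b249150ffff8809ULL;

    printf("R15            = 0x%016llx (canonical: %s)\n",
           (unsigned long long)r15, is_canonical_va48(r15) ? "yes" : "no");
    printf("R15 >> 3       = 0x%016llx (expected RAX from report)\n",
           (unsigned long long)kasan_shadow_index(r15));
    printf("shadow address = 0x%016llx\n",
           (unsigned long long)kasan_shadow_addr(r15));
    return 0;
}
```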
