| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAOU40uA0EXVrZMLA76DErFjT4Op5_JUse_Sv=ncX+dgemiGFTg@mail.gmail.com> Date: Fri, 16 May 2025 15:18:32 +0800 From: Harriet W <wangxianying546@...il.com> To: davem@...emloft.net Cc: edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: [BUG] general protection fault in ipv6_renew_options Hi, When I test the Linux kernel (commit 0c3836482481200ead7b416ca80c68a29cfdaabd), I encountered a kernel panic issue related to improper protocol family handling in socket operations, specifically in the sock_kmalloc()function (net/core/sock.c:2686). The issue is that the sendmsg() call interprets the accepted TCPv6 socket as a TIPC socket, and the kernel proceeds without validating the socket's protocol family, leading to access of uninitialized sk_prot fields.This leads to a null-ptr dereference in sock_kmalloc(). This crash can be triggered by executing the C reproducer for multiple times.The full crash report is attached to this email. Please feel free to contact me for additional information or steps to reproduce. This can be reproduced on: HEAD commit: 0c3836482481200ead7b416ca80c68a29cfdaabd report: https://pastebin.com/raw/Fh27JF8p console output : https://pastebin.com/raw/46Gj5gPm kernel config : https://pastebin.com/raw/cdj4sjkD C reproducer : https://pastebin.com/raw/R5AQ1PG4
Powered by blists - more mailing lists