| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <451f45a0-4db4-40a7-ba22-d2a7dd1a1c7d@redhat.com> Date: Mon, 26 May 2025 12:48:40 +0200 From: Paolo Abeni <pabeni@...hat.com> To: John <john.cs.hey@...il.com>, "David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>, Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org> Cc: Simon Horman <horms@...nel.org>, netdev@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [Bug] "WARNING in corrupted" in Linux Kernel v6.15-rc5 On 5/26/25 9:11 AM, John wrote: > I am writing to report a potential vulnerability I encountered during > testing of the Linux Kernel version v6.15-rc5. > > Git Commit: 92a09c47464d040866cf2b4cd052bc60555185fb (tag: v6.15-rc5) > > Bug Location: 20628 at net/ipv4/ipmr.c:440 ipmr_free_table > net/ipv4/ipmr.c:440 [inline] > > Bug report: https://hastebin.com/share/idudaveten.yaml > > Complete log: https://hastebin.com/share/ojonatucos.perl > > Entire kernel config: https://hastebin.com/share/padecilimo.ini > > Root Cause Analysis: > A kernel warning is triggered during the execution of > ipmr_rules_exit() at line 440 of net/ipv4/ipmr.c, when attempting to > free a multicast routing (mr) table that may have already been > released or was never correctly initialized. > This function is called as part of the ipmr_net_exit_batch() logic > when a network namespace is being torn down (copy_net_ns() → > create_new_namespaces() → unshare() syscall). > The crash is accompanied by a FAULT_INJECTION trace involving > copy_from_user_iter, suggesting this might be a fuzzing-induced fault > where the data passed via netlink_sendmsg() is malformed. > However, the primary issue lies in ipmr_free_table() dereferencing a > potentially invalid pointer—either due to a race condition during > namespace teardown or improper error handling during netns > initialization. > > At present, I have not yet obtained a minimal reproducer for this > issue. However, I am actively working on reproducing it, and I will > promptly share any additional findings or a working reproducer as soon > as it becomes available. > > Thank you very much for your time and attention to this matter. I > truly appreciate the efforts of the Linux kernel community. Should be fixed by commit c46286fdd6aa, which landed in 6.15 /P
Powered by blists - more mailing lists