Message-ID: <20260113160436.GMaWZtFMWnrjERYYQH@fat_crate.local>
Date: Tue, 13 Jan 2026 17:04:36 +0100
From: Borislav Petkov <bp@...en8.de>
To: Mario Limonciello <mario.limonciello@....com>
Cc: Marek Marczykowski-Górecki <marmarek@...isiblethingslab.com>,
	Yazen Ghannam <yazen.ghannam@....com>,
	"maintainer:X86 ARCHITECTURE (32-BIT AND 64-BIT)" <x86@...nel.org>,
	"open list:AMD NODE DRIVER" <linux-kernel@...r.kernel.org>,
	regressions@...ts.linux.dev
Subject: Re: kernel NULL pointer dereference in
 quirk_clear_strap_no_soft_reset_dev2_f0 -> amd_smn_read

On Mon, Jan 12, 2026 at 08:47:50PM -0600, Mario Limonciello wrote:
> Is this perhaps a case that only the USB controller was passed through but
> that the root controller wasn't?  That would lead to a case that
> amd_smn_init() was never called and thus amd_roots was not initialized
> properly.
> 
> So it would be a NULL pointer deref.

Yah, looks like a NULL ptr:

   0:   05 bd 44 b8 01          add    $0x1b844bd,%eax
   5:   66 0f af 05 2d 44 b8    imul   0x1b8442d(%rip),%ax        # 0x1b8443a
   c:   01 
   d:   41 57                   push   %r15
   f:   41 56                   push   %r14
  11:   41 55                   push   %r13
  13:   41 54                   push   %r12
  15:   55                      push   %rbp
  16:   53                      push   %rbx


  17:   66 39 c2                cmp    %ax,%dx
  1a:   0f 83 c0 00 00 00       jae    0xe0

That's 

        if (node >= amd_num_nodes())
                return err;


  20:   48 8b 05 c3 61 d7 02    mov    0x2d761c3(%rip),%rax        # 0x2d761ea

That's fetching amd_roots. Which is 0, see RAX below.

  27:   0f b7 d2                movzwl %dx,%edx

Zero-extending the "node" var.

  2a:*  4c 8b 34 d0             mov    (%rax,%rdx,8),%r14               <-- trapping instruction

Get the root ptr.

Boom.

> >      [    0.302571] pci 0000:00:08.0: quirk_usb_early_handoff+0x0/0x180 took 16590 usecs
> >      [    0.303172] BUG: kernel NULL pointer dereference, address: 0000000000000000
> >      [    0.303189] #PF: supervisor read access in kernel mode
> >      [    0.303202] #PF: error_code(0x0000) - not-present page
> >      [    0.303216] PGD 0 P4D 0
> >      [    0.303225] Oops: Oops: 0000 [#1] SMP NOPTI
> >      [    0.303236] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Not tainted 6.17.9-1.qubes.fc41.x86_64 #1 PREEMPT(full)
> >      [    0.303258] Hardware name: Xen HVM domU, BIOS 4.19.3 08/26/2025
> >      [    0.303273] RIP: 0010:__amd_smn_rw+0x30/0x100
> >      [    0.303288] Code: 05 bd 44 b8 01 66 0f af 05 2d 44 b8 01 41 57 41 56 41 55 41 54 55 53 66 39 c2 0f 83 c0 00 00 00 48 8b 05 c3 61 d7 02 0f b7 d2 <4c> 8b 34 d0 4d 85 f6 0f 84 a9 00 00 00 80 3d a4 61 d7 02 00 0f 84
> >      [    0.303327] RSP: 0018:ffffcdd30001fd68 EFLAGS: 00010297
> >      [    0.303341] RAX: 0000000000000000 RBX: ffffcdd30001fdb4 RCX: 0000000010136008
> >      [    0.303359] RDX: 0000000000000000 RSI: 0000000000000064 RDI: 0000000000000060

-- 
Regards/Gruss,
    Boris.

https://people.kernel.org/tglx/notes-about-netiquette
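The failure path Boris traces above (bounds check on node, load of the amd_roots table pointer, indexed load that faults because the table pointer is 0) can be modelled in user space. The following is an added example, not code from the kernel or from this thread: struct pci_dev is a stand-in, num_nodes, amd_smn_init_model(), amd_smn_reset_model() and the two smn_root_lookup_*() functions are hypothetical names, and the "checked" variant shows one way to guard the table pointer itself, which is not the fix discussed here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

#define ENODEV 19

/* Constructed stand-in for struct pci_dev; only identity matters here. */
struct pci_dev {
	uint16_t devfn;
};

/* Hypothetical model of the per-node root table: a pointer to a
 * dynamically allocated table that stays NULL until init has run. */
static struct pci_dev **amd_roots;

/* Assumption for the model: the node count is known even when init
 * never ran, so the index check alone passes for node 0. */
static uint16_t num_nodes = 1;

static uint16_t amd_num_nodes(void)
{
	return num_nodes;
}

/* Lookup with the control flow the disassembly shows: index check,
 * fetch amd_roots, index it, then check the entry. If amd_roots is
 * NULL the indexed load reads address node * 8, i.e. it faults at 0
 * for node 0. Only safe to call after amd_smn_init_model(). */
static int smn_root_lookup_unchecked(uint16_t node, struct pci_dev **out)
{
	struct pci_dev *root;
	int err = -ENODEV;

	if (node >= amd_num_nodes())
		return err;

	root = amd_roots[node];	/* faults when amd_roots == NULL */
	if (!root)
		return err;

	*out = root;
	return 0;
}

/* Hardened lookup: the entry check alone does not help when the table
 * pointer is NULL, so verify the table exists before indexing it. */
static int smn_root_lookup_checked(uint16_t node, struct pci_dev **out)
{
	struct pci_dev *root;
	int err = -ENODEV;

	if (node >= amd_num_nodes())
		return err;

	if (!amd_roots)		/* init never ran, e.g. root device not visible */
		return err;

	root = amd_roots[node];
	if (!root)
		return err;

	*out = root;
	return 0;
}

/* Hypothetical init: allocate the table and populate node 0 only. */
static struct pci_dev root0 = { .devfn = 0 };

static int amd_smn_init_model(void)
{
	amd_roots = calloc(num_nodes, sizeof(*amd_roots));
	if (!amd_roots)
		return -1;
	amd_roots[0] = &root0;
	return 0;
}

/* Return the model to the "init never ran" state. */
static void amd_smn_reset_model(void)
{
	free(amd_roots);
	amd_roots = NULL;
}

int main(void)
{
	struct pci_dev *dev = NULL;

	/* Before init: the checked lookup fails cleanly instead of faulting. */
	if (smn_root_lookup_checked(0, &dev) != -ENODEV)
		return 1;
	if (amd_smn_init_model() != 0)
		return 1;
	/* After init both lookups resolve node 0. */
	if (smn_root_lookup_unchecked(0, &dev) != 0 || dev != &root0)
		return 1;
	amd_smn_reset_model();
	return 0;
}
```

Running the unchecked lookup before init reproduces the shape of the Oops (RAX = 0 for the table, RDX = 0 for the node, fault at address 0); the checked lookup returns -ENODEV in that state and behaves identically once the table exists.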
