lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <CACT4Y+ZffGEj=V_grytXCHfUgF4saV_rj5JwuiFTjCus9Ur1gg@mail.gmail.com>
Date:   Thu, 8 Dec 2016 12:14:58 +0100
From:   Dmitry Vyukov <dvyukov@...gle.com>
To:     David Miller <davem@...emloft.net>,
        Matti Vaittinen <matti.vaittinen@...ia.com>,
        Tycho Andersen <tycho.andersen@...onical.com>,
        stephen hemminger <stephen@...workplumber.org>,
        Cong Wang <xiyou.wangcong@...il.com>,
        Florian Westphal <fw@...len.de>,
        netdev <netdev@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>,
        Eric Dumazet <edumazet@...gle.com>
Cc:     syzkaller <syzkaller@...glegroups.com>
Subject: netlink: GPF in netlink_dump

Hello,

The following program triggers GPF in netlink_dump:

// autogenerated by syzkaller (http://github.com/google/syzkaller)
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/uio.h>

int main()
{
  syscall(__NR_mmap, 0x20000000ul, 0xd25000ul, 0x3ul, 0x32ul, -1, 0);
  int fd = syscall(__NR_socket, 0x10ul, 0x3ul, 0x10ul);
  struct iovec iov;
  iov.iov_base = "\x16\x00\x00\x00\x23\x00\x19\x07\x00\x00\x00\x46"
                    "\xf1\xff\xff\xe8\x03\x00\x04\xff\xff\x75";
  iov.iov_len = 22;
  syscall(__NR_writev, fd, &iov, 1);
  return 0;
}


kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
Modules linked in:
CPU: 0 PID: 6913 Comm: a.out Not tainted 4.9.0-rc7+ #76
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
task: ffff88006716a840 task.stack: ffff880063a38000
RIP: 0010:[<ffffffff81567f65>]  [<ffffffff81567f65>]
__lock_acquire+0xb35/0x3380 kernel/locking/lockdep.c:3221
RSP: 0018:ffff880063a3e578  EFLAGS: 00010006
RAX: dffffc0000000000 RBX: dffffc0000000000 RCX: 0000000000000000
RDX: 000000000000000c RSI: 0000000000000000 RDI: 1ffff1000c747d09
RBP: ffff880063a3eab0 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000060 R11: 0000000000000000 R12: ffff88006716a840
R13: 0000000000000001 R14: ffffffff8baba1a0 R15: 0000000000000001
FS:  000000000082a880(0000) GS:ffff88003ec00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000004b20e0 CR3: 000000003dd5d000 CR4: 00000000000006f0
Stack:
 ffff88006716b060 ffff880063a3e5f0 ffff88006716b088 0000000041b58ab3
 ffffffff894ee650 ffffffff81562600 ffff88006716b058 ffff880063a3e930
 00000000894d005b 1ffff1000c747cbe 0000000100000000 ffffffff81557640
Call Trace:
 [<ffffffff8156b682>] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3746
 [<     inline     >] __mutex_lock_common kernel/locking/mutex.c:521
 [<ffffffff88193a3f>] mutex_lock_nested+0x23f/0xf20 kernel/locking/mutex.c:621
 [<ffffffff86cb2228>] netlink_dump+0xd8/0xd70 net/netlink/af_netlink.c:2067
 [<ffffffff86cb6e8a>] __netlink_dump_start+0x4ea/0x760
net/netlink/af_netlink.c:2200
 [<ffffffff86cc12e7>] genl_family_rcv_msg+0xa77/0x1070
net/netlink/genetlink.c:597
 [<ffffffff86cc1a90>] genl_rcv_msg+0x1b0/0x260 net/netlink/genetlink.c:660
 [<ffffffff86cbf66c>] netlink_rcv_skb+0x2bc/0x3a0 net/netlink/af_netlink.c:2281
 [<ffffffff86cc085d>] genl_rcv+0x2d/0x40 net/netlink/genetlink.c:671
 [<     inline     >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
 [<ffffffff86cbde8a>] netlink_unicast+0x51a/0x740 net/netlink/af_netlink.c:1240
 [<ffffffff86cbeb54>] netlink_sendmsg+0xaa4/0xe50 net/netlink/af_netlink.c:1786
 [<     inline     >] sock_sendmsg_nosec net/socket.c:621
 [<ffffffff86a7517f>] sock_sendmsg+0xcf/0x110 net/socket.c:631
 [<ffffffff86a754eb>] sock_write_iter+0x32b/0x620 net/socket.c:829
 [<ffffffff81a6ef33>] do_iter_readv_writev+0x363/0x670 fs/read_write.c:695
 [<ffffffff81a71981>] do_readv_writev+0x431/0x9b0 fs/read_write.c:872
 [<ffffffff81a724bc>] vfs_writev+0x8c/0xc0 fs/read_write.c:911
 [<ffffffff81a72605>] do_writev+0x115/0x2d0 fs/read_write.c:944
 [<     inline     >] SYSC_writev fs/read_write.c:1017
 [<ffffffff81a75dbc>] SyS_writev+0x2c/0x40 fs/read_write.c:1014
 [<ffffffff881a3d05>] entry_SYSCALL_64_fastpath+0x23/0xc6
arch/x86/entry/entry_64.S:209
Code: e9 03 f3 48 ab 48 81 c4 10 05 00 00 44 89 e8 5b 41 5c 41 5d 41
5e 41 5f 5d c3 4c 89 d2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80>
3c 02 00 0f 85 00 26 00 00 49 81 3a c0 64 e2 8a 41 bf 00 00
RIP  [<ffffffff81567f65>] __lock_acquire+0xb35/0x3380
kernel/locking/lockdep.c:3221
 RSP <ffff880063a3e578>
---[ end trace 8d9cfd5e00f7ff0c ]---
==================================================================



On commit 2caceb3294a78c389b462e7e236a4e744a53a474 (Dec 1).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ