lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20171110021145.GB22329@gondor.apana.org.au>
Date:   Fri, 10 Nov 2017 13:11:45 +1100
From:   Herbert Xu <herbert@...dor.apana.org.au>
To:     Dmitry Vyukov <dvyukov@...gle.com>
Cc:     syzbot 
        <bot+413384116f7f7dab7903d54c53fc4af6a4441965@...kaller.appspotmail.com>,
        David Miller <davem@...emloft.net>,
        LKML <linux-kernel@...r.kernel.org>,
        netdev <netdev@...r.kernel.org>,
        Steffen Klassert <steffen.klassert@...unet.com>,
        syzkaller-bugs@...glegroups.com
Subject: Re: kernel BUG at net/key/af_key.c:LINE!

On Fri, Nov 10, 2017 at 01:04:59PM +1100, Herbert Xu wrote:
> 
> By castrating the reproducer to not perform a pfkey dump I have
> captured the corrupted policy via xfrm:
> 
> src ???/0 dst ???/0 uid 0
>         socket in action allow index 2083 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-11-10 09:58:17 use 2017-11-10 09:58:20
>         tmpl src ac14:bb:: dst ::
>                 proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
>                 level 5 share any 
>                 enc-mask 00000000 auth-mask 00000000 comp-mask 00000000
> 
> For comparison here is a good policy that was also created by the
> reproducer:
> 
> src fe80::bb/0 dst ::/0 uid 0
>         socket in action allow index 2083 priority 0 ptype main share any flag  (0x00000000)
>         lifetime config:
>           limit: soft 0(bytes), hard 0(bytes)
>           limit: soft 0(packets), hard 0(packets)
>           expire add: soft 0(sec), hard 0(sec)
>           expire use: soft 0(sec), hard 0(sec)
>         lifetime current:
>           0(bytes), 0(packets)
>           add 2017-11-10 09:58:17 use 2017-11-10 09:58:17
>         tmpl src ac14:bb:: dst ::
>                 proto 0 spi 0x00000000(0) reqid 0(0x00000000) mode transport
>                 level 5 share any 
>                 enc-mask 00000000 auth-mask 00000000 comp-mask 00000000

Oh and this is an important clue.  We have two policies with
identical index values.  The index value is meant to be unique
so clearly something funny is going on.

Cheers,
-- 
Email: Herbert Xu <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ