Message-ID: <CADUsjNminHYSgMt37jcbTNYo0K+6TyPEH0gPqkiKD+Qcw4X--Q@mail.gmail.com>
Date: Mon, 4 Dec 2017 17:34:34 +0800
From: idaifish <idaifish@...il.com>
To: davem@...emloft.net, Alexey Kuznetsov <kuznet@....inr.ac.ru>,
yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org,
syzkaller@...glegroups.com
Subject: net/ipv4: general protection fault in inet_csk_listen_stop
Hi,
Got the following report while fuzzing 4.9.66 with syzkaller.
This bug can be triggered by the attached program on Ubuntu 16.04
(4.4.0-101-generic).
================================================================
Syzkaller hit 'general protection fault in inet_csk_listen_stop' bug
on commit 4.9.66..
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 8157 Comm: syzkaller674855 Not tainted 4.9.66 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff880073e2f080 task.stack: ffff880073f78000
RIP: 0010:[<ffffffff829e8aaf>] [<ffffffff829e8aaf>]
inet_csk_listen_stop+0x2bf/0x5b0 net/ipv4/inet_connection_sock.c:874
RSP: 0018:ffff880073f7fb48 EFLAGS: 00010207
RAX: 0000000000000111 RBX: dffffc0000000000 RCX: 00000000000601a8
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 000000000000088f
RBP: ffff880073f7fb98 R08: 0000000000000286 R09: 0000000000000003
R10: 000000005bb54075 R11: 00000000ff0b3bcc R12: ffff8800741bb9b8
R13: ffff8800741bb600 R14: dffffc0000000000 R15: 0000000000000807
FS: 0000000000000000(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffb227a8db8 CR3: 000000000360c000 CR4: 00000000000006f0
Stack:
ffff8800741bb9a0 ffffed000e837734 ffff8800741bb7b8 ffff8800741bb998
ffff8800741bb980 ffff8800741bb600 ffff8800741bb612 ffff8800741bb628
0000000000000000 ffffffff8282b170 ffff880073f7fc10 ffffffff829ff2e1
Call Trace:
[<ffffffff829ff2e1>] tcp_close+0xb1/0xf60 net/ipv4/tcp.c:2079
[<ffffffff82aa551d>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
[<ffffffff82bcd500>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[<ffffffff8282b02d>] sock_release+0x8d/0x1d0 net/socket.c:585
[<ffffffff8282b186>] sock_close+0x16/0x20 net/socket.c:1032
[<ffffffff815433a6>] __fput+0x276/0x6e0 fs/file_table.c:208
[<ffffffff81543895>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff81241653>] task_work_run+0xf3/0x160 kernel/task_work.c:116
[<ffffffff811f936d>] exit_task_work include/linux/task_work.h:21 [inline]
[<ffffffff811f936d>] do_exit+0x6fd/0x2900 kernel/exit.c:828
[<ffffffff811fb6d6>] do_group_exit+0xf6/0x340 kernel/exit.c:932
[<ffffffff811fb93d>] SYSC_exit_group kernel/exit.c:943 [inline]
[<ffffffff811fb93d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:941
[<ffffffff82f79fbb>] entry_SYSCALL_64_fastpath+0x1e/0xad
Code: 75 16 e9 72 01 00 00 e8 d0 95 9d fe 4d 85 e4 4d 89 e7 0f 84 61
01 00 00 e8 bf 95 9d fe 49 8d bf 88 00 00 00 48 89 f8 48 c1 e8 03 <80>
3c 18 00 0f 85 7c 02 00 00 4d 8b a7 88 00 00 00 4d 8d b7 80
RIP [<ffffffff829e8aaf>] inet_csk_listen_stop+0x2bf/0x5b0
net/ipv4/inet_connection_sock.c:874
RSP <ffff880073f7fb48>
---[ end trace 5d4d9621d097214d ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..
--
Regards,
idaifish
Attachment: poc.c (text/x-csrc, 9950 bytes)
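Triaging a report like this one usually starts with turning the oops into structured data, so that the faulting function, the source location and the call chain can be compared with other reports and de-duplicated. The parser below is an added example, not code from this mail, from syzkaller or from the kernel tree. REPORT is the oops text from the mail above, wrapped exactly as the mail client wrapped it; the parser re-joins those wrapped lines, extracts the faulting frame from the RIP line and the frames under "Call Trace:", and builds the same "<fault kind> in <function>" title that syzkaller used for this crash. The regular expressions, the Frame and Oops types and all helper names are this example's own assumptions, not anything from the report.

```python
"""Parse an x86-64 kernel oops into structured frames for crash triage.
Added example; REPORT is the oops text from the mail above, wrapped as the
mail client wrapped it. Regexes, types and helper names are this example's own."""
import re
from dataclasses import dataclass
from typing import List, Optional

REPORT = """\
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 0 PID: 8157 Comm: syzkaller674855 Not tainted 4.9.66 #1
RIP: 0010:[<ffffffff829e8aaf>] [<ffffffff829e8aaf>]
inet_csk_listen_stop+0x2bf/0x5b0 net/ipv4/inet_connection_sock.c:874
Call Trace:
[<ffffffff829ff2e1>] tcp_close+0xb1/0xf60 net/ipv4/tcp.c:2079
[<ffffffff82aa551d>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
[<ffffffff82bcd500>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[<ffffffff8282b02d>] sock_release+0x8d/0x1d0 net/socket.c:585
[<ffffffff8282b186>] sock_close+0x16/0x20 net/socket.c:1032
[<ffffffff815433a6>] __fput+0x276/0x6e0 fs/file_table.c:208
[<ffffffff81543895>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff81241653>] task_work_run+0xf3/0x160 kernel/task_work.c:116
[<ffffffff811f936d>] exit_task_work include/linux/task_work.h:21 [inline]
[<ffffffff811f936d>] do_exit+0x6fd/0x2900 kernel/exit.c:828
[<ffffffff811fb6d6>] do_group_exit+0xf6/0x340 kernel/exit.c:932
[<ffffffff811fb93d>] SYSC_exit_group kernel/exit.c:943 [inline]
[<ffffffff811fb93d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:941
[<ffffffff82f79fbb>] entry_SYSCALL_64_fastpath+0x1e/0xad
RIP [<ffffffff829e8aaf>] inet_csk_listen_stop+0x2bf/0x5b0
net/ipv4/inet_connection_sock.c:874
---[ end trace 5d4d9621d097214d ]---
"""

# One call-trace frame: "[<addr>] func+0xoff/0xsize file:line [inline]";
# offset, file:line and the [inline] tag are all optional in real traces.
FRAME_RE = re.compile(
    r"^\[<(?P<addr>[0-9a-f]+)>\]\s+(?P<func>[A-Za-z0-9_.]+)"
    r"(?:\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+))?"
    r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?(?:\s+\[(?P<inline>inline)\])?\s*$")
RIP_RE = re.compile(r"^RIP:\s*[0-9a-f]+:\[<(?P<addr>[0-9a-f]+)>\]\s+\[<[0-9a-f]+>\]\s+(?P<rest>\S.*)$")
KIND_RE = re.compile(r"^(?P<kind>[A-Za-z][A-Za-z ]+?):\s+[0-9a-f]{4}\s+\[#\d+\]")
VER_RE = re.compile(r"\b(?:Not tainted|Tainted: \S+)\s+(?P<ver>\S+)")


@dataclass
class Frame:
    addr: int
    func: str
    off: Optional[int]
    size: Optional[int]
    file: Optional[str]
    line: Optional[int]
    inline: bool


@dataclass
class Oops:
    kind: str
    kernel: str
    kasan_hint: Optional[str]
    faulting: Optional[Frame]
    frames: List[Frame]


def _unwrap(text: str) -> List[str]:
    # Re-join lines the mail client wrapped: a bare "file:line" continuation,
    # and the symbol that follows "RIP: 0010:[<addr>] [<addr>]".
    out: List[str] = []
    for line in text.splitlines():
        line = line.strip()
        if out and (re.fullmatch(r"[\w./-]+:\d+", line) or out[-1].endswith(">]")):
            out[-1] += " " + line
        else:
            out.append(line)
    return out


def _frame(m: "re.Match[str]") -> Frame:
    g = m.groupdict()
    return Frame(int(g["addr"], 16), g["func"],
                 int(g["off"], 16) if g["off"] else None,
                 int(g["size"], 16) if g["size"] else None,
                 g["file"], int(g["line"]) if g["line"] else None,
                 g["inline"] is not None)


def parse_oops(text: str) -> Oops:
    kind = kernel = kasan = faulting = None
    frames: List[Frame] = []
    lines = _unwrap(text)
    for i, line in enumerate(lines):
        if line.startswith("kasan:"):
            kasan = line[len("kasan:"):].strip()
        elif (m := KIND_RE.match(line)) and kind is None:
            kind = m["kind"]
        elif m := VER_RE.search(line):
            kernel = m["ver"]
        elif m := RIP_RE.match(line):
            fm = FRAME_RE.match(f"[<{m['addr']}>] {m['rest']}")
            faulting = _frame(fm) if fm else None
        elif line == "Call Trace:":
            for frame_line in lines[i + 1:]:  # frames run until a non-frame line
                fm = FRAME_RE.match(frame_line)
                if not fm:
                    break
                frames.append(_frame(fm))
    return Oops(kind or "unknown", kernel or "unknown", kasan, faulting, frames)


def crash_title(oops: Oops) -> str:
    # Same shape as the syzkaller title in the mail: "<fault kind> in <function>".
    return f"{oops.kind} in {oops.faulting.func if oops.faulting else '?'}"


def call_chain(oops: Oops) -> List[str]:
    # Non-inlined functions, innermost first; [inline] frames share an address.
    return [f.func for f in oops.frames if not f.inline]


if __name__ == "__main__":
    o = parse_oops(REPORT)
    print(crash_title(o), "on", o.kernel, "<-", " <- ".join(call_chain(o)))
```

The faulting frame comes from the RIP line rather than from the first "Call Trace:" entry because the call trace starts at the caller (tcp_close here); pairing `kind` with that function reproduces the title syzkaller printed, which is what a dedup key should be built from. Inlined frames keep the same address as the enclosing function, so `call_chain` drops them to give a stable list for comparing reports across kernel builds.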