lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Mon, 4 Dec 2017 17:34:34 +0800
From:   idaifish <idaifish@...il.com>
To:     davem@...emloft.net, Alexey Kuznetsov <kuznet@....inr.ac.ru>,
        yoshfuji@...ux-ipv6.org, netdev@...r.kernel.org,
        syzkaller@...glegroups.com
Subject: net/ipv4: general protection fault in inet_csk_listen_stop

Hi,

Got the following report while fuzzing the 4.9.66  with syzkaller.
This bug can be triggered by the attached program on Ubuntu16.04
(4.4.0-101-generic)


================================================================
Syzkaller hit 'general protection fault in inet_csk_listen_stop' bug
on commit 4.9.66..

kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 0 PID: 8157 Comm: syzkaller674855 Not tainted 4.9.66 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
task: ffff880073e2f080 task.stack: ffff880073f78000
RIP: 0010:[<ffffffff829e8aaf>]  [<ffffffff829e8aaf>]
inet_csk_listen_stop+0x2bf/0x5b0 net/ipv4/inet_connection_sock.c:874
RSP: 0018:ffff880073f7fb48  EFLAGS: 00010207
RAX: 0000000000000111 RBX: dffffc0000000000 RCX: 00000000000601a8
RDX: 0000000000000000 RSI: 0000000000000200 RDI: 000000000000088f
RBP: ffff880073f7fb98 R08: 0000000000000286 R09: 0000000000000003
R10: 000000005bb54075 R11: 00000000ff0b3bcc R12: ffff8800741bb9b8
R13: ffff8800741bb600 R14: dffffc0000000000 R15: 0000000000000807
FS:  0000000000000000(0000) GS:ffff88007fc00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffb227a8db8 CR3: 000000000360c000 CR4: 00000000000006f0
Stack:
 ffff8800741bb9a0 ffffed000e837734 ffff8800741bb7b8 ffff8800741bb998
 ffff8800741bb980 ffff8800741bb600 ffff8800741bb612 ffff8800741bb628
 0000000000000000 ffffffff8282b170 ffff880073f7fc10 ffffffff829ff2e1
Call Trace:
 [<ffffffff829ff2e1>] tcp_close+0xb1/0xf60 net/ipv4/tcp.c:2079
 [<ffffffff82aa551d>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [<ffffffff82bcd500>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [<ffffffff8282b02d>] sock_release+0x8d/0x1d0 net/socket.c:585
 [<ffffffff8282b186>] sock_close+0x16/0x20 net/socket.c:1032
 [<ffffffff815433a6>] __fput+0x276/0x6e0 fs/file_table.c:208
 [<ffffffff81543895>] ____fput+0x15/0x20 fs/file_table.c:244
 [<ffffffff81241653>] task_work_run+0xf3/0x160 kernel/task_work.c:116
 [<ffffffff811f936d>] exit_task_work include/linux/task_work.h:21 [inline]
 [<ffffffff811f936d>] do_exit+0x6fd/0x2900 kernel/exit.c:828
 [<ffffffff811fb6d6>] do_group_exit+0xf6/0x340 kernel/exit.c:932
 [<ffffffff811fb93d>] SYSC_exit_group kernel/exit.c:943 [inline]
 [<ffffffff811fb93d>] SyS_exit_group+0x1d/0x20 kernel/exit.c:941
 [<ffffffff82f79fbb>] entry_SYSCALL_64_fastpath+0x1e/0xad
Code: 75 16 e9 72 01 00 00 e8 d0 95 9d fe 4d 85 e4 4d 89 e7 0f 84 61
01 00 00 e8 bf 95 9d fe 49 8d bf 88 00 00 00 48 89 f8 48 c1 e8 03 <80>
3c 18 00 0f 85 7c 02 00 00 4d 8b a7 88 00 00 00 4d 8d b7 80
RIP  [<ffffffff829e8aaf>] inet_csk_listen_stop+0x2bf/0x5b0
net/ipv4/inet_connection_sock.c:874
 RSP <ffff880073f7fb48>
---[ end trace 5d4d9621d097214d ]---
Kernel panic - not syncing: Fatal exception
Kernel Offset: disabled
Rebooting in 86400 seconds..








-- 
Regards,
idaifish

View attachment "poc.c" of type "text/x-csrc" (9950 bytes)

Powered by blists - more mailing lists