lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <001a113ea6d880f10e05679064d3@google.com>
Date:   Fri, 16 Mar 2018 16:59:02 -0700
From:   syzbot <syzbot+f14c1ee2dbd16782dcc2@...kaller.appspotmail.com>
To:     davem@...emloft.net, herbert@...dor.apana.org.au,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        steffen.klassert@...unet.com, syzkaller-bugs@...glegroups.com
Subject: general protection fault in xfrm_init_replay

Hello,

syzbot hit the following crash on net-next commit
80d9f3a0fdb8c1129921147780661ed0a2cae2a1 (Thu Mar 15 18:04:57 2018 +0000)
Merge branch '40GbE' of  
git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/next-queue

So far this crash happened 2 times on net-next.
syzkaller reproducer is attached.
Raw console output is attached.
compiler: gcc (GCC) 7.1.1 20170620
.config is attached.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+f14c1ee2dbd16782dcc2@...kaller.appspotmail.com
It will help syzbot understand when the bug is fixed. See footer for  
details.
If you forward the report, please keep this part and the footer.

audit: type=1400 audit(1521168724.857:11): avc:  denied  { net_admin } for   
pid=4241 comm="syz-executor4" capability=12   
scontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023  
tcontext=unconfined_u:system_r:insmod_t:s0-s0:c0.c1023 tclass=cap_userns  
permissive=1
IPVS: ftp: loaded support on port[0] = 21
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
IPVS: ftp: loaded support on port[0] = 21
general protection fault: 0000 [#1] SMP KASAN
kasan: CONFIG_KASAN_INLINE enabled
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4260 Comm: syz-executor3 Not tainted 4.16.0-rc4+ #267
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS  
Google 01/01/2011
kasan: GPF could be caused by NULL-ptr deref or user memory access
RIP: 0010:xfrm_init_replay+0x60/0x220 net/xfrm/xfrm_replay.c:745
RSP: 0018:ffff8801a9bdf360 EFLAGS: 00010203
RAX: dffffc0000000000 RBX: ffff8801cbd98d80 RCX: ffffffff84ea4c3a
RDX: 0000000000000004 RSI: ffff8801cbd992f4 RDI: 0000000000000024
RBP: ffff8801a9bdf380 R08: 0000000000000000 R09: 1ffff1003537be21
R10: ffff8801a9bdf040 R11: 0000000000000001 R12: 0000000000000010
R13: ffff8801a9bdf598 R14: ffff8801cbd98d80 R15: ffff8801cbd99200
FS:  00007f5382917700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000464b00 CR3: 00000001cbd20001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  xfrm_state_construct net/xfrm/xfrm_user.c:610 [inline]
  xfrm_add_sa+0x1d3e/0x3440 net/xfrm/xfrm_user.c:647
  xfrm_user_rcv_msg+0x41c/0x860 net/xfrm/xfrm_user.c:2595
  netlink_rcv_skb+0x14b/0x380 net/netlink/af_netlink.c:2444
  xfrm_netlink_rcv+0x6f/0x90 net/xfrm/xfrm_user.c:2603
  netlink_unicast_kernel net/netlink/af_netlink.c:1308 [inline]
  netlink_unicast+0x4c4/0x6b0 net/netlink/af_netlink.c:1334
  netlink_sendmsg+0xa4a/0xe60 net/netlink/af_netlink.c:1897
  sock_sendmsg_nosec net/socket.c:629 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:639
  ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
  __sys_sendmsg+0xe5/0x210 net/socket.c:2081
  SYSC_sendmsg net/socket.c:2092 [inline]
  SyS_sendmsg+0x2d/0x50 net/socket.c:2088
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:00007f5382916c68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f53829176d4 RCX: 0000000000453e69
RDX: 0000000000000000 RSI: 000000002014f000 RDI: 0000000000000003
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c7 R14: 00000000006f7348 R15: 0000000000000000
Code: 4c 8b a3 b8 01 00 00 4d 85 e4 0f 84 49 01 00 00 e8 a6 bd 86 fc 49 8d  
7c 24 14 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02  
48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85
RIP: xfrm_init_replay+0x60/0x220 net/xfrm/xfrm_replay.c:745 RSP:  
ffff8801a9bdf360
general protection fault: 0000 [#2] SMP KASAN
---[ end trace cdf49f9f8c02f82d ]---
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 4255 Comm: syz-executor4 Tainted: G      D          4.16.0-rc4+  
#267


---
This bug is generated by a dumb bot. It may contain errors.
See https://goo.gl/tpsmEJ for details.
Direct all questions to syzkaller@...glegroups.com.

syzbot will keep track of this bug report.
If you forgot to add the Reported-by tag, once the fix for this bug is  
merged
into any tree, please reply to this email with:
#syz fix: exact-commit-title
If you want to test a patch for this bug, please reply with:
#syz test: git://repo/address.git branch
and provide the patch inline or as an attachment.
To mark this as a duplicate of another syzbot report, please reply with:
#syz dup: exact-subject-of-another-report
If it's a one-off invalid bug report, please reply with:
#syz invalid
Note: if the crash happens again, it will cause creation of a new bug  
report.
Note: all commands must start from beginning of the line in the email body.

View attachment "raw.log.txt" of type "text/plain" (12474 bytes)

View attachment "repro.syz.txt" of type "text/plain" (1351 bytes)

View attachment "config.txt" of type "text/plain" (137453 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ