Date:   Thu, 19 Apr 2018 22:13:17 +0900
From:   Jean-Baptiste Theou <jb@...ential.com>
To:     davem@...emloft.net, gregkh@...uxfoundation.org, Jason@...c4.com,
        johannes@...solutions.net, edumazet@...gle.com,
        netdev@...r.kernel.org
Subject: BUG: unable to handle kernel NULL pointer dereference in netlink_getsockbyportid

Hi,

syzkaller found a null pointer in read_pnet on 4.4.128 (latest LTS).
Unfortunately I don't have repro code for now. Will post and test
on top of the tree if available.

Due to my testing env (Android), I cannot run Linus' top of the tree.

Could be related to https://www.spinics.net/lists/netdev/msg473130.html,
even if the fact that the null pointer is in read_pnet seems to indicate
a memory corruption more than an actual null pointer.

Please let me know if I can provide more information.

Thanks a lot,

==================================================================
BUG: KASAN: null-ptr-deref on address 0000000000000030
Read of size 8 by task syz-executor/4540
CPU: 0 PID: 4540 Comm: syz-executor Not tainted 4.4.128-perf+ #10
Hardware name: Essential Mata EVT4_F (DT)
Call trace:
[<ffffffa8e3a8c8a4>] dump_backtrace+0x0/0x27c arch/arm64/kernel/traps.c:108
[<ffffffa8e3a8cb3c>] show_stack+0x1c/0x24 arch/arm64/kernel/traps.c:231
[<ffffffa8e3f07140>] __dump_stack lib/dump_stack.c:15 [inline]
[<ffffffa8e3f07140>] dump_stack+0xb8/0xec lib/dump_stack.c:51
[<ffffffa8e3c78f24>] kasan_report_error mm/kasan/report.c:285 [inline]
[<ffffffa8e3c78f24>] kasan_report+0x118/0x4e8 mm/kasan/report.c:310
[<ffffffa8e3c77c7c>] check_memory_region_inline mm/kasan/kasan.c:292 [inline]
[<ffffffa8e3c77c7c>] __asan_load8+0x78/0x80 mm/kasan/kasan.c:724
[<ffffffa8e4d7a77c>] read_pnet include/net/net_namespace.h:266 [inline]
[<ffffffa8e4d7a77c>] sock_net include/net/sock.h:2233 [inline]
[<ffffffa8e4d7a77c>] netlink_getsockbyportid net/netlink/af_netlink.c:1085 [inline]
[<ffffffa8e4d7a77c>] netlink_unicast+0xbc/0x348 net/netlink/af_netlink.c:1270
[<ffffffa8e4d7b254>] netlink_ack+0x204/0x224 net/netlink/af_netlink.c:2305
[<ffffffa8e4d82120>] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:319 [inline]
[<ffffffa8e4d82120>] nfnetlink_rcv+0x3cc/0x718 net/netfilter/nfnetlink.c:477
[<ffffffa8e4d7a904>] netlink_unicast_kernel net/netlink/af_netlink.c:1250 [inline]
[<ffffffa8e4d7a904>] netlink_unicast+0x244/0x348 net/netlink/af_netlink.c:1276
[<ffffffa8e4d7b024>] netlink_sendmsg+0x520/0x54c net/netlink/af_netlink.c:1830
[<ffffffa8e4ce9c10>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffa8e4ce9c10>] sock_sendmsg+0x70/0x9c net/socket.c:648
[<ffffffa8e4cec984>] ___sys_sendmsg+0x330/0x414 net/socket.c:2008
[<ffffffa8e4cee684>] __sys_sendmsg+0x60/0xb4 net/socket.c:2042
[<ffffffa8e4cee710>] SYSC_sendmsg net/socket.c:2053 [inline]
[<ffffffa8e4cee710>] SyS_sendmsg+0x38/0x50 net/socket.c:2049
[<ffffffa8e3a83270>] el0_svc_naked+0x24/0x28
==================================================================
-----------[ cut here ]-----------
Kernel BUG at ffffffa8e4d7a77c [verbose debug info unavailable]
Internal error: Oops - BUG: 96000005 1 PREEMPT SMP
Modules linked in:
CPU: 0 PID: 4540 Comm: syz-executor Tainted: G B 4.4.128-perf+ #10
Hardware name: Essential Mata EVT4_F (DT)
task: ffffffdc5c326200 ti: ffffffdc47d80000 task.ti: ffffffdc47d80000
PC is at read_pnet include/net/net_namespace.h:266 [inline]
PC is at sock_net include/net/sock.h:2233 [inline]
PC is at netlink_getsockbyportid net/netlink/af_netlink.c:1085 [inline]
PC is at netlink_unicast+0xbc/0x348 net/netlink/af_netlink.c:1270
LR is at read_pnet include/net/net_namespace.h:266 [inline]
LR is at sock_net include/net/sock.h:2233 [inline]
LR is at netlink_getsockbyportid net/netlink/af_netlink.c:1085 [inline]
LR is at netlink_unicast+0xbc/0x348 net/netlink/af_netlink.c:1270
pc : [<ffffffa8e4d7a77c>] lr : [<ffffffa8e4d7a77c>] pstate: 60400145
sp : ffffffdc47d83910
x29: ffffffdc47d83910 x28: 00000000000002a8
x27: 0000000000000148 x26: 0000000000000030
x25: 00000000000000f0 x24: ffffffdc47d83980
x23: ffffffa8e5e06000 x22: 0000000000000000
x21: 00000000000011bb x20: ffffffdc6f6ab7c0
x19: 0000000000000000 x18: 0000007fca8a87ff
x17: 0000000000000000 x16: ffffffa8e3b70a70
x15: 000000000000000a x14: 3d3d3d3d3d3d3d3d
x13: 3d3d3d3d3d3d3d3d x12: 3d3d3d3d3d3d3d3d
x11: 3d3d3d3d3d3d3d3d x10: 3d3d3d3d3d3d3d3d
x9 : ffffff8b9296b007 x8 : ffffffa8e3e2a764
x7 : ffffffa8e5e4df08 x6 : 000000000000003c
x5 : 0000000000000000 x4 : ffffff8b88fb0000
x3 : ffffffa8e506c818 x2 : dfffff9000000000
x1 : 77d7e7890cbc6c61 x0 : 77d7e7890cbc6c61
PC: 0xffffffa8e4d7a73c:
a73c 97ffe9e3 aa0003f4 350000b8 97b8f916 910762c0 97bbf52d f940eed3 910203b8
a75c 97b8f911 9100c2da 910522db 910aa2dc f81f0f13 97b8f90c aa1a03e0 97bbf523
a77c f9401ad3 aa1b03e0 97bbf4de 394526c1 aa1303e0 2a1503e2 97fff341 aa0003f3
a79c b40003a0 97b8f900 91004a60 97bbf46f 39404a60 53001c00 7100041f 540002e1
LR: 0xffffffa8e4d7a73c:
a73c 97ffe9e3 aa0003f4 350000b8 97b8f916 910762c0 97bbf52d f940eed3 910203b8
a75c 97b8f911 9100c2da 910522db 910aa2dc f81f0f13 97b8f90c aa1a03e0 97bbf523
a77c f9401ad3 aa1b03e0 97bbf4de 394526c1 aa1303e0 2a1503e2 97fff341 aa0003f3
a79c b40003a0 97b8f900 91004a60 97bbf46f 39404a60 53001c00 7100041f 540002e1
SP: 0xffffffdc47d838d0:
38d0 e4d7a77c ffffffa8 47d83910 ffffffdc e4d7a77c ffffffa8 60400145 00000000
38f0 00000000 00000000 0cbc6c61 77d7e789 00000000 00000080 e4d7a77c ffffffa8
3910 47d83990 ffffffdc e4d7b254 ffffffa8 00000000 00000000 7adcc814 ffffffdc
3930 7adc9f80 ffffffdc 6f6ab680 ffffffdc 6f6ab6a8 ffffffdc 6f6ab7c0 ffffffdc

Process syz-executor (pid: 4540, stack limit = 0xffffffdc47d80028)
Call trace:
Exception stack(0xffffffdc47d83710 to 0xffffffdc47d83840)
3700: 0000000000000000 0000008000000000
3720: 00000000830c5000 ffffffa8e4d7a77c 0000000060400145 0000000000000025
3740: 00000000000000f0 ffffffa8e3ab275c 0000000000000005 ffffffdc47d80000
3760: ffffffa8e5e06000 0000000000000000 0000000000000008 0000000000000000
3780: ffffffdc47d83810 ffffffdc47d83810 ffffffdc47d837d0 00000000ffffffc8
37a0: 0000000000000008 ffffffdc47d83810 ffffffdc47d83810 ffffffdc47d837d0
37c0: 00000000ffffffc8 77d7e7890cbc6c61 0000000000000000 77d7e7890cbc6c61
37e0: 77d7e7890cbc6c61 77d7e7890cbc6c61 dfffff9000000000 ffffffa8e506c818
3800: ffffff8b88fb0000 0000000000000000 000000000000003c ffffffa8e5e4df08
3820: ffffffa8e3e2a764 ffffff8b9296b007 3d3d3d3d3d3d3d3d 3d3d3d3d3d3d3d3d
[<ffffffa8e4d7a77c>] read_pnet include/net/net_namespace.h:266 [inline]
[<ffffffa8e4d7a77c>] sock_net include/net/sock.h:2233 [inline]
[<ffffffa8e4d7a77c>] netlink_getsockbyportid net/netlink/af_netlink.c:1085 [inline]
[<ffffffa8e4d7a77c>] netlink_unicast+0xbc/0x348 net/netlink/af_netlink.c:1270
[<ffffffa8e4d7b254>] netlink_ack+0x204/0x224 net/netlink/af_netlink.c:2305
[<ffffffa8e4d82120>] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:319 [inline]
[<ffffffa8e4d82120>] nfnetlink_rcv+0x3cc/0x718 net/netfilter/nfnetlink.c:477
[<ffffffa8e4d7a904>] netlink_unicast_kernel net/netlink/af_netlink.c:1250 [inline]
[<ffffffa8e4d7a904>] netlink_unicast+0x244/0x348 net/netlink/af_netlink.c:1276
[<ffffffa8e4d7b024>] netlink_sendmsg+0x520/0x54c net/netlink/af_netlink.c:1830
[<ffffffa8e4ce9c10>] sock_sendmsg_nosec net/socket.c:638 [inline]
[<ffffffa8e4ce9c10>] sock_sendmsg+0x70/0x9c net/socket.c:648
[<ffffffa8e4cec984>] ___sys_sendmsg+0x330/0x414 net/socket.c:2008
[<ffffffa8e4cee684>] __sys_sendmsg+0x60/0xb4 net/socket.c:2042
[<ffffffa8e4cee710>] SYSC_sendmsg net/socket.c:2053 [inline]
[<ffffffa8e4cee710>] SyS_sendmsg+0x38/0x50 net/socket.c:2049
[<ffffffa8e3a83270>] el0_svc_naked+0x24/0x28
Code: f81f0f13 97b8f90c aa1a03e0 97bbf523 (f9401ad3)
