lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CA+55aFyEZR=v2GySzWWF3uh9ZB53CFFv460Wzg4n8DGze8GFfw@mail.gmail.com>
Date:   Tue, 10 Jul 2018 12:44:14 -0700
From:   Linus Torvalds <torvalds@...ux-foundation.org>
To:     syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com,
        Eric Van Hensbergen <ericvh@...il.com>,
        Ron Minnich <rminnich@...dia.gov>,
        Latchesar Ionkov <lucho@...kov.net>
Cc:     Jens Axboe <axboe@...nel.dk>,
        Bart Van Assche <bart.vanassche@....com>,
        David Miller <davem@...emloft.net>,
        Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
        Network Development <netdev@...r.kernel.org>,
        Sagi Grimberg <sagi@...mberg.me>,
        syzkaller-bugs@...glegroups.com
Subject: Re: general protection fault in in_aton

On Tue, Jul 10, 2018 at 12:19 PM syzbot
<syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com> wrote:
> RIP: 0010:in_aton+0x3e/0x180 net/core/utils.c:63

That's

                if (*str != '\0') {

in in_aton().

The code disassembles to

        movzbl (%rax,%r15,1),%eax

which is a bit odd, because

> RAX: 0000000000000000

Ok, NULL pointer, looks sane, but:

> R15: dffffc0000000000

Yeah, that's unusual. But I'm guessing it's some KASAN artifact. One
of the big problemns with KASAN is that it makes the generated code
completely illegible because 90% of the code is just KASAN overhead.

> Call Trace:
>   rdma_create_trans+0xdbe/0x1ed0 net/9p/trans_rdma.c:678

Well, rdma_create_trans() certainly doesn't verify 'addr' before using it.

>   p9_client_create+0x915/0x16c9 net/9p/client.c:1062

p9_client_create() just blindly passes on "dev_name"

>   v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
>   v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135

.. as does v9fs_session_init() and v9fs_mount()

>   mount_fs+0xae/0x328 fs/super.c:1277
>   vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
>   vfs_kern_mount fs/namespace.c:1027 [inline]
>   do_new_mount fs/namespace.c:2518 [inline]
>   do_mount+0x581/0x30e0 fs/namespace.c:2848

This is "name" in mount_fs(), vfs_kern_mount(), do_new_mount() and
do_mount(), also just passed through.

>   __do_compat_sys_mount fs/compat.c:125 [inline]
>   __se_compat_sys_mount fs/compat.c:92 [inline]
>   __ia32_compat_sys_mount+0x5d5/0x860 fs/compat.c:92

And here we have the source:

        kernel_dev = copy_mount_string(dev_name);

Note that copy_mount_string() just passes a NULL user space pointer
through as a NULL kernel pointer (otherwise it does a
"strndup_user()".

And no, this is not a compat issue. The native mount does the same thing.

So yes. The device name can trivially be NULL, and either rdma or the
p9 code should check for NULL.

Adding in the 9p people, because I think it's for them. Note the
syzbot info below.

               Linus

--

syzbot found the following crash on:

HEAD commit:    092150a25cb7 Merge branch 'for-linus' of git://git.kernel...
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1687b168400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=2a831e062bb4aebd8755
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158cc2c2400000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16e7ef48400000

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ