| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Jul 2018 12:44:14 -0700
From: Linus Torvalds <torvalds@...ux-foundation.org>
To: syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com,
Eric Van Hensbergen <ericvh@...il.com>,
Ron Minnich <rminnich@...dia.gov>,
Latchesar Ionkov <lucho@...kov.net>
Cc: Jens Axboe <axboe@...nel.dk>,
Bart Van Assche <bart.vanassche@....com>,
David Miller <davem@...emloft.net>,
Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
Network Development <netdev@...r.kernel.org>,
Sagi Grimberg <sagi@...mberg.me>,
syzkaller-bugs@...glegroups.com
Subject: Re: general protection fault in in_aton
On Tue, Jul 10, 2018 at 12:19 PM syzbot
<syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com> wrote:
> RIP: 0010:in_aton+0x3e/0x180 net/core/utils.c:63
That's
if (*str != '\0') {
in in_aton().
The code disassembles to
movzbl (%rax,%r15,1),%eax
which is a bit odd, because
> RAX: 0000000000000000
Ok, NULL pointer, looks sane, but:
> R15: dffffc0000000000
Yeah, that's unusual. But I'm guessing it's some KASAN artifact. One
of the big problemns with KASAN is that it makes the generated code
completely illegible because 90% of the code is just KASAN overhead.
> Call Trace:
> rdma_create_trans+0xdbe/0x1ed0 net/9p/trans_rdma.c:678
Well, rdma_create_trans() certainly doesn't verify 'addr' before using it.
> p9_client_create+0x915/0x16c9 net/9p/client.c:1062
p9_client_create() just blindly passes on "dev_name"
> v9fs_session_init+0x21a/0x1a80 fs/9p/v9fs.c:400
> v9fs_mount+0x7c/0x900 fs/9p/vfs_super.c:135
.. as does v9fs_session_init() and v9fs_mount()
> mount_fs+0xae/0x328 fs/super.c:1277
> vfs_kern_mount.part.34+0xdc/0x4e0 fs/namespace.c:1037
> vfs_kern_mount fs/namespace.c:1027 [inline]
> do_new_mount fs/namespace.c:2518 [inline]
> do_mount+0x581/0x30e0 fs/namespace.c:2848
This is "name" in mount_fs(), vfs_kern_mount(), do_new_mount() and
do_mount(), also just passed through.
> __do_compat_sys_mount fs/compat.c:125 [inline]
> __se_compat_sys_mount fs/compat.c:92 [inline]
> __ia32_compat_sys_mount+0x5d5/0x860 fs/compat.c:92
And here we have the source:
kernel_dev = copy_mount_string(dev_name);
Note that copy_mount_string() just passes a NULL user space pointer
through as a NULL kernel pointer (otherwise it does a
"strndup_user()".
And no, this is not a compat issue. The native mount does the same thing.
So yes. The device name can trivially be NULL, and either rdma or the
p9 code should check for NULL.
Adding in the 9p people, because I think it's for them. Note the
syzbot info below.
Linus
--
syzbot found the following crash on:
HEAD commit: 092150a25cb7 Merge branch 'for-linus' of git://git.kernel...
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=1687b168400000
kernel config: https://syzkaller.appspot.com/x/.config?x=25856fac4e580aa7
dashboard link: https://syzkaller.appspot.com/bug?extid=2a831e062bb4aebd8755
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
userspace arch: i386
syzkaller repro:https://syzkaller.appspot.com/x/repro.syz?x=158cc2c2400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=16e7ef48400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+2a831e062bb4aebd8755@...kaller.appspotmail.com
Powered by blists - more mailing lists