Message-ID: <20190117093413.579b95eb@hermes.lan>
Date:   Thu, 17 Jan 2019 09:34:13 -0800
From:   Stephen Hemminger <stephen@...workplumber.org>
To:     netdev@...r.kernel.org
Subject: Fw: [Bug 202309] New: Possible regression kernel null ptr deref in
 receive path



Begin forwarded message:

Date: Thu, 17 Jan 2019 00:43:53 +0000
From: bugzilla-daemon@...zilla.kernel.org
To: stephen@...workplumber.org
Subject: [Bug 202309] New: Possible regression kernel null ptr deref in receive path


https://bugzilla.kernel.org/show_bug.cgi?id=202309

            Bug ID: 202309
           Summary: Possible regression kernel null ptr deref in receive
                    path
           Product: Networking
           Version: 2.5
    Kernel Version: 4.14.92
          Hardware: All
                OS: Linux
              Tree: Mainline
            Status: NEW
          Severity: normal
          Priority: P1
         Component: IPV4
          Assignee: stephen@...workplumber.org
          Reporter: vishnu.rangayyan@...il.com
        Regression: No

I don't see this with 4.14.52 or 4.14.74 LTS built out of kernel.org. I see it
on 4.14.92.
Not sure of the exact traffic or packets that trigger this. There are no
custom net namespaces created on this system.

[ 9460.729925] BUG: unable to handle kernel NULL pointer dereference at           (null)
[ 9460.823645] IP: tcp_v4_rcv+0x315/0x9c0
[ 9460.868466] PGD 8000001fe4ace067 P4D 8000001fe4ace067 PUD 1fe4acf067 PMD 0 
[ 9460.951773] Oops: 0000 [#1] SMP PTI
[ 9460.993474] Modules linked in: 8021q garp stp llc nf_log_ipv4 nf_log_common xt_LOG xt_limit xt_multiport iptable_filter ip_tables xt_comment ip6table_filter ip6_tables iTCO_wdt iTCO_vendor_support ipmi_devintf ipmi_si ipmi_msghandler ixgbe dca ptp pps_core hwmon mdio i2c_i801 i2c_core sg lpc_ich mfd_core wmi pcc_cpufreq tcp_bbr isci libsas scsi_transport_sas sd_mod dm_mirror dm_region_hash dm_log dm_mod dax ahci libahci
[ 9461.438712] CPU: 3 PID: 7933 Comm: nginx Not tainted 4.14.92 #1
[ 9461.618840] task: ffff889fe1b5dac0 task.stack: ffffc9002494c000
[ 9461.689670] RIP: 0010:tcp_v4_rcv+0x315/0x9c0
[ 9461.740730] RSP: 0000:ffff889fffac3c18 EFLAGS: 00010246
[ 9461.803235] RAX: 0000000000000000 RBX: ffff889feacd6f00 RCX: 00000000d73392bf
[ 9461.888624] RDX: ffff889fd9e2e8ce RSI: ffffffff82676e40 RDI: 00000000000000d4
[ 9461.974009] RBP: ffffffff820883c0 R08: 0000000000022b40 R09: ffffffff8153fa79
[ 9462.059394] R10: ffff88bff5077200 R11: ffff889ff50707e0 R12: ffff889fd9e2e8ce
[ 9462.144779] R13: ffff889fd9e2e8f6 R14: 0000000000000004 R15: 0000000000000000
[ 9462.230166] FS:  00007f86baafa740(0000) GS:ffff889fffac0000(0000) knlGS:0000000000000000
[ 9462.326990] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9462.395737] CR2: 0000000000000000 CR3: 0000001fe8764002 CR4: 00000000001606e0
[ 9462.481122] Call Trace:
[ 9462.510347]  <IRQ>
[ 9462.534378]  ip_local_deliver_finish+0x58/0x1e0
[ 9462.588562]  ip_local_deliver+0x56/0xc0
[ 9462.634427]  ? ip_rcv_finish+0x3a0/0x3a0
[ 9462.681331]  ip_rcv+0x267/0x330
[ 9462.718873]  ? packet_rcv+0x3c/0x420
[ 9462.761620]  ? __build_skb+0x20/0xe0
[ 9462.804363]  __netif_receive_skb_core+0x416/0xad0
[ 9462.860631]  ? ip_rcv+0x267/0x330
[ 9462.900254]  ? netif_receive_skb_internal+0x1f/0xa0
[ 9462.958601]  netif_receive_skb_internal+0x1f/0xa0
[ 9463.014865]  napi_gro_receive+0x6a/0x80
[ 9463.060735]  ixgbe_clean_rx_irq+0x3db/0xc10 [ixgbe]
[ 9463.119078]  ixgbe_poll+0x25a/0x740 [ixgbe]
[ 9463.169101]  net_rx_action+0x128/0x320
[ 9463.213924]  __do_softirq+0xcb/0x20a
[ 9463.256669]  irq_exit+0xe4/0xf0
[ 9463.294215]  do_IRQ+0x84/0xd0
[ 9463.329680]  common_interrupt+0x84/0x84
[ 9463.375541]  </IRQ>
[ 9463.400606] RIP: 0033:0x62db1c
[ 9463.437107] RSP: 002b:00007fff6ae59000 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff46
[ 9463.527693] RAX: 26dbccaa2510e7d4 RBX: b3b6246dbf7e995d RCX: 0000000001820140
[ 9463.613079] RDX: be939e9af863f331 RSI: 0000000004206e40 RDI: daa9470e74920648
[ 9463.698467] RBP: dfa7d50834d1f8a9 R08: de0967ebf339c627 R09: 0000000000000010
[ 9463.783851] R10: 8507145f04d8176d R11: 5993ffac119f960e R12: 0000000004206ac0
[ 9463.869238] R13: d44af7942e55384f R14: 000000000000000c R15: 0000000000000010
[ 9463.954622] Code: 03 93 d0 00 00 00 48 83 e0 fe 74 0c 44 8b b0 ac 00 00 00 45 85 f6 75 07 44 8b b3 a0 00 00 00 41 0f b6 7d 0c 48 c7 c6 40 6e 67 82 <48> 8b 00 44 8b 42 10 41 0f b7 4d 00 40 c0 ef 04 8b 52 0c 40 88
[ 9464.180416] RIP: tcp_v4_rcv+0x315/0x9c0 RSP: ffff889fffac3c18
[ 9464.249155] CR2: 0000000000000000

(gdb) list *(tcp_v4_rcv+0x315)
0xffffffff81563375 is in tcp_v4_rcv (./include/net/net_namespace.h:281).
276     }
277     
278     static inline struct net *read_pnet(const possible_net_t *pnet)
279     {
280     #ifdef CONFIG_NET_NS
281             return pnet->net;
282     #else
283             return &init_net;
284     #endif
285     }

-- 
You are receiving this mail because:
You are the assignee for the bug.
