Message-ID: <cfea6086-4416-7e3c-f456-26ff44bf55a5@gmail.com>
Date:   Wed, 5 Jun 2019 09:53:06 -0600
From:   David Ahern <dsahern@...il.com>
To:     syzbot <syzbot+1b2927fda48c5bf2e931@...kaller.appspotmail.com>,
        davem@...emloft.net, kuznet@....inr.ac.ru,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        syzkaller-bugs@...glegroups.com, yoshfuji@...ux-ipv6.org
Subject: Re: general protection fault in fib6_nh_init

On 6/3/19 11:10 PM, syzbot wrote:
> 
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 4498 Comm: syz-executor.4 Not tainted 5.2.0-rc2+ #10
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:ipv6_addr_any include/net/ipv6.h:626 [inline]
> RIP: 0010:ip6_route_check_nh_onlink net/ipv6/route.c:2910 [inline]
> RIP: 0010:ip6_validate_gw net/ipv6/route.c:3013 [inline]
> RIP: 0010:fib6_nh_init+0x47e/0x1c80 net/ipv6/route.c:3121
> Code: 89 de e8 45 9f 4e fb 48 85 db 0f 84 fb 10 00 00 e8 97 9d 4e fb 48
> 8d 7b 40 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02
> 00 0f 85 bf 16 00 00 48 8d 7b 48 48 8b 4b 40 48 b8 00 00
> RSP: 0018:ffff888060e277c0 EFLAGS: 00010a02
> RAX: dffffc0000000000 RBX: ff8880a43d5cc000 RCX: ffffc90012a9f000
> RDX: 1ff1101487ab9808 RSI: ffffffff86220829 RDI: ff8880a43d5cc040

This one to me falls into the corruption of the rt6_info in pcpu memory.

ip6_route_check_nh_onlink has already checked that 'from' is non-NULL
and fib6_dst falls within that memory.

RDI is the first input arg and appears to point to an invalid memory
address. In my tests all mallocs (f6i, nexthops, pcpu routes, etc.) start
with 0xffff but RDI is 0xff88 which seems wrong.

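The register dump in the quoted report can be cross-checked against KASAN's inline shadow check. The C program below is an added example, not part of the original message or the kernel source: it recomputes what the faulting `cmp byte [rdx+rax], 0` (bytes `48 89 fa 48 c1 ea 03 80 3c 02 00` in the Code line) actually accessed, assuming the standard x86-64 KASAN shadow offset 0xdffffc0000000000 (the RAX value), scale shift 3 (the `shr rdx, 3`) and 48-bit canonical addressing; the 0xffff88... pointer is a constructed comparison value.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* x86-64 KASAN parameters as they appear in the report's Code line:
 * mov rax, 0xdffffc0000000000 is KASAN_SHADOW_OFFSET, shr rdx, 3 the scale. */
#define KASAN_SHADOW_OFFSET      0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

/* Shadow byte the inline KASAN check dereferences for a given pointer. */
uint64_t kasan_shadow_addr(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* 48-bit VA: canonical iff bits 63..47 are all 0 or all 1 (17 bits).
 * Touching a non-canonical address raises #GP (a "general protection
 * fault"), not a page fault, which is the signature seen in the report. */
bool is_canonical(uint64_t addr)
{
    uint64_t top = addr >> 47;
    return top == 0 || top == 0x1ffff;
}

/* True when the shadow lookup for this pointer is what trips #GP. */
bool kasan_check_faults_gp(uint64_t addr)
{
    return !is_canonical(kasan_shadow_addr(addr));
}

int main(void)
{
    /* Values copied from the syzbot register dump. */
    const uint64_t rdi  = 0xff8880a43d5cc040ULL; /* corrupted pointer   */
    const uint64_t rdx  = 0x1ff1101487ab9808ULL; /* should be rdi >> 3  */
    /* Constructed: the same pointer with the expected 0xffff... prefix. */
    const uint64_t sane = 0xffff88a43d5cc040ULL;

    printf("rdi >> 3 == RDX: %s\n", (rdi >> 3) == rdx ? "yes" : "no");
    printf("shadow(rdi)  = 0x%016llx  faults with #GP: %d\n",
           (unsigned long long)kasan_shadow_addr(rdi), kasan_check_faults_gp(rdi));
    printf("shadow(sane) = 0x%016llx  faults with #GP: %d\n",
           (unsigned long long)kasan_shadow_addr(sane), kasan_check_faults_gp(sane));
    return 0;
}
```

The corrupted pointer's shadow address lands outside the canonical range, so the report's #GP is KASAN's own check tripping on the bad pointer rather than the route code dereferencing it directly.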