lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Tue, 02 Jul 2019 14:37:24 +0100
From:   David Howells <dhowells@...hat.com>
To:     syzbot <syzbot+1e0edc4b8b7494c28450@...kaller.appspotmail.com>,
        ebiggers@...nel.org
Cc:     dhowells@...hat.com, davem@...emloft.net,
        linux-afs@...ts.infradead.org, linux-kernel@...r.kernel.org,
        netdev@...r.kernel.org, syzkaller-bugs@...glegroups.com
Subject: Re: kernel BUG at net/rxrpc/local_object.c:LINE!

syzbot <syzbot+1e0edc4b8b7494c28450@...kaller.appspotmail.com> wrote:

I *think* the reproducer boils down to the attached, but I can't get syzkaller
to work and the attached sample does not cause the oops to occur.  Can you try
it in your environment?

> The bug was bisected to:
> 
> commit 46894a13599a977ac35411b536fb3e0b2feefa95
> Author: David Howells <dhowells@...hat.com>
> Date:   Thu Oct 4 08:32:28 2018 +0000
> 
>     rxrpc: Use IPv4 addresses throught the IPv6

This might not be the correct bisection point.  If you look at the attached
sample, you're mixing AF_INET and AF_INET6.  If you try AF_INET throughout,
that might get a different point.  On the other hand, since you've bound the
socket, the AF_INET6 passed to socket() should be ignored.

David
---
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
#include <linux/rxrpc.h>

static const unsigned char inet4_addr[4] = {
	0xe0, 0x00, 0x00, 0x01
};

int main(void)
{
	struct sockaddr_rxrpc srx;
	int fd;

	memset(&srx, 0, sizeof(srx));
	srx.srx_family			= AF_RXRPC;
	srx.srx_service			= 0;
	srx.transport_type		= AF_INET;
	srx.transport_len		= sizeof(srx.transport.sin);
	srx.transport.sin.sin_family	= AF_INET;
	srx.transport.sin.sin_port	= htons(0x4e21);
	memcpy(&srx.transport.sin.sin_addr, inet4_addr, 4);

	fd = socket(AF_RXRPC, SOCK_DGRAM, AF_INET6);
	if (fd == -1) {
		perror("socket");
		exit(1);
	}

	if (bind(fd, (struct sockaddr *)&srx, sizeof(srx)) == -1) {
		perror("bind");
		exit(1);
	}

	sleep(20);

	// Whilst sleeping, hit with:
	// echo -e '\0\0\0\0\0\0\0\0' | ncat -4u --send-only 224.0.0.1 20001
	
	return 0;
}

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ