Message-ID: <5f90c2b8-283e-6ca5-65f9-3ea96df00984@I-love.SAKURA.ne.jp>
Date: Sun, 24 Apr 2022 12:57:46 +0900
From: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
To: Santosh Shilimkar <santosh.shilimkar@...cle.com>,
OFED mailing list <linux-rdma@...r.kernel.org>
Cc: syzbot <syzbot+694120e1002c117747ed@...kaller.appspotmail.com>,
andrii@...nel.org, andriin@...com, ast@...nel.org,
daniel@...earbox.net, davem@...emloft.net, dsahern@...nel.org,
edumazet@...gle.com, john.fastabend@...il.com, kafai@...com,
kpsingh@...nel.org, kuba@...nel.org, kuznet@....inr.ac.ru,
netdev@...r.kernel.org, songliubraving@...com,
syzkaller-bugs@...glegroups.com, tpa@...hospital.com, yhs@...com,
yoshfuji@...ux-ipv6.org, bpf@...r.kernel.org
Subject: Re: [syzbot] KASAN: use-after-free Read in tcp_retransmit_timer (5)
OK. I succeeded in reproducing this problem without a BPF program.
Just dropping TCP packets is sufficient. That is, this bug should be fixed in RDS code.
------------------------------------------------------------
root@...z:~# unshare -n sh -c '
ip link set lo up
iptables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
ip6tables -A OUTPUT -p tcp --sport 16385 --tcp-flags SYN NONE -m state --state ESTABLISHED,RELATED -j DROP
telnet 127.0.0.1 16385
dmesg -c
netstat -tanpe' < /dev/null
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
Connection closed by foreign host.
[ 54.922280] accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:58780 refcnt=0 sock_net=ffff888035c98000 init_net=ffffffff860d89c0
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State User Inode PID/Program name
tcp 0 1 127.0.0.1:58780 127.0.0.1:16385 FIN_WAIT1 0 0 -
tcp6 0 0 :::16385 :::* LISTEN 0 18301 -
tcp6 1 1 127.0.0.1:16385 127.0.0.1:58780 LAST_ACK 0 0 -
------------------------------------------------------------
------------------------------------------------------------
fuzz login: [ 54.849128][ T2718] ip (2718) used greatest stack depth: 11192 bytes left
[ 54.922280][ T764] accepted family 10 tcp ::ffff:127.0.0.1:16385 -> ::ffff:127.0.0.1:58780 refcnt=0 sock_net=ffff888035c98000 init_net=ffffffff860d89c0
[ 224.330990][ C0] general protection fault, probably for non-canonical address 0x6b6af3ebe92b6bc3: 0000 [#1] PREEMPT SMP
[ 224.344491][ C0] CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.18.0-rc3-00016-gb253435746d9-dirty #767
[ 224.355974][ C0] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 224.361184][ C0] RIP: 0010:__tcp_transmit_skb+0x5e5/0xbf0
[ 224.364559][ C0] Code: 0f 84 33 05 00 00 4c 89 2c 24 49 89 c5 48 c7 40 10 00 00 00 00 e9 c0 fa ff ff 49 8b 46 30 41 0f b7 55 30 48 8b 80 b8 02 00 00 <65> 48 01 50 58 e9 8e fe ff ff 41 8b 86 fc 08 00 00 48 69 c0 e8 03
[ 224.375318][ C0] RSP: 0018:ffffc90000003d38 EFLAGS: 00010297
[ 224.378682][ C0] RAX: 6b6b6b6b6b6b6b6b RBX: 000000009e2a2659 RCX: ffff888104a39000
[ 224.383253][ C0] RDX: 0000000000000001 RSI: ffff8881008054e0 RDI: ffff888035340000
[ 224.387171][ C0] RBP: ffff888100805508 R08: 0000000000000000 R09: 0000000000000000
[ 224.389612][ C0] R10: ffff888104a39140 R11: 0000000000000000 R12: 0000000000000001
[ 224.392646][ C0] R13: ffff8881008054e0 R14: ffff888035340000 R15: 0000000000000020
[ 224.395626][ C0] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 224.398662][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 224.400880][ C0] CR2: 000056264812f99c CR3: 000000000a58e000 CR4: 00000000000506f0
[ 224.403964][ C0] Call Trace:
[ 224.405212][ C0] <IRQ>
[ 224.406355][ C0] ? tcp_write_timer_handler+0x280/0x280
[ 224.408259][ C0] tcp_write_wakeup+0x112/0x160
[ 224.409932][ C0] ? ktime_get+0x1cb/0x260
[ 224.411636][ C0] tcp_send_probe0+0x13/0x150
[ 224.413393][ C0] tcp_write_timer_handler+0x248/0x280
[ 224.415433][ C0] tcp_write_timer+0xa5/0x110
[ 224.417040][ C0] ? tcp_write_timer_handler+0x280/0x280
[ 224.419142][ C0] call_timer_fn+0xa6/0x300
[ 224.420949][ C0] __run_timers.part.0+0x209/0x320
[ 224.422915][ C0] run_timer_softirq+0x2c/0x60
[ 224.424791][ C0] __do_softirq+0x174/0x53f
[ 224.426462][ C0] __irq_exit_rcu+0xcb/0x120
[ 224.428188][ C0] irq_exit_rcu+0x5/0x20
[ 224.430176][ C0] sysvec_apic_timer_interrupt+0x8e/0xc0
[ 224.432301][ C0] </IRQ>
[ 224.433394][ C0] <TASK>
[ 224.434514][ C0] asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 224.436500][ C0] RIP: 0010:default_idle+0xb/0x10
[ 224.438220][ C0] Code: 8b 04 25 40 af 01 00 f0 80 60 02 df c3 0f ae f0 0f ae 38 0f ae f0 eb b9 0f 1f 80 00 00 00 00 eb 07 0f 00 2d e3 b6 56 00 fb f4 <c3> cc cc cc cc 53 48 89 fb e8 67 fb fe ff 48 8b 15 a0 91 4e 02 89
[ 224.444865][ C0] RSP: 0018:ffffffff83e03ea8 EFLAGS: 00000202
[ 224.447077][ C0] RAX: 00000000000223b5 RBX: ffffffff83e61a00 RCX: 0000000000000001
[ 224.449957][ C0] RDX: 0000000000000000 RSI: ffffffff832e9bf1 RDI: ffffffff83246666
[ 224.452916][ C0] RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000001
[ 224.455677][ C0] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000000
[ 224.458458][ C0] R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
[ 224.461642][ C0] default_idle_call+0x54/0x90
[ 224.463888][ C0] do_idle+0x1f3/0x240
[ 224.465531][ C0] cpu_startup_entry+0x14/0x20
[ 224.467193][ C0] start_kernel+0x69c/0x6c1
[ 224.469040][ C0] secondary_startup_64_no_verify+0xc3/0xcb
[ 224.471179][ C0] </TASK>
[ 224.472438][ C0] Modules linked in:
[ 224.474387][ C0] ---[ end trace 0000000000000000 ]---
[ 224.476521][ C0] RIP: 0010:__tcp_transmit_skb+0x5e5/0xbf0
[ 224.478893][ C0] Code: 0f 84 33 05 00 00 4c 89 2c 24 49 89 c5 48 c7 40 10 00 00 00 00 e9 c0 fa ff ff 49 8b 46 30 41 0f b7 55 30 48 8b 80 b8 02 00 00 <65> 48 01 50 58 e9 8e fe ff ff 41 8b 86 fc 08 00 00 48 69 c0 e8 03
[ 224.485948][ C0] RSP: 0018:ffffc90000003d38 EFLAGS: 00010297
[ 224.488110][ C0] RAX: 6b6b6b6b6b6b6b6b RBX: 000000009e2a2659 RCX: ffff888104a39000
[ 224.491186][ C0] RDX: 0000000000000001 RSI: ffff8881008054e0 RDI: ffff888035340000
[ 224.494378][ C0] RBP: ffff888100805508 R08: 0000000000000000 R09: 0000000000000000
[ 224.497576][ C0] R10: ffff888104a39140 R11: 0000000000000000 R12: 0000000000000001
[ 224.500600][ C0] R13: ffff8881008054e0 R14: ffff888035340000 R15: 0000000000000020
[ 224.503814][ C0] FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
[ 224.507136][ C0] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 224.509421][ C0] CR2: 000056264812f99c CR3: 000000000a58e000 CR4: 00000000000506f0
[ 224.512699][ C0] Kernel panic - not syncing: Fatal exception in interrupt
[ 224.515847][ C0] Kernel Offset: disabled
[ 224.517636][ C0] Rebooting in 10 seconds..
------------------------------------------------------------
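Triage helper added here as an example; it is not part of this report or of the kernel tree. It parses the oops above and shows why a general protection fault on a non-canonical address, combined with a register filled with 0x6b bytes, points to a use-after-free even without KASAN: 0x6b is the SLUB POISON_FREE byte written over freed objects. The OOPS excerpt is copied from the trace above; treating six or more poison bytes in a register as "poisoned" is an assumption of this example.

```python
import re

POISON_FREE = 0x6B  # byte SLUB writes over freed objects (include/linux/poison.h)

# Sample input: lines excerpted from the oops quoted in the report above.
OOPS = """\
[ 224.330990][ C0] general protection fault, probably for non-canonical address 0x6b6af3ebe92b6bc3: 0000 [#1] PREEMPT SMP
[ 224.361184][ C0] RIP: 0010:__tcp_transmit_skb+0x5e5/0xbf0
[ 224.378682][ C0] RAX: 6b6b6b6b6b6b6b6b RBX: 000000009e2a2659 RCX: ffff888104a39000
[ 224.403964][ C0] Call Trace:
[ 224.405212][ C0] <IRQ>
[ 224.406355][ C0] ? tcp_write_timer_handler+0x280/0x280
[ 224.408259][ C0] tcp_write_wakeup+0x112/0x160
[ 224.411636][ C0] tcp_send_probe0+0x13/0x150
[ 224.413393][ C0] tcp_write_timer_handler+0x248/0x280
[ 224.432301][ C0] </IRQ>
"""

def is_canonical(addr):
    """x86-64 with 48-bit virtual addresses: bits 63..47 must all equal bit 47."""
    return (addr >> 47) in (0, (1 << 17) - 1)

def poisoned_regs(header):
    """Registers holding mostly POISON_FREE bytes, i.e. a value read from freed slab memory (threshold assumed)."""
    return [name for name, val in re.findall(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b", header)
            if int(val, 16).to_bytes(8, "little").count(POISON_FREE) >= 6]

def irq_frames(text):
    """Reliable frames (no leading '?') between <IRQ> and </IRQ>, innermost first."""
    m = re.search(r"<IRQ>(.*?)</IRQ>", text, re.S)
    syms = [ln.split("]")[-1].strip() for ln in (m.group(1) if m else "").splitlines()]
    return [s.split("+")[0] for s in syms if s and not s.startswith("?")]

def triage(text):
    """Decide whether an oops without KASAN still carries the signature of a use-after-free."""
    header = text.split("Call Trace:")[0]
    addr = re.search(r"non-canonical address 0x([0-9a-f]+)", header)
    rip = re.search(r"RIP: 0010:(\S+)", header)
    fault = int(addr.group(1), 16) if addr else None
    bad = poisoned_regs(header)
    return {
        "rip": rip.group(1).split("+")[0] if rip else None,
        "fault_addr": fault,
        "poisoned_regs": bad,
        "irq_frames": irq_frames(text),
        # A non-canonical fault address derived from a 0x6b-filled register means the
        # code followed a pointer out of a freed, poisoned object: use-after-free.
        "likely_uaf": bool(bad) and fault is not None and not is_canonical(fault),
    }
```

For this excerpt the verdict is likely_uaf=True, with RAX as the poisoned register and the fault reached from the TCP write timer in softirq context, which matches the report's conclusion that the socket was freed while its timers were still armed.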