lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date:   Mon, 31 Oct 2022 22:20:53 -0400
From:   Xin Long <lucien.xin@...il.com>
To:     Wei Chen <harperchen1110@...il.com>
Cc:     jmaloy@...hat.com, ying.xue@...driver.com, davem@...emloft.net,
        kuba@...nel.org, netdev@...r.kernel.org,
        tipc-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org
Subject: Re: BUG: unable to handle kernel NULL pointer dereference in tipc_conn_close

On Sun, Oct 30, 2022 at 6:20 AM Wei Chen <harperchen1110@...il.com> wrote:
>
> Dear Linux Developer,
>
> Recently when using our tool to fuzz kernel, the following crash was triggered:
>
> HEAD commit: 64570fbc14f8 Linux 5.15-rc5
> git tree: upstream
> compiler: gcc 8.0.1
> console output:
> https://drive.google.com/file/d/1nDvjcSyhzWncMlR35k1P1dC8rswJ_Zin/view?usp=share_link
> kernel config: https://drive.google.com/file/d/1uDOeEYgJDcLiSOrx9W8v2bqZ6uOA_55t/view?usp=share_link
>
> Unfortunately, I don't have any reproducer for this crash yet.
>
> IMPORTANT: if you fix the bug, please add the following tag to the commit:
> Reported-by: Wei Chen <harperchen1110@...il.com>
>
> BUG: kernel NULL pointer dereference, address: 0000000000000018
> #PF: supervisor read access in kernel mode
> #PF: error_code(0x0000) - not-present page
> PGD 0 P4D 0
> Oops: 0000 [#1] PREEMPT SMP
> CPU: 1 PID: 7336 Comm: kworker/u4:4 Not tainted 5.15.0-rc5 #1
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
> rel-1.13.0-48-gd9c812dda519-prebuilt.qemu.org 04/01/2014
> Workqueue: netns cleanup_net
> RIP: 0010:tipc_conn_close+0x12/0x100
con->sock is set only after tipc_topsrv_accept() is called by awork.
We should do the check under a proper lock.

Will think about it, thanks.

> Code: 02 01 e8 52 74 20 00 e9 c6 fd ff ff 66 90 66 2e 0f 1f 84 00 00
> 00 00 00 41 55 41 54 55 53 48 89 fb e8 82 4f c2 fc 48 8b 43 08 <4c> 8b
> 68 18 4d 8d a5 b0 03 00 00 4c 89 e7 e8 fb 36 44 00 f0 48 0f
> RSP: 0018:ffffc90005137d60 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff88805a9eea00 RCX: ffff88810b035280
> RDX: 0000000000000000 RSI: ffff88810b035280 RDI: 0000000000000002
> RBP: ffffc90005137db0 R08: ffffffff847b23de R09: 0000000000000001
> R10: 0000000000000005 R11: 0000000000000000 R12: ffff88810bdeed40
> R13: 000000000000027b R14: ffff88805a9eea00 R15: ffff88810ebc2058
> FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000018 CR3: 000000010b0e2000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  tipc_topsrv_exit_net+0x139/0x320
>  ops_exit_list.isra.9+0x49/0x80
>  cleanup_net+0x31a/0x540
>  process_one_work+0x3fa/0x9f0
>  worker_thread+0x42/0x5c0
>  kthread+0x1a6/0x1e0
>  ret_from_fork+0x1f/0x30
> Modules linked in:
> CR2: 0000000000000018
> ---[ end trace 1524bb8c4ed3c3b4 ]---
> RIP: 0010:tipc_conn_close+0x12/0x100
> Code: 02 01 e8 52 74 20 00 e9 c6 fd ff ff 66 90 66 2e 0f 1f 84 00 00
> 00 00 00 41 55 41 54 55 53 48 89 fb e8 82 4f c2 fc 48 8b 43 08 <4c> 8b
> 68 18 4d 8d a5 b0 03 00 00 4c 89 e7 e8 fb 36 44 00 f0 48 0f
> RSP: 0018:ffffc90005137d60 EFLAGS: 00010246
> RAX: 0000000000000000 RBX: ffff88805a9eea00 RCX: ffff88810b035280
> RDX: 0000000000000000 RSI: ffff88810b035280 RDI: 0000000000000002
> RBP: ffffc90005137db0 R08: ffffffff847b23de R09: 0000000000000001
> R10: 0000000000000005 R11: 0000000000000000 R12: ffff88810bdeed40
> R13: 000000000000027b R14: ffff88805a9eea00 R15: ffff88810ebc2058
> FS:  0000000000000000(0000) GS:ffff88813dc00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000000000000018 CR3: 000000010b0e2000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> ----------------
> Code disassembly (best guess):
>    0: 02 01                add    (%rcx),%al
>    2: e8 52 74 20 00        callq  0x207459
>    7: e9 c6 fd ff ff        jmpq   0xfffffdd2
>    c: 66 90                xchg   %ax,%ax
>    e: 66 2e 0f 1f 84 00 00 nopw   %cs:0x0(%rax,%rax,1)
>   15: 00 00 00
>   18: 41 55                push   %r13
>   1a: 41 54                push   %r12
>   1c: 55                    push   %rbp
>   1d: 53                    push   %rbx
>   1e: 48 89 fb              mov    %rdi,%rbx
>   21: e8 82 4f c2 fc        callq  0xfcc24fa8
>   26: 48 8b 43 08          mov    0x8(%rbx),%rax
> * 2a: 4c 8b 68 18          mov    0x18(%rax),%r13 <-- trapping instruction
>   2e: 4d 8d a5 b0 03 00 00 lea    0x3b0(%r13),%r12
>   35: 4c 89 e7              mov    %r12,%rdi
>   38: e8 fb 36 44 00        callq  0x443738
>   3d: f0                    lock
>   3e: 48                    rex.W
>   3f: 0f                    .byte 0xf
>
> Best,
> Wei

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ