Date: Sun, 20 Nov 2022 00:01:30 +0000
From: Peter Lafreniere <peter@...jl.ca>
To: syzbot <syzbot+4643bc868f47ad276452@...kaller.appspotmail.com>
Cc: davem@...emloft.net, edumazet@...gle.com, jreuter@...na.de, kuba@...nel.org, linux-hams@...r.kernel.org, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, ralf@...ux-mips.org, syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] general protection fault in ax25_send_frame (2)

In response to the following syzbot report:

> general protection fault, probably for non-canonical address 0xdffffc000000006c: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
> CPU: 1 PID: 10715 Comm: syz-executor.3 Not tainted 6.0.0-rc4-syzkaller-00136-g0727a9a5fbc1 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
> RIP: 0010:ax25_dev_ax25dev include/net/ax25.h:342 [inline]
> RIP: 0010:ax25_send_frame+0xe4/0x640 net/ax25/ax25_out.c:56
> Code: 00 48 85 c0 49 89 c4 0f 85 fb 03 00 00 e8 34 cb 2b f9 49 8d bd 60 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b1 04 00 00 4d 8b ad 60 03 00 00 4d 85 ed 0f 84
> RSP: 0000:ffffc90004c77a00 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: ffff88814a308008 RCX: 0000000000000100
> RDX: 000000000000006c RSI: ffffffff88503efc RDI: 0000000000000360
> RBP: ffffffff91561460 R08: 0000000000000001 R09: ffffffff908e4a9f
> R10: 0000000000000001 R11: 1ffffffff2020d9a R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000104 R15: 0000000000000000
> FS:  0000555556215400(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2f328000 CR3: 0000000050a64000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
>  <TASK>
>  rose_send_frame+0xcc/0x2f0 net/rose/rose_link.c:106
>  rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
>  rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
>  rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
>  call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
>  expire_timers kernel/time/timer.c:1519 [inline]
>  __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
>  __run_timers kernel/time/timer.c:1768 [inline]
>  run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
> [...]
>  </TASK>

The null dereference in ax25_dev_ax25dev() must be from a null struct net_device* dev being passed to ax25_send_frame(). By tracing the call stack, the null pointer can be shown as coming from the dev field of rose_loopback_neigh being null.

The null dereference was already mitigated with a fail-silent check by commit e97c089d7a49 ("rose: Fix NULL pointer dereference in rose_send_frame()") in response to a previous syzbot report "general protection fault in rose_send_frame (2)", which was not closed.

Does anyone object to marking syzbot bugs "general protection fault in {ax25|rose}_send_frame (2)" as fixed?

Respectfully,
Peter Lafreniere (N8PJL)
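As an added user-space C model (not kernel code, and not part of the e-mail above) of the path the report shows: a rose_neigh whose dev is NULL is handed by rose_send_frame() to ax25_send_frame(), which dereferences it in ax25_dev_ax25dev(). The struct layouts, the simplified signatures and the -ENODEV return of the guarded version are assumptions; the guard only models the fail-silent check the e-mail refers to, not the actual patch.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structs (not the real layouts). */
struct ax25_dev { int id; };
struct net_device { struct ax25_dev *ax25_ptr; };
struct rose_neigh { struct net_device *dev; };

/* Models ax25_dev_ax25dev() from include/net/ax25.h: no NULL check on dev,
 * so a NULL dev faults on this load, as in the report. */
struct ax25_dev *ax25_dev_ax25dev(struct net_device *dev) { return dev->ax25_ptr; }

/* Simplified ax25_send_frame(): trusts its caller to pass a valid dev. */
int ax25_send_frame(struct net_device *dev) { return ax25_dev_ax25dev(dev) ? 0 : -ENODEV; }

/* Before the mitigation: the loopback neighbour's NULL dev is passed straight through. */
int rose_send_frame_unchecked(struct rose_neigh *neigh) { return ax25_send_frame(neigh->dev); }

/* With a fail-silent check in rose_send_frame() (modelled; the -ENODEV value
 * and the exact placement are assumptions, not the kernel patch). */
int rose_send_frame_checked(struct rose_neigh *neigh)
{
	if (!neigh->dev)
		return -ENODEV;
	return ax25_send_frame(neigh->dev);
}

/* A neighbour with a device behind it: the frame goes out (returns 0). */
int send_via_real_neigh(void)
{
	struct ax25_dev adev = { 1 };
	struct net_device ndev = { &adev };
	struct rose_neigh neigh = { &ndev };
	return rose_send_frame_checked(&neigh);
}

/* A neighbour like rose_loopback_neigh, whose dev is NULL: returns -ENODEV
 * instead of oopsing; rose_send_frame_unchecked() here would dereference NULL. */
int send_via_loopback_neigh(void)
{
	struct rose_neigh loopback = { NULL };
	return rose_send_frame_checked(&loopback);
}

int main(void)
{
	printf("real: %d, loopback: %d\n", send_via_real_neigh(), send_via_loopback_neigh());
	return 0;
}
```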