lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <_EStAmQIIbOHjwEqqb54KlnJy9ltngO0A__i8T4sJISE0rRSCaa8TlYBrwJ9AJPxJtrp27MNaXRISYfABlCoIWA1bze3-o2Oblw7PcCdxM4=@n8pjl.ca>
Date:   Sun, 20 Nov 2022 00:01:30 +0000
From:   Peter Lafreniere <peter@...jl.ca>
To:     syzbot <syzbot+4643bc868f47ad276452@...kaller.appspotmail.com>
Cc:     davem@...emloft.net, edumazet@...gle.com, jreuter@...na.de,
        kuba@...nel.org, linux-hams@...r.kernel.org,
        linux-kernel@...r.kernel.org, netdev@...r.kernel.org,
        pabeni@...hat.com, ralf@...ux-mips.org,
        syzkaller-bugs@...glegroups.com
Subject: Re: [syzbot] general protection fault in ax25_send_frame (2)

In response to the following syzbot report:

> general protection fault, probably for non-canonical address 0xdffffc000000006c: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
> CPU: 1 PID: 10715 Comm: syz-executor.3 Not tainted 6.0.0-rc4-syzkaller-00136-g0727a9a5fbc1 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
> RIP: 0010:ax25_dev_ax25dev include/net/ax25.h:342 [inline]
> RIP: 0010:ax25_send_frame+0xe4/0x640 net/ax25/ax25_out.c:56
> Code: 00 48 85 c0 49 89 c4 0f 85 fb 03 00 00 e8 34 cb 2b f9 49 8d bd 60 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b1 04 00 00 4d 8b ad 60 03 00 00 4d 85 ed 0f 84
> 
> RSP: 0000:ffffc90004c77a00 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: ffff88814a308008 RCX: 0000000000000100
> RDX: 000000000000006c RSI: ffffffff88503efc RDI: 0000000000000360
> RBP: ffffffff91561460 R08: 0000000000000001 R09: ffffffff908e4a9f
> R10: 0000000000000001 R11: 1ffffffff2020d9a R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000104 R15: 0000000000000000
> FS: 0000555556215400(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2f328000 CR3: 0000000050a64000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
>
> rose_send_frame+0xcc/0x2f0 net/rose/rose_link.c:106
> rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
> rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
> rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
> call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
> expire_timers kernel/time/timer.c:1519 [inline]
> __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
> __run_timers kernel/time/timer.c:1768 [inline]
> run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
> [...]
> </TASK>

The null dereference in ax25_dev_ax25dev() must be from a null struct
net_device* dev being passed to ax25_send_frame(). By tracing the call stack,
the null pointer can be shown as coming from the dev field of
rose_loopback_neigh being null.

The null dereference was already mitigated with a fail-silent check by
commit e97c089d7a49 ("rose: Fix NULL pointer dereference in rose_send_frame()")
in response to a previous syzbot report "general protection fault in 
rose_send_frame (2)", which was not closed.

Does anyone object to marking syzbot bugs
"general protection fault in {ax25|rose}_send_frame (2)"
as fixed?

Respectfully,
Peter Lafreniere (N8PJL)
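As an added illustration (not part of the mail above and not the kernel's own code), a user-space C model of the crash path and of the fail-silent guard the mail refers to: a rose_neigh whose dev was never set, the unguarded send that hands that NULL to ax25_send_frame(), and the guarded variant that drops the frame instead. Function and struct names mirror the kernel identifiers in the trace, but the struct layouts are simplified assumptions, and the guard's exact form is an assumption modelled on the mail's description rather than a copy of commit e97c089d7a49.

```c
#include <stddef.h>

/* Simplified stand-ins for the kernel structs (assumption: only the
 * fields the reported crash path touches are modelled). */
struct ax25_dev { int up; };
struct net_device { struct ax25_dev *ax25_ptr; };
struct rose_neigh { struct net_device *dev; };
struct sk_buff { size_t len; };

/* Models ax25_dev_ax25dev(): fetches the AX.25 state hung off a net_device.
 * With dev == NULL this is exactly the dereference the syzbot trace shows. */
struct ax25_dev *ax25_dev_ax25dev(struct net_device *dev)
{
    return dev->ax25_ptr;
}

/* Models ax25_send_frame(): trusts its caller to pass a valid dev. */
struct sk_buff *ax25_send_frame(struct sk_buff *skb, struct net_device *dev)
{
    struct ax25_dev *ax25_dev = ax25_dev_ax25dev(dev);
    if (ax25_dev == NULL || !ax25_dev->up)
        return NULL;
    return skb; /* frame accepted for transmission */
}

/* Unguarded rose_send_frame(): faults when neigh->dev is still NULL. */
struct sk_buff *rose_send_frame_unguarded(struct sk_buff *skb, struct rose_neigh *neigh)
{
    return ax25_send_frame(skb, neigh->dev);
}

/* Guarded rose_send_frame(): the fail-silent check. A loopback neighbour
 * that has no device yet simply loses the frame instead of crashing. */
struct sk_buff *rose_send_frame_guarded(struct sk_buff *skb, struct rose_neigh *neigh)
{
    if (neigh->dev == NULL)
        return NULL;
    return ax25_send_frame(skb, neigh->dev);
}

/* Constructed scenario: one neighbour wired to a device, one that models
 * rose_loopback_neigh before any device was attached. Returns 1 when the
 * guarded path passes the first and silently drops the second. */
int demo(void)
{
    static struct ax25_dev adev = { .up = 1 };
    static struct net_device ndev = { .ax25_ptr = &adev };
    struct rose_neigh wired = { .dev = &ndev };
    struct rose_neigh loopback = { .dev = NULL };
    struct sk_buff skb = { .len = 16 };
    int passed = rose_send_frame_guarded(&skb, &wired) == &skb;
    int dropped = rose_send_frame_guarded(&skb, &loopback) == NULL;
    /* rose_send_frame_unguarded(&skb, &loopback) would dereference NULL */
    return passed && dropped;
}
```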
