lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20230525081558.38ee5cde@hermes.local>
Date: Thu, 25 May 2023 08:15:58 -0700
From: Stephen Hemminger <stephen@...workplumber.org>
To: netdev@...r.kernel.org
Cc: bugzilla-daemon@...nel.org
Subject: Re: [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by
 syz-executor fuzz

Not much info in this bug report.
Blaming if_nlmsg_size() is not right, something is passing bogus data.


On Thu, 25 May 2023 12:40:12 +0000
bugzilla-daemon@...nel.org wrote:

> https://bugzilla.kernel.org/show_bug.cgi?id=217486
> 
>             Bug ID: 217486
>            Summary: 'doubel fault' in if_nlmsg_size func by syz-executor
>                     fuzz
>            Product: Networking
>            Version: 2.5
>           Hardware: All
>                 OS: Linux
>             Status: NEW
>           Severity: normal
>           Priority: P3
>          Component: IPV4
>           Assignee: stephen@...workplumber.org
>           Reporter: 13151562558@....com
>         Regression: No
> 
> in syz-executor fuzz test, system panic in "double fault" err.
> by the kernel log, only get one dump stack info, "if_nlmsg_size+0x4ea/0x7c0".
> I have vmcore, but don't know how to debug "double fault"? what't first fault ?
> 
> if_nlmsg_size+0x4ea/0x7c0 code:
> ```
> static noinline size_t if_nlmsg_size(const struct net_device *dev,
>                                      u32 ext_filter_mask)
> {
>         return NLMSG_ALIGN(sizeof(struct ifinfomsg))
>                + nla_total_size(IFNAMSIZ) /* IFLA_IFNAME */
>                + nla_total_size(IFALIASZ) /* IFLA_IFALIAS */
> 
>                + nla_total_size(4)  /* IFLA_MIN_MTU */
>                + nla_total_size(4)  /* IFLA_MAX_MTU */
>                + rtnl_prop_list_size(dev) // this
> line;if_nlmsg_size+0x4ea/0x7c0
>                + nla_total_size(MAX_ADDR_LEN) /* IFLA_PERM_ADDRESS */
>                + 0;
> }
> ```
> 
> dis the code of dump stack, like this:
> /include/linux/list.h: 
>  <if_nlmsg_size+1325>:        mov    %rbp,%rdx
>  <if_nlmsg_size+1328>:        shr    $0x3,%rdx
>  <if_nlmsg_size+1332>:        cmpb   $0x0,(%rdx,%rax,1)
>  <if_nlmsg_size+1336>:        jne    0xffffffff8a5b86a6 <if_nlmsg_size+1766>
>  <if_nlmsg_size+1342>:        mov    0x10(%r15),%rax
>  <if_nlmsg_size+1346>:        cmp    %rax,%rbp
>  <if_nlmsg_size+1349>:        je     0xffffffff8a5b8659 <if_nlmsg_size+1689>
> 
> 
> kernel log:
> [ 3213.317259] CPU: 1 PID: 1830 Comm: syz-executor.6 Tainted: G      D         
>  5.10.0 #1
> [ 3213.317404] RIP: 0010:if_nlmsg_size+0x53e/0x7c0
> [ 3213.317415] Code: 00 0f 85 2e 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
> 7b 10 49 8d 6f 10 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 a8 01 00 00 <49> 8b 47
> 10 48 39 c5 0f 84 4e 01 00 00 e8 90 ff 1a f7 48 89 ea 48
> [ 3213.317420] RSP: 0018:ffff88809f4ca570 EFLAGS: 00010246
> [ 3213.317428] RAX: dffffc0000000000 RBX: ffff88803767c000 RCX:
> ffffc90006714000
> [ 3213.317433] RDX: 1ffff11008037c92 RSI: ffffffff8a5b84aa RDI:
> ffff88803767c010
> [ 3213.317439] RBP: ffff8880401be490 R08: 0000000000000cc0 R09:
> 0000000000000000
> [ 3213.317445] R10: ffffffff9287d2e7 R11: fffffbfff250fa5c R12:
> 0000000000000640
> [ 3213.317450] R13: 0000000000000950 R14: 0000000000000008 R15:
> ffff8880401be480
> [ 3213.317454]  ? if_nlmsg_size+0x4ea/0x7c0
> [ 3213.317457]  </#DF>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ