| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 25 May 2023 10:56:25 -0700
From: Kuniyuki Iwashima <kuniyu@...zon.com>
To: <stephen@...workplumber.org>
CC: <bugzilla-daemon@...nel.org>, <netdev@...r.kernel.org>,
<kuniyu@...zon.com>
Subject: Re: [Bug 217486] New: 'doubel fault' in if_nlmsg_size func by syz-executor fuzz
From: Stephen Hemminger <stephen@...workplumber.org>
Date: Thu, 25 May 2023 08:15:58 -0700
> Not much info in this bug report.
> Blaming if_nlmsg_size() is not right, something is passing bogus data.
>
>
> On Thu, 25 May 2023 12:40:12 +0000
> bugzilla-daemon@...nel.org wrote:
>
> > https://bugzilla.kernel.org/show_bug.cgi?id=217486
> >
> > Bug ID: 217486
> > Summary: 'doubel fault' in if_nlmsg_size func by syz-executor
> > fuzz
> > Product: Networking
> > Version: 2.5
> > Hardware: All
> > OS: Linux
> > Status: NEW
> > Severity: normal
> > Priority: P3
> > Component: IPV4
> > Assignee: stephen@...workplumber.org
> > Reporter: 13151562558@....com
> > Regression: No
> >
> > in syz-executor fuzz test, system panic in "double fault" err.
> > by the kernel log, only get one dump stack info, "if_nlmsg_size+0x4ea/0x7c0".
> > I have vmcore, but don't know how to debug "double fault"? what't first fault ?
> >
> > if_nlmsg_size+0x4ea/0x7c0 code:
> > ```
> > static noinline size_t if_nlmsg_size(const struct net_device *dev,
> > u32 ext_filter_mask)
> > {
> > return NLMSG_ALIGN(sizeof(struct ifinfomsg))
> > + nla_total_size(IFNAMSIZ) /* IFLA_IFNAME */
> > + nla_total_size(IFALIASZ) /* IFLA_IFALIAS */
> >
> > + nla_total_size(4) /* IFLA_MIN_MTU */
> > + nla_total_size(4) /* IFLA_MAX_MTU */
> > + rtnl_prop_list_size(dev) // this
> > line;if_nlmsg_size+0x4ea/0x7c0
> > + nla_total_size(MAX_ADDR_LEN) /* IFLA_PERM_ADDRESS */
> > + 0;
> > }
> > ```
> >
> > dis the code of dump stack, like this:
> > /include/linux/list.h:
> > <if_nlmsg_size+1325>: mov %rbp,%rdx
> > <if_nlmsg_size+1328>: shr $0x3,%rdx
> > <if_nlmsg_size+1332>: cmpb $0x0,(%rdx,%rax,1)
> > <if_nlmsg_size+1336>: jne 0xffffffff8a5b86a6 <if_nlmsg_size+1766>
> > <if_nlmsg_size+1342>: mov 0x10(%r15),%rax
> > <if_nlmsg_size+1346>: cmp %rax,%rbp
> > <if_nlmsg_size+1349>: je 0xffffffff8a5b8659 <if_nlmsg_size+1689>
> >
> >
> > kernel log:
> > [ 3213.317259] CPU: 1 PID: 1830 Comm: syz-executor.6 Tainted: G D
I'd salvage a repro candidate in the syzkaller's log like
HH:MM:SS executing program 6:
....
with syz-prog2c. Even if it does not reproduce the issue,
the syz sequences will give much more hints.
> > 5.10.0 #1
> > [ 3213.317404] RIP: 0010:if_nlmsg_size+0x53e/0x7c0
> > [ 3213.317415] Code: 00 0f 85 2e 02 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8b
> > 7b 10 49 8d 6f 10 48 89 ea 48 c1 ea 03 80 3c 02 00 0f 85 a8 01 00 00 <49> 8b 47
> > 10 48 39 c5 0f 84 4e 01 00 00 e8 90 ff 1a f7 48 89 ea 48
> > [ 3213.317420] RSP: 0018:ffff88809f4ca570 EFLAGS: 00010246
> > [ 3213.317428] RAX: dffffc0000000000 RBX: ffff88803767c000 RCX:
> > ffffc90006714000
> > [ 3213.317433] RDX: 1ffff11008037c92 RSI: ffffffff8a5b84aa RDI:
> > ffff88803767c010
> > [ 3213.317439] RBP: ffff8880401be490 R08: 0000000000000cc0 R09:
> > 0000000000000000
> > [ 3213.317445] R10: ffffffff9287d2e7 R11: fffffbfff250fa5c R12:
> > 0000000000000640
> > [ 3213.317450] R13: 0000000000000950 R14: 0000000000000008 R15:
> > ffff8880401be480
> > [ 3213.317454] ? if_nlmsg_size+0x4ea/0x7c0
> > [ 3213.317457] </#DF>
Powered by blists - more mailing lists