lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CAEkJfYOoJZZnXioMsaHNHVj8e77Ch8UqKhNcR_UrzU9tJUKoSg@mail.gmail.com>
Date: Tue, 7 May 2024 15:00:38 +0800
From: Sam Sun <samsun1006219@...il.com>
To: linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Cc: Eric Dumazet <edumazet@...gle.com>, davem@...emloft.net, dsahern@...nel.org, 
	kuba@...nel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com, 
	xrivendell7@...il.com
Subject: [Linux kernel bug] general protection fault in nexthop_is_blackhole

Dear developers and maintainers,

We encountered a general protection fault in function
nexthop_is_blackhole. It was tested against the latest upstream linux
(tag 6.9-rc7). C repro and kernel config are attached to this email.
Kernel crash log is listed below.
```
general protection fault, probably for non-canonical address
0xdffffc0080008015: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: probably user-memory-access in range
[0x00000004000400a8-0x00000004000400af]
CPU: 1 PID: 7959 Comm: kworker/u8:2 Not tainted 6.9.0-rc6 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
Workqueue: ipv6_addrconf addrconf_dad_work
RIP: 0010:nexthop_is_blackhole+0x23/0x2a0 include/net/nexthop.h:370
Code: 00 00 00 0f 1f 40 00 55 41 57 41 56 53 48 89 fb 49 bf 00 00 00
00 00 fc ff df e8 58 c1 b6 f7 4c 8d 73 66 4c 89 f0 48 c1 e8 03 <42> 8a
04 38 84 c0 0f 85 17 02 00 00 41 0f b6 2e 31 ff 89 ee e8 44
RSP: 0018:ffffc900001d81f8 EFLAGS: 00010203
RAX: 0000000080008015 RBX: 0000000400040048 RCX: ffff88801cbfa500
RDX: 0000000080000101 RSI: 0000000000000000 RDI: 0000000400040048
RBP: ffffc900001d8398 R08: ffffffff89d8fd23 R09: 0000000000000021
R10: ffffc900001d84c0 R11: fffffbfff2273299 R12: ffff88807857e800
R13: 1ffff1100f0afd0c R14: 00000004000400ae R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa8a2420630 CR3: 00000000264f6000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <IRQ>
 __find_rr_leaf+0x521/0x890 net/ipv6/route.c:817
 find_rr_leaf net/ipv6/route.c:861 [inline]
 rt6_select net/ipv6/route.c:896 [inline]
 fib6_table_lookup+0x56f/0xbb0 net/ipv6/route.c:2193
 ip6_pol_route+0x272/0x1580 net/ipv6/route.c:2229
 pol_lookup_func include/net/ip6_fib.h:614 [inline]
 fib6_rule_lookup+0x571/0x780 net/ipv6/fib6_rules.c:116
 ip6_route_input_lookup net/ipv6/route.c:2298 [inline]
 ip6_route_input+0x839/0xd10 net/ipv6/route.c:2594
 ip6_rcv_finish net/ipv6/ip6_input.c:77 [inline]
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ipv6_rcv+0x1dc/0x200 net/ipv6/ip6_input.c:310
 __netif_receive_skb_one_core net/core/dev.c:5544 [inline]
 __netif_receive_skb+0x1dc/0x640 net/core/dev.c:5658
 process_backlog+0x361/0x790 net/core/dev.c:5987
 __napi_poll+0xca/0x480 net/core/dev.c:6638
 napi_poll net/core/dev.c:6707 [inline]
 net_rx_action+0x7c0/0x10a0 net/core/dev.c:6822
 __do_softirq+0x272/0x734 kernel/softirq.c:554
 do_softirq+0xfe/0x1b0 kernel/softirq.c:455
 </IRQ>
 <TASK>
 __local_bh_enable_ip+0x18a/0x1c0 kernel/softirq.c:382
 local_bh_enable include/linux/bottom_half.h:33 [inline]
 rcu_read_unlock_bh include/linux/rcupdate.h:851 [inline]
 __dev_queue_xmit+0x1d13/0x3a60 net/core/dev.c:4368
 neigh_output include/net/neighbour.h:542 [inline]
 ip6_finish_output2+0xfcf/0x1600 net/ipv6/ip6_output.c:137
 ip6_finish_output+0x3c8/0x7f0 net/ipv6/ip6_output.c:222
 NF_HOOK include/linux/netfilter.h:314 [inline]
 ndisc_send_skb+0xa39/0xf40 net/ipv6/ndisc.c:509
 addrconf_dad_completed+0x734/0xc60 net/ipv6/addrconf.c:4358
 addrconf_dad_work+0xd82/0x16b0
 process_one_work kernel/workqueue.c:3254 [inline]
 process_scheduled_works+0x9c9/0x14a0 kernel/workqueue.c:3335
 worker_thread+0x85c/0xd50 kernel/workqueue.c:3416
 kthread+0x2ed/0x390 kernel/kthread.c:388
 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
 ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:244
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:nexthop_is_blackhole+0x23/0x2a0 include/net/nexthop.h:370
Code: 00 00 00 0f 1f 40 00 55 41 57 41 56 53 48 89 fb 49 bf 00 00 00
00 00 fc ff df e8 58 c1 b6 f7 4c 8d 73 66 4c 89 f0 48 c1 e8 03 <42> 8a
04 38 84 c0 0f 85 17 02 00 00 41 0f b6 2e 31 ff 89 ee e8 44
RSP: 0018:ffffc900001d81f8 EFLAGS: 00010203

RAX: 0000000080008015 RBX: 0000000400040048 RCX: ffff88801cbfa500
RDX: 0000000080000101 RSI: 0000000000000000 RDI: 0000000400040048
RBP: ffffc900001d8398 R08: ffffffff89d8fd23 R09: 0000000000000021
R10: ffffc900001d84c0 R11: fffffbfff2273299 R12: ffff88807857e800
R13: 1ffff1100f0afd0c R14: 00000004000400ae R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff8880be400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa8a2420630 CR3: 00000000264f6000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess), 1 bytes skipped:
   0: 00 00                 add    %al,(%rax)
   2: 0f 1f 40 00           nopl   0x0(%rax)
   6: 55                   push   %rbp
   7: 41 57                 push   %r15
   9: 41 56                 push   %r14
   b: 53                   push   %rbx
   c: 48 89 fb             mov    %rdi,%rbx
   f: 49 bf 00 00 00 00 00 movabs $0xdffffc0000000000,%r15
  16: fc ff df
  19: e8 58 c1 b6 f7       callq  0xf7b6c176
  1e: 4c 8d 73 66           lea    0x66(%rbx),%r14
  22: 4c 89 f0             mov    %r14,%rax
  25: 48 c1 e8 03           shr    $0x3,%rax
* 29: 42 8a 04 38           mov    (%rax,%r15,1),%al <-- trapping instruction
  2d: 84 c0                 test   %al,%al
  2f: 0f 85 17 02 00 00     jne    0x24c
  35: 41 0f b6 2e           movzbl (%r14),%ebp
  39: 31 ff                 xor    %edi,%edi
  3b: 89 ee                 mov    %ebp,%esi
  3d: e8                   .byte 0xe8
  3e: 44                   rex.R
```
If you have any questions, please contact us.

Reported by Yue Sun <samsun1006219@...il.com>
Reported by xingwei lee <xrivendell7@...il.com>

Best Regards,
Yue

Download attachment "config" of type "application/octet-stream" (247919 bytes)

View attachment "nexthop_is_blackhole.c" of type "text/x-csrc" (85382 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ