Message-ID: <CA+-ZZ_hgYZJTJiVV1xONi0t2suBEKa_Tp2qhnj5Man0qV=siaA@mail.gmail.com>
Date: Tue, 24 Sep 2024 12:12:53 -0400
From: reveliofuzzing <reveliofuzzing@...il.com>
To: jesse.brandeburg@...el.com, anthony.l.nguyen@...el.com, 
	davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, 
	intel-wired-lan@...ts.osuosl.org, netdev@...r.kernel.org
Subject: Report "BUG: unable to handle kernel NULL pointer dereference in e1000_clean_rx_irq"

Hello,

We found the following crash when fuzzing^1 the Linux kernel 6.10 and we are able to reproduce it.
To our knowledge, this crash has not been observed by SyzBot so we would like to report it for your reference.

- Crash
BUG: kernel NULL pointer dereference, address: 000000000000006a
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 800000000859a067 P4D 800000000859a067 PUD 9526067 PMD 0
Oops: Oops: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:memcpy_orig+0x64/0x140 linux-6.10/arch/x86/lib/memcpy_64.S:94
Code: 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 4c 48 01 d6 48
01 d7 48 83 ea 20 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 ea 20 <4c> 8b
46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
RSP: 0018:ffff88806d209bb8 EFLAGS: 00010202
RAX: ffff888024a13c40 RBX: ffff888007898000 RCX: 1ffff11000f5ad7f
RDX: 0000000000000032 RSI: 0000000000000072 RDI: ffff888024a13cb2
RBP: ffff888007ad6b40 R08: 0000000000000001 R09: ffffed10049427dd
R10: ffffed10049427dc R11: ffff888024a13ee3 R12: 0000000000000072
R13: 0000000000000072 R14: ffff8880098d4920 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000006a CR3: 000000000cf9a004 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 skb_put_data linux-6.10/include/linux/skbuff.h:2689 [inline]
 e1000_copybreak
linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:4333 [inline]
 e1000_clean_rx_irq+0x715/0x1020
linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:4378
 e1000_clean+0x831/0x22c0
linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:3801
 __napi_poll+0xa7/0x590 linux-6.10/net/core/dev.c:6722
 napi_poll linux-6.10/net/core/dev.c:6791 [inline]
 net_rx_action+0x877/0xc30 linux-6.10/net/core/dev.c:6907
 handle_softirqs+0x162/0x520 linux-6.10/kernel/softirq.c:554
 __do_softirq linux-6.10/kernel/softirq.c:588 [inline]
 invoke_softirq linux-6.10/kernel/softirq.c:428 [inline]
 __irq_exit_rcu linux-6.10/kernel/softirq.c:637 [inline]
 irq_exit_rcu+0x7f/0xb0 linux-6.10/kernel/softirq.c:649
 common_interrupt+0x98/0xb0 linux-6.10/arch/x86/kernel/irq.c:278
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 linux-6.10/arch/x86/include/asm/idtentry.h:693
RIP: 0010:native_irq_disable
linux-6.10/arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable
linux-6.10/arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0x1e/0x30 linux-6.10/arch/x86/kernel/process.c:743
Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00
66 90 0f 1f 44 00 00 0f 00 2d 79 d9 3f 00 0f 1f 44 00 00 fb f4 <fa> c3
cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffffff84e07e18 EFLAGS: 00000242
RAX: ffff88806d200000 RBX: 0000000000000000 RCX: ffffffff83e26864
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 00000000000446e4
RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed100da46a99
R10: ffffed100da46a98 R11: ffff88806d2354c3 R12: ffffffff856175d0
R13: 1ffffffff09c0fc8 R14: 0000000000000000 R15: 0000000000000000
 default_idle_call+0x38/0x60 linux-6.10/kernel/sched/idle.c:117
 cpuidle_idle_call linux-6.10/kernel/sched/idle.c:191 [inline]
 do_idle+0x2e8/0x3a0 linux-6.10/kernel/sched/idle.c:332
 cpu_startup_entry+0x4f/0x60 linux-6.10/kernel/sched/idle.c:430
 rest_init+0x116/0x140 linux-6.10/init/main.c:747
 start_kernel+0x355/0x450 linux-6.10/init/main.c:1103
 x86_64_start_reservations+0x18/0x30 linux-6.10/arch/x86/kernel/head64.c:507
 x86_64_start_kernel+0x92/0xa0 linux-6.10/arch/x86/kernel/head64.c:488
 common_startup_64+0x12c/0x138
 </TASK>
Modules linked in:
CR2: 000000000000006a
---[ end trace 0000000000000000 ]---
RIP: 0010:memcpy_orig+0x64/0x140 linux-6.10/arch/x86/lib/memcpy_64.S:94
Code: 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 4c 48 01 d6 48
01 d7 48 83 ea 20 66 66 2e 0f 1f 84 00 00 00 00 00 48 83 ea 20 <4c> 8b
46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
RSP: 0018:ffff88806d209bb8 EFLAGS: 00010202
RAX: ffff888024a13c40 RBX: ffff888007898000 RCX: 1ffff11000f5ad7f
RDX: 0000000000000032 RSI: 0000000000000072 RDI: ffff888024a13cb2
RBP: ffff888007ad6b40 R08: 0000000000000001 R09: ffffed10049427dd
R10: ffffed10049427dc R11: ffff888024a13ee3 R12: 0000000000000072
R13: 0000000000000072 R14: ffff8880098d4920 R15: dffffc0000000000
FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000000006a CR3: 000000000cf9a004 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 57                    push   %rdi
   1: 10 4c 89 5f          adc    %cl,0x5f(%rcx,%rcx,4)
   5: 18 48 8d              sbb    %cl,-0x73(%rax)
   8: 7f 20                jg     0x2a
   a: 73 d4                jae    0xffffffe0
   c: 83 c2 20              add    $0x20,%edx
   f: eb 4c                jmp    0x5d
  11: 48 01 d6              add    %rdx,%rsi
  14: 48 01 d7              add    %rdx,%rdi
  17: 48 83 ea 20          sub    $0x20,%rdx
  1b: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
  22: 00 00 00 00
  26: 48 83 ea 20          sub    $0x20,%rdx
* 2a: 4c 8b 46 f8          mov    -0x8(%rsi),%r8 <-- trapping instruction
  2e: 4c 8b 4e f0          mov    -0x10(%rsi),%r9
  32: 4c 8b 56 e8          mov    -0x18(%rsi),%r10
  36: 4c 8b 5e e0          mov    -0x20(%rsi),%r11
  3a: 48 8d 76 e0          lea    -0x20(%rsi),%rsi
  3e: 4c                    rex.WR
  3f: 89                    .byte 0x89
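
What the trace above gives a triager is the link between the fault address, the trapping instruction and the register dump: CR2 is 0x6a, the trapping instruction in memcpy_orig reads -0x8(%rsi), and RSI holds 0x72, so memcpy was reading from a near-NULL source pointer, with skb_put_data (inlined into e1000_copybreak) as the innermost frame and e1000_clean_rx_irq as the first non-inlined caller. The following Python script is an added example, not part of this report or of the kernel tree; it parses a trimmed copy of the oops (constructed inline from the text above, kept in its mail-wrapped form), joins the wrapped frame lines, and checks that the trapping instruction's memory operand, evaluated against the register dump, reproduces the faulting address. All function and variable names are the example's own.

```python
import re

# Constructed sample: a trimmed copy of the oops printed earlier in this report,
# kept in its mail-wrapped form (continuation lines after "e1000_copybreak" and
# "e1000_clean_rx_irq" start at column 0, exactly as the mail shows them).
SAMPLE_OOPS = """\
BUG: kernel NULL pointer dereference, address: 000000000000006a
RIP: 0010:memcpy_orig+0x64/0x140 linux-6.10/arch/x86/lib/memcpy_64.S:94
RAX: ffff888024a13c40 RBX: ffff888007898000 RCX: 1ffff11000f5ad7f
RDX: 0000000000000032 RSI: 0000000000000072 RDI: ffff888024a13cb2
R13: 0000000000000072 R14: ffff8880098d4920 R15: dffffc0000000000
CR2: 000000000000006a CR3: 000000000cf9a004 CR4: 0000000000170ef0
Call Trace:
 <IRQ>
 skb_put_data linux-6.10/include/linux/skbuff.h:2689 [inline]
 e1000_copybreak
linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:4333 [inline]
 e1000_clean_rx_irq+0x715/0x1020
linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:4378
 e1000_clean+0x831/0x22c0
linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:3801
 </IRQ>
Modules linked in:
Code disassembly (best guess):
* 2a: 4c 8b 46 f8          mov    -0x8(%rsi),%r8 <-- trapping instruction
"""

REG_RE = re.compile(r"\b([A-Z][A-Z0-9]{1,2}): ([0-9a-f]{16})\b")
TRAP_RE = re.compile(r"^\*\s+[0-9a-f]+:\s+(?:[0-9a-f]{2}\s+)+(\w+)\s+(\S+)\s+<-- trapping")
FRAME_RE = re.compile(r"^(\S+)(?:\s+([^\s\[]\S*))?(\s+\[inline\])?$")
# AT&T memory operand: disp(%base,%index,scale); index and scale are optional.
MEM_RE = re.compile(r"(-?0x[0-9a-f]+)?\((%\w+)(?:,(%\w+)(?:,(\d))?)?\)")


def reg_key(operand):
    """Map an operand such as %rsi or %r8 to the dump's key (RSI, R08)."""
    name = operand.lstrip("%").upper()
    return "R%02d" % int(name[1:]) if name[1:].isdigit() else name


def parse_oops(text):
    """Extract fault address, RIP, first register dump, trapping instruction
    and the call-trace frames (joining mail-wrapped continuation lines)."""
    info = {"fault_addr": None, "rip": None, "regs": {}, "trap": None, "frames": []}
    raw_frames, in_trace = [], False
    for line in text.splitlines():
        m = re.search(r"address: ([0-9a-f]+)", line)
        if m and info["fault_addr"] is None:
            info["fault_addr"] = int(m.group(1), 16)
        m = re.match(r"RIP: [0-9a-f]{4}:(\S+)", line)
        if m and info["rip"] is None:
            info["rip"] = m.group(1)
        for name, val in REG_RE.findall(line):
            info["regs"].setdefault(name, int(val, 16))  # keep the faulting context's dump
        m = TRAP_RE.match(line)
        if m:
            info["trap"] = (m.group(1), m.group(2))
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if line.startswith("Modules linked in:"):
            in_trace = False
        if not in_trace or not line.strip():
            continue
        if line[0].isspace():
            body = line.strip()
            if not (body.startswith("<") and body.endswith(">")):  # skip <IRQ>, </TASK> ...
                raw_frames.append(body)
        elif raw_frames and not re.match(r"^\w+:\s", line):  # wrapped file:line, not a register line
            raw_frames[-1] += " " + line.strip()
    for raw in raw_frames:
        m = FRAME_RE.match(raw)
        if m:
            info["frames"].append((m.group(1), m.group(2), m.group(3) is not None))
    return info


def first_real_frame(info):
    """Innermost frame that is a real call, i.e. not marked [inline]."""
    return next((f for f in info["frames"] if not f[2]), None)


def effective_address(info):
    """Evaluate the trapping instruction's memory operand against the register
    dump. Returns (base_register, displacement, computed_address) or None."""
    m = MEM_RE.search(info["trap"][1]) if info["trap"] else None
    if not m or reg_key(m.group(2)) not in info["regs"]:
        return None
    disp = int(m.group(1), 16) if m.group(1) else 0
    addr = info["regs"][reg_key(m.group(2))]
    if m.group(3):
        addr += info["regs"].get(reg_key(m.group(3)), 0) * int(m.group(4) or 1)
    return (reg_key(m.group(2)), disp, (addr + disp) & 0xFFFFFFFFFFFFFFFF)


if __name__ == "__main__":
    info = parse_oops(SAMPLE_OOPS)
    base, disp, addr = effective_address(info)
    verdict = "matches" if addr == info["fault_addr"] else "differs from"
    print("RIP:", info["rip"], "| fault address:", hex(info["fault_addr"]))
    print("trapping %s %s -> %s%+#x = %#x (%s CR2)" % (info["trap"] + (base, disp, addr, verdict)))
    print("innermost real frame:", first_real_frame(info)[:2])
```

Running the script on the sample reports that RSI - 0x8 evaluates to 0x6a, the same value as CR2, which confirms the fault is the memcpy source read rather than, say, the destination write through RDI; the same check applied to an oops whose computed address differs from CR2 is a hint that the "best guess" disassembly or the register dump belongs to a different context than the fault.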


- reproducer
syz_genetlink_get_family_id$mptcp(0x0, 0xffffffffffffffff)
r0 = syz_open_dev$usbmon(&(0x7f00000004c0), 0x0, 0x0)
mmap(&(0x7f0000fff000/0x1000)=nil, 0x1000, 0x0, 0x12, r0, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
r1 = openat$null(0xffffffffffffff9c, &(0x7f0000001180), 0x0, 0x0)
r2 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
read(r2, &(0x7f0000000000), 0x2000)
shutdown(0xffffffffffffffff, 0x0)
mknodat$null(r1, &(0x7f0000000080)='./file0\x00', 0x0, 0x103)
r3 = syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r3, 0x1,
&(0x7f0000000000)=ANY=[@ANYBLOB="000000001d00000085", @ANYRES8=r3])


- kernel config
https://drive.google.com/file/d/1LMJgfJPhTu78Cd2DfmDaRitF6cdxxcey/view?usp=sharing


[^1] We used a customized Syzkaller but did not change the guest kernel or the hypervisor.
