Message-ID: <CA+-ZZ_g+VqQn6-SQoRgh8u4TBw1uNTy46wjOcAuyniBM6JUYzg@mail.gmail.com>
Date: Tue, 24 Sep 2024 12:19:57 -0400
From: reveliofuzzing <reveliofuzzing@...il.com>
To: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, 
	kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org
Subject: Report "BUG: unable to handle kernel NULL pointer dereference in ip6_sublist_rcv_finish"

Hello,

We found the following crash when fuzzing^1 the Linux kernel 6.10, and we are able to reproduce it. To our knowledge, this crash has not been observed by SyzBot, so we would like to report it for your reference.

- Crash
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 800000000ff97067 P4D 800000000ff97067 PUD 8944067 PMD 0
Oops: Oops: 0010 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffff88806d209728 EFLAGS: 00010246
RAX: ffffffff84e14440 RBX: ffff88806d2097e8 RCX: 1ffff11001879283
RDX: 0000000000000000 RSI: ffffffff837b2033 RDI: ffff88800c3c93c0
RBP: ffff88800c3c93c0 R08: 0000000000000001 R09: ffff88800c3c93c0
R10: ffff88800c3c93e8 R11: ffff88800c3c949f R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88806d2097e8 R15: ffff88806d2097e8
FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000000fea4006 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <IRQ>
 dst_input linux-6.10/include/net/dst.h:460 [inline]
 ip6_sublist_rcv_finish+0x179/0x1f0 linux-6.10/net/ipv6/ip6_input.c:88
 ip6_list_rcv_finish linux-6.10/net/ipv6/ip6_input.c:146 [inline]
 ip6_sublist_rcv+0x55e/0x830 linux-6.10/net/ipv6/ip6_input.c:320
 ipv6_list_rcv+0x2cd/0x3c0 linux-6.10/net/ipv6/ip6_input.c:355
 __netif_receive_skb_list_ptype linux-6.10/net/core/dev.c:5668 [inline]
 __netif_receive_skb_list_core+0x576/0x910 linux-6.10/net/core/dev.c:5716
 __netif_receive_skb_list linux-6.10/net/core/dev.c:5768 [inline]
 netif_receive_skb_list_internal+0x64b/0xb60 linux-6.10/net/core/dev.c:5860
 gro_normal_list linux-6.10/include/net/gro.h:515 [inline]
 gro_normal_list linux-6.10/include/net/gro.h:511 [inline]
 napi_complete_done+0x20a/0x760 linux-6.10/net/core/dev.c:6203
 e1000_clean+0x863/0x22c0 linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:3809
 __napi_poll+0xa7/0x590 linux-6.10/net/core/dev.c:6722
 napi_poll linux-6.10/net/core/dev.c:6791 [inline]
 net_rx_action+0x877/0xc30 linux-6.10/net/core/dev.c:6907
 handle_softirqs+0x162/0x520 linux-6.10/kernel/softirq.c:554
 __do_softirq linux-6.10/kernel/softirq.c:588 [inline]
 invoke_softirq linux-6.10/kernel/softirq.c:428 [inline]
 __irq_exit_rcu linux-6.10/kernel/softirq.c:637 [inline]
 irq_exit_rcu+0x7f/0xb0 linux-6.10/kernel/softirq.c:649
 common_interrupt+0x98/0xb0 linux-6.10/arch/x86/kernel/irq.c:278
 </IRQ>
 <TASK>
 asm_common_interrupt+0x26/0x40 linux-6.10/arch/x86/include/asm/idtentry.h:693
RIP: 0010:native_irq_disable linux-6.10/arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable linux-6.10/arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0x1e/0x30 linux-6.10/arch/x86/kernel/process.c:743
Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00
66 90 0f 1f 44 00 00 0f 00 2d 79 d9 3f 00 0f 1f 44 00 00 fb f4 <fa> c3
cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffffff84e07e18 EFLAGS: 00000246
RAX: ffff88806d200000 RBX: 0000000000000000 RCX: ffffffff83e26864
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000061af4
RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed100da46a99
R10: ffffed100da46a98 R11: ffff88806d2354c3 R12: ffffffff856175d0
R13: 1ffffffff09c0fc8 R14: 0000000000000000 R15: 0000000000000000
 default_idle_call+0x38/0x60 linux-6.10/kernel/sched/idle.c:117
 cpuidle_idle_call linux-6.10/kernel/sched/idle.c:191 [inline]
 do_idle+0x2e8/0x3a0 linux-6.10/kernel/sched/idle.c:332
 cpu_startup_entry+0x4f/0x60 linux-6.10/kernel/sched/idle.c:430
 rest_init+0x116/0x140 linux-6.10/init/main.c:747
 start_kernel+0x355/0x450 linux-6.10/init/main.c:1103
 x86_64_start_reservations+0x18/0x30 linux-6.10/arch/x86/kernel/head64.c:507
 x86_64_start_kernel+0x92/0xa0 linux-6.10/arch/x86/kernel/head64.c:488
 common_startup_64+0x12c/0x138
 </TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffff88806d209728 EFLAGS: 00010246
RAX: ffffffff84e14440 RBX: ffff88806d2097e8 RCX: 1ffff11001879283
RDX: 0000000000000000 RSI: ffffffff837b2033 RDI: ffff88800c3c93c0
RBP: ffff88800c3c93c0 R08: 0000000000000001 R09: ffff88800c3c93c0
R10: ffff88800c3c93e8 R11: ffff88800c3c949f R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88806d2097e8 R15: ffff88806d2097e8
FS:  0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000000fea4006 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: 90                    nop
   1: 90                    nop
   2: 90                    nop
   3: 90                    nop
   4: 90                    nop
   5: 90                    nop
   6: 90                    nop
   7: 90                    nop
   8: 90                    nop
   9: 90                    nop
   a: 90                    nop
   b: 90                    nop
   c: f3 0f 1e fa          endbr64
  10: 0f 1f 44 00 00        nopl   0x0(%rax,%rax,1)
  15: 66 90                xchg   %ax,%ax
  17: 0f 1f 44 00 00        nopl   0x0(%rax,%rax,1)
  1c: 0f 00 2d 79 d9 3f 00 verw   0x3fd979(%rip)        # 0x3fd99c
  23: 0f 1f 44 00 00        nopl   0x0(%rax,%rax,1)
  28: fb                    sti
  29: f4                    hlt
* 2a: fa                    cli <-- trapping instruction
  2b: c3                    retq
  2c: cc                    int3
  2d: cc                    int3
  2e: cc                    int3
  2f: cc                    int3
  30: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
  37: 00 00 00 00
  3b: 90                    nop
  3c: 90                    nop
  3d: 90                    nop
  3e: 90                    nop
  3f: 90                    nop


- reproducer
syz_genetlink_get_family_id$mptcp(0x0, 0xffffffffffffffff)
socket$inet(0x2, 0xa, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
openat$null(0xffffffffffffff9c, &(0x7f0000001180), 0x0, 0x0)
r0 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
read(r0, &(0x7f0000000000), 0x2000)
r1 = syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r1, 0x1, &(0x7f0000000000)=ANY=[@ANYBLOB="000000001d00000085", @ANYRES8=r1])


- kernel config
https://drive.google.com/file/d/1LMJgfJPhTu78Cd2DfmDaRitF6cdxxcey/view?usp=sharing


[^1] We used a customized Syzkaller but did not change the guest kernel or the hypervisor.
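The dump above is quickest to read by decoding the #PF error code and the innermost call-trace frame. As an added example that is not part of the report, this Python triage helper parses an excerpt of the oops (the header lines and the two innermost frames quoted from above) and names the failure mode: an instruction-fetch fault at RIP 0x0 reached from dst_input is an indirect call through a NULL function pointer. All function and variable names here are the example's own.

```python
import re
# #PF error code bits (arch/x86/include/asm/trap_pf.h).
PF_PRESENT, PF_WRITE, PF_USER, PF_INSTR = 0x1, 0x2, 0x4, 0x10
BUG_RE = re.compile(r"^BUG: kernel NULL pointer dereference, address: ([0-9a-f]+)")
PF_RE = re.compile(r"^#PF: error_code\(0x([0-9a-f]+)\)")
RIP_RE = re.compile(r"^RIP: [0-9a-f]{4}:(\S+)")
# " func+0x179/0x1f0 path/file.c:88" or " func path/file.h:460 [inline]"
FRAME_RE = re.compile(r"^\s+([\w.$]+)(\+0x[0-9a-f]+/0x[0-9a-f]+)?\s+(\S+):(\d+)( \[inline\])?$")

# Excerpt of the oops header and the two innermost frames from the report above.
SAMPLE = """\
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: error_code(0x0010) - not-present page
RIP: 0010:0x0
Call Trace:
 <IRQ>
 dst_input linux-6.10/include/net/dst.h:460 [inline]
 ip6_sublist_rcv_finish+0x179/0x1f0 linux-6.10/net/ipv6/ip6_input.c:88
 </IRQ>
"""

def decode_pf_error(code):
    return {"present": bool(code & PF_PRESENT), "write": bool(code & PF_WRITE),
            "user": bool(code & PF_USER), "instruction_fetch": bool(code & PF_INSTR)}

def parse_oops(text):
    report = {"fault_address": None, "error": None, "rip": None, "frames": []}
    in_trace = False
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            report["fault_address"] = int(m.group(1), 16)
        elif m := PF_RE.match(line):
            report["error"] = decode_pf_error(int(m.group(1), 16))
        elif (m := RIP_RE.match(line)) and report["rip"] is None:
            report["rip"] = m.group(1)  # the first RIP printed is the faulting one
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            report["frames"].append({"func": m.group(1), "path": m.group(3),
                                     "line": int(m.group(4)), "inline": bool(m.group(5))})
    return report

def classify(report):
    # RIP 0x0 plus an instruction fetch at address 0: control went through a NULL
    # pointer, so the innermost frame is the caller whose callee pointer was NULL.
    err = report["error"] or {}
    if report["rip"] == "0x0" and err.get("instruction_fetch") and report["frames"]:
        f = report["frames"][0]
        return f"call through NULL function pointer from {f['func']} ({f['path']}:{f['line']})"
    return "unclassified page fault"
```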
