Message-ID: <CA+-ZZ_g+VqQn6-SQoRgh8u4TBw1uNTy46wjOcAuyniBM6JUYzg@mail.gmail.com>
Date: Tue, 24 Sep 2024 12:19:57 -0400
From: reveliofuzzing <reveliofuzzing@...il.com>
To: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com,
kuba@...nel.org, pabeni@...hat.com, netdev@...r.kernel.org
Subject: Report "BUG: unable to handle kernel NULL pointer dereference in ip6_sublist_rcv_finish"
Hello,
We found the following crash when fuzzing[^1] the Linux kernel 6.10 and we are able to reproduce it. To our knowledge, this crash has not been observed by SyzBot, so we would like to report it for your reference.
- Crash
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor instruction fetch in kernel mode
#PF: error_code(0x0010) - not-present page
PGD 800000000ff97067 P4D 800000000ff97067 PUD 8944067 PMD 0
Oops: Oops: 0010 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.10.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffff88806d209728 EFLAGS: 00010246
RAX: ffffffff84e14440 RBX: ffff88806d2097e8 RCX: 1ffff11001879283
RDX: 0000000000000000 RSI: ffffffff837b2033 RDI: ffff88800c3c93c0
RBP: ffff88800c3c93c0 R08: 0000000000000001 R09: ffff88800c3c93c0
R10: ffff88800c3c93e8 R11: ffff88800c3c949f R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88806d2097e8 R15: ffff88806d2097e8
FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000000fea4006 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
dst_input linux-6.10/include/net/dst.h:460 [inline]
ip6_sublist_rcv_finish+0x179/0x1f0 linux-6.10/net/ipv6/ip6_input.c:88
ip6_list_rcv_finish linux-6.10/net/ipv6/ip6_input.c:146 [inline]
ip6_sublist_rcv+0x55e/0x830 linux-6.10/net/ipv6/ip6_input.c:320
ipv6_list_rcv+0x2cd/0x3c0 linux-6.10/net/ipv6/ip6_input.c:355
__netif_receive_skb_list_ptype linux-6.10/net/core/dev.c:5668 [inline]
__netif_receive_skb_list_core+0x576/0x910 linux-6.10/net/core/dev.c:5716
__netif_receive_skb_list linux-6.10/net/core/dev.c:5768 [inline]
netif_receive_skb_list_internal+0x64b/0xb60 linux-6.10/net/core/dev.c:5860
gro_normal_list linux-6.10/include/net/gro.h:515 [inline]
gro_normal_list linux-6.10/include/net/gro.h:511 [inline]
napi_complete_done+0x20a/0x760 linux-6.10/net/core/dev.c:6203
e1000_clean+0x863/0x22c0
linux-6.10/drivers/net/ethernet/intel/e1000/e1000_main.c:3809
__napi_poll+0xa7/0x590 linux-6.10/net/core/dev.c:6722
napi_poll linux-6.10/net/core/dev.c:6791 [inline]
net_rx_action+0x877/0xc30 linux-6.10/net/core/dev.c:6907
handle_softirqs+0x162/0x520 linux-6.10/kernel/softirq.c:554
__do_softirq linux-6.10/kernel/softirq.c:588 [inline]
invoke_softirq linux-6.10/kernel/softirq.c:428 [inline]
__irq_exit_rcu linux-6.10/kernel/softirq.c:637 [inline]
irq_exit_rcu+0x7f/0xb0 linux-6.10/kernel/softirq.c:649
common_interrupt+0x98/0xb0 linux-6.10/arch/x86/kernel/irq.c:278
</IRQ>
<TASK>
asm_common_interrupt+0x26/0x40 linux-6.10/arch/x86/include/asm/idtentry.h:693
RIP: 0010:native_irq_disable
linux-6.10/arch/x86/include/asm/irqflags.h:37 [inline]
RIP: 0010:arch_local_irq_disable
linux-6.10/arch/x86/include/asm/irqflags.h:72 [inline]
RIP: 0010:default_idle+0x1e/0x30 linux-6.10/arch/x86/kernel/process.c:743
Code: 90 90 90 90 90 90 90 90 90 90 90 90 f3 0f 1e fa 0f 1f 44 00 00
66 90 0f 1f 44 00 00 0f 00 2d 79 d9 3f 00 0f 1f 44 00 00 fb f4 <fa> c3
cc cc cc cc 66 66 2e 0f 1f 84 00 00 00 00 00 90 90 90 90 90
RSP: 0018:ffffffff84e07e18 EFLAGS: 00000246
RAX: ffff88806d200000 RBX: 0000000000000000 RCX: ffffffff83e26864
RDX: 0000000000000001 RSI: 0000000000000004 RDI: 0000000000061af4
RBP: dffffc0000000000 R08: 0000000000000001 R09: ffffed100da46a99
R10: ffffed100da46a98 R11: ffff88806d2354c3 R12: ffffffff856175d0
R13: 1ffffffff09c0fc8 R14: 0000000000000000 R15: 0000000000000000
default_idle_call+0x38/0x60 linux-6.10/kernel/sched/idle.c:117
cpuidle_idle_call linux-6.10/kernel/sched/idle.c:191 [inline]
do_idle+0x2e8/0x3a0 linux-6.10/kernel/sched/idle.c:332
cpu_startup_entry+0x4f/0x60 linux-6.10/kernel/sched/idle.c:430
rest_init+0x116/0x140 linux-6.10/init/main.c:747
start_kernel+0x355/0x450 linux-6.10/init/main.c:1103
x86_64_start_reservations+0x18/0x30 linux-6.10/arch/x86/kernel/head64.c:507
x86_64_start_kernel+0x92/0xa0 linux-6.10/arch/x86/kernel/head64.c:488
common_startup_64+0x12c/0x138
</TASK>
Modules linked in:
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:0x0
Code: Unable to access opcode bytes at 0xffffffffffffffd6.
RSP: 0018:ffff88806d209728 EFLAGS: 00010246
RAX: ffffffff84e14440 RBX: ffff88806d2097e8 RCX: 1ffff11001879283
RDX: 0000000000000000 RSI: ffffffff837b2033 RDI: ffff88800c3c93c0
RBP: ffff88800c3c93c0 R08: 0000000000000001 R09: ffff88800c3c93c0
R10: ffff88800c3c93e8 R11: ffff88800c3c949f R12: dffffc0000000000
R13: 0000000000000000 R14: ffff88806d2097e8 R15: ffff88806d2097e8
FS: 0000000000000000(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffffffffd6 CR3: 000000000fea4006 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 90 nop
a: 90 nop
b: 90 nop
c: f3 0f 1e fa endbr64
10: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
15: 66 90 xchg %ax,%ax
17: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
1c: 0f 00 2d 79 d9 3f 00 verw 0x3fd979(%rip) # 0x3fd99c
23: 0f 1f 44 00 00 nopl 0x0(%rax,%rax,1)
28: fb sti
29: f4 hlt
* 2a: fa cli <-- trapping instruction
2b: c3 retq
2c: cc int3
2d: cc int3
2e: cc int3
2f: cc int3
30: 66 66 2e 0f 1f 84 00 data16 nopw %cs:0x0(%rax,%rax,1)
37: 00 00 00 00
3b: 90 nop
3c: 90 nop
3d: 90 nop
3e: 90 nop
3f: 90 nop
- reproducer
syz_genetlink_get_family_id$mptcp(0x0, 0xffffffffffffffff)
socket$inet(0x2, 0xa, 0x0)
socket$nl_generic(0x10, 0x3, 0x10)
openat$null(0xffffffffffffff9c, &(0x7f0000001180), 0x0, 0x0)
r0 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
read(r0, &(0x7f0000000000), 0x2000)
r1 = syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r1, 0x1, &(0x7f0000000000)=ANY=[@ANYBLOB="000000001d00000085", @ANYRES8=r1])
- kernel config
https://drive.google.com/file/d/1LMJgfJPhTu78Cd2DfmDaRitF6cdxxcey/view?usp=sharing
[^1] We used a customized Syzkaller but did not change the guest kernel or the hypervisor.