Message-ID: <CAKHoSAt_KtBEBHoc3ucdCdMVy89unQPBCKrM3oTA=Kz4Nqpjjw@mail.gmail.com>
Date: Fri, 3 Jan 2025 15:16:34 +0800
From: cheung wall <zzqq0103.hey@...il.com>
To: "David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>,
Eric Dumazet <edumazet@...gle.com>
Cc: Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>,
netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: "KASAN: null-ptr-deref Read in ipv6_renew_options" in Linux kernel version 6.13.0-rc2
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 6.13.0-rc2. This issue was discovered using our
custom vulnerability discovery tool.
HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
Affected File: net/ipv6/exthdrs.c
File: net/ipv6/exthdrs.c
Function: ipv6_renew_options
Detailed Call Stack:
------------[ cut here begin]------------
netlink: 'syz.0.3890': attribute type 4 has an invalid length.
TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
cookies. Check SNMP counters.
==================================================================
BUG: KASAN: null-ptr-deref in instrument_atomic_read
include/linux/instrumented.h:71 [inline]
BUG: KASAN: null-ptr-deref in atomic_read
include/linux/atomic/atomic-instrumented.h:27 [inline]
BUG: KASAN: null-ptr-deref in sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
Read of size 4 at addr 0000000000000270 by task syz.0.3891/24197
CPU: 3 PID: 24197 Comm: syz.0.3891 Not tainted 5.15.169 #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
__kasan_report mm/kasan/report.c:438 [inline]
kasan_report.cold+0x116/0x11b mm/kasan/report.c:451
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0xfd/0x1f0 mm/kasan/generic.c:189
instrument_atomic_read include/linux/instrumented.h:71 [inline]
atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
ipv6_renew_options+0x275/0x960 net/ipv6/exthdrs.c:1310
calipso_req_setattr+0x131/0x2e0 net/ipv6/calipso.c:1207
calipso_req_setattr+0x52/0x80 net/netlabel/netlabel_calipso.c:596
netlbl_req_setattr+0x18c/0x580 net/netlabel/netlabel_kapi.c:1224
selinux_netlbl_inet_conn_request+0x1fe/0x330 security/selinux/netlabel.c:337
selinux_inet_conn_request+0x1cc/0x2a0 security/selinux/hooks.c:5583
security_inet_conn_request+0x56/0xb0 security/security.c:2344
tcp_v6_route_req+0x24f/0x520 net/ipv6/tcp_ipv6.c:858
tcp_conn_request+0xaa4/0x3120 net/ipv4/tcp_input.c:6995
tcp_v6_conn_request net/ipv6/tcp_ipv6.c:1218 [inline]
tcp_v6_conn_request+0x24c/0x420 net/ipv6/tcp_ipv6.c:1205
tcp_rcv_state_process+0x9e5/0x47c0 net/ipv4/tcp_input.c:6512
tcp_v6_do_rcv+0x438/0x16b0 net/ipv6/tcp_ipv6.c:1551
tcp_v6_rcv+0x32d4/0x3620 net/ipv6/tcp_ipv6.c:1755
ip6_protocol_deliver_rcu+0x2f5/0x1800 net/ipv6/ip6_input.c:425
ip6_input_finish+0x64/0x1b0 net/ipv6/ip6_input.c:466
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:475
dst_input include/net/dst.h:453 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:69 [inline]
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ipv6_rcv+0x155/0x520 net/ipv6/ip6_input.c:300
__netif_receive_skb_one_core+0x12e/0x1f0 net/core/dev.c:5489
__netif_receive_skb+0x24/0x1b0 net/core/dev.c:5603
process_backlog+0x222/0x820 net/core/dev.c:6480
__napi_poll+0xb9/0x5b0 net/core/dev.c:7039
napi_poll net/core/dev.c:7106 [inline]
net_rx_action+0x8b1/0xbb0 net/core/dev.c:7196
handle_softirqs+0x1bd/0x6e0 kernel/softirq.c:558
do_softirq kernel/softirq.c:459 [inline]
do_softirq+0xad/0xe0 kernel/softirq.c:446
</IRQ>
<TASK>
__local_bh_enable_ip+0xd7/0x100 kernel/softirq.c:383
local_bh_enable include/linux/bottom_half.h:32 [inline]
rcu_read_unlock_bh include/linux/rcupdate.h:809 [inline]
ip6_finish_output2+0xb71/0x1d00 net/ipv6/ip6_output.c:131
__ip6_finish_output.part.0+0x509/0xc10 net/ipv6/ip6_output.c:201
__ip6_finish_output net/ipv6/ip6_output.c:186 [inline]
ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x30b/0x9f0 net/ipv6/ip6_output.c:234
dst_output include/net/dst.h:443 [inline]
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip6_xmit+0x1053/0x1d50 net/ipv6/ip6_output.c:338
inet6_csk_xmit+0x36d/0x6f0 net/ipv6/inet6_connection_sock.c:135
__tcp_transmit_skb+0x18d8/0x35a0 net/ipv4/tcp_output.c:1402
tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
tcp_send_syn_data net/ipv4/tcp_output.c:3851 [inline]
tcp_connect+0x23b0/0x4600 net/ipv4/tcp_output.c:3890
tcp_v6_connect+0x1419/0x1c40 net/ipv6/tcp_ipv6.c:337
__inet_stream_connect+0x8d8/0xe70 net/ipv4/af_inet.c:674
tcp_sendmsg_fastopen net/ipv4/tcp.c:1195 [inline]
tcp_sendmsg_locked+0x2004/0x2ce0 net/ipv4/tcp.c:1237
tcp_sendmsg+0x2b/0x50 net/ipv4/tcp.c:1457
inet6_sendmsg+0xb5/0x140 net/ipv6/af_inet6.c:669
sock_sendmsg_nosec net/socket.c:704 [inline]
__sock_sendmsg+0xf2/0x190 net/socket.c:716
__sys_sendto+0x21c/0x320 net/socket.c:2063
__do_sys_sendto net/socket.c:2075 [inline]
__se_sys_sendto net/socket.c:2071 [inline]
__x64_sys_sendto+0xdd/0x1b0 net/socket.c:2071
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6c/0xd6
RIP: 0033:0x2b4da5fe19c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00002b4da7f5e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00002b4da61fdf80 RCX: 00002b4da5fe19c9
RDX: fffffffffffffedd RSI: 0000000020000280 RDI: 0000000000000004
RBP: 00002b4da608e1b6 R08: 0000000020000080 R09: 000000000000001c
R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00002b4da61fdf80 R15: 00007ffed7f48918
------------[ cut here end]------------
Root Cause:
The crash is caused by a null pointer dereference detected by
KernelAddressSANitizer (KASAN) within the sock_kmalloc function of the
Linux networking stack. Specifically, the atomic_read operation in
sock_kmalloc is attempting to access memory at address 0x270, which is
invalid or uninitialized. This issue likely arises from an improperly
handled or uninitialized socket structure, leading the kernel to
attempt to read from a null or corrupted pointer. The problem occurs
during the processing of IPv6 connections, involving multiple layers
of the networking and security (SELinux) subsystems. As a result, the
kernel crashes when it tries to access or manipulate this invalid
memory address during socket allocation.
Thank you for your time and attention.
Best regards,
Wall
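A small triage helper, added here as an illustration and not part of the report above or of the kernel tree, that parses the fields a reviewer looks at first in a KASAN report of this shape: the bug kind, the faulting access, and the first call-trace frame outside KASAN's own bookkeeping. It embeds a constructed, shortened copy of the trace above and assumes a 4 KiB page so that an address below 0x1000 is read as a NULL base pointer plus a struct field offset.

```python
import re

# Constructed excerpt of the KASAN report quoted in the mail above; the trace is
# shortened to the frames that matter for triage.
SAMPLE_REPORT = """\
BUG: KASAN: null-ptr-deref in sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
Read of size 4 at addr 0000000000000270 by task syz.0.3891/24197
Call Trace:
 <IRQ>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
 kasan_report.cold+0x116/0x11b mm/kasan/report.c:451
 kasan_check_range+0xfd/0x1f0 mm/kasan/generic.c:189
 instrument_atomic_read include/linux/instrumented.h:71 [inline]
 atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
 sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
 ipv6_renew_options+0x275/0x960 net/ipv6/exthdrs.c:1310
 calipso_req_setattr+0x131/0x2e0 net/ipv6/calipso.c:1207
"""

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages; KASAN calls faults below this null-ptr-deref

BUG_RE = re.compile(r"^BUG: KASAN: (?P<kind>[\w-]+) in (?P<func>[\w.]+)")
ACCESS_RE = re.compile(r"^(?P<op>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*(?P<func>[\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)? (?P<loc>\S+:\d+)(?P<inline> \[inline\])?$")


def parse_kasan_report(text):
    """Extract bug kind, faulting access and the non-inline call-trace frames."""
    info = {"frames": []}
    in_trace = False
    for line in text.splitlines():
        if "kind" not in info and (m := BUG_RE.match(line)):
            info.update(kind=m["kind"], func=m["func"])
        elif m := ACCESS_RE.match(line):
            info.update(op=m["op"], size=int(m["size"]), addr=int(m["addr"], 16))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)) and not m["inline"]:
            info["frames"].append((m["func"], m["loc"]))
    # An address inside the first page is a NULL base pointer plus a struct field
    # offset (0x270 in this report), not a stray heap address.
    addr = info.get("addr")
    info["null_offset"] = addr if addr is not None and addr < PAGE_SIZE else None
    return info


def culprit_frame(info):
    """First frame that is neither the stack dumper nor KASAN's own bookkeeping."""
    for func, loc in info["frames"]:
        if not loc.startswith(("lib/dump_stack", "mm/kasan/")):
            return func, loc
    return None
```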