lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <CANn89iLpmrsA+uMhr70yVsfWMwP5BWD7SEMjgGUFbvX1vLYhtg@mail.gmail.com>
Date: Fri, 3 Jan 2025 09:29:16 +0100
From: Eric Dumazet <edumazet@...gle.com>
To: cheung wall <zzqq0103.hey@...il.com>
Cc: "David S. Miller" <davem@...emloft.net>, David Ahern <dsahern@...nel.org>, 
	Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>, Simon Horman <horms@...nel.org>, 
	netdev@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: "KASAN: null-ptr-deref Read in ipv6_renew_options" in Linux kernel version 6.13.0-rc2

On Fri, Jan 3, 2025 at 9:23 AM Eric Dumazet <edumazet@...gle.com> wrote:
>
> On Fri, Jan 3, 2025 at 8:16 AM cheung wall <zzqq0103.hey@...il.com> wrote:
> >
> > Hello,
> >
> > I am writing to report a potential vulnerability identified in the
> > Linux Kernel version 6.13.0-rc2. This issue was discovered using our
> > custom vulnerability discovery tool.
> >
> > HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
> >
> > Affected File: net/ipv6/exthdrs.c
> >
> > File: net/ipv6/exthdrs.c
> >
> > Function: ipv6_renew_options
> >
> > Detailed Call Stack:
> >
> > ------------[ cut here begin]------------
> >
> > netlink: 'syz.0.3890': attribute type 4 has an invalid length.
> > TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending
> > cookies. Check SNMP counters.
> > ==================================================================
> > BUG: KASAN: null-ptr-deref in instrument_atomic_read
> > include/linux/instrumented.h:71 [inline]
> > BUG: KASAN: null-ptr-deref in atomic_read
> > include/linux/atomic/atomic-instrumented.h:27 [inline]
> > BUG: KASAN: null-ptr-deref in sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
> > Read of size 4 at addr 0000000000000270 by task syz.0.3891/24197
> >
> > CPU: 3 PID: 24197 Comm: syz.0.3891 Not tainted 5.15.169 #1
> > Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
> > 1.16.3-debian-1.16.3-2 04/01/2014

BTW this stack trace is for 5.15.169, not 6.13 as claimed in your email ???

Please do not post syzbot traces for old kernels.

> > Call Trace:
> > <IRQ>
> > __dump_stack lib/dump_stack.c:88 [inline]
> > dump_stack_lvl+0x8b/0xb3 lib/dump_stack.c:106
> > __kasan_report mm/kasan/report.c:438 [inline]
> > kasan_report.cold+0x116/0x11b mm/kasan/report.c:451
> > check_region_inline mm/kasan/generic.c:183 [inline]
> > kasan_check_range+0xfd/0x1f0 mm/kasan/generic.c:189
> > instrument_atomic_read include/linux/instrumented.h:71 [inline]
> > atomic_read include/linux/atomic/atomic-instrumented.h:27 [inline]
> > sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
> > ipv6_renew_options+0x275/0x960 net/ipv6/exthdrs.c:1310
> > calipso_req_setattr+0x131/0x2e0 net/ipv6/calipso.c:1207
> > calipso_req_setattr+0x52/0x80 net/netlabel/netlabel_calipso.c:596
> > netlbl_req_setattr+0x18c/0x580 net/netlabel/netlabel_kapi.c:1224
> > selinux_netlbl_inet_conn_request+0x1fe/0x330 security/selinux/netlabel.c:337
> > selinux_inet_conn_request+0x1cc/0x2a0 security/selinux/hooks.c:5583
> > security_inet_conn_request+0x56/0xb0 security/security.c:2344
> > tcp_v6_route_req+0x24f/0x520 net/ipv6/tcp_ipv6.c:858
> > tcp_conn_request+0xaa4/0x3120 net/ipv4/tcp_input.c:6995
> > tcp_v6_conn_request net/ipv6/tcp_ipv6.c:1218 [inline]
> > tcp_v6_conn_request+0x24c/0x420 net/ipv6/tcp_ipv6.c:1205
> > tcp_rcv_state_process+0x9e5/0x47c0 net/ipv4/tcp_input.c:6512
> > tcp_v6_do_rcv+0x438/0x16b0 net/ipv6/tcp_ipv6.c:1551
> > tcp_v6_rcv+0x32d4/0x3620 net/ipv6/tcp_ipv6.c:1755
> > ip6_protocol_deliver_rcu+0x2f5/0x1800 net/ipv6/ip6_input.c:425
> > ip6_input_finish+0x64/0x1b0 net/ipv6/ip6_input.c:466
> > NF_HOOK include/linux/netfilter.h:302 [inline]
> > NF_HOOK include/linux/netfilter.h:296 [inline]
> > ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:475
> > dst_input include/net/dst.h:453 [inline]
> > ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
> > ip6_rcv_finish net/ipv6/ip6_input.c:69 [inline]
> > NF_HOOK include/linux/netfilter.h:302 [inline]
> > NF_HOOK include/linux/netfilter.h:296 [inline]
> > ipv6_rcv+0x155/0x520 net/ipv6/ip6_input.c:300
> > __netif_receive_skb_one_core+0x12e/0x1f0 net/core/dev.c:5489
> > __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5603
> > process_backlog+0x222/0x820 net/core/dev.c:6480
> > __napi_poll+0xb9/0x5b0 net/core/dev.c:7039
> > napi_poll net/core/dev.c:7106 [inline]
> > net_rx_action+0x8b1/0xbb0 net/core/dev.c:7196
> > handle_softirqs+0x1bd/0x6e0 kernel/softirq.c:558
> > do_softirq kernel/softirq.c:459 [inline]
> > do_softirq+0xad/0xe0 kernel/softirq.c:446
> > </IRQ>
> > <TASK>
> > __local_bh_enable_ip+0xd7/0x100 kernel/softirq.c:383
> > local_bh_enable include/linux/bottom_half.h:32 [inline]
> > rcu_read_unlock_bh include/linux/rcupdate.h:809 [inline]
> > ip6_finish_output2+0xb71/0x1d00 net/ipv6/ip6_output.c:131
> > __ip6_finish_output.part.0+0x509/0xc10 net/ipv6/ip6_output.c:201
> > __ip6_finish_output net/ipv6/ip6_output.c:186 [inline]
> > ip6_finish_output net/ipv6/ip6_output.c:211 [inline]
> > NF_HOOK_COND include/linux/netfilter.h:291 [inline]
> > ip6_output+0x30b/0x9f0 net/ipv6/ip6_output.c:234
> > dst_output include/net/dst.h:443 [inline]
> > NF_HOOK include/linux/netfilter.h:302 [inline]
> > NF_HOOK include/linux/netfilter.h:296 [inline]
> > ip6_xmit+0x1053/0x1d50 net/ipv6/ip6_output.c:338
> > inet6_csk_xmit+0x36d/0x6f0 net/ipv6/inet6_connection_sock.c:135
> > __tcp_transmit_skb+0x18d8/0x35a0 net/ipv4/tcp_output.c:1402
> > tcp_transmit_skb net/ipv4/tcp_output.c:1420 [inline]
> > tcp_send_syn_data net/ipv4/tcp_output.c:3851 [inline]
> > tcp_connect+0x23b0/0x4600 net/ipv4/tcp_output.c:3890
> > tcp_v6_connect+0x1419/0x1c40 net/ipv6/tcp_ipv6.c:337
> > __inet_stream_connect+0x8d8/0xe70 net/ipv4/af_inet.c:674
> > tcp_sendmsg_fastopen net/ipv4/tcp.c:1195 [inline]
> > tcp_sendmsg_locked+0x2004/0x2ce0 net/ipv4/tcp.c:1237
> > tcp_sendmsg+0x2b/0x50 net/ipv4/tcp.c:1457
> > inet6_sendmsg+0xb5/0x140 net/ipv6/af_inet6.c:669
> > sock_sendmsg_nosec net/socket.c:704 [inline]
> > __sock_sendmsg+0xf2/0x190 net/socket.c:716
> > __sys_sendto+0x21c/0x320 net/socket.c:2063
> > __do_sys_sendto net/socket.c:2075 [inline]
> > __se_sys_sendto net/socket.c:2071 [inline]
> > __x64_sys_sendto+0xdd/0x1b0 net/socket.c:2071
> > do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> > do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
> > entry_SYSCALL_64_after_hwframe+0x6c/0xd6
> > RIP: 0033:0x2b4da5fe19c9
> > Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48
> > 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
> > 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00002b4da7f5e038 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
> > RAX: ffffffffffffffda RBX: 00002b4da61fdf80 RCX: 00002b4da5fe19c9
> > RDX: fffffffffffffedd RSI: 0000000020000280 RDI: 0000000000000004
> > RBP: 00002b4da608e1b6 R08: 0000000020000080 R09: 000000000000001c
> > R10: 0000000020000004 R11: 0000000000000246 R12: 0000000000000000
> > R13: 0000000000000000 R14: 00002b4da61fdf80 R15: 00007ffed7f48918
> >
> > ------------[ cut here end]------------
> >
> > Root Cause:
> >
> > The crash is caused by a null pointer dereference detected by
> > KernelAddressSANitizer (KASAN) within the sock_kmalloc function of the
> > Linux networking stack. Specifically, the atomic_read operation in
> > sock_kmalloc is attempting to access memory at address 0x270, which is
> > invalid or uninitialized. This issue likely arises from an improperly
> > handled or uninitialized socket structure, leading the kernel to
> > attempt to read from a null or corrupted pointer. The problem occurs
> > during the processing of IPv6 connections, involving multiple layers
> > of the networking and security (SELinux) subsystems. As a result, the
> > kernel crashes when it tries to access or manipulate this invalid
> > memory address during socket allocation.
> >
>
> Yeah, the 'root cause' section seems to be AI-generated; you are
> rephrasing the report.
>
> I have an idea of the root cause, I had a syzbot report for the same
> issue in my queue.
>
> A similar bug was fixed in
>
> commit eedcad2f2a371786f8a32d0046794103dadcedf3
> Author: Eric Dumazet <edumazet@...gle.com>
> Date:   Tue Nov 26 14:59:11 2024 +0000
>
>     selinux: use sk_to_full_sk() in selinux_ip_output()
>
>
>
> Thanks.
>
> > Thank you for your time and attention.
> >
> > Best regards
> >
> > Wall
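
The two checks Eric makes by eye above (which kernel actually produced the trace, and what a fault address of 0x270 means) are the first thing a maintainer does with a pasted KASAN report. The script below is an added example, not part of this thread or of the kernel tree: it automates those checks on a constructed excerpt of the quoted report (only the lines the checks need are kept, copied from the trace above) and pulls out the innermost non-inlined frames of the call chain. The NULL_PAGE threshold used to classify a low fault address as "NULL pointer plus field offset" is an assumption of the example.

```python
"""Triage helper for a KASAN report pasted into a bug e-mail (added example)."""
import re

# Constructed excerpt of the report quoted in the thread; the real report is
# much longer, only the lines the checks below need are kept.
REPORT = """\
HEAD commit: fac04efc5c793dccbd07e2d59af9f90b7fc0dca4 (tag: v6.13-rc2)
==================================================================
BUG: KASAN: null-ptr-deref in sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
Read of size 4 at addr 0000000000000270 by task syz.0.3891/24197

CPU: 3 PID: 24197 Comm: syz.0.3891 Not tainted 5.15.169 #1
Call Trace:
<IRQ>
sock_kmalloc+0x4a/0x100 net/core/sock.c:2425
ipv6_renew_options+0x275/0x960 net/ipv6/exthdrs.c:1310
calipso_req_setattr+0x131/0x2e0 net/ipv6/calipso.c:1207
netlbl_req_setattr+0x18c/0x580 net/netlabel/netlabel_kapi.c:1224
</IRQ>
"""

# Assumption of this example: a fault below this address is a NULL pointer
# plus a struct field offset rather than a wild pointer.
NULL_PAGE = 0x1000

_CLAIMED = re.compile(r"\(tag: v(\d+\.\d+(?:\.\d+)?(?:-rc\d+)?)\)")
_RUNNING = re.compile(r"^CPU: .*?\b(\d+\.\d+\S*) #\d+", re.M)
_FAULT = re.compile(r"^(Read|Write) of size (\d+) at addr ([0-9a-fA-F]+)", re.M)
_FRAME = re.compile(r"^(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ (\S+:\d+)$", re.M)


def claimed_version(report):
    """Kernel version the reporter says was tested (from the HEAD commit tag)."""
    m = _CLAIMED.search(report)
    return m.group(1) if m else None


def running_version(report):
    """Kernel version printed by the crashing kernel itself (the CPU: line)."""
    m = _RUNNING.search(report)
    return m.group(1) if m else None


def _major_minor(version):
    major, minor = version.split(".")[:2]
    return int(major), int(re.match(r"\d+", minor).group())


def version_mismatch(report):
    """True when the trace comes from a different major.minor than claimed."""
    claimed, running = claimed_version(report), running_version(report)
    if claimed is None or running is None:
        return None
    return _major_minor(claimed) != _major_minor(running)


def fault(report):
    """(access kind, size, address) of the bad access, or None."""
    m = _FAULT.search(report)
    if not m:
        return None
    return m.group(1), int(m.group(2)), int(m.group(3), 16)


def null_plus_offset(report):
    """Return the field offset if the fault looks like NULL + offset, else None."""
    f = fault(report)
    if f is None:
        return None
    return f[2] if f[2] < NULL_PAGE else None


def frames(report):
    """Function names of the non-inlined frames, innermost first."""
    return [m.group(1) for m in _FRAME.finditer(report)]


def triage(report):
    """Summarise the checks a maintainer does before reading the whole trace."""
    return {
        "claimed": claimed_version(report),
        "running": running_version(report),
        "mismatch": version_mismatch(report),
        "null_offset": null_plus_offset(report),
        "caller_chain": frames(report)[:4],
    }


if __name__ == "__main__":
    summary = triage(REPORT)
    if summary["null_offset"] is not None:
        summary["null_offset"] = hex(summary["null_offset"])
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the excerpt above this reports the 6.13 claim against the 5.15.169 kernel that actually printed the trace, and classifies the 4-byte read at 0x270 as a NULL struct pointer plus a field offset, which is consistent with sock_kmalloc being handed a NULL sk from the request-socket path in the trace (tcp_v6_route_req -> security_inet_conn_request -> calipso_req_setattr -> ipv6_renew_options).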
