lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAP=Rh=NrrMf_WC-c6VQsWGB66FBTgoNg7hYntjcs5BqhqnuzLQ@mail.gmail.com>
Date: Thu, 22 May 2025 23:25:55 +0800
From: John <john.cs.hey@...il.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
Cc: davem@...emloft.net, dsahern@...nel.org, edumazet@...gle.com, 
	horms@...nel.org, kuba@...nel.org, linux-kernel@...r.kernel.org, 
	netdev@...r.kernel.org, pabeni@...hat.com
Subject: Re: [Bug] "general protection fault in calipso_sock_setattr" in Linux
 kernel v6.12

Hello Kuniyuki,

Thank you very much for your prompt reply and support. My full name is
John Cheung. I will continue attempting to reproduce the crash as
discussed.

I will keep you updated on any progress. Thank you again for your time
and assistance.

Best regards,
John

On Thu, May 22, 2025 at 2:10 AM Kuniyuki Iwashima <kuniyu@...zon.com> wrote:
>
> From: John <john.cs.hey@...il.com>
> Date: Wed, 21 May 2025 22:50:38 +0800
> > Dear Linux Kernel Maintainers,
> >
> > I hope this message finds you well.
> >
> > I am writing to report a potential vulnerability I encountered during
> > testing of the Linux Kernel version v6.12.
> >
> > Git Commit: adc218676eef25575469234709c2d87185ca223a (tag: v6.12)
> >
> > Bug Location: calipso_sock_setattr+0xf6/0x380 net/ipv6/calipso.c:1128
> >
> > Bug report: https://hastebin.com/share/iredodibar.yaml
> >
> > Complete log: https://hastebin.com/share/biqowozonu.perl
> >
> > Entire kernel config: https://hastebin.com/share/huqucavidu.ini
>
> Thanks for the report.
>
>
> >
> > Root Cause Analysis:
> > The crash is caused by a NULL pointer dereference in txopt_get() (at
> > include/net/ipv6.h:390) due to an uninitialized struct inet6_opt *opt
> > field.
>
> This is not correct.  The splat says the null deref happens at
> np->opt.
>
> > RIP: 0010:txopt_get root/zhangqiang/kernel_fuzzing/Drivers_Fuzz/linux-6.12/include/net/ipv6.h:390 [inline]
>
>    385  static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
>    386  {
>    387          struct ipv6_txoptions *opt;
>    388
>    389          rcu_read_lock();
>    390          opt = rcu_dereference(np->opt);
>
> and the offset is 0x70, which is of opt in struct ipv6_pinfo.
>
> > KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
>
> $ python3
> >>> 0x70
> 112
>
> $ pahole -C ipv6_pinfo vmlinux
> struct ipv6_pinfo {
> ...
>         struct ipv6_txoptions *    opt;                  /*   112     8 */
>
>
> np + 0x70 = 0x70, meaning np was NULL here.
>
> np is always initialised for IPv6 socket in inet6_create(), so this
> should never happens for IPv6 sockets.
>
> But looking at netlbl_conn_setattr(), it swtiched branch based on
> sockaddr.sa_family provided by userspace, and it does not check if
> the socket is actually IPv6 one.
>
> So, the fix will be:
>
>
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index cd9160bbc919..067f707f194d 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -1165,6 +1165,9 @@ int netlbl_conn_setattr(struct sock *sk,
>                 break;
>  #if IS_ENABLED(CONFIG_IPV6)
>         case AF_INET6:
> +               if (sk->sk_family != AF_INET6)
> +                       return -EPROTONOSUPPORT;
> +
>                 addr6 = (struct sockaddr_in6 *)addr;
>                 entry = netlbl_domhsh_getentry_af6(secattr->domain,
>                                                    &addr6->sin6_addr);
>
>
> > The function is indirectly invoked during an SELinux policy
> > enforcement path via calipso_sock_setattr(), which expects an
> > initialized inet6_sk(sk)->opt structure.
> > However, the socket in question does not have IPv6 tx options set up
> > at the time of the call, likely due to missing or out-of-order
> > initialization during socket creation or connection setup.
> > This leads to an invalid access at offset +0x70, detected by KASAN,
> > and results in a general protection fault.
> >
> > At present, I have not yet obtained a minimal reproducer for this
> > issue. However, I am actively working on reproducing it, and I will
> > promptly share any additional findings or a working reproducer as soon
> > as it becomes available.
>
> Try setting CALIPSO and calling connect(IPv6 addr) for IPv4 socket.
>
>
> >
> > Thank you very much for your time and attention to this matter. I
> > truly appreciate the efforts of the Linux kernel community.
>
> Could you provide your full name so that I can give proper credit
> in Reported-by tag ?
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ