Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 17 Jan 2023 23:11:09 -0700
From: Kyle Zeng <zengyhkyle@...il.com>
To: oss-security@...ts.openwall.com
Subject: null pointer dereference in Linux kernel

Hi there,

I recently found a null pointer dereference in Linux kernel that
affects multiple kernel versions. According to the versions that got
patched, the vulnerability affects 6.1, 5.15, 5.10, 5.4, and 4.19.

[Root Cause Analysis]
The bug is in "rawv6_push_pending_frames" function in net/ipv6/raw.c.
According to Herbert Xu, who fixed the bug, the root cause is that
"total_len = inet_sk(sk)->cork.base.length" in this function also
counts the length of the extension header (+ the amount of valid data
in the socket cork queue). In the vulnerable version of the function,
it directly uses the length as the amount of data in the cork queue.
In the following code:

    struct sk_buff *csum_skb = NULL;
    ...
    skb_queue_walk(&sk->sk_write_queue, skb) {
        ...
        if (offset >= len) {
            offset -= len;
            continue;
        }
        csum_skb = skb;
    }
    skb = csum_skb;

If the `offset` is larger than the amount of data in the socket cork
queue but smaller than valid data length + extension header length,
then the loop shown above will always enter the "if (offset >= len)"
branch. As a result, csum_skb will never be set. Consequently, the
final skb variable will be set to NULL.

Null dereference happens in the following "skb_transport_offset(skb);" call.

[Patch]
I have contacted Linux kernel team and helped them prepare a patch.
The patch to this bug has been merged into the mainline and stable
trees: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=cb3e9864cdbe35ff6378966660edbcbac955fe17

This bug does not have a CVE number assigned yet. I'll appreciate it
if someone from the list can give it a CVE number to notify other
vendors about its security implication.

A crash report is attached to the email. And a poc that triggers oops
can be found here:
https://lore.kernel.org/netdev/Y7s%2FFofVXLwoVgWt@westworld/

Best,
Kyle Zeng


=====================================
general protection fault, probably for non-canonical address
0xdffffc0000000018: 0000 [#1] SMP KASAN PTI
KASAN: null-ptr-deref in range [0x00000000000000c0-0x00000000000000c7]
CPU: 0 PID: 619 Comm: syz-executor390 Not tainted 5.10.140+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:skb_transport_header include/linux/skbuff.h:2500 [inline]
RIP: 0010:skb_transport_offset include/linux/skbuff.h:2606 [inline]
RIP: 0010:rawv6_push_pending_frames net/ipv6/raw.c:593 [inline]
RIP: 0010:rawv6_sendmsg+0x4368/0x5db0 net/ipv6/raw.c:956
Code: e8 cd ca e0 fb e9 51 fe ff ff e8 c3 7b 61 fb 49 89 dd 48 bd 00
00 00 00 00 fc ff df 49 8d bd c0 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c
28 00 74 05 e8 bd ca e0 fb 49 8b 9d c0 00 00 00 49 8d bd b2
RSP: 0018:ffff888013ddf7e8 EFLAGS: 00010206
RAX: 0000000000000018 RBX: 0000000000000000 RCX: ffff888011f05500
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000000000c0
RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed10027a9afc
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000479c45b8
R13: 0000000000000000 R14: ffff888013d4d800 R15: 00000000000000d8
FS:  00005555560ca3c0(0000) GS:ffff88806b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000000eb5a002 CR4: 0000000000170ef0
Call Trace:
 sock_sendmsg_nosec net/socket.c:651 [inline]
 sock_sendmsg net/socket.c:671 [inline]
 kernel_sendmsg+0x20a/0x230 net/socket.c:691
 sock_no_sendpage+0xde/0x130 net/core/sock.c:2852
 kernel_sendpage+0x4c8/0x530 net/socket.c:3514
 sock_sendpage+0x83/0xb0 net/socket.c:944
 pipe_to_sendpage+0x4c0/0x630 fs/splice.c:364
 splice_from_pipe_feed fs/splice.c:418 [inline]
 __splice_from_pipe+0x655/0xf60 fs/splice.c:562
 splice_from_pipe fs/splice.c:597 [inline]
 generic_splice_sendpage+0x132/0x1a0 fs/splice.c:743
 do_splice_from fs/splice.c:764 [inline]
 do_splice+0x1ea8/0x2da0 fs/splice.c:1057
 __do_splice fs/splice.c:1135 [inline]
 __do_sys_splice fs/splice.c:1341 [inline]
 __se_sys_splice+0x935/0xdc0 fs/splice.c:1323
 do_syscall_64+0x13a/0x160 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x61/0xc6
RIP: 0033:0x7f111d8c47dd
Code: c3 e8 e7 22 00 00 0f 1f 80 00 00 00 00 f3 0f 1e fa 48 89 f8 48
89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d
01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fff0105cb48 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007f111d8c47dd
RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007fff0105cb80 R08: 000000000804ffe2 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000bbd1 R14: 00007fff0105cb64 R15: 00007fff0105cb70
Modules linked in:
---[ end trace 66de936c85813c54 ]---
RIP: 0010:skb_transport_header include/linux/skbuff.h:2500 [inline]
RIP: 0010:skb_transport_offset include/linux/skbuff.h:2606 [inline]
RIP: 0010:rawv6_push_pending_frames net/ipv6/raw.c:593 [inline]
RIP: 0010:rawv6_sendmsg+0x4368/0x5db0 net/ipv6/raw.c:956
Code: e8 cd ca e0 fb e9 51 fe ff ff e8 c3 7b 61 fb 49 89 dd 48 bd 00
00 00 00 00 fc ff df 49 8d bd c0 00 00 00 48 89 f8 48 c1 e8 03 <80> 3c
28 00 74 05 e8 bd ca e0 fb 49 8b 9d c0 00 00 00 49 8d bd b2
RSP: 0018:ffff888013ddf7e8 EFLAGS: 00010206
RAX: 0000000000000018 RBX: 0000000000000000 RCX: ffff888011f05500
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 00000000000000c0
RBP: dffffc0000000000 R08: dffffc0000000000 R09: ffffed10027a9afc
R10: 0000000000000000 R11: 0000000000000000 R12: 00000000479c45b8
R13: 0000000000000000 R14: ffff888013d4d800 R15: 00000000000000d8
FS:  00005555560ca3c0(0000) GS:ffff88806b800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020001000 CR3: 000000000eb5a002 CR4: 0000000000170ef0
----------------
Code disassembly (best guess):
   0: e8 cd ca e0 fb        call   0xfbe0cad2
   5: e9 51 fe ff ff        jmp    0xfffffe5b
   a: e8 c3 7b 61 fb        call   0xfb617bd2
   f: 49 89 dd              mov    %rbx,%r13
  12: 48 bd 00 00 00 00 00 movabs $0xdffffc0000000000,%rbp
  19: fc ff df
  1c: 49 8d bd c0 00 00 00 lea    0xc0(%r13),%rdi
  23: 48 89 f8              mov    %rdi,%rax
  26: 48 c1 e8 03          shr    $0x3,%rax
* 2a: 80 3c 28 00          cmpb   $0x0,(%rax,%rbp,1) <-- trapping instruction
  2e: 74 05                je     0x35
  30: e8 bd ca e0 fb        call   0xfbe0caf2
  35: 49 8b 9d c0 00 00 00 mov    0xc0(%r13),%rbx
  3c: 49                    rex.WB
  3d: 8d                    .byte 0x8d
  3e: bd                    .byte 0xbd
  3f: b2                    .byte 0xb2

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.