oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: BUG_ON crash in linux 4.7-rc6/master skbuff.c

From: cve-assign () mitre org
Date: Tue, 5 Jul 2016 18:39:38 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256


this program will crash the linux kernel 4.7-rc6 and current master in a
voluntary panic() call triggered at a BUG_ON in net/core/skbuff.c:3051

kernel BUG at net/core/skbuff.c:3051!

in a qemu environment with kASAN enabled in a syzkaller-kind setup



[   59.831394] kernel BUG at net/core/skbuff.c:3051!
[   59.831802] invalid opcode: 0000 [#1] SMP KASAN



[   59.844495]  [<ffffffff82c54dba>] udpv6_queue_rcv_skb+0x4fa/0x15b0
[   59.845048]  [<ffffffff82c56b36>] __udp6_lib_rcv+0xcc6/0x1d20
[   59.845540]  [<ffffffff82c57bb1>] udpv6_rcv+0x21/0x30
[   59.845975]  [<ffffffff82bf5971>] ip6_input_finish+0x3a1/0x1170
[   59.846510]  [<ffffffff82bf7faa>] ip6_input+0xda/0x1f0
[   59.846950]  [<ffffffff82bf7ed0>] ? ipv6_rcv+0x1790/0x1790
[   59.847418]  [<ffffffff8296ce36>] ? __netif_receive_skb+0x36/0x170



[   59.883546] Kernel panic - not syncing: Fatal exception in interrupt



reproducer --- derp2.c

r[0] = syscall(SYS_mmap, ...
r[1] = syscall(SYS_socket, ...
r[3] = syscall(SYS_bind, ...
r[6] = syscall(SYS_sendto, ...
r[13] = syscall(SYS_setsockopt, ...
r[14] = syscall(SYS_dup, ...
r[21] = syscall(SYS_write, ...


Use CVE-2016-6162.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXfDVGAAoJEHb/MwWLVhi2AqUQAJzw7O7PX85JseeWkL6p9e8u
RHZtWmwh3TBgkdXuCh/GtayjL+pRdGjWs4Xz6S/vXf4iOMIxMc5BHXaaUSn1Yjpk
SBxfhNQPCVaAMnGD4FizEpJW2IY/79RqS7VB5GVTROuqrDySEg7p+9mT/XSZ3QyU
GKydUzilXBvq2AG3E+PVvCwXT7Nefd1tVNOWrvz1dFmOZ8lveJx2EQes8EvE2VzN
NEMKSuTl8Ey734VynwDkCUojHLjS40c0ny0ZhXtH1UURk3xb+WM9jLtTbmBLzmJC
sVH/rBORjvoptyR397KxuPYlXVXIjf8qRnVeZyV/y/gZhI6e8Hvxq1Df0wuZ9lzq
k41ldbLCEYnPKBVZbT+y+LobbF6Xp57/uCmBDSm11HDTle5EvSOWXVHd/4cw5t/c
b2IiNHTMkN9aeZVVT2yG8F9bEKBTzyIv5LbEaHhwNXgNuCfX2Ey5iZo2PBxVMBRJ
TeMlQK7AoBVidiWVMsB4jvZMJMCMWXFXROG2istI87WbLEzRzmKhqWjAEEbXVSzh
3lZHb0+06iH7e44mzsErURLkJlbOWSzNRo+Xl7nLCig+0wAqDYphC14bkZtNY1+z
rb+cune9A/mQe5qSLBckzB+W83dc7JQu/sHjFZhn1AgT5MI1nq6s36Ud+xdfQgvf
5ytAy5KDBdLxn2HCukEh
=c6Oy
-----END PGP SIGNATURE-----
Previous By Date Next
Previous By Thread Next

Current thread: