Message-ID: <CADW8OBv8QgoMu5qdMst4qRgtLUD8b6TjqhckPapJDQYFBa4S+w@mail.gmail.com>
Date: Tue, 10 Jan 2023 15:07:44 -0700
From: Kyle Zeng <zengyhkyle@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: Type Confusion in Linux Kernel

Hi John,

A crash report is attached to this email.
I hope this helps evaluate the security implication of the bug.

Best,
Kyle Zeng

==================================================================
BUG: KASAN: slab-out-of-bounds in cbq_enqueue+0x9d8/0x1fc0
Read of size 1 at addr ffff88806bfd40aa by task sd-resolve/250

CPU: 2 PID: 250 Comm: sd-resolve Not tainted 5.4.188 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
Call Trace:
 dump_stack+0x19d/0x1e7
 print_address_description+0xd7/0xca0
 __kasan_report+0x1e0/0x270
 kasan_report+0x30/0x60
 cbq_enqueue+0x9d8/0x1fc0
 __dev_queue_xmit+0x2238/0x49f0
 ip_finish_output2+0x1529/0x2430
 ip_output+0x358/0x3f0
 ip_send_skb+0xec/0x220
 udp_send_skb+0xd4f/0x1710
 udp_sendmsg+0x3889/0x4ee0
 ____sys_sendmsg+0x1083/0x1240
 __sys_sendmmsg+0x88d/0xe90
 __x64_sys_sendmmsg+0xa1/0xb0
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x7f188612135f
Code: 89 f5 55 53 89 cd 41 89 d4 89 fb 48 83 ec 18 e8 b7 b1 00 00 44 89 e2 41 89 c0 48 63 fb 4c 63 d5 4c 89 ee b8 33 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 1b 44 89 c7 89 44 24 0c e8 ed b1 00 00 8b 44
RSP: 002b:00007f1883b5fc10 EFLAGS: 00000293 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 000000000000000d RCX: 00007f188612135f
RDX: 0000000000000002 RSI: 00007f1883b5fdb0 RDI: 000000000000000d
RBP: 0000000000004000 R08: 0000000000000000 R09: 0000000000000004
R10: 0000000000004000 R11: 0000000000000293 R12: 0000000000000002
R13: 00007f1883b5fdb0 R14: 0000000008ce68e8 R15: 00007f1883b67db8

Allocated by task 1285:
 __kasan_kmalloc+0x1d9/0xdf0
 tc_new_tfilter+0x1f2e/0x41f0
 rtnetlink_rcv_msg+0x777/0x12d0
 netlink_rcv_skb+0x39b/0x870
 netlink_unicast+0xb45/0xf90
 netlink_sendmsg+0x1477/0x1830
 ____sys_sendmsg+0x1206/0x1240
 __sys_sendmsg+0x48d/0x570
 do_syscall_64+0x32f/0x3e0
 entry_SYSCALL_64_after_hwframe+0x44/0xa9

Freed by task 106:
 __kasan_slab_free+0x293/0xe30
 kfree+0x33e/0x1010
 process_one_work+0xea3/0x17b0
 worker_thread+0xecc/0x1a00
 kthread+0x33b/0x3a0
 ret_from_fork+0x35/0x40

The buggy address belongs to the object at ffff88806bfd4000
 which belongs to the cache kmalloc-128 of size 128
The buggy address is located 42 bytes to the right of
 128-byte region [ffff88806bfd4000, ffff88806bfd4080)
The buggy address belongs to the page:
page:ffffea0001aff500 refcount:1 mapcount:0 mapping:ffff88806bc03200 index:0x0
flags: 0x100000000000200(slab)
raw: 0100000000000200 ffffea0001a50b40 0000000400000004 ffff88806bc03200
raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88806bfd3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff88806bfd4000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc
>ffff88806bfd4080: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
                                  ^
 ffff88806bfd4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88806bfd4180: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
==================================================================