From: Wei Chen <harperchen1110@gmail.com>
To: vyasevich@gmail.com, nhorman@tuxdriver.com,
marcelo.leitner@gmail.com, linux-sctp@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
davem@davemloft.net, Eric Dumazet <edumazet@google.com>,
kuba@kernel.org, pabeni@redhat.com
Subject: BUG: unable to handle kernel NULL pointer dereference in sctp_sched_dequeue_common
Date: Tue, 12 Jul 2022 14:50:33 +0800
Message-ID: <CAO4mrfcB0d+qbwtfndzqcrL+QEQgfOmJYQMAdzwxRePmP8TY1A@mail.gmail.com>
In-Reply-To: <CAO4mrfcUYjEi69mcSt_vXyb3VGFTAAq3dyNeWueucgw0DGABfg@mail.gmail.com>
Dear Linux Developer,
Recently, when using our tool to fuzz the kernel, the following crash was triggered:
HEAD commit: c5eb0a61238d Linux 5.18-rc6
git tree: upstream
compiler: clang 12.0.0
console output:
https://drive.google.com/file/d/1zbd9t-NNorzTXESdQ3bxE-q9uLu-Bm9d/view?usp=sharing
Syzlang reproducer:
https://drive.google.com/file/d/18wnwTf53Ln4K8e4G9d8hS4-e0URQKHet/view?usp=sharing
C reproducer: https://drive.google.com/file/d/1ttiMq0WYi46zFP1II8O9eee_dvDweIb6/view?usp=sharing
kernel config: https://drive.google.com/file/d/1fITkvcuglspvuhI0mhXUndx112fJmcOZ/view?usp=sharing
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: Wei Chen <harperchen1110@gmail.com>
BUG: kernel NULL pointer dereference, address: 0000000000000000
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 12f83067 P4D 12f83067 PUD 0
Oops: 0000 [#1] PREEMPT SMP
CPU: 0 PID: 13 Comm: ksoftirqd/0 Not tainted 5.18.0-rc6 #12
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:__list_del_entry_valid+0x26/0x80
Code: 00 00 00 00 55 48 89 e5 48 89 fe 48 ba 00 01 00 00 00 00 ad de
48 8b 0f 48 39 d1 74 22 48 8b 46 08 48 83 c2 22 48 39 d0 74 25 <48> 8b
10 48 39 f2 75 2d 48 8b 51 08 48 39 f2 75 37 b0 01 5d c3 48
RSP: 0018:ffff888007313720 EFLAGS: 00010217
RAX: 0000000000000000 RBX: ffff88800c6283e8 RCX: 0000000000000000
RDX: dead000000000122 RSI: ffff88800c6283e8 RDI: ffff88800c6283e8
RBP: ffff888007313720 R08: ffffffff84399732 R09: ffffffff84392a74
R10: 0000000000000042 R11: ffff8880072a2f80 R12: ffff8880138be238
R13: ffff888016cdb000 R14: ffff888016cdb5a0 R15: ffff888016cdb000
FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000012f82000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
<TASK>
sctp_sched_dequeue_common+0x1c/0x90
sctp_sched_prio_dequeue+0x67/0x80
__sctp_outq_teardown+0x299/0x380
sctp_outq_free+0x15/0x20
sctp_association_free+0xc3/0x440
sctp_do_sm+0x1ca7/0x2210
sctp_assoc_bh_rcv+0x1f6/0x340
sctp_inq_push+0x98/0xb0
sctp_rcv+0x134e/0x16b0
sctp6_rcv+0x1b/0x30
ip6_protocol_deliver_rcu+0x5b7/0x930
ip6_input+0x80/0x140
ip6_rcv_finish+0x16e/0x1d0
ipv6_rcv+0x72/0x110
__netif_receive_skb+0x66/0x140
process_backlog+0x13d/0x230
__napi_poll+0x4b/0x310
net_rx_action+0x1ae/0x410
__do_softirq+0x16e/0x30f
run_ksoftirqd+0x23/0x30
smpboot_thread_fn+0x210/0x370
kthread+0x124/0x160
ret_from_fork+0x1f/0x30
</TASK>
Modules linked in:
Dumping ftrace buffer:
(ftrace buffer empty)
CR2: 0000000000000000
---[ end trace 0000000000000000 ]---
RIP: 0010:__list_del_entry_valid+0x26/0x80
Code: 00 00 00 00 55 48 89 e5 48 89 fe 48 ba 00 01 00 00 00 00 ad de
48 8b 0f 48 39 d1 74 22 48 8b 46 08 48 83 c2 22 48 39 d0 74 25 <48> 8b
10 48 39 f2 75 2d 48 8b 51 08 48 39 f2 75 37 b0 01 5d c3 48
RSP: 0018:ffff888007313720 EFLAGS: 00010217
RAX: 0000000000000000 RBX: ffff88800c6283e8 RCX: 0000000000000000
RDX: dead000000000122 RSI: ffff88800c6283e8 RDI: ffff88800c6283e8
RBP: ffff888007313720 R08: ffffffff84399732 R09: ffffffff84392a74
R10: 0000000000000042 R11: ffff8880072a2f80 R12: ffff8880138be238
R13: ffff888016cdb000 R14: ffff888016cdb5a0 R15: ffff888016cdb000
FS: 0000000000000000(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 0000000012f82000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
0: 00 00 add %al,(%rax)
2: 00 00 add %al,(%rax)
4: 55 push %rbp
5: 48 89 e5 mov %rsp,%rbp
8: 48 89 fe mov %rdi,%rsi
b: 48 ba 00 01 00 00 00 movabs $0xdead000000000100,%rdx
12: 00 ad de
15: 48 8b 0f mov (%rdi),%rcx
18: 48 39 d1 cmp %rdx,%rcx
1b: 74 22 je 0x3f
1d: 48 8b 46 08 mov 0x8(%rsi),%rax
21: 48 83 c2 22 add $0x22,%rdx
25: 48 39 d0 cmp %rdx,%rax
28: 74 25 je 0x4f
* 2a: 48 8b 10 mov (%rax),%rdx <-- trapping instruction
2d: 48 39 f2 cmp %rsi,%rdx
30: 75 2d jne 0x5f
32: 48 8b 51 08 mov 0x8(%rcx),%rdx
36: 48 39 f2 cmp %rsi,%rdx
39: 75 37 jne 0x72
3b: b0 01 mov $0x1,%al
3d: 5d pop %rbp
3e: c3 retq
3f: 48 rex.W
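Reading the dump against the disassembly: `struct list_head` keeps `next` at offset 0 and `prev` at offset 8, so `mov (%rdi),%rcx` loads entry->next and `mov 0x8(%rsi),%rax` loads entry->prev; the trapping `mov (%rax),%rdx` is the `prev->next` load, and the register dump shows RAX == 0 and RCX == 0, i.e. the list_head being unlinked in sctp_sched_dequeue_common was all zeros. The following C program is an added example, not code from the report or the kernel tree: a user-space model of the four checks `__list_del_entry_valid()` performs, in the order the disassembly shows, with the crash state and a double-delete state as constructed inputs. The layout and LIST_POISON constants are the kernel's; the enum names and scenario functions are assumptions made for this example.

```c
/*
 * Added example (not from the report or the kernel): a user-space model of the
 * checks __list_del_entry_valid() makes, in the order the disassembly above
 * shows. The list_head layout and LIST_POISON values are the kernel's; the
 * verdict names and scenario functions are assumptions for this example.
 */
#include <stddef.h>
#include <stdio.h>

#define LIST_POISON1 ((struct list_head *)0xdead000000000100UL) /* next after list_del() */
#define LIST_POISON2 ((struct list_head *)0xdead000000000122UL) /* prev after list_del() */

struct list_head {
    struct list_head *next;  /* offset 0: 'mov (%rdi),%rcx'    */
    struct list_head *prev;  /* offset 8: 'mov 0x8(%rsi),%rax' */
};

enum del_verdict {
    DEL_OK,            /* every check passes; list_del() would unlink the entry */
    DEL_POISON_NEXT,   /* entry->next == LIST_POISON1: entry already deleted    */
    DEL_POISON_PREV,   /* entry->prev == LIST_POISON2: entry already deleted    */
    DEL_FAULT_PREV,    /* entry->prev == NULL: 'mov (%rax),%rdx' would trap     */
    DEL_FAULT_NEXT,    /* entry->next == NULL: 'mov 0x8(%rcx),%rdx' would trap  */
    DEL_CORRUPT_PREV,  /* prev->next != entry                                   */
    DEL_CORRUPT_NEXT,  /* next->prev != entry                                   */
};

/*
 * The kernel function has no NULL tests: it compares against the poison values
 * and then dereferences prev and next. The DEL_FAULT_* verdicts mark where it
 * takes a page fault instead of returning false; in the oops above RAX (prev)
 * is 0 and RIP sits on 'mov (%rax),%rdx', which is DEL_FAULT_PREV here.
 */
static enum del_verdict check_del_entry(const struct list_head *entry)
{
    const struct list_head *next = entry->next;
    const struct list_head *prev = entry->prev;

    if (next == LIST_POISON1) return DEL_POISON_NEXT;
    if (prev == LIST_POISON2) return DEL_POISON_PREV;
    if (prev == NULL)         return DEL_FAULT_PREV;
    if (prev->next != entry)  return DEL_CORRUPT_PREV;
    if (next == NULL)         return DEL_FAULT_NEXT;
    if (next->prev != entry)  return DEL_CORRUPT_NEXT;
    return DEL_OK;
}

/* Constructed one-entry list: head <-> entry, linked correctly both ways. */
static void link_one(struct list_head *head, struct list_head *entry)
{
    head->next = entry;  head->prev = entry;
    entry->next = head;  entry->prev = head;
}

static enum del_verdict healthy_scenario(void)
{
    struct list_head head, entry;
    link_one(&head, &entry);
    return check_del_entry(&entry);
}

/* The state the register dump shows: both pointers of the entry are zero
 * (RCX == entry->next == 0, RAX == entry->prev == 0). prev is dereferenced
 * first, so that is where the kernel faulted. */
static enum del_verdict crash_scenario(void)
{
    struct list_head entry = { NULL, NULL };
    return check_del_entry(&entry);
}

/* Entry that list_del() already unlinked: next/prev hold the poison values,
 * which the checks report instead of dereferencing. */
static enum del_verdict double_delete_scenario(void)
{
    struct list_head entry = { LIST_POISON1, LIST_POISON2 };
    return check_del_entry(&entry);
}

int main(void)
{
    static const char *names[] = { "ok", "poison next", "poison prev",
        "fault on prev", "fault on next", "corrupt prev", "corrupt next" };
    printf("healthy:       %s\n", names[healthy_scenario()]);
    printf("oops state:    %s\n", names[crash_scenario()]);
    printf("double delete: %s\n", names[double_delete_scenario()]);
    return 0;
}
```

The point for triage: CONFIG_DEBUG_LIST only catches the poison patterns of an already-deleted entry, so an all-zero list_head (freed and cleared, or never initialized) produces this NULL dereference rather than a "list_del corruption" warning.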
Thread overview: 3+ messages
[not found] <CAO4mrfcUYjEi69mcSt_vXyb3VGFTAAq3dyNeWueucgw0DGABfg@mail.gmail.com>
2022-07-12 6:50 ` Wei Chen [this message]
2022-07-16 22:06 ` BUG: unable to handle kernel NULL pointer dereference in sctp_sched_dequeue_common (Xin Long)
2022-07-13 16:20 Wei Chen