Keyrings Archive on lore.kernel.org
 help / color / Atom feed
* PROBLEM: "BUG: kernel NULL pointer dereference" in "public_key_verify_signature"
@ 2020-11-11 22:18 Lennart Braun
  0 siblings, 0 replies; only message in thread
From: Lennart Braun @ 2020-11-11 22:18 UTC (permalink / raw)
  To: keyrings; +Cc: David Howells

Hello everyone,

I experience a recurring NULL pointer dereference error in Linux
5.10-rc3 when iwd tries to connect to some 802.1x wireless network
(eduroam) and wants to verify a signature.  The error seems to be
reproducible for me, but I am not sure how one would trigger the bug in
other environments.  With Linux 5.9.6 everything worked fine.

The Oops message (together with some related iwd context that might be
helpful) is pasted below.  I ran it through decode_stacktrace.sh to get
some line numbers.

From the position in the source code and the git history, it seems the
bug may be related to the recent patch series regarding OSCCA
certificate handling.

Please let me know if you need me to gather more information or if there
is anything else I can do to help.

Best regards

Lennart


---


Nov 11 17:55:16 euler kernel: wlan0: Limiting TX power to 17 dBm as advertised
by cc:46:d6:69:3b:8f
Nov 11 17:55:16 euler iwd[2039]: PEAP: tls_tx_handshake:868 Sending a
TLS_CLIENT_HELLO of 117 bytes
Nov 11 17:55:16 euler iwd[2039]: PEAP: l_tls_start:2802 New state
TLS_HANDSHAKE_WAIT_HELLO
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_handshake:2308 Handling a
TLS_SERVER_HELLO of 70 bytes
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_server_hello:1818 Negotiated
TLS 1.2
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_server_hello:1854 Negotiated
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_server_hello:1865 Negotiated
CompressionMethod.null
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_server_hello:1868 New state
TLS_HANDSHAKE_WAIT_CERTIFICATE
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_handshake:2308 Handling a
TLS_CERTIFICATE of 4856 bytes
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_cert_domains_match_mask:718 Trying to
match DNSName: 'radius.hrz.tu-darmsta>
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_certificate:1995 New state
TLS_HANDSHAKE_WAIT_KEY_EXCHANGE
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_handshake:2308 Handling a
TLS_SERVER_KEY_EXCHANGE of 329 bytes
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_handshake:2397 New state
TLS_HANDSHAKE_WAIT_HELLO_DONE
Nov 11 17:55:17 euler iwd[2039]: PEAP: tls_handle_ecdhe_server_key_xchg:506
Negotiated secp256r1
Nov 11 17:55:17 euler kernel: BUG: kernel NULL pointer dereference, address:
0000000000000000
Nov 11 17:55:17 euler kernel: #PF: supervisor read access in kernel mode
Nov 11 17:55:17 euler kernel: #PF: error_code(0x0000) - not-present page
Nov 11 17:55:17 euler kernel: PGD 0 P4D 0
Nov 11 17:55:17 euler kernel: Oops: 0000 [#25] PREEMPT SMP NOPTI
Nov 11 17:55:17 euler kernel: CPU: 14 PID: 2039 Comm: iwd Tainted: G      D
     5.10.0-rc3-1-mainline #1
Nov 11 17:55:17 euler kernel: Hardware name: LENOVO 20UES00L00/20UES00L00, BIOS
R1BET36W(1.05 ) 06/11/2020
Nov 11 17:55:17 euler kernel: RIP: 0010:public_key_verify_signature
(crypto/asymmetric_keys/public_key.c:359)
Nov 11 17:55:17 euler kernel: Code: 48 8b 40 d0 44 89 ca 4c 89 fe 4c 89 e7 e8 ff
27 9b 00 85 c0 0f 85 68 01 00 00 48 8>

Code starting with the faulting instruction
===========================================
   0:	48 8b 40 d0          	mov    -0x30(%rax),%rax
   4:	44 89 ca             	mov    %r9d,%edx
   7:	4c 89 fe             	mov    %r15,%rsi
   a:	4c 89 e7             	mov    %r12,%rdi
   d:	e8 ff 27 9b 00       	callq  0x9b2811
  12:	85 c0                	test   %eax,%eax
  14:	0f 85 68 01 00 00    	jne    0x182
  1a:	48                   	rex.W
  1b:	08                   	.byte 0x8
Nov 11 17:55:17 euler kernel: RSP: 0018:ffff9ee2c16d7d50 EFLAGS: 00010246
Nov 11 17:55:17 euler kernel: RAX: 0000000000000000 RBX: ffff997ac93c91c0 RCX:
0000000000000004
Nov 11 17:55:17 euler kernel: RDX: ffff997adfef0000 RSI: 0000000000000000 RDI:
ffffffff9e79bf38
Nov 11 17:55:17 euler kernel: RBP: ffff9ee2c16d7e88 R08: ffff997b009aa760 R09:
0000000000000008
Nov 11 17:55:17 euler kernel: R10: 0000000000000000 R11: 000000000000000a R12:
ffff997ac93c9600
Nov 11 17:55:17 euler kernel: R13: ffff997adfef0600 R14: ffff9ee2c16d7d88 R15:
ffff997afe09c200
Nov 11 17:55:17 euler kernel: FS:  00007fbd1eca9740(0000)
GS:ffff997dbfb80000(0000) knlGS:0000000000000000
Nov 11 17:55:17 euler kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 11 17:55:17 euler kernel: CR2: 0000000000000000 CR3: 000000011d7e0000 CR4:
0000000000350ee0
Nov 11 17:55:17 euler kernel: Call Trace:
Nov 11 17:55:17 euler kernel: asymmetric_key_verify_signature
(crypto/asymmetric_keys/asymmetric_type.c:575)
Nov 11 17:55:17 euler kernel: keyctl_pkey_verify (security/keys/keyctl_pkey.c:315)
Nov 11 17:55:17 euler kernel: do_syscall_64 (arch/x86/entry/common.c:46)
Nov 11 17:55:17 euler kernel: entry_SYSCALL_64_after_hwframe
(arch/x86/entry/entry_64.S:127)
Nov 11 17:55:17 euler kernel: RIP: 0033:0x7fbd1eda6d5d
Nov 11 17:55:17 euler kernel: Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f
1e fa 48 89 f8 48 89 f7 48 89 d6 48 8>

Code starting with the faulting instruction
===========================================
   0:	00 c3                	add    %al,%bl
   2:	66 2e 0f 1f 84 00 00 	nopw   %cs:0x0(%rax,%rax,1)
   9:	00 00 00
   c:	90                   	nop
   d:	f3 0f 1e fa          	endbr64
  11:	48 89 f8             	mov    %rdi,%rax
  14:	48 89 f7             	mov    %rsi,%rdi
  17:	48 89 d6             	mov    %rdx,%rsi
  1a:	48                   	rex.W
  1b:	08                   	.byte 0x8
Nov 11 17:55:17 euler kernel: RSP: 002b:00007fff490b4f68 EFLAGS: 00000246
ORIG_RAX: 00000000000000fa
Nov 11 17:55:17 euler kernel: RAX: ffffffffffffffda RBX: 00007fff490b4ff0 RCX:
00007fbd1eda6d5d
Nov 11 17:55:17 euler kernel: RDX: 0000556100c732c0 RSI: 00007fff490b4f70 RDI:
000000000000001c
Nov 11 17:55:17 euler kernel: RBP: 0000556100c732c0 R08: 0000556100c7638d R09:
000000302e9f2766
Nov 11 17:55:17 euler kernel: R10: 00007fff490b4ff0 R11: 0000000000000246 R12:
0000556100c7638d
Nov 11 17:55:17 euler kernel: R13: 00005560ff388b30 R14: 0000556100c76344 R15:
00007fff490b4ff0
Nov 11 17:55:17 euler kernel: Modules linked in: xt_CHECKSUM xt_MASQUERADE
xt_conntrack ipt_REJECT nf_reject_ipv4 xt_t>
Nov 11 17:55:17 euler kernel:  tpm_crb rapl psmouse input_leds typec_ucsi
tpm_tis k10temp i2c_piix4 rfkill snd libphy >
Nov 11 17:55:17 euler kernel: CR2: 0000000000000000
Nov 11 17:55:17 euler kernel: ---[ end trace b6f21d0c7ffe6cc2 ]---
Nov 11 17:55:17 euler kernel: RIP: 0010:public_key_verify_signature
(crypto/asymmetric_keys/public_key.c:359)
Nov 11 17:55:17 euler kernel: Code: 48 8b 40 d0 44 89 ca 4c 89 fe 4c 89 e7 e8 ff
27 9b 00 85 c0 0f 85 68 01 00 00 48 8>

Code starting with the faulting instruction
===========================================
   0:	48 8b 40 d0          	mov    -0x30(%rax),%rax
   4:	44 89 ca             	mov    %r9d,%edx
   7:	4c 89 fe             	mov    %r15,%rsi
   a:	4c 89 e7             	mov    %r12,%rdi
   d:	e8 ff 27 9b 00       	callq  0x9b2811
  12:	85 c0                	test   %eax,%eax
  14:	0f 85 68 01 00 00    	jne    0x182
  1a:	48                   	rex.W
  1b:	08                   	.byte 0x8
Nov 11 17:55:17 euler kernel: RSP: 0018:ffff9ee2c17a7d50 EFLAGS: 00010246
Nov 11 17:55:17 euler kernel: RAX: 0000000000000000 RBX: ffff997ac515f440 RCX:
0000000000000004
Nov 11 17:55:17 euler kernel: RDX: ffff997ac6496400 RSI: 0000000000000000 RDI:
ffffffff9e79bf38
Nov 11 17:55:17 euler kernel: RBP: ffff9ee2c17a7e88 R08: ffff997ac5a75220 R09:
0000000000000008
Nov 11 17:55:17 euler kernel: R10: 0000000000000000 R11: 000000000000000a R12:
ffff997ac515fac0
Nov 11 17:55:17 euler kernel: R13: ffff997ac6496b00 R14: ffff9ee2c17a7d88 R15:
ffff997ac578c800
Nov 11 17:55:17 euler kernel: FS:  00007fbd1eca9740(0000)
GS:ffff997dbfb80000(0000) knlGS:0000000000000000
Nov 11 17:55:17 euler kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Nov 11 17:55:17 euler kernel: CR2: 0000000000000000 CR3: 000000011d7e0000 CR4:
0000000000350ee0
Nov 11 17:55:17 euler kernel: audit: type=1131 audit(1605113717.462:211): pid=1
uid=0 auid=4294967295 ses=4294967295 m>
Nov 11 17:55:17 euler audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295
ses=4294967295 msg='unit=iwd comm="systemd" e>
Nov 11 17:55:17 euler systemd[1]: iwd.service: Main process exited, code=killed,
status=9/KILL
Nov 11 17:55:17 euler systemd[1]: iwd.service: Failed with result 'signal'.
Nov 11 17:55:17 euler kernel: wlan0: deauthenticating from cc:46:d6:69:3b:8f by
local choice (Reason: 3=DEAUTH_LEAVING)
Nov 11 17:55:17 euler systemd-networkd[501]: wlan0: Link DOWN



^ permalink raw reply	[flat|nested] only message in thread

only message in thread, back to index

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-11 22:18 PROBLEM: "BUG: kernel NULL pointer dereference" in "public_key_verify_signature" Lennart Braun

Keyrings Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/keyrings/0 keyrings/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 keyrings keyrings/ https://lore.kernel.org/keyrings \
		keyrings@vger.kernel.org
	public-inbox-index keyrings

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.keyrings


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git