BUG: unable to handle kernel NULL pointer dereference in l2tp_session_free
29 views
Skip to first unread message
syzbot
Apr 11, 2019, 8:00:42 PM4/11/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: 09eb2ba5 ANDROID: x86_64_cuttlefish_defconfig: Enable lz4 ..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1071ba0a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=59246eb7b3f7dd72
dashboard link: https://syzkaller.appspot.com/bug?extid=62064b854cbe734a71f2
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=165f315a400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1237d7bc400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+62064b...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: [<ffffffff836c473c>] l2tp_session_free+0x11c/0x200
net/l2tp/l2tp_core.c:1765
PGD 1c9a8b067 [ 55.140577] PUD 1c633a067
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3821 Comm: syz-executor049 Not tainted 4.9.124-g09eb2ba #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801c3d2c800 task.stack: ffff8801d9488000
RIP: 0010:[<ffffffff836c473c>] [<ffffffff836c473c>]
l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1765
RSP: 0018:ffff8801d948fc98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8801b6f2b180 RCX: 0000000000000000
RDX: 1ffff100395050d0 RSI: ffffffff836c4711 RDI: ffff8801ca828680
RBP: ffff8801d948fcb8 R08: ffff8801c3d2d0e8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801ca828500
R13: ffff8801b6f2b188 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000001947880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000001b7cda000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d94a0880 ffff8801b6f2b180 ffff8801d94a0c50 ffff8801d94a0b58
ffff8801d948fce0 ffffffff836cc022 ffff8801d94a0cc0 ffff8801d94a0880
ffffffff836cbf50 ffff8801d948fd18 ffffffff830281f5 ffff8801d94a0cc0
Call Trace:
[<ffffffff836cc022>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:297
[inline]
[<ffffffff836cc022>] pppol2tp_session_destruct+0xd2/0x110
net/l2tp/l2tp_ppp.c:460
[<ffffffff830281f5>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
[<ffffffff8302fc83>] sk_destruct+0x63/0x80 net/core/sock.c:1463
[<ffffffff8302fcef>] __sk_free+0x4f/0x220 net/core/sock.c:1471
[<ffffffff8302feeb>] sk_free+0x2b/0x40 net/core/sock.c:1482
[<ffffffff836cf329>] sock_put include/net/sock.h:1588 [inline]
[<ffffffff836cf329>] pppol2tp_release+0x239/0x2e0 net/l2tp/l2tp_ppp.c:501
[<ffffffff83018357>] __sock_release+0xd7/0x260 net/socket.c:605
[<ffffffff830184f9>] sock_close+0x19/0x20 net/socket.c:1059
[<ffffffff8157ca73>] __fput+0x263/0x700 fs/file_table.c:208
[<ffffffff8157cf95>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8119a66c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
[<ffffffff8100559c>] tracehook_notify_resume include/linux/tracehook.h:191
[inline]
[<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
arch/x86/entry/common.c:161
[<ffffffff810064d4>] prepare_exit_to_usermode arch/x86/entry/common.c:191
[inline]
[<ffffffff810064d4>] syscall_return_slowpath arch/x86/entry/common.c:260
[inline]
[<ffffffff810064d4>] do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
[<ffffffff83a019d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
ea 03 80 3c 02 00 0f 85 c6 00 00 00 4d 8b b4 24 80 01 00 00 <f0> 41 ff 8e
80 00 00 00 74 69 e8 a5 c5 c9 fd 4c 89 ea 48 b8 00
RIP [<ffffffff836c473c>] l2tp_session_free+0x11c/0x200
net/l2tp/l2tp_core.c:1765
RSP <ffff8801d948fc98>
CR2: 0000000000000080
---[ end trace 23ee9bb7740e99e9 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot found the following crash on:
HEAD commit: 09eb2ba5 ANDROID: x86_64_cuttlefish_defconfig: Enable lz4 ..
git tree: android-4.9
console output: https://syzkaller.appspot.com/x/log.txt?x=1071ba0a400000
kernel config: https://syzkaller.appspot.com/x/.config?x=59246eb7b3f7dd72
dashboard link: https://syzkaller.appspot.com/bug?extid=62064b854cbe734a71f2
compiler: gcc (GCC) 8.0.1 20180413 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=165f315a400000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1237d7bc400000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+62064b...@syzkaller.appspotmail.com
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
random: sshd: uninitialized urandom read (32 bytes read)
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
IP: [<ffffffff836c473c>] l2tp_session_free+0x11c/0x200
net/l2tp/l2tp_core.c:1765
PGD 1c9a8b067 [ 55.140577] PUD 1c633a067
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 3821 Comm: syz-executor049 Not tainted 4.9.124-g09eb2ba #31
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801c3d2c800 task.stack: ffff8801d9488000
RIP: 0010:[<ffffffff836c473c>] [<ffffffff836c473c>]
l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1765
RSP: 0018:ffff8801d948fc98 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8801b6f2b180 RCX: 0000000000000000
RDX: 1ffff100395050d0 RSI: ffffffff836c4711 RDI: ffff8801ca828680
RBP: ffff8801d948fcb8 R08: ffff8801c3d2d0e8 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801ca828500
R13: ffff8801b6f2b188 R14: 0000000000000000 R15: 0000000000000000
FS: 0000000001947880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000001b7cda000 CR4: 00000000001606f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d94a0880 ffff8801b6f2b180 ffff8801d94a0c50 ffff8801d94a0b58
ffff8801d948fce0 ffffffff836cc022 ffff8801d94a0cc0 ffff8801d94a0880
ffffffff836cbf50 ffff8801d948fd18 ffffffff830281f5 ffff8801d94a0cc0
Call Trace:
[<ffffffff836cc022>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:297
[inline]
[<ffffffff836cc022>] pppol2tp_session_destruct+0xd2/0x110
net/l2tp/l2tp_ppp.c:460
[<ffffffff830281f5>] __sk_destruct+0x55/0x590 net/core/sock.c:1428
[<ffffffff8302fc83>] sk_destruct+0x63/0x80 net/core/sock.c:1463
[<ffffffff8302fcef>] __sk_free+0x4f/0x220 net/core/sock.c:1471
[<ffffffff8302feeb>] sk_free+0x2b/0x40 net/core/sock.c:1482
[<ffffffff836cf329>] sock_put include/net/sock.h:1588 [inline]
[<ffffffff836cf329>] pppol2tp_release+0x239/0x2e0 net/l2tp/l2tp_ppp.c:501
[<ffffffff83018357>] __sock_release+0xd7/0x260 net/socket.c:605
[<ffffffff830184f9>] sock_close+0x19/0x20 net/socket.c:1059
[<ffffffff8157ca73>] __fput+0x263/0x700 fs/file_table.c:208
[<ffffffff8157cf95>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8119a66c>] task_work_run+0x10c/0x180 kernel/task_work.c:116
[<ffffffff8100559c>] tracehook_notify_resume include/linux/tracehook.h:191
[inline]
[<ffffffff8100559c>] exit_to_usermode_loop+0xfc/0x120
arch/x86/entry/common.c:161
[<ffffffff810064d4>] prepare_exit_to_usermode arch/x86/entry/common.c:191
[inline]
[<ffffffff810064d4>] syscall_return_slowpath arch/x86/entry/common.c:260
[inline]
[<ffffffff810064d4>] do_syscall_64+0x364/0x490 arch/x86/entry/common.c:287
[<ffffffff83a019d3>] entry_SYSCALL_64_after_swapgs+0x5d/0xdb
Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
ea 03 80 3c 02 00 0f 85 c6 00 00 00 4d 8b b4 24 80 01 00 00 <f0> 41 ff 8e
80 00 00 00 74 69 e8 a5 c5 c9 fd 4c 89 ea 48 b8 00
RIP [<ffffffff836c473c>] l2tp_session_free+0x11c/0x200
net/l2tp/l2tp_core.c:1765
RSP <ffff8801d948fc98>
CR2: 0000000000000080
---[ end trace 23ee9bb7740e99e9 ]---
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches
syzbot
Apr 12, 2019, 8:00:42 PM4/12/19
to syzkaller-a...@googlegroups.com
Hello,
syzbot found the following crash on:
HEAD commit: aa856bd8 Merge 4.4.115 into android-4.4
syzbot found the following crash on:
git tree: android-4.4
console output: https://syzkaller.appspot.com/x/log.txt?x=143fd78d800000
kernel config: https://syzkaller.appspot.com/x/.config?x=58e89c40ea7f5c9c
dashboard link: https://syzkaller.appspot.com/bug?extid=fedb6726c4a8c66824bb
compiler: gcc (GCC) 7.1.1 20170620
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=141a48ed800000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=147b0f8d800000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000080
net/l2tp/l2tp_core.c:1667
PGD 80000001cbe40067 PUD 1cbfab067 PMD 0
Oops: 0002 [#1] PREEMPT SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3957 Comm: syzkaller971971 Not tainted 4.4.115-gaa856bd #6
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
task: ffff8801d8810000 task.stack: ffff8801d8f50000
Google 01/01/2011
RIP: 0010:[<ffffffff8345ac1c>] [<ffffffff8345ac1c>]
l2tp_session_free+0x11c/0x200 net/l2tp/l2tp_core.c:1667
RSP: 0018:ffff8801d8f57cd8 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff8801cbe8c780 RCX: ffffffff8345abf1
RDX: 1ffff10039518750 RSI: 0000000000000001 RDI: ffff8801ca8c3a80
RBP: ffff8801d8f57cf8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 1ffff1003b1eaf5c R12: ffff8801ca8c3900
R13: ffff8801cbe8c788 R14: 0000000000000000 R15: ffffffff82de7b90
FS: 00007fb1bad61700(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000080 CR3: 00000001caa3e000 CR4: 0000000000160670
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d89e3b80 ffff8801cbe8c780 ffff8801d89e3f50 ffff8801d89e3e58
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Stack:
ffff8801d8f57d20 ffffffff83464a13 ffff8801d89e3b80 ffffffff83464940
ffff8800aba24ce0 ffff8801d8f57d48 ffffffff82dfca9a ffff8801d89e3b80
Call Trace:
[<ffffffff83464a13>] l2tp_session_dec_refcount_1 net/l2tp/l2tp_core.h:293
[inline]
[<ffffffff83464a13>] pppol2tp_session_destruct+0xd3/0x110
net/l2tp/l2tp_ppp.c:477
[<ffffffff82dfca9a>] sk_destruct+0x4a/0x4c0 net/core/sock.c:1447
[<ffffffff82dfcf67>] __sk_free+0x57/0x230 net/core/sock.c:1480
[<ffffffff82dfd170>] sk_free+0x30/0x40 net/core/sock.c:1491
[<ffffffff834658ea>] sock_put include/net/sock.h:1639 [inline]
[<ffffffff834658ea>] pppol2tp_release+0x27a/0x310 net/l2tp/l2tp_ppp.c:518
[<ffffffff82de7a3d>] sock_release+0x8d/0x1e0 net/socket.c:586
[<ffffffff82de7ba6>] sock_close+0x16/0x20 net/socket.c:1037
[<ffffffff815236a3>] __fput+0x233/0x6d0 fs/file_table.c:208
[<ffffffff81523bc5>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff8118b9e4>] task_work_run+0x104/0x180 kernel/task_work.c:115
[<ffffffff8100361d>] tracehook_notify_resume include/linux/tracehook.h:191
[inline]
[<ffffffff8100361d>] exit_to_usermode_loop+0x13d/0x160
arch/x86/entry/common.c:251
[<ffffffff81006535>] prepare_exit_to_usermode arch/x86/entry/common.c:282
[inline]
[<ffffffff81006535>] syscall_return_slowpath+0x1b5/0x1f0
arch/x86/entry/common.c:347
[<ffffffff837745a9>] int_ret_from_sys_call+0x25/0xa3
Code: 49 8d bc 24 80 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1
ea 03 80 3c 02 00 0f 85 c3 00 00 00 4d 8b b4 24 80 01 00 00 <f0> 41 ff 8e
80 00 00 00 74 64 e8 55 61 f0 fd e8 50 61 f0 fd 4c
RIP [<ffffffff8345ac1c>] l2tp_session_free+0x11c/0x200
net/l2tp/l2tp_core.c:1667
RSP <ffff8801d8f57cd8>
CR2: 0000000000000080
---[ end trace 18adfd4322ec3827 ]---
Reply all
Reply to author
Forward
0 new messages