tipc: NULL deref in tipc_net_finalize

50 views
Skip to first unread message

Dmitry Vyukov

unread,
Dec 10, 2018, 10:34:12 AM12/10/18
to Jon Maloy, Ying Xue, David Miller, netdev, tipc-di...@lists.sourceforge.net, LKML, syzkaller
Hello,

The following program crashes upstream kernel on
40e020c129cfc991e8ab4736d2665351ffd1468d (Dec 9) with:

BUG: unable to handle kernel NULL pointer dereference at 0000000000000001
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 1 PID: 45 Comm: kworker/1:1 Not tainted 4.20.0-rc6 #3
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Workqueue: events tipc_net_finalize_work
RIP: 0010:rht_bucket_nested+0x31/0x90 lib/rhashtable.c:1190
Code: 89 f3 e8 32 84 ca ff 8b 4d 04 b8 01 00 00 00 48 8b 95 80 00 00
00 44 8b 65 00 d3 e0 83 e8 01 41 d3 ec 21 d8 d3 eb 48 8d 04 c2 <48> 8b
28 48 85 ed 75 22 eb 29 e8 00 84 ca ff 89 d8 41 c1 ec 09 c1
RSP: 0018:ffffb1bd8045fd68 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffff9f0e
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9f0efa5433e0
RBP: ffff9f0efa5433e0 R08: 00000006c423ea71 R09: 0000000000000027
R10: ffffb1bd80377df8 R11: fefefefefefefeff R12: 000000000003e951
R13: ffffb1bd8045fdf0 R14: 0000000000000000 R15: ffff9f0efa5433e0
FS: 0000000000000000(0000) GS:ffff9f0efda80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000001 CR3: 0000000015e0a002 CR4: 0000000000160ee0
Call Trace:
rht_bucket include/linux/rhashtable.h:280 [inline]
__rhashtable_walk_find_next+0x1af/0x1e0 lib/rhashtable.c:801
rhashtable_walk_next+0x56/0xf0 lib/rhashtable.c:885
tipc_sk_reinit+0xaa/0x120 net/tipc/socket.c:2726
tipc_net_finalize.part.4+0x26/0x50 net/tipc/net.c:138
tipc_net_finalize net/tipc/net.c:134 [inline]
tipc_net_finalize_work+0x3f/0x50 net/tipc/net.c:148
process_one_work+0x290/0x540 kernel/workqueue.c:2153
worker_thread+0x39/0x500 kernel/workqueue.c:2296
kthread+0x12c/0x150 kernel/kthread.c:246
ret_from_fork+0x35/0x40 arch/x86/entry/entry_64.S:352
Modules linked in:
CR2: 0000000000000001
---[ end trace 49f6dae32389e817 ]---
RIP: 0010:rht_bucket_nested+0x31/0x90 lib/rhashtable.c:1190
Code: 89 f3 e8 32 84 ca ff 8b 4d 04 b8 01 00 00 00 48 8b 95 80 00 00
00 44 8b 65 00 d3 e0 83 e8 01 41 d3 ec 21 d8 d3 eb 48 8d 04 c2 <48> 8b
28 48 85 ed 75 22 eb 29 e8 00 84 ca ff 89 d8 41 c1 ec 09 c1
RSP: 0018:ffffb1bd8045fd68 EFLAGS: 00010246
RAX: 0000000000000001 RBX: 0000000000000000 RCX: 00000000ffff9f0e
RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff9f0efa5433e0
RBP: ffff9f0efa5433e0 R08: 00000006c423ea71 R09: 0000000000000027
R10: ffffb1bd80377df8 R11: fefefefefefefeff R12: 000000000003e951
R13: ffffb1bd8045fdf0 R14: 0000000000000000 R15: ffff9f0efa5433e0
FS: 0000000000000000(0000) GS:ffff9f0efda80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000001 CR3: 0000000015e0a002 CR4: 0000000000160ee0

Kernel config (nothing special: mostly defconfig+enabled tipc):
https://gist.githubusercontent.com/dvyukov/b67e6428ecc170b090b9f65eec784e5a/raw/b77b0f3e86d702f868ab7511d04ca307180f3abc/gistfile1.txt

Reproducer program:
https://gist.github.com/dvyukov/9d9d9f2f87b05766323e3a97e07b5af8

There is a bunch of boilerplate to enable namespaces and net devices,
etc, but in a nutshell it basically does only TIPC_NL_BEARER_ENABLE:

r0 = socket$nl_generic(0x10, 0x3, 0x10)
r1 = syz_genetlink_get_family_id$tipc2(&(0x7f0000000000)='TIPCv2\x00')
sendmsg$TIPC_NL_BEARER_ENABLE(r0, &(0x7f0000000080)={0x0, 0x0,
&(0x7f00000000c0)={&(0x7f0000000100)={0x54, r1, 0x1, 0x123, 0x234, {},
[@TIPC_NLA_BEARER={0x40, 0x1, [@TIPC_NLA_BEARER_NAME={0x10, 0x1,
@udp='udp:syz0\x00'}, @TIPC_NLA_BEARER_UDP_OPTS={0x2c, 0x4, {{0x14,
0x1, @in={0x2, 0x4e20, @loopback}}, {0x14, 0x2, @in={0x2, 0x4e20,
@loopback}}}}]}]}, 0x54}}, 0x0)

This makes overall tipc testing a bit problematic as kernel always
crashes whenever syzkaller tries to do just anything with udp bearer,
so I would appreciate timely fix.

Thanks

Dmitry Vyukov

unread,
Dec 12, 2018, 5:45:07 AM12/12/18
to Jon Maloy, Ying Xue, David Miller, netdev, tipc-di...@lists.sourceforge.net, LKML, syzkaller, Cong Wang
FTR, this is fixed by Cong with "tipc: use lock_sock() in tipc_sk_reinit()"
https://www.spinics.net/lists/netdev/msg538775.html
Reply all
Reply to author
Forward
0 new messages