general protection fault in __fib6_update_sernum_upto_root
Hello. We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue. Stack dump: general protection fault, probably for non-canonical address 0xff1f1b1f1f1f1f24: [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xf8f8f8f8f8f8f920-0xf8f8f8f8f8f8f927] CPU: 1 PID: 9367 Comm: kworker/1:5 Not tainted 6.7.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:__fib6_update_sernum_upto_root+0xa7/0x270 net/ipv6/ip6_fib.c:1358 Code: c1 e8 03 42 80 3c 20 00 0f 85 9b 01 00 00 48 8b 1b 48 85 db 0f 84 d9 00 00 00 e8 74 70 39 f8 48 8d 7b 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RSP: 0018:c9000631f7c8 EFLAGS: 00010a07 RAX: 1f1f1f1f1f1f1f24 RBX: f8f8f8f8f8f8f8f8 RCX: 89508644 RDX: 888051d78000 RSI: 895085dc RDI: f8f8f8f8f8f8f924 RBP: 0001 R08: 0005 R09: R10: 0001 R11: R12: dc00 R13: 0186 R14: 888052396c00 R15: ed100a472d80 FS: () GS:88807ec0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f42c8487d00 CR3: 4b42c000 CR4: 00750ef0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 PKRU: 5554 Call Trace: __list_add include/linux/list.h:153 [inline] list_add include/linux/list.h:169 [inline] fib6_add+0x16c4/0x4410 net/ipv6/ip6_fib.c:1490 __ip6_ins_rt net/ipv6/route.c:1313 [inline] ip6_ins_rt+0xb6/0x110 net/ipv6/route.c:1323 __ipv6_ifa_notify+0xab3/0xd30 net/ipv6/addrconf.c:6266 ipv6_ifa_notify net/ipv6/addrconf.c:6303 [inline] addrconf_dad_completed+0x15f/0xef0 net/ipv6/addrconf.c:4317 addrconf_dad_work+0x785/0x14e0 net/ipv6/addrconf.c:4260 process_one_work+0x87b/0x15c0 kernel/workqueue.c:3226 worker_thread+0x855/0x1200 kernel/workqueue.c:3380 kthread+0x2cc/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:256 Modules linked in: ---[ end trace ]--- RIP: 0010:__fib6_update_sernum_upto_root+0xa7/0x270 net/ipv6/ip6_fib.c:1358 Code: c1 e8 03 42 80 3c 20 00 0f 85 9b 01 00 00 48 8b 1b 48 85 db 0f 84 d9 00 00 00 e8 74 70 39 f8 48 8d 7b 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RSP: 0018:c9000631f7c8 EFLAGS: 00010a07 RAX: 1f1f1f1f1f1f1f24 RBX: f8f8f8f8f8f8f8f8 RCX: 89508644 RDX: 888051d78000 RSI: 895085dc RDI: f8f8f8f8f8f8f924 RBP: 0001 R08: 0005 R09: R10: 0001 R11: R12: dc00 R13: 0186 R14: 888052396c00 R15: ed100a472d80 FS: () GS:88807ec0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f42c8487d00 CR3: 4b42c000 CR4: 00750ef0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 PKRU: 5554 Code disassembly (best guess): 0: c1 e8 03shr$0x3,%eax 3: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) 8: 0f 85 9b 01 00 00 jne0x1a9 e: 48 8b 1bmov(%rbx),%rbx 11: 48 85 dbtest %rbx,%rbx 14: 0f 84 d9 00 00 00 je 0xf3 1a: e8 74 70 39 f8 call 0xf8397093 1f: 48 8d 7b 2c lea0x2c(%rbx),%rdi 23: 48 89 f8mov%rdi,%rax 26: 48 c1 e8 03 shr$0x3,%rax * 2a: 42 0f b6 14 20 movzbl (%rax,%r12,1),%edx <-- trapping instruction 2f: 48 89 f8mov%rdi,%rax 32: 83 e0 07and$0x7,%eax 35: 83 c0 03add$0x3,%eax 38: 38 d0 cmp%dl,%al 3a: 7c 08 jl 0x44 3c: 84 d2 test %dl,%dl 3e: 0f .byte 0xf 3f: 85 .byte 0x85 Thank you for taking the time to read this email and we look forward to working with you further. poc.c Description: Binary data
general protection fault in __fib6_update_sernum_upto_root
Hello. We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.7. Attached to the email were a PoC file of the issue. Stack dump: general protection fault, probably for non-canonical address 0xff1f1b1f1f1f1f24: [#1] PREEMPT SMP KASAN NOPTI KASAN: maybe wild-memory-access in range [0xf8f8f8f8f8f8f920-0xf8f8f8f8f8f8f927] CPU: 1 PID: 9367 Comm: kworker/1:5 Not tainted 6.7.0 #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:__fib6_update_sernum_upto_root+0xa7/0x270 net/ipv6/ip6_fib.c:1358 Code: c1 e8 03 42 80 3c 20 00 0f 85 9b 01 00 00 48 8b 1b 48 85 db 0f 84 d9 00 00 00 e8 74 70 39 f8 48 8d 7b 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RSP: 0018:c9000631f7c8 EFLAGS: 00010a07 RAX: 1f1f1f1f1f1f1f24 RBX: f8f8f8f8f8f8f8f8 RCX: 89508644 RDX: 888051d78000 RSI: 895085dc RDI: f8f8f8f8f8f8f924 RBP: 0001 R08: 0005 R09: R10: 0001 R11: R12: dc00 R13: 0186 R14: 888052396c00 R15: ed100a472d80 FS: () GS:88807ec0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f42c8487d00 CR3: 4b42c000 CR4: 00750ef0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 PKRU: 5554 Call Trace: __list_add include/linux/list.h:153 [inline] list_add include/linux/list.h:169 [inline] fib6_add+0x16c4/0x4410 net/ipv6/ip6_fib.c:1490 __ip6_ins_rt net/ipv6/route.c:1313 [inline] ip6_ins_rt+0xb6/0x110 net/ipv6/route.c:1323 __ipv6_ifa_notify+0xab3/0xd30 net/ipv6/addrconf.c:6266 ipv6_ifa_notify net/ipv6/addrconf.c:6303 [inline] addrconf_dad_completed+0x15f/0xef0 net/ipv6/addrconf.c:4317 addrconf_dad_work+0x785/0x14e0 net/ipv6/addrconf.c:4260 process_one_work+0x87b/0x15c0 kernel/workqueue.c:3226 worker_thread+0x855/0x1200 kernel/workqueue.c:3380 kthread+0x2cc/0x3b0 kernel/kthread.c:388 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:256 Modules linked in: ---[ end trace ]--- RIP: 0010:__fib6_update_sernum_upto_root+0xa7/0x270 net/ipv6/ip6_fib.c:1358 Code: c1 e8 03 42 80 3c 20 00 0f 85 9b 01 00 00 48 8b 1b 48 85 db 0f 84 d9 00 00 00 e8 74 70 39 f8 48 8d 7b 2c 48 89 f8 48 c1 e8 03 <42> 0f b6 14 20 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 RSP: 0018:c9000631f7c8 EFLAGS: 00010a07 RAX: 1f1f1f1f1f1f1f24 RBX: f8f8f8f8f8f8f8f8 RCX: 89508644 RDX: 888051d78000 RSI: 895085dc RDI: f8f8f8f8f8f8f924 RBP: 0001 R08: 0005 R09: R10: 0001 R11: R12: dc00 R13: 0186 R14: 888052396c00 R15: ed100a472d80 FS: () GS:88807ec0() knlGS: CS: 0010 DS: ES: CR0: 80050033 CR2: 7f42c8487d00 CR3: 4b42c000 CR4: 00750ef0 DR0: DR1: DR2: DR3: DR6: fffe0ff0 DR7: 0400 PKRU: 5554 Code disassembly (best guess): 0: c1 e8 03shr$0x3,%eax 3: 42 80 3c 20 00 cmpb $0x0,(%rax,%r12,1) 8: 0f 85 9b 01 00 00 jne0x1a9 e: 48 8b 1bmov(%rbx),%rbx 11: 48 85 dbtest %rbx,%rbx 14: 0f 84 d9 00 00 00 je 0xf3 1a: e8 74 70 39 f8 call 0xf8397093 1f: 48 8d 7b 2c lea0x2c(%rbx),%rdi 23: 48 89 f8mov%rdi,%rax 26: 48 c1 e8 03 shr$0x3,%rax * 2a: 42 0f b6 14 20 movzbl (%rax,%r12,1),%edx <-- trapping instruction 2f: 48 89 f8mov%rdi,%rax 32: 83 e0 07and$0x7,%eax 35: 83 c0 03add$0x3,%eax 38: 38 d0 cmp%dl,%al 3a: 7c 08 jl 0x44 3c: 84 d2 test %dl,%dl 3e: 0f .byte 0xf 3f: 85 .byte 0x85 Thank you for taking the time to read this email and we look forward to working with you further. poc.c Description: Binary data
