Re: "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause

2021-01-11 Thread 慕冬亮
On Tue, Jan 12, 2021 at 11:27 AM Marcelo Ricardo Leitner
 wrote:
>
> On Tue, Jan 12, 2021 at 10:18:00AM +0800, 慕冬亮 wrote:
> > Dear developers,
> >
> > I find that "general protection fault in l2cap_sock_getsockopt" and
> > "general protection fault in sco_sock_getsockopt" may be duplicated
> > bugs from the same root cause.
> >

I am sorry that the above description is for another bug group -
https://groups.google.com/g/syzkaller-bugs/c/csbAcYWGd2I. I forgot to
modify this paragraph. Embarrassing :(

The correct description here should be: I find that "general
protection fault in sctp_ulpevent_notify_peer_addr_change" and
"general protection fault in sctp_ulpevent_nofity_peer_addr_change"
should share the same root cause, like the title.

> > First, by comparing the PoC similarity after own minimization, we find
> > they share the same PoC. Second, the stack traces for both bug reports
> > are the same except for the last function. And the different last
> > functions are due to a function name change (typo fix) from
> > "sctp_ulpevent_nofity_peer_addr_change" to
> > "sctp_ulpevent_notify_peer_addr_change"
>
> Not sure where you saw stack traces with this sctp function in it, but
> the syzkaller reports from 17 Feb 2020 are not related to SCTP.
>
> The one on sco_sock_getsockopt() seems to be a lack of parameter
> validation: it doesn't check if optval is big enough when handling
> BT_PHY (which has the same value as SCTP_STATUS). It also seems to miss a
> check on if level != SOL_BLUETOOTH, but I may be wrong here.
>
> l2cap_sock_getsockopt also lacks checking optlen.
>

Please ignore my mistake, and discuss the issue of
sco/l2tp_sock_getsockopt in the thread - "general protection fault in
l2cap_sock_getsockopt" and "general protection fault in
sco_sock_getsockopt" may share the same root cause
(https://groups.google.com/g/syzkaller-bugs/c/csbAcYWGd2I)


>   Marcelo


Re: "general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause

2021-01-11 Thread Marcelo Ricardo Leitner
On Tue, Jan 12, 2021 at 10:18:00AM +0800, 慕冬亮 wrote:
> Dear developers,
> 
> I find that "general protection fault in l2cap_sock_getsockopt" and
> "general protection fault in sco_sock_getsockopt" may be duplicated
> bugs from the same root cause.
> 
> First, by comparing the PoC similarity after own minimization, we find
> they share the same PoC. Second, the stack traces for both bug reports
> are the same except for the last function. And the different last
> functions are due to a function name change (typo fix) from
> "sctp_ulpevent_nofity_peer_addr_change" to
> "sctp_ulpevent_notify_peer_addr_change"

Not sure where you saw stack traces with this sctp function in it, but
the syzkaller reports from 17 Feb 2020 are not related to SCTP.

The one on sco_sock_getsockopt() seems to be a lack of parameter
validation: it doesn't check if optval is big enough when handling
BT_PHY (which has the same value as SCTP_STATUS). It also seems to miss a
check on if level != SOL_BLUETOOTH, but I may be wrong here.

l2cap_sock_getsockopt also lacks checking optlen.

  Marcelo


"general protection fault in sctp_ulpevent_notify_peer_addr_change" and "general protection fault in sctp_ulpevent_nofity_peer_addr_change" should share the same root cause

2021-01-11 Thread 慕冬亮
Dear developers,

I find that "general protection fault in l2cap_sock_getsockopt" and
"general protection fault in sco_sock_getsockopt" may be duplicated
bugs from the same root cause.

First, by comparing the PoC similarity after own minimization, we find
they share the same PoC. Second, the stack traces for both bug reports
are the same except for the last function. And the different last
functions are due to a function name change (typo fix) from
"sctp_ulpevent_nofity_peer_addr_change" to
"sctp_ulpevent_notify_peer_addr_change"

--
My best regards to you.

 No System Is Safe!
 Dongliang Mu
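The duplicate check described in this message (same PoC, same stack trace except for a renamed last function) can be mechanised. The following is an added example, not code from the thread or from syzkaller: it parses the crash site and kernel Call Trace out of a report, strips offsets and source locations, folds the nofity/notify rename, and compares two reports. The sample reports are constructed from the first frames of the August 2020 syzbot report in this thread.

```python
import re

# Frame lines in a syzkaller/KASAN report look like
#   " sctp_assoc_set_primary+0x6c/0x300 net/sctp/associola.c:435"
#   " sctp_cmd_assoc_update net/sctp/sm_sideeffect.c:836 [inline]"
FRAME_RE = re.compile(r"^\s+([\w.]+)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+\S+:\d+)?")
RIP_RE = re.compile(r"RIP: 0010:([\w.]+)\+0x")

# Renames to fold together; this entry is the typo fix the thread discusses.
RENAMES = {"sctp_ulpevent_nofity_peer_addr_change":
           "sctp_ulpevent_notify_peer_addr_change"}


def extract_frames(report):
    """Crash site first, then the kernel Call Trace, with offsets, source
    locations and known renames normalized away. Stops at the user-space RIP."""
    frames, in_trace = [], False
    for line in report.splitlines():
        m = RIP_RE.search(line)
        if m and not frames:
            frames.append(RENAMES.get(m.group(1), m.group(1)))
        elif line.strip() == "Call Trace:":
            in_trace = True
        elif in_trace:
            if not line.strip() or line.startswith("RIP: 0033"):
                break
            m = FRAME_RE.match(line)
            if m:
                frames.append(RENAMES.get(m.group(1), m.group(1)))
    return frames


def same_root_cause(report_a, report_b):
    """Candidate duplicates: identical normalized frame lists."""
    return extract_frames(report_a) == extract_frames(report_b)


# Constructed sample: the first frames of the August 2020 report, and a
# variant whose crash site still carries the pre-rename function name.
REPORT_NEW = """RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0xa9/0xad0 net/sctp/ulpevent.c:346
Call Trace:
 sctp_assoc_set_primary+0x6c/0x300 net/sctp/associola.c:435
 sctp_assoc_rm_peer+0x6f7/0x950 net/sctp/associola.c:508
 sctp_cmd_assoc_update net/sctp/sm_sideeffect.c:836 [inline]
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43e119
"""
REPORT_OLD = REPORT_NEW.replace("notify_peer", "nofity_peer").replace("0xa9/0xad0", "0xa1/0xa90")

if __name__ == "__main__":
    print(extract_frames(REPORT_NEW))
    print(same_root_cause(REPORT_NEW, REPORT_OLD))
```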


Re: general protection fault in sctp_ulpevent_notify_peer_addr_change

2020-08-12 Thread Jonas Falkevik
On Mon, Aug 10, 2020 at 8:31 PM Marcelo Ricardo Leitner
 wrote:
>
> On Mon, Aug 10, 2020 at 08:37:18AM -0700, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:fffe3ae0 Merge tag 'for-linus-hmm' of git://git.kernel.org..
> > git tree:   upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12f34d3a90
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=50463ec6729f9706
> > dashboard link: https://syzkaller.appspot.com/bug?extid=8f2165a7b1f2820feffc
> > compiler:   gcc (GCC) 10.1.0-syz 20200507
> > syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1517701c90
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b7e0e290
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+8f2165a7b1f2820fe...@syzkaller.appspotmail.com
> >
> > general protection fault, probably for non-canonical address 
> > 0xdc4c:  [#1] PREEMPT SMP KASAN
> > KASAN: null-ptr-deref in range [0x0260-0x0267]
> > CPU: 0 PID: 12765 Comm: syz-executor391 Not tainted 5.8.0-syzkaller #0
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
> > rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> > RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0xa9/0xad0 
> > net/sctp/ulpevent.c:346
>
> Crashed in code added by 45ebf73ebcec ("sctp: check assoc before
> SCTP_ADDR_{MADE_PRIM, ADDED} event"), but it would have crashed a
> couple of instructions later on already anyway.
>
> I can't reproduce this crash, with the same commit and kernel config.
> I'm not seeing how transport->asoc can be null there.
>
I haven't been able to reproduce this yet either.

Doesn't this report have similarities with "general protection fault
in sctp_ulpevent_nofity_peer_addr_change" from 19 March 2020?
https://syzkaller.appspot.com/bug?extid=3950016bd95c2ca0377b


Re: general protection fault in sctp_ulpevent_notify_peer_addr_change

2020-08-10 Thread Marcelo Ricardo Leitner
On Mon, Aug 10, 2020 at 08:37:18AM -0700, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:fffe3ae0 Merge tag 'for-linus-hmm' of git://git.kernel.org..
> git tree:   upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=12f34d3a90
> kernel config:  https://syzkaller.appspot.com/x/.config?x=50463ec6729f9706
> dashboard link: https://syzkaller.appspot.com/bug?extid=8f2165a7b1f2820feffc
> compiler:   gcc (GCC) 10.1.0-syz 20200507
> syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1517701c90
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b7e0e290
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+8f2165a7b1f2820fe...@syzkaller.appspotmail.com
> 
> general protection fault, probably for non-canonical address 
> 0xdc4c:  [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0260-0x0267]
> CPU: 0 PID: 12765 Comm: syz-executor391 Not tainted 5.8.0-syzkaller #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
> rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
> RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0xa9/0xad0 
> net/sctp/ulpevent.c:346

Crashed in code added by 45ebf73ebcec ("sctp: check assoc before
SCTP_ADDR_{MADE_PRIM, ADDED} event"), but it would have crashed a
couple of instructions later on already anyway.

I can't reproduce this crash, with the same commit and kernel config.
I'm not seeing how transport->asoc can be null there.

While trying to reproduce this, when I aborted a test, I actually
triggered:

[ 1527.736212][ T8008] team0 (unregistering): Port device team_slave_1 removed
[ 1527.896902][ T8008] team0 (unregistering): Port device team_slave_0 removed
[ 1528.053936][ T8008] bond0 (unregistering): (slave bond_slave_1): Releasing 
backup interface
[ 1528.445113][ T8008] bond0 (unregistering): (slave bond_slave_0): Releasing 
backup interface
[ 1528.915669][ T8008] bond0 (unregistering): Released all slaves
[ 1530.531179][ T8008] [ cut here ]
[ 1530.666414][ T8008] ODEBUG: free active (active state 0) object type: 
timer_list hint: delayed_work_timer_fn+0x0/0x90
[ 1530.913574][ T8008] WARNING: CPU: 11 PID: 8008 at lib/debugobjects.c:485 
debug_print_object+0x160/0x250
[ 1531.165944][ T8008] Kernel panic - not syncing: panic_on_warn set ...
[ 1531.291997][ T8008] CPU: 11 PID: 8008 Comm: kworker/u48:8 Not tainted 5.8.0+ 
#6
[ 1531.554397][ T8008] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), 
BIOS 1.13.0-2.fc32 04/01/2014
[ 1531.842844][ T8008] Workqueue: netns cleanup_net
[ 1531.983054][ T8008] Call Trace:
[ 1532.122433][ T8008]  dump_stack+0x18f/0x20d
[ 1532.257582][ T8008]  panic+0x2e3/0x75c
[ 1532.385158][ T8008]  ? __warn_printk+0xf3/0xf3
[ 1532.520152][ T8008]  ? console_unlock+0x7f0/0xf30
[ 1532.643891][ T8008]  ? __warn.cold+0x5/0x45
[ 1532.763171][ T8008]  ? __warn+0xd6/0x1f2
[ 1532.884107][ T8008]  ? debug_print_object+0x160/0x250
[ 1533.011290][ T8008]  __warn.cold+0x20/0x45
[ 1533.132625][ T8008]  ? wake_up_klogd.part.0+0x8c/0xc0
[ 1533.248423][ T8008]  ? debug_print_object+0x160/0x250
[ 1533.370165][ T8008]  report_bug+0x1bd/0x210
[ 1533.492858][ T8008]  handle_bug+0x38/0x90
[ 1533.614108][ T8008]  exc_invalid_op+0x14/0x40
[ 1533.730968][ T8008]  asm_exc_invalid_op+0x12/0x20
[ 1533.851289][ T8008] RIP: 0010:debug_print_object+0x160/0x250
[ 1535.678140][ T8008]  ? calc_wheel_index+0x3f0/0x3f0
[ 1535.808026][ T8008]  ? vprintk_func+0x97/0x1a6
[ 1535.939928][ T8008]  ? debug_print_object+0x160/0x250
[ 1536.072538][ T8008]  debug_check_no_obj_freed+0x301/0x41c
[ 1536.203742][ T8008]  ? dev_attr_show+0x90/0x90
[ 1536.343659][ T8008]  kfree+0xf0/0x2c0
[ 1536.484984][ T8008]  ? dev_attr_show+0x90/0x90
[ 1536.620853][ T8008]  kvfree+0x42/0x50
[ 1536.752990][ T8008]  ? netdev_class_remove_file_ns+0x30/0x30
[ 1536.886457][ T8008]  device_release+0x71/0x200
[ 1537.015419][ T8008]  ? dev_attr_show+0x90/0x90
[ 1537.142315][ T8008]  kobject_put+0x171/0x270
[ 1537.269426][ T8008]  netdev_run_todo+0x765/0xac0
[ 1537.402993][ T8008]  ? dev_xdp_uninstall+0x3f0/0x3f0
[ 1537.542007][ T8008]  ? default_device_exit_batch+0x3d0/0

general protection fault in sctp_ulpevent_notify_peer_addr_change

2020-08-10 Thread syzbot
Hello,

syzbot found the following issue on:

HEAD commit:fffe3ae0 Merge tag 'for-linus-hmm' of git://git.kernel.org..
git tree:   upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=12f34d3a90
kernel config:  https://syzkaller.appspot.com/x/.config?x=50463ec6729f9706
dashboard link: https://syzkaller.appspot.com/bug?extid=8f2165a7b1f2820feffc
compiler:   gcc (GCC) 10.1.0-syz 20200507
syz repro:  https://syzkaller.appspot.com/x/repro.syz?x=1517701c90
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=11b7e0e290

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+8f2165a7b1f2820fe...@syzkaller.appspotmail.com

general protection fault, probably for non-canonical address 
0xdc4c:  [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0260-0x0267]
CPU: 0 PID: 12765 Comm: syz-executor391 Not tainted 5.8.0-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0xa9/0xad0 
net/sctp/ulpevent.c:346
Call Trace:
 sctp_assoc_set_primary+0x6c/0x300 net/sctp/associola.c:435
 sctp_assoc_rm_peer+0x6f7/0x950 net/sctp/associola.c:508
 sctp_assoc_update+0x588/0xfd0 net/sctp/associola.c:1116
 sctp_cmd_assoc_update net/sctp/sm_sideeffect.c:836 [inline]
 sctp_cmd_interpreter net/sctp/sm_sideeffect.c:1305 [inline]
 sctp_side_effects net/sctp/sm_sideeffect.c:1185 [inline]
 sctp_do_sm+0x27f8/0x4d80 net/sctp/sm_sideeffect.c:1156
 sctp_assoc_bh_rcv+0x386/0x6c0 net/sctp/associola.c:1044
 sctp_inq_push+0x1da/0x270 net/sctp/inqueue.c:80
 sctp_backlog_rcv+0x19e/0x5c0 net/sctp/input.c:344
 sk_backlog_rcv include/net/sock.h:1001 [inline]
 __release_sock+0x134/0x3a0 net/core/sock.c:2550
 release_sock+0x54/0x1b0 net/core/sock.c:3087
 sctp_wait_for_connect+0x30f/0x540 net/sctp/socket.c:9302
 __sctp_connect+0x96b/0xc00 net/sctp/socket.c:1247
 __sctp_setsockopt_connectx+0x12d/0x180 net/sctp/socket.c:1343
 sctp_setsockopt_connectx net/sctp/socket.c:1375 [inline]
 sctp_setsockopt net/sctp/socket.c:4720 [inline]
 sctp_setsockopt+0x1642/0x70d0 net/sctp/socket.c:4677
 __sys_setsockopt+0x24a/0x480 net/socket.c:2127
 __do_sys_setsockopt net/socket.c:2143 [inline]
 __se_sys_setsockopt net/socket.c:2140 [inline]
 __x64_sys_setsockopt+0xba/0x150 net/socket.c:2140
 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
 entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x43e119
Modules linked in:
---[ end trace 49c057cb66761ca9 ]---
RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0xa9/0xad0 
net/sctp/ulpevent.c:346