BUG: unable to handle kernel NULL pointer dereference in cipso_v4_sock_setattr

Dmitry Vyukov dvyukov at google.com
Tue Feb 25 14:27:51 UTC 2020 

On Tue, Feb 25, 2020 at 3:20 PM Paul Moore <paul at paul-moore.com> wrote:
>
> On Tue, Feb 25, 2020 at 3:19 AM syzbot
> <syzbot+f4dfece964792d80b139 at syzkaller.appspotmail.com> wrote:
> >
> > Hello,
> >
> > syzbot found the following crash on:
> >
> > HEAD commit:    ca7e1fd1 Merge tag 'linux-kselftest-5.6-rc3' of git://git...
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=179f0931e00000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=a61f2164c515c07f
> > dashboard link: https://syzkaller.appspot.com/bug?extid=f4dfece964792d80b139
> > compiler:       clang version 10.0.0 (https://github.com/llvm/llvm-project/ c2443155a0fb245c8f17f2c1c72b6ea391e86e81)
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=14fdfdede00000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=17667de9e00000
> >
> > The bug was bisected to:
> >
> > commit 2303f994b3e187091fd08148066688b08f837efc
> > Author: Peter Krystad <peter.krystad at linux.intel.com>
> > Date:   Wed Jan 22 00:56:17 2020 +0000
> >
> >     mptcp: Associate MPTCP context with TCP socket
> >
> > bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=14fbec81e00000
> > final crash:    https://syzkaller.appspot.com/x/report.txt?x=16fbec81e00000
> > console output: https://syzkaller.appspot.com/x/log.txt?x=12fbec81e00000
> >
> > IMPORTANT: if you fix the bug, please add the following tag to the commit:
> > Reported-by: syzbot+f4dfece964792d80b139 at syzkaller.appspotmail.com
> > Fixes: 2303f994b3e1 ("mptcp: Associate MPTCP context with TCP socket")
> >
> > BUG: kernel NULL pointer dereference, address: 0000000000000000
> > #PF: supervisor instruction fetch in kernel mode
> > #PF: error_code(0x0010) - not-present page
> > PGD 8e171067 P4D 8e171067 PUD 93fa2067 PMD 0
> > Oops: 0010 [#1] PREEMPT SMP KASAN
> > CPU: 0 PID: 8984 Comm: syz-executor066 Not tainted 5.6.0-rc2-syzkaller #0
> > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > RIP: 0010:0x0
> > Code: Bad RIP value.
> > RSP: 0018:ffffc900020b7b80 EFLAGS: 00010246
> > RAX: 1ffff110124ba600 RBX: 0000000000000000 RCX: ffff88809fefa600
> > RDX: ffff8880994cdb18 RSI: 0000000000000000 RDI: ffff8880925d3140
> > RBP: ffffc900020b7bd8 R08: ffffffff870225be R09: fffffbfff140652a
> > R10: fffffbfff140652a R11: 0000000000000000 R12: ffff8880925d35d0
> > R13: ffff8880925d3140 R14: dffffc0000000000 R15: 1ffff110124ba6ba
> > FS:  0000000001a0b880(0000) GS:ffff8880aea00000(0000) knlGS:0000000000000000
> > CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> > CR2: ffffffffffffffd6 CR3: 00000000a6d6f000 CR4: 00000000001406f0
> > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> > DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> > Call Trace:
> >  cipso_v4_sock_setattr+0x34b/0x470 net/ipv4/cipso_ipv4.c:1888
> >  netlbl_sock_setattr+0x2a7/0x310 net/netlabel/netlabel_kapi.c:989
> >  smack_netlabel security/smack/smack_lsm.c:2425 [inline]
> >  smack_inode_setsecurity+0x3da/0x4a0 security/smack/smack_lsm.c:2716
> >  security_inode_setsecurity+0xb2/0x140 security/security.c:1364
> >  __vfs_setxattr_noperm+0x16f/0x3e0 fs/xattr.c:197
> >  vfs_setxattr fs/xattr.c:224 [inline]
> >  setxattr+0x335/0x430 fs/xattr.c:451
> >  __do_sys_fsetxattr fs/xattr.c:506 [inline]
> >  __se_sys_fsetxattr+0x130/0x1b0 fs/xattr.c:495
> >  __x64_sys_fsetxattr+0xbf/0xd0 fs/xattr.c:495
> >  do_syscall_64+0xf7/0x1c0 arch/x86/entry/common.c:294
> >  entry_SYSCALL_64_after_hwframe+0x49/0xbe
>
> Netdev folks, I'm not very familiar with the multipath TCP code so I
> was wondering if you might help me out a bit with this report.  Based
> on the stack trace above it looks like for a given AF_INET sock "sk",
> inet_sk(sk)->is_icsk is true but inet_csk(sk) is NULL; should this be
> possible under normal conditions or is there an issue somewhere?

Paolo has submitted some patch for testing for this bug, not sure if
you have seen it, just in case:
https://groups.google.com/forum/#!msg/syzkaller-bugs/dqwnTBh-MQw/LhgSZYGsBgAJ

More information about the Linux-security-module-archive mailing list