BUG: general protection fault in tomoyo_check_acl

Xingyu Li xli399 at ucr.edu
Wed Aug 28 23:00:55 UTC 2024


Hi,

We found a bug in Linux 6.10 using syzkaller. It is possibly a null
pointer dereference  bug.
The bug report is as follows, but unfortunately there is no generated
syzkaller reproducer.

Bug report:

Oops: general protection fault, probably for non-canonical address
0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
CPU: 0 PID: 1 Comm: systemd Not tainted 6.10.0 #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:tomoyo_check_acl+0xa8/0x3f0 security/tomoyo/domain.c:173
Code: e8 03 42 8a 04 28 84 c0 0f 85 c1 02 00 00 48 8b 1c 24 4c 8b 23
49 39 dc 0f 84 fa 01 00 00 49 8d 6c 24 18 48 89 e8 48 c1 e8 03 <42> 0f
b6 04 28 84 c0 0f 85 16 01 00 00 0f b6 6d 00 31 ff 89 ee e8
RSP: 0018:ffffc9000003f518 EFLAGS: 00010206
RAX: 0000000000000003 RBX: ffff88801e329f10 RCX: ffff8880142c8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000018 R08: ffffffff840e6c85 R09: ffffffff840fb2f0
R10: 0000000000000002 R11: ffffffff840e6c00 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88801e329f00 R15: 0000000000000000
FS:  00007f1b0d157900(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff1162f68b8 CR3: 000000001a4bc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 tomoyo_path_permission+0x1a8/0x360 security/tomoyo/file.c:586
 tomoyo_check_open_permission+0x2f5/0x4f0 security/tomoyo/file.c:777
 security_file_open+0x4f/0x760 security/security.c:2962
 do_dentry_open+0x382/0x1420 fs/open.c:942
 vfs_open+0x3a/0x330 fs/open.c:1086
 do_open fs/namei.c:3654 [inline]
 path_openat+0x2bb9/0x3580 fs/namei.c:3813
 do_filp_open+0x22d/0x480 fs/namei.c:3840
 do_sys_openat2+0x13a/0x1c0 fs/open.c:1413
 do_sys_open fs/open.c:1428 [inline]
 __do_sys_openat fs/open.c:1444 [inline]
 __se_sys_openat fs/open.c:1439 [inline]
 __x64_sys_openat+0x243/0x290 fs/open.c:1439
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x7e/0x150 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x67/0x6f
RIP: 0033:0x7f1b0d62d1e4
Code: 84 00 00 00 00 00 44 89 54 24 0c e8 36 58 f9 ff 44 8b 54 24 0c
44 89 e2 48 89 ee 41 89 c0 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d
00 f0 ff ff 77 34 44 89 c7 89 44 24 0c e8 68 58 f9 ff 8b 44
RSP: 002b:00007ffc7a797b50 EFLAGS: 00000293 ORIG_RAX: 0000000000000101
RAX: ffffffffffffffda RBX: 0000560238c8c780 RCX: 00007f1b0d62d1e4
RDX: 0000000000080000 RSI: 00007ffc7a797cb0 RDI: 00000000ffffff9c
RBP: 00007ffc7a797cb0 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000080000
R13: 0000560238c8c780 R14: 0000000000000001 R15: 00007ffc7a797cb0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:tomoyo_check_acl+0xa8/0x3f0 security/tomoyo/domain.c:173
Code: e8 03 42 8a 04 28 84 c0 0f 85 c1 02 00 00 48 8b 1c 24 4c 8b 23
49 39 dc 0f 84 fa 01 00 00 49 8d 6c 24 18 48 89 e8 48 c1 e8 03 <42> 0f
b6 04 28 84 c0 0f 85 16 01 00 00 0f b6 6d 00 31 ff 89 ee e8
RSP: 0018:ffffc9000003f518 EFLAGS: 00010206
RAX: 0000000000000003 RBX: ffff88801e329f10 RCX: ffff8880142c8000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: 0000000000000018 R08: ffffffff840e6c85 R09: ffffffff840fb2f0
R10: 0000000000000002 R11: ffffffff840e6c00 R12: 0000000000000000
R13: dffffc0000000000 R14: ffff88801e329f00 R15: 0000000000000000
FS:  00007f1b0d157900(0000) GS:ffff888063a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff116299ba8 CR3: 000000001a4bc000 CR4: 0000000000350ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
----------------
Code disassembly (best guess):
   0: e8 03 42 8a 04       call   0x48a4208
   5: 28 84 c0 0f 85 c1 02 sub    %al,0x2c1850f(%rax,%rax,8)
   c: 00 00                 add    %al,(%rax)
   e: 48 8b 1c 24           mov    (%rsp),%rbx
  12: 4c 8b 23             mov    (%rbx),%r12
  15: 49 39 dc             cmp    %rbx,%r12
  18: 0f 84 fa 01 00 00     je     0x218
  1e: 49 8d 6c 24 18       lea    0x18(%r12),%rbp
  23: 48 89 e8             mov    %rbp,%rax
  26: 48 c1 e8 03           shr    $0x3,%rax
* 2a: 42 0f b6 04 28       movzbl (%rax,%r13,1),%eax <-- trapping instruction
  2f: 84 c0                 test   %al,%al
  31: 0f 85 16 01 00 00     jne    0x14d
  37: 0f b6 6d 00           movzbl 0x0(%rbp),%ebp
  3b: 31 ff                 xor    %edi,%edi
  3d: 89 ee                 mov    %ebp,%esi
  3f: e8                   .byte 0xe8


-- 
Yours sincerely,
Xingyu



More information about the Linux-security-module-archive mailing list