Re: [syzbot] general protection fault in ax25_send_frame (2)

From: Peter Lafreniere
Date: Sat Nov 19 2022 - 19:02:35 EST
In response to the following syzbot report:

> general protection fault, probably for non-canonical address 0xdffffc000000006c: 0000 [#1] PREEMPT SMP KASAN
> KASAN: null-ptr-deref in range [0x0000000000000360-0x0000000000000367]
> CPU: 1 PID: 10715 Comm: syz-executor.3 Not tainted 6.0.0-rc4-syzkaller-00136-g0727a9a5fbc1 #0
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
> RIP: 0010:ax25_dev_ax25dev include/net/ax25.h:342 [inline]
> RIP: 0010:ax25_send_frame+0xe4/0x640 net/ax25/ax25_out.c:56
> Code: 00 48 85 c0 49 89 c4 0f 85 fb 03 00 00 e8 34 cb 2b f9 49 8d bd 60 03 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b1 04 00 00 4d 8b ad 60 03 00 00 4d 85 ed 0f 84
>
> RSP: 0000:ffffc90004c77a00 EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: ffff88814a308008 RCX: 0000000000000100
> RDX: 000000000000006c RSI: ffffffff88503efc RDI: 0000000000000360
> RBP: ffffffff91561460 R08: 0000000000000001 R09: ffffffff908e4a9f
> R10: 0000000000000001 R11: 1ffffffff2020d9a R12: 0000000000000000
> R13: 0000000000000000 R14: 0000000000000104 R15: 0000000000000000
> FS: 0000555556215400(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 0000001b2f328000 CR3: 0000000050a64000 CR4: 00000000003506e0
> DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> Call Trace:
> <TASK>
>
> rose_send_frame+0xcc/0x2f0 net/rose/rose_link.c:106
> rose_transmit_clear_request+0x1d5/0x290 net/rose/rose_link.c:255
> rose_rx_call_request+0x4c0/0x1bc0 net/rose/af_rose.c:1009
> rose_loopback_timer+0x19e/0x590 net/rose/rose_loopback.c:111
> call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
> expire_timers kernel/time/timer.c:1519 [inline]
> __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
> __run_timers kernel/time/timer.c:1768 [inline]
> run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
> [...]
> </TASK>

The null dereference in ax25_dev_ax25dev() must be from a null struct
net_device* dev being passed to ax25_send_frame(). By tracing the call stack,
the null pointer can be shown as coming from the dev field of
rose_loopback_neigh being null.

The null dereference was already mitigated with a fail-silent check by
commit e97c089d7a49 ("rose: Fix NULL pointer dereference in rose_send_frame()")
in response to a previous syzbot report "general protection fault in
rose_send_frame (2)", which was not closed.

Does anyone object to marking syzbot bugs
"general protection fault in {ax25|rose}_send_frame (2)"
as fixed?

Respectfully,
Peter Lafreniere (N8PJL)