Re: general protection fault in fib6_nh_init

From: David Ahern
Date: Wed Jun 05 2019 - 11:57:12 EST


On 6/3/19 11:10 PM, syzbot wrote:
>
> general protection fault: 0000 [#1] PREEMPT SMP KASAN
> CPU: 0 PID: 4498 Comm: syz-executor.4 Not tainted 5.2.0-rc2+ #10
> Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
> Google 01/01/2011
> RIP: 0010:ipv6_addr_any include/net/ipv6.h:626 [inline]
> RIP: 0010:ip6_route_check_nh_onlink net/ipv6/route.c:2910 [inline]
> RIP: 0010:ip6_validate_gw net/ipv6/route.c:3013 [inline]
> RIP: 0010:fib6_nh_init+0x47e/0x1c80 net/ipv6/route.c:3121
> Code: 89 de e8 45 9f 4e fb 48 85 db 0f 84 fb 10 00 00 e8 97 9d 4e fb 48
> 8d 7b 40 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02
> 00 0f 85 bf 16 00 00 48 8d 7b 48 48 8b 4b 40 48 b8 00 00
> RSP: 0018:ffff888060e277c0 EFLAGS: 00010a02
> RAX: dffffc0000000000 RBX: ff8880a43d5cc000 RCX: ffffc90012a9f000
> RDX: 1ff1101487ab9808 RSI: ffffffff86220829 RDI: ff8880a43d5cc040

This one, to me, falls into the corruption of the rt6_info in pcpu memory.

ip6_route_check_nh_onlink has already checked that 'from' is non-NULL
and fib6_dst falls within that memory.

RDI is the first input arg and appears to point to an invalid memory
address. In my tests all mallocs (f6i, nexthops, pcpu routes, etc.) start
with 0xffff but RDI is 0xff88 which seems wrong.
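The pointer arithmetic behind the fault above, as an added example that is not part of this thread: it reproduces the KASAN shadow-address computation visible in the report's Code: bytes and the x86-64 canonical-address check, run over the RDI and RSP values from the trace (4-level paging with 48-bit virtual addresses is assumed), to show why a 0xff88... pointer makes the inlined KASAN check itself take a general protection fault instead of producing a KASAN report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Generic KASAN on x86-64: shadow = (addr >> 3) + KASAN_SHADOW_OFFSET.
 * These are the constants in the report's Code: bytes
 * (mov rax, 0xdffffc0000000000; shr rdx, 3; cmpb [rdx+rax], 0). */
#define KASAN_SHADOW_OFFSET 0xdffffc0000000000ULL
#define KASAN_SHADOW_SCALE_SHIFT 3

uint64_t kasan_shadow(uint64_t addr)
{
    return (addr >> KASAN_SHADOW_SCALE_SHIFT) + KASAN_SHADOW_OFFSET;
}

/* Assumes 4-level paging (48-bit VA): bits 63..47 must all equal bit 47.
 * A non-canonical address raises #GP (general protection fault), which is
 * why the trace shows a GPF rather than a KASAN report or a page fault. */
bool is_canonical(uint64_t va)
{
    uint64_t top17 = va >> 47;
    return top17 == 0 || top17 == 0x1ffff;
}

/* The heuristic from the mail: kmalloc/pcpu pointers start with 0xffff. */
bool looks_like_direct_map_ptr(uint64_t va)
{
    return (va >> 48) == 0xffff;
}

/* True when the inlined KASAN shadow load on 'ptr' would itself fault. */
bool shadow_check_faults(uint64_t ptr)
{
    return !is_canonical(kasan_shadow(ptr));
}

void triage(const char *label, uint64_t ptr)
{
    printf("%-4s ptr=%#018llx kernel-looking=%d canonical=%d "
           "shadow=%#018llx shadow-canonical=%d\n",
           label, (unsigned long long)ptr, looks_like_direct_map_ptr(ptr),
           is_canonical(ptr), (unsigned long long)kasan_shadow(ptr),
           is_canonical(kasan_shadow(ptr)));
}

int main(void)
{
    triage("RDI", 0xff8880a43d5cc040ULL); /* faulting pointer from the report */
    triage("RSP", 0xffff888060e277c0ULL); /* sane direct-map address, same report */
    return 0;
}
```

The RDI row reproduces the report's RDX (the shifted pointer, 0x1ff1101487ab9808) and shows that both the pointer and its shadow address are non-canonical, matching the #GP at the cmpb instruction.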