BUG unable to handle kernel paging request in michael_update

[Ubisectech Sirius]

Hello.
We are Ubisectech Sirius Team, the vulnerability lab of China ValiantSec. Recently, our team has discovered a issue in Linux kernel 6.8. Attached to the email were a PoC file of the issue.

Stack dump:

BUG: unable to handle page fault for address: ffff8880549788c0
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 14601067 P4D 14601067 PUD 14604067 PMD 5d656063 PTE 800fffffab687060
Oops: 0000 [#1] PREEMPT SMP KASAN NOPTI
CPU: 0 PID: 10418 Comm: syz.2.73 Not tainted 6.8.0 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
RIP: 0010:memcpy_orig+0x115/0x140 arch/x86/lib/memcpy_64.S:160
Code: 0f 1f 44 00 00 83 fa 04 72 1b 8b 0e 44 8b 44 16 fc 89 0f 44 89 44 17 fc c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 83 ea 01 72 19 <0f> b6 0e 74 12 4c 0f b6 46 01 4c 0f b6 0c 16 44 88 47 01 44 88 0c
RSP: 0018:ffffc90001ba77f0 EFLAGS: 00010246
RAX: ffff888058eb3b00 RBX: 0000000000000001 RCX: ffffc90007921000
RDX: 0000000000000000 RSI: ffff8880549788c0 RDI: ffff888058eb3b00
RBP: ffff888058eb3b08 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff81e23f44 R12: 0000000000000001
R13: ffff888058eb3af8 R14: 000000000000001d R15: 0000000000000000
FS:  00007fa947932640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880549788c0 CR3: 0000000054a6c000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
 <TASK>
 michael_update+0x334/0x3d0 crypto/michael_mic.c:90
 shash_ahash_update+0x178/0x1c0 crypto/ahash.c:71
 crypto_ahash_update+0x7b/0x120 crypto/ahash.c:350
 hash_sendmsg+0x354/0xfb0 crypto/algif_hash.c:149
 sock_sendmsg_nosec net/socket.c:730 [inline]
 __sock_sendmsg net/socket.c:745 [inline]
 ____sys_sendmsg+0xaaf/0xc70 net/socket.c:2584
 ___sys_sendmsg+0x11d/0x1c0 net/socket.c:2638
 __sys_sendmmsg+0x18c/0x460 net/socket.c:2724
 __do_sys_sendmmsg net/socket.c:2753 [inline]
 __se_sys_sendmmsg net/socket.c:2750 [inline]
 __x64_sys_sendmmsg+0x9c/0x100 net/socket.c:2750
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd5/0x270 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6f/0x77
RIP: 0033:0x7fa946b958cd
Code: 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fa947931fa8 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007fa946d33f60 RCX: 00007fa946b958cd
RDX: 0000000000000001 RSI: 0000000020000e40 RDI: 000000000000000b
RBP: 00007fa946c1bb06 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000008084 R11: 0000000000000246 R12: 0000000000000000
R13: 000000000000000b R14: 00007fa946d33f60 R15: 00007fa947912000
 </TASK>
Modules linked in:
CR2: ffff8880549788c0
---[ end trace 0000000000000000 ]---
RIP: 0010:memcpy_orig+0x115/0x140 arch/x86/lib/memcpy_64.S:160
Code: 0f 1f 44 00 00 83 fa 04 72 1b 8b 0e 44 8b 44 16 fc 89 0f 44 89 44 17 fc c3 cc cc cc cc 0f 1f 84 00 00 00 00 00 83 ea 01 72 19 <0f> b6 0e 74 12 4c 0f b6 46 01 4c 0f b6 0c 16 44 88 47 01 44 88 0c
RSP: 0018:ffffc90001ba77f0 EFLAGS: 00010246
RAX: ffff888058eb3b00 RBX: 0000000000000001 RCX: ffffc90007921000
RDX: 0000000000000000 RSI: ffff8880549788c0 RDI: ffff888058eb3b00
RBP: ffff888058eb3b08 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: ffffffff81e23f44 R12: 0000000000000001
R13: ffff888058eb3af8 R14: 000000000000001d R15: 0000000000000000
FS:  00007fa947932640(0000) GS:ffff88802c600000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffff8880549788c0 CR3: 0000000054a6c000 CR4: 0000000000750ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
----------------
Code disassembly (best guess):
   0:   0f 1f 44 00 00          nopl   0x0(%rax,%rax,1)
   5:   83 fa 04                cmp    $0x4,%edx
   8:   72 1b                   jb     0x25
   a:   8b 0e                   mov    (%rsi),%ecx
   c:   44 8b 44 16 fc          mov    -0x4(%rsi,%rdx,1),%r8d
  11:   89 0f                   mov    %ecx,(%rdi)
  13:   44 89 44 17 fc          mov    %r8d,-0x4(%rdi,%rdx,1)
  18:   c3                      ret
  19:   cc                      int3
  1a:   cc                      int3
  1b:   cc                      int3
  1c:   cc                      int3
  1d:   0f 1f 84 00 00 00 00    nopl   0x0(%rax,%rax,1)
  24:   00
  25:   83 ea 01                sub    $0x1,%edx
  28:   72 19                   jb     0x43
* 2a:   0f b6 0e                movzbl (%rsi),%ecx <-- trapping instruction
  2d:   74 12                   je     0x41
  2f:   4c 0f b6 46 01          movzbq 0x1(%rsi),%r8
  34:   4c 0f b6 0c 16          movzbq (%rsi,%rdx,1),%r9
  39:   44 88 47 01             mov    %r8b,0x1(%rdi)
  3d:   44                      rex.R
  3e:   88                      .byte 0x88
  3f:   0c                      .byte 0xc


Thank you for taking the time to read this email and we look forward to working with you further.

Attachment: poc.c
Description: Binary data