"Bug in qdisc_create" in Linux kernel version 2.6.26
From: cheung wall
Date: Sun Dec 01 2024 - 23:31:29 EST
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 2.6.26.
This issue was discovered using our custom vulnerability discovery
tool.
Affected File:
File: net/sched/sch_dsmark.c
Function: qdisc_create
Detailed call trace:
[ 2020.553610] Pid: 23156, comm: a.out Tainted: G D 2.6.26-1-amd64 #1
[ 2020.553610] RIP: 0010:[<ffffffffa030b3a0>] [<ffffffffa030b3a0>]
:sch_dsmark:dsmark_init+0x45/0x123
[ 2020.553610] RSP: 0018:ffff8101711a39a8 EFLAGS: 00000246
[ 2020.553610] RAX: 0000000000000000 RBX: ffff810238109a00 RCX: 0000000000000008
[ 2020.553610] RDX: 0000000000000000 RSI: 0000000000000006 RDI: ffff810238109634
[ 2020.553610] RBP: 0000000000010000 R08: ffffffffa030b8c0 R09: ffff810238109624
[ 2020.553610] R10: ffff81000109f8f0 R11: 0000000000200200 R12: 0000000080020000
[ 2020.553610] R13: ffff810238109a00 R14: ffff810238109600 R15: ffffffffa030c300
[ 2020.553610] FS: 00007f375936f6e0(0000) GS:ffff81023beefc40(0000)
knlGS:0000000000000000
[ 2020.553610] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 2020.553610] CR2: 0000000000000004 CR3: 0000000156c8f000 CR4: 00000000000006e0
[ 2020.553610] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2020.553610] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 2020.553610] Process a.out (pid: 23156, threadinfo ffff8101711a2000,
task ffff81022d116fa0)
[ 2020.553610] Stack: 0000000000000000 0000000000000000
ffff810238109634 0000000000000000
[ 2020.553610] 0000000000000000 0000000000000000 ffff810238109a00
0000000000010000
[ 2020.553610] 0000000080020000 ffff81023b1db000 ffff810238109600
ffffffff803ccf98
[ 2020.553610] Call Trace:
[ 2020.553610] [<ffffffff803ccf98>] ? qdisc_create+0x166/0x21e
[ 2020.553610] [<ffffffff803cdb33>] ? tc_modify_qdisc+0x286/0x393
[ 2020.553690] [<ffffffff803c3bf3>] ? rtnetlink_rcv_msg+0x0/0x1dd
[ 2020.553690] [<ffffffff803d1cc8>] ? netlink_rcv_skb+0x34/0x7c
[ 2020.553690] [<ffffffff803c3bed>] ? rtnetlink_rcv+0x18/0x1e
[ 2020.553690] [<ffffffff803d1ab3>] ? netlink_unicast+0x1e9/0x261
[ 2020.553690] [<ffffffff803b5f34>] ? __alloc_skb+0x7f/0x12d
[ 2020.553690] [<ffffffff803d2280>] ? netlink_sendmsg+0x274/0x287
[ 2020.553690] [<ffffffffa0113e46>] ?
:ext3:__ext3_journal_dirty_metadata+0x1e/0x46
[ 2020.553690] [<ffffffff803afea1>] ? sock_sendmsg+0xe2/0xff
[ 2020.553690] [<ffffffff802461a9>] ? autoremove_wake_function+0x0/0x2e
[ 2020.553690] [<ffffffff8027ca79>] ? zone_statistics+0x3a/0x8e
[ 2020.553690] [<ffffffff80276423>] ? get_page_from_freelist+0x45a/0x603
[ 2020.553690] [<ffffffff8027117a>] ? find_lock_page+0x1f/0x8a
[ 2020.553690] [<ffffffff8027e7c7>] ? __do_fault+0x39b/0x3e6
[ 2020.553690] [<ffffffff803b00d5>] ? sys_sendmsg+0x217/0x28a
[ 2020.553690] [<ffffffff803b1f69>] ? lock_sock_nested+0x9b/0xa6
[ 2020.553690] [<ffffffff802817df>] ? handle_mm_fault+0x3f4/0x867
[ 2020.553690] [<ffffffff80429e2d>] ? _spin_lock_bh+0x9/0x1f
[ 2020.553690] [<ffffffff803b1e4b>] ? release_sock+0x13/0x96
[ 2020.553690] [<ffffffff803b0aea>] ? move_addr_to_user+0x5d/0x78
[ 2020.553690] [<ffffffff803b0f9c>] ? sys_getsockname+0x7a/0xaa
[ 2020.553690] [<ffffffff8020beca>] ? system_call_after_swapgs+0x8a/0x8f
[ 2020.553690]
[ 2020.553690]
[ 2020.553690] Code: 0e 48 8d 56 04 48 89 e7 49 c7 c0 c0 b8 30 a0 be
05 00 00 00 83 e9 04 e8 dc 7f 0c e0 85 c0 89 c2 0f 88 d4 00 00 00 48
8b 44 24 08 <66> 8b 68 04 0f b7 fd e8 f8 7b 01 e0 ff c8 0f 85 b6 00 00
00 48
[ 2020.553690] RIP [<ffffffffa030b3a0>] :sch_dsmark:dsmark_init+0x45/0x123
[ 2020.553691] RSP <ffff8101711a39a8>
[ 2020.553691] CR2: 0000000000000004
[ 2020.558108] ---[ end trace 9deab910d1f789fc ]---
Repro C Source Code: https://pastebin.com/Gmj8kvJB
Root Cause:
The root cause of this bug lies in the dsmark_init function within the
sch_dsmark module, where an invalid memory access occurs due to a null
pointer dereference (CR2: 0000000000000004). The PoC triggers this
issue by invoking a series of socket-related system calls, including
socket, bind, getsockname, and sendmsg, with crafted parameters and
malformed data. This results in the improper initialization or
handling of the dsmark traffic control queueing discipline, leading to
an assertion failure and kernel crash. The issue arises from
insufficient input validation and error handling during the
initialization of the sch_dsmark structure, where certain fields are
not properly set up before being accessed, violating kernel invariants
and causing the crash.
Thank you for your time and attention.
Best regards
Wall