"general protection fault in netlbl_unlhsh_add" in Linux Kernel Version 4.9
From: cheung wall
Date: Sun Dec 01 2024 - 23:32:11 EST
Hello,
I am writing to report a potential vulnerability identified in the
Linux Kernel version 4.9.
This issue was discovered using our custom vulnerability discovery
tool.
Affected File: netlabel_unlabeled.c
Function: netlbl_unlhsh_add_addr4
Detailed call trace:
sr 1:0:0:0: [sr0] unaligned transfer
tmpfs: Bad mount option nr_)nodes
9pnet: Insufficient options for proto=fd
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Modules linked in:
CPU: 1 PID: 6915 Comm: syz.2.719 Not tainted 4.9.0+ #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
task: ffff88006b952940 task.stack: ffff88005d920000
RIP: 0010:[<ffffffff82f4e3e6>] [<ffffffff82f4e3e6>] netlbl_unlhsh_add_addr4 net/netlabel/netlabel_unlabeled.c:262 [inline]
RIP: 0010:[<ffffffff82f4e3e6>] [<ffffffff82f4e3e6>] netlbl_unlhsh_add+0x8e6/0xf00 net/netlabel/netlabel_unlabeled.c:430
RSP: 0018:ffff88005d9274c8 EFLAGS: 00010257
RAX: 000000000100007f RBX: 0000000000000004 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000202 RDI: 0000000000000000
RBP: ffff88005d9275b8 R08: 00000000000000a0 R09: ffff88005d80c000
R10: 00000000e8d5b47c R11: 0000000097bb816a R12: ffff88006abcd680
R13: 0000000000000000 R14: ffff88005d9bcae0 R15: ffff88006879542c
FS: 00007f7c96bb1640(0000) GS:ffff88006d100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7c96baff88 CR3: 0000000069138000 CR4: 00000000003406e0
Stack:
ffffffff81946e40 ffff88006abcd680 1ffff1000bb24e9e 0000012b83476cad
0000000000000000 0000000041b58ab3 ffffffff834b7a00 ffffffff82f4db00
ffff88005d927638 00000000024000c0 0000000000000022 ffff88005d927550
Call Trace:
[<ffffffff82f4ed95>] netlbl_unlabel_staticadddef+0x395/0x460 net/netlabel/netlabel_unlabeled.c:980
[<ffffffff82915b6c>] genl_family_rcv_msg+0x69c/0xc30 net/netlink/genetlink.c:636
[<ffffffff829162ab>] genl_rcv_msg+0x1ab/0x260 net/netlink/genetlink.c:660
[<ffffffff82914477>] netlink_rcv_skb+0x297/0x390 net/netlink/af_netlink.c:2298
[<ffffffff829154b8>] genl_rcv+0x28/0x40 net/netlink/genetlink.c:671
[<ffffffff82912e84>] netlink_unicast_kernel net/netlink/af_netlink.c:1231 [inline]
[<ffffffff82912e84>] netlink_unicast+0x4c4/0x6e0 net/netlink/af_netlink.c:1257
[<ffffffff82913a17>] netlink_sendmsg+0x977/0xca0 net/netlink/af_netlink.c:1803
[<ffffffff8280164a>] sock_sendmsg_nosec net/socket.c:621 [inline]
[<ffffffff8280164a>] sock_sendmsg+0xca/0x110 net/socket.c:631
[<ffffffff82803480>] ___sys_sendmsg+0x730/0x870 net/socket.c:1954
[<ffffffff82804cf1>] __sys_sendmsg+0xd1/0x170 net/socket.c:1988
[<ffffffff82804dbd>] SYSC_sendmsg net/socket.c:1999 [inline]
[<ffffffff82804dbd>] SyS_sendmsg+0x2d/0x50 net/socket.c:1995
[<ffffffff82f8f937>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 f4 02 00 00 48 89 d9 48 ba 00 00 00 00 00 fc ff df 41 8b 07 48 c1 e9 03 <0f> b6 0c 11 48 89 da 83 e2 07 83 c2 03 38 ca 7c 08 84 c9 0f 85
RIP [<ffffffff82f4e3e6>] netlbl_unlhsh_add_addr4 net/netlabel/netlabel_unlabeled.c:262 [inline]
RIP [<ffffffff82f4e3e6>] netlbl_unlhsh_add+0x8e6/0xf00 net/netlabel/netlabel_unlabeled.c:430
RSP <ffff88005d9274c8>
---[ end trace ec99797c85dd42d0 ]---
Repro C Source Code: https://pastebin.com/aHhVhbJ4
Root Cause:
The root cause appears to be a NULL pointer dereference or improper
memory handling within the netlbl_unlhsh_add function, likely due to
misconfigurations or faulty memory accesses. This could be exacerbated
by incorrect kernel options or mounting configurations, such as
unaligned transfers or missing options for 9pnet.
Thank you for your time and attention.
Best regards
Wall
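As an added triage example (not part of this report and not code from the kernel tree): a small Python parser for the x86_64 oops layout quoted above. It pulls out the faulting function and source location, the call chain, the register dump and the KASAN hint, and derives the facts a maintainer asks for first when a report like this arrives: which system call leads into the faulting code and which registers held zero at the fault. The sample input is a constructed excerpt of the report with the mail's line wrapping undone; the regexes assume the 4.9-era layout shown here (frames prefixed with `[<addr>]`), so they would need adjusting for kernels that print frames differently.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed excerpt of the report quoted in the mail, with the e-mail line wrapping
# undone so that each frame sits on one line (sample input for the parser only).
SAMPLE_OOPS = """\
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
CPU: 1 PID: 6915 Comm: syz.2.719 Not tainted 4.9.0+ #1
RIP: 0010:[<ffffffff82f4e3e6>]  [<ffffffff82f4e3e6>] netlbl_unlhsh_add_addr4 net/netlabel/netlabel_unlabeled.c:262 [inline]
RIP: 0010:[<ffffffff82f4e3e6>]  [<ffffffff82f4e3e6>] netlbl_unlhsh_add+0x8e6/0xf00 net/netlabel/netlabel_unlabeled.c:430
RAX: 000000000100007f RBX: 0000000000000004 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000202 RDI: 0000000000000000
Call Trace:
 [<ffffffff82f4ed95>] netlbl_unlabel_staticadddef+0x395/0x460 net/netlabel/netlabel_unlabeled.c:980
 [<ffffffff82915b6c>] genl_family_rcv_msg+0x69c/0xc30 net/netlink/genetlink.c:636
 [<ffffffff82913a17>] netlink_sendmsg+0x977/0xca0 net/netlink/af_netlink.c:1803
 [<ffffffff82804dbd>] SyS_sendmsg+0x2d/0x50 net/socket.c:1995
 [<ffffffff82f8f937>] entry_SYSCALL_64_fastpath+0x1a/0xa9
Code: 14 02 4c 89 f8 83 e0 07 83 c0 03 38 d0 7c 08 84 d2 0f 85 f4 02
RIP  [<ffffffff82f4e3e6>] netlbl_unlhsh_add+0x8e6/0xf00 net/netlabel/netlabel_unlabeled.c:430
---[ end trace ec99797c85dd42d0 ]---
"""

# One frame: "[<addr>] symbol+0xoff/0xsize path/file.c:NNN [inline]"; the offset,
# the location and the [inline] tag are each optional in the 4.9-era x86_64 layout.
FRAME_RE = re.compile(
    r"\[<(?P<addr>[0-9a-f]+)>\]\s+(?P<sym>[A-Za-z_][\w.]*)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<file>[\w./-]+):(?P<line>\d+))?(?P<inline>\s+\[inline\])?")
REG_RE = re.compile(r"\b(?P<name>R(?:AX|BX|CX|DX|SI|DI|BP|\d{2})): (?P<val>[0-9a-f]{16})\b")
CPU_RE = re.compile(r"^CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>\S+) "
                    r"(?:Not tainted|Tainted:.*?) (?P<version>\S+) #\d+")
OOPS_RE = re.compile(r"^(general protection fault|BUG: unable to handle kernel|BUG: KASAN: \S+)")
SYSCALL_PREFIXES = ("SyS_", "sys_", "__x64_sys_", "__se_sys_", "__do_sys_")

@dataclass
class Frame:
    symbol: str
    file: Optional[str]
    line: Optional[int]
    inline: bool

@dataclass
class Oops:
    kind: str = ""
    kasan_hint: str = ""
    pid: int = 0
    comm: str = ""
    kernel_version: str = ""
    rip: List[Frame] = field(default_factory=list)         # innermost first
    call_trace: List[Frame] = field(default_factory=list)  # innermost first
    registers: Dict[str, int] = field(default_factory=dict)

def _frame(m: "re.Match[str]") -> Frame:
    return Frame(m.group("sym"), m.group("file"),
                 int(m.group("line")) if m.group("line") else None, m.group("inline") is not None)

def parse_oops(text: str) -> Oops:
    """Parse one oops into structured fields; lines the parser does not know are ignored."""
    oops, in_trace = Oops(), False
    for raw in text.splitlines():
        line = raw.strip()
        if OOPS_RE.match(line):
            oops.kind = line
        elif line.startswith("kasan: GPF could be caused by"):
            oops.kasan_hint = line.split("by ", 1)[1]
        elif (m := CPU_RE.match(line)):
            oops.pid, oops.comm = int(m.group("pid")), m.group("comm")
            oops.kernel_version = m.group("version")
        elif line.startswith("RIP"):
            m = FRAME_RE.search(line)  # search() steps over the duplicated leading [<addr>]
            if m and all(f.symbol != m.group("sym") for f in oops.rip):  # RIP is printed twice
                oops.rip.append(_frame(m))
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("---[ end trace"):
            in_trace = False
        elif in_trace and (m := FRAME_RE.match(line)):
            oops.call_trace.append(_frame(m))
        for m in REG_RE.finditer(line):  # register dump lines can sit anywhere in the report
            oops.registers[m.group("name")] = int(m.group("val"), 16)
    return oops

def triage(oops: Oops) -> Dict[str, object]:
    """Facts a maintainer wants first: where it faulted and how userspace reached it."""
    inner = (oops.rip or oops.call_trace or [None])[0]
    syscall = next((f.symbol for f in oops.call_trace if f.symbol.startswith(SYSCALL_PREFIXES)), None)
    entry = next((syscall[len(p):] for p in SYSCALL_PREFIXES if syscall and syscall.startswith(p)), None)
    return {
        "kind": oops.kind.split(":")[0],
        "kernel_version": oops.kernel_version,
        "faulting_function": inner.symbol if inner else None,
        "faulting_location": f"{inner.file}:{inner.line}" if inner and inner.file else None,
        "entry_syscall": entry,
        "user_reachable": entry is not None,
        "kasan_hint": oops.kasan_hint,
        "zero_registers": sorted(n for n, v in oops.registers.items() if v == 0),
    }
```

Running `triage(parse_oops(SAMPLE_OOPS))` on the excerpt reports `netlbl_unlhsh_add_addr4` at `net/netlabel/netlabel_unlabeled.c:262` as the faulting function, `sendmsg` as the entry system call (so the path is reachable from an unprivileged process only if the netlink family permits it, which the parser does not judge), and `RCX` and `RDI` as the zero registers, which is what the KASAN "NULL-ptr deref or user memory access" hint is pointing at. The parser deliberately does not try to name a root cause: that requires reading the code at the reported line, not the trace.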