“BUG: unable to handle kernel paging request in anon_inode_getfile” in Linux Kernel Version 2.6.32

From: cheung wall
Date: Sun Dec 01 2024 - 23:32:24 EST


Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 2.6.32, specifically on the PowerPC architecture.
This issue was discovered using our custom vulnerability discovery
tool.

Affected File:

File: fs/anon_inodes.c

Function: anon_inode_getfile

Detailed Call Stack:

b3f455be4663db/report0
sched_yield()
flistxattr(r7, &(0x7f0000003040)=""/124, 0x7c)
dup(r4)
#executor: Prog has number of calls = 30
0x0
Unable to handle kernel paging request for data at address 0x00000014
Oops: Kernel access of bad area, sig: 11 [#1]
Modules linked in:
REGS: c05cbc60 TRAP: 0300 Not tainted (2.6.32)
DEAR: 00000014, ESR: 00000000
GPR00: 00000000 c05cbd10 c0591330 00000009 c05cbd18 c78020c0 00000000 00000020
GPR16: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
NIP [c00f23c0] anon_inode_getfile+0x90/0x170
root/linux-2.6.32/fs/anon_inodes.c:109
Call Trace:
[c05cbd50] [c00f3e3c] eventfd_file_create+0x8c/0xe0
root/linux-2.6.32/fs/eventfd.c:341
[c05cbd90] [c0003174] execute_syscall+0xcc/0xf0
root/linux-2.6.32/init/executor.c:465
[c05cbfa0] [c00052e8] executor_main+0x2c/0x54
root/linux-2.6.32/init/executor.c:709
[c05cbff0] [c0000398] skpinv+0x2b0/0x2ec
7c00492d 40a2fff4 80090000 90610010 3f20c05d 3be0fff4 4bf28275 7c240b78
---[ end trace 31fd0ba7d8756001 ]---


Root Cause:

The root cause of this issue is the kernel's failure to properly
handle memory access during the execution of the anon_inode_getfile
function. This is likely due to invalid or uninitialized memory being
accessed, possibly as a result of a bug in memory allocation or an
issue with pointer dereferencing. The function attempts to access data
at an invalid address (0x00000014), which leads to a kernel paging
request error, causing a segmentation fault. This could be caused by
improper initialization of the anon_inode structures, incorrect memory
handling, or a bug in the relevant kernel subsystems dealing with
anonymous inodes or file operations.

Thank you for your time and attention.

Best regards,

Wall
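Editor's note, added example (not part of the report above and not kernel code): the one concrete datum in the oops is the faulting data address, DEAR 0x00000014. A fault at a small address like this is the usual signature of a dereference through a NULL base pointer, where the address is simply the offset of the field being read. The first place 2.6.32's anon_inode_getfile() dereferences anon_inode_mnt is anon_inode_mnt->mnt_sb (in the d_alloc(anon_inode_mnt->mnt_sb->s_root, ...) call), and in the 2.6.32 struct vfsmount from include/linux/mount.h that field sits after a list_head and three pointers, i.e. at offset 0x14 on a 32-bit target. A NULL anon_inode_mnt (it is only populated by anon_inode_init(), an fs_initcall) would therefore fault at exactly this address; the trace's return into early boot code (skpinv) is at least consistent with the in-kernel executor running before that initcall. The report does not establish this, so treat it as a hypothesis to check, not a confirmed root cause. The program below shows the mapping step: it mirrors the struct prefix with 32-bit pointer widths (the struct layout, the 4 KiB NULL-page limit and the function name vfsmount_null_field are assumptions of this example) and resolves a fault address to the field a NULL-based access would touch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit PowerPC target: pointers and unsigned longs are 4 bytes wide.
 * They are modelled as uint32_t so the offsets come out as on the target
 * rather than on the (possibly 64-bit) host running this example. */
typedef uint32_t target_ptr;

struct target_list_head {
    target_ptr next;
    target_ptr prev;
};

/* Leading fields of struct vfsmount as declared in 2.6.32
 * include/linux/mount.h (assumed layout; only the prefix up to mnt_sb is
 * mirrored, which is all that is needed to cover offset 0x14). */
struct vfsmount_2632_prefix {
    struct target_list_head mnt_hash;   /* 0x00: hash-chain linkage */
    target_ptr mnt_parent;              /* 0x08: struct vfsmount * */
    target_ptr mnt_mountpoint;          /* 0x0c: struct dentry * */
    target_ptr mnt_root;                /* 0x10: struct dentry * */
    target_ptr mnt_sb;                  /* 0x14: struct super_block * */
};

struct field_desc {
    const char *name;
    uint32_t offset;
    uint32_t size;
};

#define FIELD(s, f) \
    { #f, (uint32_t)offsetof(struct s, f), (uint32_t)sizeof(((struct s *)0)->f) }

static const struct field_desc vfsmount_fields[] = {
    FIELD(vfsmount_2632_prefix, mnt_hash),
    FIELD(vfsmount_2632_prefix, mnt_parent),
    FIELD(vfsmount_2632_prefix, mnt_mountpoint),
    FIELD(vfsmount_2632_prefix, mnt_root),
    FIELD(vfsmount_2632_prefix, mnt_sb),
};

/* A dereference through a NULL base pointer faults at NULL + field offset,
 * so the reported data address is tiny. Anything at or above one 4 KiB page
 * is treated as a real (non-NULL) pointer and not matched. */
#define NULL_DEREF_LIMIT 4096u

/* Return the name of the vfsmount field that a NULL-based access would touch
 * at fault_addr, or NULL if the address is not a plausible NULL-based access
 * into the mirrored struct prefix. */
const char *vfsmount_null_field(uint32_t fault_addr)
{
    size_t i;

    if (fault_addr >= NULL_DEREF_LIMIT)
        return NULL;
    for (i = 0; i < sizeof(vfsmount_fields) / sizeof(vfsmount_fields[0]); i++) {
        const struct field_desc *f = &vfsmount_fields[i];
        if (fault_addr >= f->offset && fault_addr < f->offset + f->size)
            return f->name;
    }
    return NULL;
}

int main(void)
{
    /* Value taken from the oops in the report: "DEAR: 00000014". */
    uint32_t dear = 0x14;
    const char *field = vfsmount_null_field(dear);

    if (field)
        printf("DEAR 0x%08x = NULL + offsetof(struct vfsmount, %s)\n", dear, field);
    else
        printf("DEAR 0x%08x does not look like a NULL-based vfsmount access\n", dear);
    return 0;
}
```

The same table-driven lookup works for any candidate base object: mirror the prefix of the struct with target-width types, feed in the DEAR (or CR2 on x86) value, and compare the named field against the source line the NIP resolves to. If the field and the dereference in the source agree, the next step is to confirm with a kernel build whether the base pointer can actually be NULL on that path, rather than to guess at allocation or initialization bugs in general.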