Re: general protection fault in ip6_pol_route
From: Hillf Danton
Date: Wed Feb 05 2025 - 07:09:10 EST
On Tue, 4 Feb 2025 15:07:49 +0100 Eric Dumazet <edumazet@xxxxxxxxxx>
> On Tue, Feb 4, 2025 at 2:47 PM YAN KANG <kangyan91@xxxxxxxxxxx> wrote:
> >
> > Dear maintainers,
> >
> > I found a kernel bug titiled "general protection fault in ip6_pol_route" while using modified syzkaller fuzzing tool. I Itested it on the latest Linux upstream version (6.13.0-rc7) .
> >
> >
> > After preliminary analysis, the rootcause may be in ip6_pol_route function net/ipv6/route.c
> > res is a stack object. [1]
> > fib6_select_path(net, &res, fl6, oif, false, skb, strict) call may initialize res->nh.[2]
> > rt = rt6_get_pcpu_route( &res); [3]
> > pcpu_rt = this_cpu_read(*res->nh->rt6i_pcpu); // *res->nh is NULL, crash
> >
> > in [2], res->nh can be initialized in several ways,possibly one of which initializes it to NULL.
> >
> > Unfortunately, I don't have any reproducer for this bug yet.
> >
> > If you fix this issue, please add the following tag to the commit:
> > Reported-by: yan kang <kangyan91@xxxxxxxxxxx>
> > Reported-by: yue sun <samsun1006219@xxxxxxxxx
> >
> This is a dup of a syzbot report under investigation.
>
> Unless you have a repro and/or a patch, I would recommend you not
> sending these fuzzer reports anymore.
>
> Releasing such reports without a fix is an obvious security risk.
>
Can you specify a bit why report like this one links to security risk, Eric,
given no fix yet delivered to the syzbot report [1] so far?
[1] https://yhbt.net/lore/lkml/67a21f26.050a0220.163cdc.0068.GAE@xxxxxxxxxx/