Hello,

I am writing to report a potential vulnerability identified in the Linux Kernel version 5.15.169. This issue was discovered using our custom vulnerability discovery tool.

Affected File: block/genhd.c
Function: del_gendisk

Detailed Call Stack:

------------[ cut here begin]------------
RIP: 0010:del_gendisk+0x63b/0x830 block/genhd.c:586
Code: 3c 03 0f 8e df 01 00 00 8b ab a0 00 00 00 31 ff 81 e5 00 04 00 00 89 ee e8 82 fe 54 ff 85 ed 0f 85 a8 fa ff ff e8 d5 fb 54 ff <0f> 0b e9 71 ff ff ff e8 c9 fb 54 ff 48 8b 14 24 48 b8 00 00 00 00
netlink: 'syz.4.3926': attribute type 4 has an invalid length.
RSP: 0018:ffff888113ff7df8 EFLAGS: 00010216
RAX: 000000000000008c RBX: ffff88810af7c800 RCX: ffffc9000749c000
RDX: 0000000000040000 RSI: ffffffff81ed737b RDI: 0000000000000005
RBP: 0000000000000000 R08: 0000000000000000 R09: ffff888113ff7dbf
R10: 0000000000000000 R11: 0000000000000001 R12: ffff88810af7c8a0
R13: ffff88810b351400 R14: ffff88810b351000 R15: ffff88810a70b1c0
FS:  00007f620e2b66c0(0000) GS:ffff88811af80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001090f6000 CR4: 0000000000350ee0
Call Trace:
 <TASK>
 loop_remove+0x39/0xf0 drivers/block/loop.c:2452
 loop_control_remove drivers/block/loop.c:2509 [inline]
 loop_control_ioctl+0x44d/0x4d0 drivers/block/loop.c:2547
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:874 [inline]
 __se_sys_ioctl fs/ioctl.c:860 [inline]
 __x64_sys_ioctl+0x19a/0x210 fs/ioctl.c:860
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x33/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x6c/0xd6
RIP: 0033:0x7f620f6e89c9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f620e2b6038 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f620f904f80 RCX: 00007f620f6e89c9
RDX: 0000000020002540 RSI: 0000000000004c81 RDI: 0000000000000003
RBP: 00007f620f7951b6 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f620f904f80 R15: 00007ffe5d3a2638
 </TASK>
irq event stamp: 553
hardirqs last enabled at (559): [<ffffffff812b32ca>] console_trylock_spinning kernel/printk/printk.c:1891 [inline]
hardirqs last enabled at (559): [<ffffffff812b32ca>] vprintk_emit+0x3da/0x420 kernel/printk/printk.c:2273
hardirqs last disabled at (710): [<ffffffff812acf9d>] __up_console_sem+0x5d/0x80 kernel/printk/printk.c:255
softirqs last enabled at (244): [<ffffffff81166c99>] __do_softirq kernel/softirq.c:592 [inline]
softirqs last enabled at (244): [<ffffffff81166c99>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last enabled at (244): [<ffffffff81166c99>] __irq_exit_rcu kernel/softirq.c:641 [inline]
softirqs last enabled at (244): [<ffffffff81166c99>] irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
softirqs last disabled at (187): [<ffffffff81166c99>] __do_softirq kernel/softirq.c:592 [inline]
softirqs last disabled at (187): [<ffffffff81166c99>] invoke_softirq kernel/softirq.c:432 [inline]
softirqs last disabled at (187): [<ffffffff81166c99>] __irq_exit_rcu kernel/softirq.c:641 [inline]
softirqs last disabled at (187): [<ffffffff81166c99>] irq_exit_rcu+0xe9/0x130 kernel/softirq.c:653
------------[ cut here end]------------

Root Cause:

The kernel crash is triggered by the del_gendisk function within the block/genhd.c file at line 586. The root cause appears to be an improperly formatted netlink message, specifically an attribute of type 4 that has an invalid length. This malformed netlink message is processed by the loop device driver (drivers/block/loop.c), particularly during the removal of a loop device (loop_remove and loop_control_remove functions).

The invalid attribute leads to incorrect handling within the loop device's ioctl operations (loop_control_ioctl), ultimately causing del_gendisk to malfunction. This sequence results in a kernel oops, crashing the system. The issue likely stems from the loop device driver not adequately validating the length of netlink message attributes before processing them, allowing malformed data to disrupt kernel operations.

Thank you for your time and attention.

Best regards,
Wall