Hello,

We found the following crash when fuzzing [1] the Linux kernel 6.10 and we are able to reproduce it. To our knowledge, this crash has not been observed by SyzBot so we would like to report it for your reference.

- Crash Oops:

general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
CPU: 0 PID: 239 Comm: syz-executor Not tainted 6.10.0 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:vfs_poll linux-6.10/include/linux/poll.h:82 [inline]
RIP: 0010:do_select+0xaa7/0x13f0 linux-6.10/fs/select.c:538
Code: c1 e8 03 80 3c 30 00 0f 85 c7 07 00 00 4d 8b ac 24 b0 00 00 00 48 ba 00 00 00 00 00 fc ff df 49 8d 7d 48 48 89 f8 48 c1 e8 03 <80> 3c 10 00 0f 85 b9 07 00 00 4d 8b 6d 48 83 e3 01 4d 85 ed 0f 84
RSP: 0018:ffff88800bed7740 EFLAGS: 00010206
RAX: 0000000000000009 RBX: ffff88800a608780 RCX: 1ffff110017c30d4
RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: 0000000000000048
RBP: ffff88800bed7be0 R08: 0000000000000000 R09: ffffed10017c30d1
R10: ffffed10017c30d0 R11: ffff88800be18683 R12: ffff88800a608780
R13: 0000000000000000 R14: 000000000000001e R15: 0000000040000000
FS:  00005555585f49c0(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f4ae87930 CR3: 000000000a098001 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 core_sys_select+0x270/0x5f0 linux-6.10/fs/select.c:681
 do_pselect.constprop.0+0x159/0x1a0 linux-6.10/fs/select.c:763
 __do_sys_pselect6 linux-6.10/fs/select.c:804 [inline]
 __se_sys_pselect6 linux-6.10/fs/select.c:795 [inline]
 __x64_sys_pselect6+0x154/0x1d0 linux-6.10/fs/select.c:795
 do_syscall_x64 linux-6.10/arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x4b/0x110 linux-6.10/arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7f2210e3194b
Code: 29 44 24 30 4c 89 4c 24 40 48 c7 44 24 48 08 00 00 00 64 8b 04 25 18 00 00 00 4c 8d 4c 24 40 85 c0 75 2c b8 0e 01 00 00 0f 05 <48> 3d 00 f0 ff ff 77 7d 48 8b 4c 24 58 64 48 33 0c 25 28 00 00 00
RSP: 002b:00007ffe3c6a17c0 EFLAGS: 00000246 ORIG_RAX: 000000000000010e
RAX: ffffffffffffffda RBX: 000000000000001e RCX: 00007f2210e3194b
RDX: 0000000000000000 RSI: 00007ffe3c6a1940 RDI: 000000000000001f
RBP: 00007ffe3c6a1c10 R08: 00007ffe3c6a17f0 R09: 00007ffe3c6a1800
R10: 0000000000000000 R11: 0000000000000246 R12: 0000555558611e80
R13: 0000000000000001 R14: 0000555558612d50 R15: 00007ffe3c6a1cf0
 </TASK>
Modules linked in:
---[ end trace 0000000000000000 ]---
RIP: 0010:vfs_poll linux-6.10/include/linux/poll.h:82 [inline]
RIP: 0010:do_select+0xaa7/0x13f0 linux-6.10/fs/select.c:538
Code: c1 e8 03 80 3c 30 00 0f 85 c7 07 00 00 4d 8b ac 24 b0 00 00 00 48 ba 00 00 00 00 00 fc ff df 49 8d 7d 48 48 89 f8 48 c1 e8 03 <80> 3c 10 00 0f 85 b9 07 00 00 4d 8b 6d 48 83 e3 01 4d 85 ed 0f 84
RSP: 0018:ffff88800bed7740 EFLAGS: 00010206
RAX: 0000000000000009 RBX: ffff88800a608780 RCX: 1ffff110017c30d4
RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: 0000000000000048
RBP: ffff88800bed7be0 R08: 0000000000000000 R09: ffffed10017c30d1
R10: ffffed10017c30d0 R11: ffff88800be18683 R12: ffff88800a608780
R13: 0000000000000000 R14: 000000000000001e R15: 0000000040000000
FS:  00005555585f49c0(0000) GS:ffff88806d200000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f4f4ae87930 CR3: 000000000a098001 CR4: 0000000000170ef0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

- reproducer:

syz_genetlink_get_family_id$mptcp(0x0, 0xffffffffffffffff)
unlink(0x0)
syz_genetlink_get_family_id$nl80211(0x0, 0xffffffffffffffff)
r0 = socket$nl_generic(0x10, 0x3, 0x10)
openat$null(0xffffffffffffff9c, 0x0, 0x0, 0x0)
socket$inet6_tcp(0xa, 0x1, 0x0)
syz_genetlink_get_family_id$ipvs(0x0, r0)
r1 = openat$urandom(0xffffffffffffff9c, &(0x7f0000000040), 0x0, 0x0)
read(r1, &(0x7f0000000000), 0x2000)
r2 = syz_open_dev$sg(&(0x7f0000000040), 0x0, 0x0)
ioctl$SCSI_IOCTL_SEND_COMMAND(r2, 0x1, &(0x7f0000000000)=ANY=[@ANYBLOB="000000001d00000085", @ANYRES8=r2])

- kernel config:

https://drive.google.com/file/d/1LMJgfJPhTu78Cd2DfmDaRitF6cdxxcey/view?usp=sharing

[1] We used a customized Syzkaller but did not change the guest kernel or the hypervisor.
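An added triage helper, not part of the report above and not syzkaller or kernel code: it reads the first lines of a KASAN oops like the one quoted here and shows why a NULL-plus-offset access under generic KASAN on x86_64 surfaces as a general protection fault on a non-canonical address rather than as a page fault. The instrumented load first checks the shadow byte for the target, and shadow = (addr >> 3) + 0xdffffc0000000000; for a tiny address such as 0x48 that shadow address (0xdffffc0000000009) is non-canonical, so the shadow load itself raises #GP. The script inverts that mapping, checks the result against the "KASAN: null-ptr-deref in range" line and the register dump, and labels the access the way KASAN's report code does. The shadow offset and scale shift are the x86_64 defaults; the null-ptr-deref / user-memory-access thresholds (PAGE_SIZE and a 47-bit user space) are assumptions stated in the code; the embedded sample is constructed from the report's own lines.

```python
import re

# Constructed sample: the relevant lines of the KASAN report quoted above,
# reduced to the fields this helper needs.
OOPS_SAMPLE = """\
general protection fault, probably for non-canonical address 0xdffffc0000000009: 0000 [#1] PREEMPT SMP KASAN PTI
KASAN: null-ptr-deref in range [0x0000000000000048-0x000000000000004f]
RIP: 0010:do_select+0xaa7/0x13f0 linux-6.10/fs/select.c:538
RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: 0000000000000048
"""

# Generic KASAN on x86_64: shadow_addr = (addr >> 3) + KASAN_SHADOW_OFFSET,
# one shadow byte per 8 bytes of address space.
KASAN_SHADOW_OFFSET = 0xdffffc0000000000
KASAN_SHADOW_SCALE_SHIFT = 3
# Assumed thresholds for the wild-access labels (x86_64, 4-level paging).
PAGE_SIZE = 0x1000
USER_SPACE_END = (1 << 47) - PAGE_SIZE


def is_canonical(addr, va_bits=48):
    """True if the top (64 - va_bits + 1) bits are all zero or all one."""
    top = addr >> (va_bits - 1)
    return top == 0 or top == (1 << (64 - va_bits + 1)) - 1


def shadow_to_range(shadow):
    """Map a KASAN shadow byte address back to the 8-byte region it covers."""
    start = (shadow - KASAN_SHADOW_OFFSET) << KASAN_SHADOW_SCALE_SHIFT
    return start, start + (1 << KASAN_SHADOW_SCALE_SHIFT) - 1


def classify(addr):
    """Label an unmapped access the way KASAN's report does (thresholds assumed)."""
    if addr < PAGE_SIZE:
        return "null-ptr-deref"
    if addr < USER_SPACE_END:
        return "user-memory-access"
    return "wild-memory-access"


def triage(oops):
    """Cross-check the #GP address against KASAN's range line and the registers."""
    m = re.search(r"non-canonical address 0x([0-9a-f]+)", oops)
    if not m:
        raise ValueError("no general protection fault line found")
    shadow = int(m.group(1), 16)
    derived = shadow_to_range(shadow)

    reported = None
    m = re.search(r"in range \[0x([0-9a-f]+)-0x([0-9a-f]+)\]", oops)
    if m:
        reported = (int(m.group(1), 16), int(m.group(2), 16))

    # General-purpose registers (RSP carries a segment prefix and is skipped).
    reg_re = r"\b(RAX|RBX|RCX|RDX|RSI|RDI|RBP|R8|R9|R1[0-5]): ([0-9a-f]{16})"
    regs = {name: int(val, 16) for name, val in re.findall(reg_re, oops)}

    return {
        "shadow": shadow,
        "shadow_non_canonical": not is_canonical(shadow),
        "access_range": derived,
        "reported_range": reported,
        "consistent": reported == derived,
        "bug_type": classify(derived[0]),
        # Registers holding the faulting pointer, i.e. a value inside the range.
        "pointer_regs": sorted(r for r, v in regs.items() if derived[0] <= v <= derived[1]),
    }


if __name__ == "__main__":
    for key, value in triage(OOPS_SAMPLE).items():
        print(f"{key}: {value!r}")
```

For the report above this yields an access range of 0x48..0x4f, matching KASAN's own line, with RDI as the only register holding the pointer. That agrees with the Code: bytes at the fault: `49 8d 7d 48` (lea rdi,[r13+0x48]) with R13 = 0, then `48 89 f8` / `48 c1 e8 03` (rax = rdi >> 3, so RAX = 9) and the faulting `80 3c 10 00` (cmp byte [rax+rdx],0 with RDX = 0xdffffc0000000000), which is the shadow check for a NULL object dereferenced at offset 0x48 in vfs_poll.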