Re: memory leak in inet_create

Hello,

could you please fix your mailer and resend, something wrong happened,
we received the totally unreadable block below, as if all line breaks
were removed!

Thanks,
Willy

On Fri, Dec 16, 2022 at 07:16:08AM -0000, ??? wrote:
> On Dec 16, 2022, at 4:11 PM, ??? <darklight2357@xxxxxxxxxx> wrote:
>
> Attachments available until January 15, 2023.
>
> Hello, I am "Changheon Lee" concerned with kernel security.
>
> A "memory leak in inet_create" was reported in Syzkaller targeting Linux kernel Version 6.1 on December 15, 2022 at 18:36 (KST).
>
> The environment in which the bug was detected is as follows.
>
> Syzkaller revision : 67be1ae7
> Kernel version : Linux kernel 6.1
>
> The report provided by Syzkaller is as follows.
>
> BUG: memory leak
> unreferenced object 0xffff88810a908c80 (size 2912):
>   comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.786s)
>   hex dump (first 32 bytes):
>     7f 00 00 01 7f 00 00 01 08 e4 6b 1b 4e 20 00 00  ..........k.N ..
>     02 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
>   backtrace:
>     [<ffffffff83478054>] sk_prot_alloc+0x64/0x2a0 net/core/sock.c:2024
>     [<ffffffff8348316b>] sk_alloc+0x3b/0x7d0 net/core/sock.c:2083
>     [<ffffffff838e2e8b>] inet_create+0x39b/0xee0 net/ipv4/af_inet.c:319
>     [<ffffffff8346bca1>] __sock_create+0x381/0x850 net/socket.c:1515
>     [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]
>     [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]
>     [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636
>     [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]
>     [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]
>     [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647
>     [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
>     [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> BUG: memory leak
> unreferenced object 0xffff888112a6f020 (size 32):
>   comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.786s)
>   hex dump (first 32 bytes):
>     02 00 00 00 00 00 00 00 40 e9 ba 0e 81 88 ff ff  ........@.......
>     01 00 00 00 03 00 00 00 10 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff816d8987>] kmalloc_trace+0x27/0x60 mm/slab_common.c:1045
>     [<ffffffff81f4869f>] kmalloc include/linux/slab.h:553 [inline]
>     [<ffffffff81f4869f>] kzalloc include/linux/slab.h:689 [inline]
>     [<ffffffff81f4869f>] selinux_sk_alloc_security+0x9f/0x230 security/selinux/hooks.c:5190
>     [<ffffffff81f34938>] security_sk_alloc+0x58/0xc0 security/security.c:2286
>     [<ffffffff8347809e>] sk_prot_alloc+0xae/0x2a0 net/core/sock.c:2033
>     [<ffffffff8348316b>] sk_alloc+0x3b/0x7d0 net/core/sock.c:2083
>     [<ffffffff838e2e8b>] inet_create+0x39b/0xee0 net/ipv4/af_inet.c:319
>     [<ffffffff8346bca1>] __sock_create+0x381/0x850 net/socket.c:1515
>     [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]
>     [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]
>     [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636
>     [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]
>     [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]
>     [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647
>     [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
>     [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> BUG: memory leak
> unreferenced object 0xffff88810ebae940 (size 64):
>   comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.787s)
>   hex dump (first 32 bytes):
>     15 00 00 01 00 00 00 00 70 33 b8 02 81 88 ff ff  ........p3......
>     00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
>   backtrace:
>     [<ffffffff816d8987>] kmalloc_trace+0x27/0x60 mm/slab_common.c:1045
>     [<ffffffff81fb7e15>] kmalloc include/linux/slab.h:553 [inline]
>     [<ffffffff81fb7e15>] kzalloc include/linux/slab.h:689 [inline]
>     [<ffffffff81fb7e15>] netlbl_secattr_alloc include/net/netlabel.h:382 [inline]
>     [<ffffffff81fb7e15>] selinux_netlbl_sock_genattr+0xb5/0x4b0 security/selinux/netlabel.c:77
>     [<ffffffff81fb9bfc>] selinux_netlbl_socket_post_create+0x7c/0x170 security/selinux/netlabel.c:401
>     [<ffffffff81f5215f>] selinux_socket_post_create+0x30f/0x820 security/selinux/hooks.c:4605
>     [<ffffffff81f33fcc>] security_socket_post_create+0x6c/0xd0 security/security.c:2198
>     [<ffffffff8346c024>] __sock_create+0x704/0x850 net/socket.c:1531
>     [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]
>     [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]
>     [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636
>     [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]
>     [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]
>     [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647
>     [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
>     [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> BUG: memory leak
> unreferenced object 0xffff888102b83370 (size 16):
>   comm "syz-executor609", pid 330, jiffies 4294839395 (age 15.787s)
>   hex dump (first 16 bytes):
>     6b 65 72 6e 65 6c 5f 74 00 6b 6b 6b 6b 6b 6b a5  kernel_t.kkkkkk.
>   backtrace:
>     [<ffffffff816d949c>] __do_kmalloc_node mm/slab_common.c:954 [inline]
>     [<ffffffff816d949c>] __kmalloc_node_track_caller+0x4c/0xd0 mm/slab_common.c:975
>     [<ffffffff816b7b90>] kstrdup+0x40/0x80 mm/util.c:61
>     [<ffffffff81fade31>] security_netlbl_sid_to_secattr+0x1f1/0x4e0 security/selinux/ss/services.c:3973
>     [<ffffffff81fb7e59>] selinux_netlbl_sock_genattr+0xf9/0x4b0 security/selinux/netlabel.c:80
>     [<ffffffff81fb9bfc>] selinux_netlbl_socket_post_create+0x7c/0x170 security/selinux/netlabel.c:401
>     [<ffffffff81f5215f>] selinux_socket_post_create+0x30f/0x820 security/selinux/hooks.c:4605
>     [<ffffffff81f33fcc>] security_socket_post_create+0x6c/0xd0 security/security.c:2198
>     [<ffffffff8346c024>] __sock_create+0x704/0x850 net/socket.c:1531
>     [<ffffffff8346fa8b>] sock_create net/socket.c:1566 [inline]
>     [<ffffffff8346fa8b>] __sys_socket_create net/socket.c:1603 [inline]
>     [<ffffffff8346fa8b>] __sys_socket+0x13b/0x250 net/socket.c:1636
>     [<ffffffff8346fc13>] __do_sys_socket net/socket.c:1649 [inline]
>     [<ffffffff8346fc13>] __se_sys_socket net/socket.c:1647 [inline]
>     [<ffffffff8346fc13>] __x64_sys_socket+0x73/0xb0 net/socket.c:1647
>     [<ffffffff843153c8>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>     [<ffffffff843153c8>] do_syscall_64+0x38/0x90 arch/x86/entry/common.c:80
>     [<ffffffff8440009b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
>
> I cannot rule out the possibility that this bug detected in Syzkaller targeting 6.1 is a false positive.
> However, as far as I can check, this memory leak has not been reported recently.
> I just found a reported case on "mail-archive.com" with a backtrace very similar to the memory leak I just reported.
> Considering the contents of the mail I found, the "memory leak in inet_create" I reported seems to be related to SElinux, and I attach the link at the bottom.
>
> Link : https://www.mail-archive.com/linux-kernel@xxxxxxxxxxxxxxx/msg1950307.html
>
> The email in the link was made in 2019, and it seems to be related to what I reported this time, but it is seen as a separate matter.
>
> kernel config, vmlinux, bzImage and C reproducer will be attached separately.
>
> Thanks.
> ChangHeon Lee
>
> Ps. I have now checked that emails with the same contents were sent multiple times due to issues such as the inability to properly set the recipient, CC settings, or HTML forms being included in the email.
> I apologize for any inconvenience caused.
>
> Attachments (iCloud):
> - vmlinux (475.5 MB)
> - C_repo.c (5 KB)
> - bzImage (30 MB)
> - kernel config (.config).txt (139 KB)
>
> I'm so sorry... no more HTML forms or links are included...


