[Bug] "general protection fault in calipso_sock_setattr" in Linux kernel v6.12

[Bug] "general protection fault in calipso_sock_setattr" in Linux kernel v6.12

[John]

Dear Linux Kernel Maintainers,

I hope this message finds you well.

I am writing to report a potential vulnerability I encountered during
testing of the Linux Kernel version v6.12.

Git Commit: adc218676eef25575469234709c2d87185ca223a (tag: v6.12)

Bug Location: calipso_sock_setattr+0xf6/0x380 net/ipv6/calipso.c:1128

Bug report: https://hastebin.com/share/iredodibar.yaml

Complete log: https://hastebin.com/share/biqowozonu.perl

Entire kernel config: https://hastebin.com/share/huqucavidu.ini

Root Cause Analysis:
The crash is caused by a NULL pointer dereference in txopt_get() (at
include/net/ipv6.h:390) due to an uninitialized struct inet6_opt *opt
field.
The function is indirectly invoked during an SELinux policy
enforcement path via calipso_sock_setattr(), which expects an
initialized inet6_sk(sk)->opt structure.
However, the socket in question does not have IPv6 tx options set up
at the time of the call, likely due to missing or out-of-order
initialization during socket creation or connection setup.
This leads to an invalid access at offset +0x70, detected by KASAN,
and results in a general protection fault.

At present, I have not yet obtained a minimal reproducer for this
issue. However, I am actively working on reproducing it, and I will
promptly share any additional findings or a working reproducer as soon
as it becomes available.

Thank you very much for your time and attention to this matter. I
truly appreciate the efforts of the Linux kernel community.

Best regards,
John

Re: [Bug] "general protection fault in calipso_sock_setattr" in Linux kernel v6.12

[Kuniyuki Iwashima]

From: John <john.cs.hey@gmail.com>
Date: Wed, 21 May 2025 22:50:38 +0800
> Dear Linux Kernel Maintainers,
> 
> I hope this message finds you well.
> 
> I am writing to report a potential vulnerability I encountered during
> testing of the Linux Kernel version v6.12.
> 
> Git Commit: adc218676eef25575469234709c2d87185ca223a (tag: v6.12)
> 
> Bug Location: calipso_sock_setattr+0xf6/0x380 net/ipv6/calipso.c:1128
> 
> Bug report: https://hastebin.com/share/iredodibar.yaml
> 
> Complete log: https://hastebin.com/share/biqowozonu.perl
> 
> Entire kernel config: https://hastebin.com/share/huqucavidu.ini

Thanks for the report.


> 
> Root Cause Analysis:
> The crash is caused by a NULL pointer dereference in txopt_get() (at
> include/net/ipv6.h:390) due to an uninitialized struct inet6_opt *opt
> field.

This is not correct.  The splat says the null deref happens at
np->opt.

> RIP: 0010:txopt_get root/zhangqiang/kernel_fuzzing/Drivers_Fuzz/linux-6.12/include/net/ipv6.h:390 [inline]

   385	static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
   386	{
   387		struct ipv6_txoptions *opt;
   388	
   389		rcu_read_lock();
   390		opt = rcu_dereference(np->opt);

and the offset is 0x70, which is of opt in struct ipv6_pinfo.

> KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]

$ python3
>>> 0x70
112

$ pahole -C ipv6_pinfo vmlinux
struct ipv6_pinfo {
...
	struct ipv6_txoptions *    opt;                  /*   112     8 */


np + 0x70 = 0x70, meaning np was NULL here.

np is always initialised for IPv6 socket in inet6_create(), so this
should never happens for IPv6 sockets.

But looking at netlbl_conn_setattr(), it swtiched branch based on
sockaddr.sa_family provided by userspace, and it does not check if
the socket is actually IPv6 one.

So, the fix will be:


diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
index cd9160bbc919..067f707f194d 100644
--- a/net/netlabel/netlabel_kapi.c
+++ b/net/netlabel/netlabel_kapi.c
@@ -1165,6 +1165,9 @@ int netlbl_conn_setattr(struct sock *sk,
 		break;
 #if IS_ENABLED(CONFIG_IPV6)
 	case AF_INET6:
+		if (sk->sk_family != AF_INET6)
+			return -EPROTONOSUPPORT;
+
 		addr6 = (struct sockaddr_in6 *)addr;
 		entry = netlbl_domhsh_getentry_af6(secattr->domain,
 						   &addr6->sin6_addr);


> The function is indirectly invoked during an SELinux policy
> enforcement path via calipso_sock_setattr(), which expects an
> initialized inet6_sk(sk)->opt structure.
> However, the socket in question does not have IPv6 tx options set up
> at the time of the call, likely due to missing or out-of-order
> initialization during socket creation or connection setup.
> This leads to an invalid access at offset +0x70, detected by KASAN,
> and results in a general protection fault.
> 
> At present, I have not yet obtained a minimal reproducer for this
> issue. However, I am actively working on reproducing it, and I will
> promptly share any additional findings or a working reproducer as soon
> as it becomes available.

Try setting CALIPSO and calling connect(IPv6 addr) for IPv4 socket.


> 
> Thank you very much for your time and attention to this matter. I
> truly appreciate the efforts of the Linux kernel community.

Could you provide your full name so that I can give proper credit
in Reported-by tag ?

Re: [Bug] "general protection fault in calipso_sock_setattr" in Linux kernel v6.12

[John]

Hello Kuniyuki,

Thank you very much for your prompt reply and support. My full name is
John Cheung. I will continue attempting to reproduce the crash as
discussed.

I will keep you updated on any progress. Thank you again for your time
and assistance.

Best regards,
John

On Thu, May 22, 2025 at 2:10 AM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> From: John <john.cs.hey@gmail.com>
> Date: Wed, 21 May 2025 22:50:38 +0800
> > Dear Linux Kernel Maintainers,
> >
> > I hope this message finds you well.
> >
> > I am writing to report a potential vulnerability I encountered during
> > testing of the Linux Kernel version v6.12.
> >
> > Git Commit: adc218676eef25575469234709c2d87185ca223a (tag: v6.12)
> >
> > Bug Location: calipso_sock_setattr+0xf6/0x380 net/ipv6/calipso.c:1128
> >
> > Bug report: https://hastebin.com/share/iredodibar.yaml
> >
> > Complete log: https://hastebin.com/share/biqowozonu.perl
> >
> > Entire kernel config: https://hastebin.com/share/huqucavidu.ini
>
> Thanks for the report.
>
>
> >
> > Root Cause Analysis:
> > The crash is caused by a NULL pointer dereference in txopt_get() (at
> > include/net/ipv6.h:390) due to an uninitialized struct inet6_opt *opt
> > field.
>
> This is not correct.  The splat says the null deref happens at
> np->opt.
>
> > RIP: 0010:txopt_get root/zhangqiang/kernel_fuzzing/Drivers_Fuzz/linux-6.12/include/net/ipv6.h:390 [inline]
>
>    385  static inline struct ipv6_txoptions *txopt_get(const struct ipv6_pinfo *np)
>    386  {
>    387          struct ipv6_txoptions *opt;
>    388
>    389          rcu_read_lock();
>    390          opt = rcu_dereference(np->opt);
>
> and the offset is 0x70, which is of opt in struct ipv6_pinfo.
>
> > KASAN: null-ptr-deref in range [0x0000000000000070-0x0000000000000077]
>
> $ python3
> >>> 0x70
> 112
>
> $ pahole -C ipv6_pinfo vmlinux
> struct ipv6_pinfo {
> ...
>         struct ipv6_txoptions *    opt;                  /*   112     8 */
>
>
> np + 0x70 = 0x70, meaning np was NULL here.
>
> np is always initialised for IPv6 socket in inet6_create(), so this
> should never happens for IPv6 sockets.
>
> But looking at netlbl_conn_setattr(), it swtiched branch based on
> sockaddr.sa_family provided by userspace, and it does not check if
> the socket is actually IPv6 one.
>
> So, the fix will be:
>
>
> diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c
> index cd9160bbc919..067f707f194d 100644
> --- a/net/netlabel/netlabel_kapi.c
> +++ b/net/netlabel/netlabel_kapi.c
> @@ -1165,6 +1165,9 @@ int netlbl_conn_setattr(struct sock *sk,
>                 break;
>  #if IS_ENABLED(CONFIG_IPV6)
>         case AF_INET6:
> +               if (sk->sk_family != AF_INET6)
> +                       return -EPROTONOSUPPORT;
> +
>                 addr6 = (struct sockaddr_in6 *)addr;
>                 entry = netlbl_domhsh_getentry_af6(secattr->domain,
>                                                    &addr6->sin6_addr);
>
>
> > The function is indirectly invoked during an SELinux policy
> > enforcement path via calipso_sock_setattr(), which expects an
> > initialized inet6_sk(sk)->opt structure.
> > However, the socket in question does not have IPv6 tx options set up
> > at the time of the call, likely due to missing or out-of-order
> > initialization during socket creation or connection setup.
> > This leads to an invalid access at offset +0x70, detected by KASAN,
> > and results in a general protection fault.
> >
> > At present, I have not yet obtained a minimal reproducer for this
> > issue. However, I am actively working on reproducing it, and I will
> > promptly share any additional findings or a working reproducer as soon
> > as it becomes available.
>
> Try setting CALIPSO and calling connect(IPv6 addr) for IPv4 socket.
>
>
> >
> > Thank you very much for your time and attention to this matter. I
> > truly appreciate the efforts of the Linux kernel community.
>
> Could you provide your full name so that I can give proper credit
> in Reported-by tag ?
>