tempesta-tech / tempesta

All-in-one solution for high performance web content delivery and advanced protection against DDoS and web attacks
https://tempesta-tech.com/
GNU General Public License v2.0

BUG: kernel NULL pointer dereference: tfw_hpack_add_index #2206

Closed kingluo closed 3 months ago

kingluo commented 3 months ago
[ 9241.758089] BUG: kernel NULL pointer dereference, address: 0000000000000008
[ 9241.759403] #PF: supervisor read access in kernel mode
[ 9241.760288] #PF: error_code(0x0000) - not-present page
[ 9241.761169] PGD 0 P4D 0 
[ 9241.761700] Oops: 0000 [#1] SMP KASAN PTI
[ 9241.762487] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G    B      OE     5.10.35+ #5
[ 9241.763861] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
[ 9241.765441] RIP: 0010:tfw_hpack_decode+0x1940/0x3c50 [tempesta_fw]
[ 9241.784017] Code: 10 00 00 44 39 65 b0 0f 83 10 10 00 00 48 89 df e8 b5 28 9e d9 4c 8b 2b 49 8d 7d 08 e8 a9 28 9e d9 ba e0 ff ff ff 48 8d 7b 1c <41> 2b 55 08 41 01 d4 e8 34 25 9e d9 f6 43 1c 01 74 b1 48 8b bd 68
[ 9241.787148] RSP: 0018:ffff888420188e50 EFLAGS: 00010282
[ 9241.788061] RAX: 0000000000000000 RBX: ffff8881cd93c010 RCX: ffffffffc1717377
[ 9241.789274] RDX: 00000000ffffffe0 RSI: 0000000000000008 RDI: ffff8881cd93c02c
[ 9241.790589] RBP: ffff888420188f48 R08: ffffffffc1716d49 R09: ffff8881e3d860c7
[ 9241.797484] R10: 00000000000000ac R11: 0000000000000001 R12: 0000000000000fcd
[ 9241.797486] R13: 0000000000000000 R14: 0000000000000041 R15: 0000000000000000
[ 9241.797491] FS:  0000000000000000(0000) GS:ffff888420180000(0000) knlGS:0000000000000000
[ 9241.834645] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9241.834648] CR2: 0000000000000008 CR3: 00000001d941e005 CR4: 0000000000770ee0
[ 9241.834652] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 9241.834657] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 9241.868321] PKRU: 55555554
[ 9241.908572] Call Trace:
[ 9241.908575]  <IRQ>
[ 9241.908631]  ? create_prof_cpu_mask+0x30/0x30
[ 9241.908679]  tfw_h2_parse_req+0x382/0x590 [tempesta_fw]
[ 9241.953404]  ? tcp_data_ready+0x73/0x210
[ 9242.000530]  ? tcp_rcv_established+0x98f/0xf70
[ 9242.000537]  ? tcp_v4_do_rcv+0x25f/0x360
[ 9242.034845]  ss_skb_process+0x26f/0x2f0 [tempesta_fw]
[ 9242.034889]  ? h2_set_hdr_x_method_override+0x50/0x50 [tempesta_fw]
[ 9242.088834]  ? tfw_sock_srv_exit+0x30/0x30 [tempesta_fw]
[ 9242.123983]  ? prep_new_page+0xae/0x110
[ 9242.171167]  tfw_http_req_process+0x145/0x1120 [tempesta_fw]
[ 9242.223490]  ? tfw_http_extract_request_authority+0x110/0x110 [tempesta_fw]
[ 9242.285011]  ? rb_insert_color+0x10b/0x2a0
[ 9242.330851]  ? memset+0x3c/0x50
[ 9242.330871]  ? bzero_fast+0xe/0x10 [tempesta_lib]
[ 9242.386895]  ? tfw_pool_alloc_pages+0x51/0x80 [tempesta_fw]
[ 9242.386902]  ? __kasan_check_write+0x14/0x20
[ 9242.439885]  ? tfw_http_conn_msg_alloc+0x378/0x3c0 [tempesta_fw]
[ 9242.439925]  tfw_http_msg_process_generic+0x36b/0xec0 [tempesta_fw]
[ 9242.494073]  ? mem_cgroup_calculate_protection+0x1e0/0x1e0
[ 9242.494081]  ? free_unref_page_commit+0x12b/0x1b0
[ 9242.548291]  ? tfw_http_req_process+0x1120/0x1120 [tempesta_fw]
[ 9242.585885]  ? __kasan_check_write+0x14/0x20
[ 9242.585932]  ? ss_skb_chop_head_tail+0x31b/0x3a0 [tempesta_fw]
[ 9242.585938]  ? __kasan_check_write+0x14/0x20
[ 9242.622419]  ? ss_skb_expand_head_tail+0x180/0x180 [tempesta_fw]
[ 9242.622426]  ? memcpy_fast+0xe/0x10 [tempesta_lib]
[ 9242.678725]  ? ss_skb_split+0x1de/0x220 [tempesta_fw]
[ 9242.733512]  tfw_h2_frame_process+0x7c1/0xc80 [tempesta_fw]
[ 9242.733553]  ? tfw_h2_frame_recv+0x3940/0x3940 [tempesta_fw]
[ 9242.770382]  ? ss_skb_chop_head_tail+0x2a0/0x3a0 [tempesta_fw]
[ 9242.770424]  tfw_http_msg_process+0x9e/0xc0 [tempesta_fw]
[ 9242.826846]  tfw_connection_recv+0x188/0x250 [tempesta_fw]
[ 9242.826886]  ? tfw_connection_send+0x60/0x60 [tempesta_fw]
[ 9242.885701]  ? ss_skb_list_chop_head_tail+0x6e/0x1d0 [tempesta_fw]
[ 9242.885754]  ? ttls_payload_off+0x3f/0x1a0 [tempesta_tls]
[ 9242.943426]  tfw_tls_connection_recv+0x52f/0x700 [tempesta_fw]
[ 9242.943468]  ? tfw_tls_connection_lost+0x40/0x40 [tempesta_fw]
[ 9242.981621]  ss_tcp_process_data+0x45f/0x8a0 [tempesta_fw]
[ 9242.981670]  ? ss_linkerror+0x90/0x90 [tempesta_fw]
[ 9243.019458]  ? __alloc_skb+0x272/0x330
[ 9243.019500]  ss_tcp_data_ready+0xa9/0x1d0 [tempesta_fw]
[ 9243.077577]  tcp_data_ready+0x73/0x210
[ 9243.077584]  tcp_rcv_established+0x98f/0xf70
[ 9243.144385]  ? tcp_data_queue+0x1e00/0x1e00
[ 9243.144391]  ? __kasan_check_read+0x11/0x20
[ 9243.183788]  tcp_v4_do_rcv+0x25f/0x360
[ 9243.222394]  tcp_v4_rcv+0x1579/0x16b0
[ 9243.222401]  ? tcp_v4_early_demux+0x300/0x300
[ 9243.306268]  ? __kasan_check_write+0x14/0x20
[ 9243.363206]  ip_protocol_deliver_rcu+0x57/0x340
[ 9243.363213]  ip_local_deliver_finish+0xc6/0xf0
[ 9243.419526]  ip_local_deliver+0x136/0x210
[ 9243.419532]  ? ip_local_deliver_finish+0xf0/0xf0
[ 9243.436545]  ? tcp_v4_early_demux+0x2a0/0x300
[ 9243.492905]  ? ip_rcv_finish_core.constprop.0+0x17c/0x8d0
[ 9243.492912]  ip_rcv_finish+0xcf/0xf0
[ 9243.547894]  ip_rcv+0x16d/0x180
[ 9243.630900]  ? ip_local_deliver+0x210/0x210
[ 9243.648692]  ? ip_rcv_finish_core.constprop.0+0x8d0/0x8d0
[ 9243.686050]  ? ip_local_deliver+0x210/0x210
[ 9243.686062]  __netif_receive_skb_one_core+0x132/0x140
[ 9243.686068]  ? __netif_receive_skb_core+0x1900/0x1900
[ 9243.722928]  ? find_next_bit+0x14/0x20
[ 9243.786759]  ? cpumask_next+0x2c/0x40
[ 9243.786765]  ? __kasan_check_write+0x14/0x20
[ 9243.822018]  ? _raw_spin_lock+0x7b/0xd0
[ 9243.822026]  __netif_receive_skb+0x26/0xb0
[ 9243.858031]  process_backlog+0xfe/0x290
[ 9243.858038]  net_rx_action+0x287/0x730
[ 9243.912956]  ? napi_complete_done+0x2c0/0x2c0
[ 9243.912986]  ? switch_fpu_return+0x120/0x120
[ 9243.912994]  __do_softirq+0x106/0x445
[ 9243.958392]  asm_call_irq_on_stack+0x12/0x20
[ 9243.983083]  </IRQ>
[ 9243.983095]  do_softirq_own_stack+0x3d/0x50
[ 9243.983108]  irq_exit_rcu+0xcf/0x120
[ 9244.074665]  sysvec_call_function_single+0x3a/0x90
[ 9244.127995]  asm_sysvec_call_function_single+0x12/0x20
[ 9244.128010] RIP: 0010:native_safe_halt+0xe/0x10
[ 9244.128016] Code: 56 ff e9 a8 fe ff ff 4c 89 e6 48 c7 c7 60 6b 51 9d e8 b6 6e 56 ff e9 70 fe ff ff cc e9 07 00 00 00 0f 00 2d 04 fc 55 00 fb f4 <c3> 90 e9 07 00 00 00 0f 00 2d f4 fb 55 00 f4 c3 cc cc 0f 1f 44 00
[ 9244.162871] RSP: 0018:ffff88810e42fdb8 EFLAGS: 00000206
[ 9244.205059] 
[ 9244.205065] RAX: ffffffff9c0fb260 RBX: ffff88810e423f80 RCX: ffffffff9c0e40c5
[ 9244.221866] RDX: 000000000027cb72 RSI: 0000000000000004 RDI: ffff8884201b5040
[ 9244.276394] RBP: ffff88810e42fdc0 R08: 0000000000000001 R09: ffff8884201b5043
[ 9244.276396] R10: ffffed1084036a08 R11: 0000000000000001 R12: 0000000000000006
[ 9244.276399] R13: ffffffff9e2a1be0 R14: 0000000000000000 R15: 0000000000000000
[ 9244.276407]  ? __cpuidle_text_start+0x8/0x8
[ 9244.331637]  ? rcu_eqs_enter.constprop.0+0x85/0xa0
[ 9244.331643]  ? default_idle+0xe/0x20
[ 9244.331648]  arch_cpu_idle+0x15/0x20
[ 9244.331655]  default_idle_call+0x66/0x160
[ 9244.385748]  do_idle+0x379/0x440
[ 9244.385756]  ? arch_cpu_idle_exit+0x40/0x40
[ 9244.440483]  cpu_startup_entry+0x20/0x30
[ 9244.497019]  start_secondary+0x1f2/0x270
[ 9244.497025]  ? set_cpu_sibling_map+0x18e0/0x18e0
[ 9244.553786]  ? set_bringup_idt_handler.constprop.0+0x84/0x90
[ 9244.553793]  ? start_cpu0+0xc/0xc
[ 9244.610745]  secondary_startup_64_no_verify+0xc2/0xcb
[ 9244.610759] Modules linked in:
[ 9244.674949]  nft_counter
[ 9244.762590]  xt_mark xt_tcpudp nft_compat nf_tables nfnetlink
[ 9244.820608]  tempesta_fw(OE)
[ 9244.881010]  tempesta_db(OE)
[ 9244.920396]  sha256_ssse3 sha512_ssse3 tempesta_tls(OE) tempesta_lib(OE) intel_rapl_msr
[ 9244.957618]  intel_rapl_common
[ 9245.017055]  isst_if_common
[ 9245.054945]  nfit kvm_intel snd_hda_codec_generic ledtrig_audio
[ 9245.092112]  snd_hda_intel snd_intel_dspcfg kvm
[ 9245.149461]  binfmt_misc snd_hda_codec
[ 9245.216173]  snd_hda_core rapl
[ 9245.234582]  snd_hwdep
[ 9245.291962]  snd_pcm
[ 9245.328445]  snd_timer
[ 9245.365015]  joydev input_leds
[ 9245.429551]  snd serio_raw
[ 9245.486354]  soundcore
[ 9245.523871]  qemu_fw_cfg
[ 9245.560398]  mac_hid
[ 9245.622464]  dm_multipath
[ 9245.657849]  sch_fq_codel scsi_dh_rdac
[ 9245.715406]  scsi_dh_emc
[ 9245.772040]  scsi_dh_alua
[ 9245.830319]  msr
[ 9245.891313]  efi_pstore ip_tables x_tables
[ 9245.952654]  autofs4
[ 9246.011960]  btrfs
[ 9246.071783]  blake2b_generic raid10 raid456
[ 9246.135236]  async_raid6_recov
[ 9246.196239]  async_memcpy async_pq
[ 9246.257381]  async_xor async_tx
[ 9246.319040]  xor
[ 9246.388089]  raid6_pq
[ 9246.449572]  libcrc32c raid1
[ 9246.509377]  raid0
[ 9246.567805]  multipath
[ 9246.629433]  linear hid_generic
[ 9246.647844]  qxl
[ 9246.706470]  usbhid
[ 9246.734458]  hid
[ 9246.792285]  drm_ttm_helper
[ 9246.849011]  ttm drm_kms_helper syscopyarea
[ 9246.886742]  sysfillrect
[ 9246.923378]  sysimgblt
[ 9246.980204]  fb_sys_fops
[ 9246.997365]  cec
[ 9247.032917]  rc_core
[ 9247.088048]  drm crct10dif_pclmul crc32_pclmul ghash_clmulni_intel
[ 9247.144907]  aesni_intel psmouse crypto_simd cryptd virtio_net ahci glue_helper
[ 9247.215294]  i2c_i801 libahci
[ 9247.297078]  net_failover
[ 9247.331448]  i2c_smbus
[ 9247.386986]  lpc_ich
[ 9247.424323]  xhci_pci
[ 9247.480766]  virtio_blk virtio_rng
[ 9247.518765]  failover
[ 9247.575843]  xhci_pci_renesas
[ 9247.592692] 
[ 9247.592718] CR2: 0000000000000008
[ 9247.629546] ---[ end trace 240ebb03671f1790 ]---
[ 9247.665603] RIP: 0010:tfw_hpack_decode+0x1940/0x3c50 [tempesta_fw]
[ 9247.665611] Code: 10 00 00 44 39 65 b0 0f 83 10 10 00 00 48 89 df e8 b5 28 9e d9 4c 8b 2b 49 8d 7d 08 e8 a9 28 9e d9 ba e0 ff ff ff 48 8d 7b 1c <41> 2b 55 08 41 01 d4 e8 34 25 9e d9 f6 43 1c 01 74 b1 48 8b bd 68
[ 9247.721243] RSP: 0018:ffff888420188e50 EFLAGS: 00010282
[ 9247.721249] RAX: 0000000000000000 RBX: ffff8881cd93c010 RCX: ffffffffc1717377
[ 9247.721256] RDX: 00000000ffffffe0 RSI: 0000000000000008 RDI: ffff8881cd93c02c
[ 9247.776833] RBP: ffff888420188f48 R08: ffffffffc1716d49 R09: ffff8881e3d860c7
[ 9247.776835] R10: 00000000000000ac R11: 0000000000000001 R12: 0000000000000fcd
[ 9247.776837] R13: 0000000000000000 R14: 0000000000000041 R15: 0000000000000000
[ 9247.776844] FS:  0000000000000000(0000) GS:ffff888420180000(0000) knlGS:0000000000000000
[ 9247.821176] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 9247.821185] CR2: 0000000000000008 CR3: 00000001d941e005 CR4: 0000000000770ee0
[ 9247.821189] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 9247.821191] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 9247.821193] PKRU: 55555554
[ 9247.821196] Kernel panic - not syncing: Fatal exception in interrupt
[ 9247.848380] Kernel Offset: 0x19c00000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 9258.811503] Rebooting in 1 seconds..

Commit/build e42225f5 — disassembly of tfw_hpack_decode with interleaved source (fw/hpack.c) around the faulting instruction:

/home/kingluo/tempesta/fw/hpack.c:833
                                size -= HPACK_ENTRY_OVERHEAD + cp->hdr->len;
   1b8a0:       48 89 df                mov    %rbx,%rdi
   1b8a3:       e8 00 00 00 00          call   1b8a8 <tfw_hpack_decode+0x1828>
                        1b8a4: R_X86_64_PLT32   __asan_load8_noabort-0x4
   1b8a8:       4c 8b 2b                mov    (%rbx),%r13
   1b8ab:       49 8d 7d 08             lea    0x8(%r13),%rdi
   1b8af:       e8 00 00 00 00          call   1b8b4 <tfw_hpack_decode+0x1834>
                        1b8b0: R_X86_64_PLT32   __asan_load8_noabort-0x4
   1b8b4:       ba e0 ff ff ff          mov    $0xffffffe0,%edx
/home/kingluo/tempesta/fw/hpack.c:836
                                if (cp->last)
   1b8b9:       48 8d 7b 1c             lea    0x1c(%rbx),%rdi
/home/kingluo/tempesta/fw/hpack.c:833
                                size -= HPACK_ENTRY_OVERHEAD + cp->hdr->len;  <---- cp->hdr is NULL: it is loaded from (%rbx) into %r13 at 1b8a8, and the `sub 0x8(%r13),%edx` at 1b8bd reads cp->hdr->len at address 0x8 — matching R13 = 0 and CR2 = 0000000000000008 in the oops (RBX/cp itself is non-NULL). KASAN does not report NULL-page accesses, so the #PF is the first diagnostic. Because this runs in softirq on the TCP/TLS receive path (<IRQ>, "Fatal exception in interrupt"), an HPACK stream from a client that drives the dynamic table into this state presumably panics the whole host, not just the connection.
   1b8bd:       41 2b 55 08             sub    0x8(%r13),%edx
   1b8c1:       41 01 d4                add    %edx,%r12d