Package: network-manager
Version: 1.6.2-3

Analysis:

During analysis, I have observed that the Linux kernel is vulnerable to a stack overflow, and in testing it is confirmed that the stack overflow guard is hit. I have found that the vmnet-bridge module throws a segfault (which shall be the issue) when a USB tethering device is connected to the machine.
How to reproduce:

1. Connect a device with USB tethering capability [I used my OnePlus 3 phone].
2. Switch on USB tethering.

This will stop the terminal from working. Nautilus seems to be working correctly.

Technical Details:

*Overflow log from /var/messages*

May 13 18:15:12 N3S7 kernel: [ 881.503677] usb 1-3: USB disconnect, device number 8
May 13 18:15:13 N3S7 kernel: [ 881.933810] usb 1-3: new high-speed USB device number 9 using xhci_hcd
May 13 18:15:13 N3S7 kernel: [ 882.074788] usb 1-3: New USB device found, idVendor=2a70, idProduct=f00e
May 13 18:15:13 N3S7 kernel: [ 882.074791] usb 1-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
May 13 18:15:13 N3S7 kernel: [ 882.074793] usb 1-3: Product: Android
May 13 18:15:13 N3S7 kernel: [ 882.074794] usb 1-3: Manufacturer: Android
May 13 18:15:13 N3S7 kernel: [ 882.074795] usb 1-3: SerialNumber: 573b777c
May 13 18:15:13 N3S7 mtp-probe: checking bus 1, device 9: "/sys/devices/pci0000:00/0000:00:14.0/usb1/1-3"
May 13 18:15:13 N3S7 mtp-probe: bus: 1, device: 9 was not an MTP device
May 13 18:15:13 N3S7 kernel: [ 882.102360] usbcore: registered new interface driver cdc_ether
May 13 18:15:13 N3S7 kernel: [ 882.105120] rndis_host 1-3:1.0 usb0: register 'rndis_host' at usb-0000:00:14.0-3, RNDIS device, ae:0a:e7:85:b3:32
May 13 18:15:13 N3S7 kernel: [ 882.106191] usbcore: registered new interface driver rndis_host
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4680] manager: (usb0): new Ethernet device (/org/freedesktop/NetworkManager/Devices/7)
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4822] devices added (path: /sys/devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/net/usb0, iface: usb0)
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4827] device added (path: /sys/devices/pci0000:00/0000:00:14.0/usb1/1-3/1-3:1.0/net/usb0, iface: usb0): no ifupdown configuration found.
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4842] device (usb0): state change: unmanaged -> unavailable (reason 'managed') [10 20 2]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4859] device (usb0): link connected
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4877] device (usb0): state change: unavailable -> disconnected (reason 'none') [20 30 0]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4927] policy: auto-activating connection 'Profile 1'
May 13 18:15:13 N3S7 kernel: [ 882.124130] IPv6: ADDRCONF(NETDEV_UP): usb0: link is not ready
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4953] device (usb0): Activation: starting connection 'Profile 1' (b8575be4-2a7b-49ee-9c41-685e24c5baf3)
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4957] device (usb0): state change: disconnected -> prepare (reason 'none') [30 40 0]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4965] device (usb0): state change: prepare -> config (reason 'none') [40 50 0]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.4979] device (usb0): state change: config -> ip-config (reason 'none') [50 70 0]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.5210] device (usb0): state change: ip-config -> ip-check (reason 'none') [70 80 0]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.5228] device (usb0): state change: ip-check -> secondaries (reason 'none') [80 90 0]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.5233] device (usb0): state change: secondaries -> activated (reason 'none') [90 100 0]
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.5602] manager: NetworkManager state is now CONNECTED_LOCAL
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.5604] manager: NetworkManager state is now CONNECTED_GLOBAL
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.5605] policy: set 'Profile 1' (usb0) as default for IPv4 routing and DNS
May 13 18:15:13 N3S7 NetworkManager[698]: <info> [1494679513.5606] device (usb0): Activation: successful, device activated.
May 13 18:15:13 N3S7 kernel: [ 882.179460] kernel stack overflow (page fault): 0000 [#1] SMP
May 13 18:15:13 N3S7 kernel: [ 882.179522] Modules linked in: rndis_host cdc_ether usbnet nls_utf8 isofs uas usb_storage cmac rfcomm bnep vmnet(O) ppdev parport_pc parport fuse pci_stub vboxpci(O) vmw_vsock_vmci_transport vsock vmw_vmci vboxnetadp(O) vmmon(O) vboxnetflt(O) vboxdrv(O) ctr ccm nfnetlink_queue nfnetlink_log nfnetlink snd_hda_codec_hdmi btusb btrtl btbcm btintel bluetooth binfmt_misc uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core videodev intel_rapl media x86_pkg_temp_thermal snd_hda_codec_realtek snd_hda_codec_generic snd_hda_intel arc4 iTCO_wdt iTCO_vendor_support snd_hda_codec snd_hda_core intel_powerclamp coretemp kvm_intel kvm snd_hwdep iwlmvm mac80211 irqbypass intel_cstate intel_uncore intel_rapl_perf i915 evdev joydev pcspkr serio_raw drm_kms_helper rtsx_pci_ms memstick iwlwifi drm
May 13 18:15:13 N3S7 kernel: [ 882.180314] mei_me mei lpc_ich i2c_algo_bit ak8975 sg cfg80211 shpchp inv_mpu6050_i2c inv_mpu6050 industrialio_triggered_buffer kfifo_buf ideapad_laptop industrialio snd_soc_ssm4567 snd_soc_rt286 snd_soc_rl6347a snd_soc_core snd_compress snd_pcm sparse_keymap rfkill wmi snd_timer ac video snd snd_soc_sst_acpi battery elan_i2c dw_dmac dw_dmac_core soundcore snd_soc_sst_match i2c_mux acpi_pad button ip_tables x_tables autofs4 ext4 crc16 jbd2 crc32c_generic fscrypto ecb mbcache sr_mod cdrom sd_mod crct10dif_pclmul crc32_pclmul crc32c_intel ghash_clmulni_intel rtsx_pci_sdmmc aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd i2c_i801 i2c_smbus psmouse ahci libahci libata ehci_pci scsi_mod xhci_pci ehci_hcd xhci_hcd r8169 mii rtsx_pci usbcore mfd_core usb_common fan thermal sdhci_acpi sdhci mmc_core i2c_hid hid i2c_designware_platform i2c_designware_core
May 13 18:15:13 N3S7 kernel: [ 882.181171] CPU: 2 PID: 1353 Comm: vmnet-bridge Tainted: G O 4.9.0-kali4-amd64 #1 Debian 4.9.25-1kali1
May 13 18:15:13 N3S7 kernel: [ 882.181256] Hardware name: LENOVO 80LS/Lenovo B40-80, BIOS A8CN47WW(V3.00) 07/14/2015
May 13 18:15:13 N3S7 kernel: [ 882.181324] task: ffff9d0e8ed6a080 task.stack: ffffc01cc186c000
May 13 18:15:13 N3S7 kernel: [ 882.181376] RIP: 0010:[<ffffffffc0da6088>] [<ffffffffc0da6088>] VNetBridgeNotify+0x38/0x140 [vmnet]
May 13 18:15:13 N3S7 kernel: [ 882.181459] RSP: 0018:ffffc01cc186fca8 EFLAGS: 00010246
May 13 18:15:13 N3S7 kernel: [ 882.181503] RAX: 0000000000000000 RBX: ffff9d0e9381e400 RCX: 0000000000000006
May 13 18:15:13 N3S7 kernel: [ 882.181563] RDX: ffffc01cc186fcc8 RSI: 0000000000000001 RDI: ffff9d0e9381e400
May 13 18:15:13 N3S7 kernel: [ 882.181624] RBP: ffff9d0e95726000 R08: 0000000000000000 R09: 00000000000118e0
May 13 18:15:13 N3S7 kernel: [ 882.181685] R10: 0000000000000000 R11: 0000000000000001 R12: ffffffff978d64d8
May 13 18:15:13 N3S7 kernel: [ 882.181737] R13: 0000000000000000 R14: 0000000000000000 R15: ffffffff978d63c0
May 13 18:15:13 N3S7 kernel: [ 882.181798] FS: 00007fbfd6ba8700(0000) GS:ffff9d0e9f300000(0000) knlGS:0000000000000000
May 13 18:15:13 N3S7 kernel: [ 882.181865] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
May 13 18:15:13 N3S7 kernel: [ 882.181916] CR2: ffffc01cc18701b0 CR3: 0000000253253000 CR4: 00000000001406e0
May 13 18:15:13 N3S7 kernel: [ 882.181976] Stack:
May 13 18:15:13 N3S7 kernel: [ 882.181997] ffff9d0e93955c00 ffff9d0e9381e400 ffff9d0e95726000 ffffffff970f8434
May 13 18:15:13 N3S7 kernel: [ 882.182067] ffff9d0e95726000 00000000dcb5d302 ffff9d0e9381e400 ffffc01cc186fd40
May 13 18:15:13 N3S7 kernel: [ 882.182134] 0000000000000000 ffffc01cc186fd6c 0000000000000000 ffff9d0e91b44060
May 13 18:15:13 N3S7 kernel: [ 882.182210] Call Trace:
May 13 18:15:13 N3S7 kernel: [ 882.182240] [<ffffffff970f8434>] ? register_netdevice_notifier+0x1b4/0x1c0
May 13 18:15:13 N3S7 kernel: [ 882.182302] [<ffffffffc0da63e6>] ? VNetBridge_Create+0x206/0x230 [vmnet]
May 13 18:15:13 N3S7 kernel: [ 882.182361] [<ffffffffc0da3186>] ? VNetFileOpUnlockedIoctl+0x626/0x7d0 [vmnet]
May 13 18:15:13 N3S7 kernel: [ 882.182427] [<ffffffff971ff47b>] ? __schedule+0x23b/0x6d0
May 13 18:15:13 N3S7 kernel: [ 882.182476] [<ffffffff971ff942>] ? schedule+0x32/0x80
May 13 18:15:13 N3S7 kernel: [ 882.182525] [<ffffffff96c852a1>] ? ptrace_stop+0x201/0x290
May 13 18:15:13 N3S7 kernel: [ 882.182572] [<ffffffff96c853b6>] ? ptrace_do_notify+0x86/0xb0
May 13 18:15:13 N3S7 kernel: [ 882.182625] [<ffffffff96e1610f>] ? do_vfs_ioctl+0x9f/0x600
May 13 18:15:13 N3S7 kernel: [ 882.182670] [<ffffffff96c866d5>] ? ptrace_notify+0x55/0x80
May 13 18:15:13 N3S7 kernel: [ 882.182717] [<ffffffff96c0330a>] ? syscall_trace_enter+0x7a/0x2c0
May 13 18:15:13 N3S7 kernel: [ 882.182769] [<ffffffff96e166e4>] ? SyS_ioctl+0x74/0x80
May 13 18:15:13 N3S7 kernel: [ 882.182816] [<ffffffff96c03b1c>] ? do_syscall_64+0x7c/0xf0
May 13 18:15:13 N3S7 kernel: [ 882.182868] [<ffffffff972041ef>] ? entry_SYSCALL64_slow_path+0x25/0x25
May 13 18:15:13 N3S7 kernel: [ 882.182926] Code: 08 48 83 fe 02 0f 84 bd 00 00 00 48 83 fe 06 0f 84 8a 00 00 00 48 83 fe 01 74 09 48 83 c4 08 31 c0 5b 5d c3 48 83 7f 28 00 75 f0 <48> 81 ba e8 04 00 00 c0 63 8d 97 75 e3 48 8d 6f 18 48 89 d7 48
May 13 18:15:13 N3S7 kernel: [ 882.183341] RSP <ffffc01cc186fca8>
May 13 18:15:13 N3S7 kernel: [ 882.193988] ---[ end trace 51313f7dc2ebf875 ]---

*Strace for the vmnet-bridge driver*

dh4wk@N3S7:~$ sudo strace -p 1266
strace: Process 1266 attached
restart_syscall(<... resuming interrupted poll ...>) = 1
recvfrom(6, {{len=64, type=0x10 /* NLMSG_??? */, flags=0, seq=0, pid=0}, "\0\0\1\0\3\0\0\0C\20\1\0\0\0\0\0\n\0\3\0wlan0\0\0\0\24\0\v\0"...}, 16384, 0, NULL, NULL) = 64
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=1236, type=0x10 /* NLMSG_??? */, flags=0, seq=0, pid=0}, "\0\0\1\0\6\0\0\0\2\20\0\0\377\377\377\377\t\0\3\0usb0\0\0\0\0\10\0\r\0"...}, 16384, 0, NULL, NULL) = 1236
sendto(3, "<30>May 13 17:56:28 vmnetBridge:"..., 81, MSG_NOSIGNAL, NULL, 0) = 81
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=1240, type=0x10 /* NLMSG_??? */, flags=0, seq=0, pid=0}, "\0\0\1\0\6\0\0\0C\20\1\0\1\0\0\0\t\0\3\0usb0\0\0\0\0\10\0\r\0"...}, 16384, 0, NULL, NULL) = 1240
sendto(3, "<30>May 13 17:56:28 vmnetBridge:"..., 81, MSG_NOSIGNAL, NULL, 0) = 81
sendto(3, "<30>May 13 17:56:28 vmnetBridge:"..., 63, MSG_NOSIGNAL, NULL, 0) = 63
recvfrom(6, {{len=1240, type=0x10 /* NLMSG_??? */, flags=0, seq=0, pid=0}, "\0\0\1\0\6\0\0\0C\20\1\0\0\0\0\0\t\0\3\0usb0\0\0\0\0\10\0\r\0"...}, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = 1240
recvfrom(6, {{len=1240, type=0x10 /* NLMSG_??? */, flags=0, seq=0, pid=0}, "\0\0\1\0\6\0\0\0C\20\1\0\0\0\0\0\t\0\3\0usb0\0\0\0\0\10\0\r\0"...}, 16384, 0, NULL, NULL) = 1240
sendto(3, "<30>May 13 17:56:28 vmnetBridge:"..., 81, MSG_NOSIGNAL, NULL, 0) = 81
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=1240, type=0x10 /* NLMSG_??? */, flags=0, seq=0, pid=0}, "\0\0\1\0\6\0\0\0C\20\1\0\0\0\0\0\t\0\3\0usb0\0\0\0\0\10\0\r\0"...}, 16384, 0, NULL, NULL) = 1240
sendto(3, "<30>May 13 17:56:28 vmnetBridge:"..., 81, MSG_NOSIGNAL, NULL, 0) = 81
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=60, type=0x18 /* NLMSG_??? */, flags=0x600 /* NLM_F_??? */, seq=0, pid=0}, "\2 \0\0\377\2\376\2\0\0\0\0\10\0\17\0\377\0\0\0\10\0\1\0\n\0\0\24\10\0\7\0"...}, 16384, 0, NULL, NULL) = 60
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=60, type=0x18 /* NLMSG_??? */, flags=0x600 /* NLM_F_??? */, seq=0, pid=0}, "\2 \0\0\377\2\375\3\0\0\0\0\10\0\17\0\377\0\0\0\10\0\1\0\n\377\377\377\10\0\7\0"...}, 16384, 0, NULL, NULL) = 60
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=60, type=0x18 /* NLMSG_??? */, flags=0x600 /* NLM_F_??? */, seq=0, pid=0}, "\2\10\0\0\376\2\375\1\0\0\0\0\10\0\17\0\376\0\0\0\10\0\1\0\n\0\0\0\10\0\7\0"...}, 16384, 0, NULL, NULL) = 60
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=60, type=0x18 /* NLMSG_??? */, flags=0x600 /* NLM_F_??? */, seq=0, pid=0}, "\2 \0\0\377\2\375\3\0\0\0\0\10\0\17\0\377\0\0\0\10\0\1\0\n\0\0\0\10\0\7\0"...}, 16384, 0, NULL, NULL) = 60
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=60, type=0x19 /* NLMSG_??? */, flags=0, seq=66, pid=2218787508}, "\2\10\0\0\376\2\375\1\0\0\0\0\10\0\17\0\376\0\0\0\10\0\1\0\n\0\0\0\10\0\7\0"...}, 16384, 0, NULL, NULL) = 60
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=68, type=0x18 /* NLMSG_??? */, flags=0x600 /* NLM_F_??? */, seq=67, pid=2218787508}, "\2\10\0\0\376\2\375\1\0\0\0\0\10\0\17\0\376\0\0\0\10\0\1\0\n\0\0\0\10\0\6\0"...}, 16384, 0, NULL, NULL) = 68
recvfrom(6, 0x55828d642240, 16384, MSG_PEEK|MSG_DONTWAIT, NULL, NULL) = -1 EAGAIN (Resource temporarily unavailable)
poll([{fd=6, events=POLLIN}, {fd=5, events=POLLIN}], 2, -1) = 1 ([{fd=6, revents=POLLIN}])
recvfrom(6, {{len=60, type=0x18 /* NLMSG_??? */, flags=0x600 /* NLM_F_??? */, seq=68, pid=2218787508}, "\2\0\0\0\376\4\0\1\0\0\0\0\10\0\17\0\376\0\0\0\10\0\6\0d\0\0\0\10\0\5\0"...}, 16384, 0, NULL, NULL) = 60
sendto(3, "<30>May 13 17:56:28 vmnetBridge:"..., 55, MSG_NOSIGNAL, NULL, 0) = 55
close(8) = 0
sendto(3, "<30>May 13 17:56:28 vmnetBridge:"..., 76, MSG_NOSIGNAL, NULL, 0) = 76
open("/dev/vmnet0", O_RDWR) = 8
ioctl(8, _IOC(_IOC_READ|_IOC_WRITE, 0x99, 0xe0, 0x04), 0x7ffcca9d56fc) = 0
ioctl(8, _IOC(_IOC_WRITE, 0x99, 0xe4, 0x24) <unfinished ...>
) = ?
+++ killed by SIGSEGV +++

Other Details

*uname -a*

Linux N3S7 4.9.0-kali4-amd64 #1 SMP Debian 4.9.25-1kali1 (2017-05-04) x86_64 GNU/Linux

As known, network-manager, on restarting after the bug occurs, throws a "Null Pointer Dereference".

Regards,
dHawk
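Added example (editor's code, not part of the report and not code from the reporter, Debian, NetworkManager or the kernel): a small Python triage script for a kernel oops of the kind pasted above. It strips the syslog prefix, parses the fault header, the taint flags, the `(O)` markers in "Modules linked in", the `RIP` line and the call trace, and reports which module owns the faulting instruction and whether that module is out-of-tree, which is the first thing a triager settles before deciding which package such a report belongs to. The sample lines are abridged from the report's own log; the regular expressions assume the x86-64 oops layout of the 4.9 kernel shown here (`[<addr>]` frames with `?` markers), which later kernels print differently.

```python
"""Triage a Linux kernel oops as it appears in syslog (added example, not the
reporter's, Debian's or the kernel's code). Parses the lines shown in the bug
report above: fault header, "Modules linked in", CPU/taint line, RIP, Call Trace."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Drop "May 13 18:15:13 N3S7 kernel: [ 882.181376] " so patterns see raw printk text.
SYSLOG_PREFIX = re.compile(r"^\w{3}\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+kernel:\s+\[\s*[\d.]+\]\s?")
OOPS_HEADER = re.compile(r"^(.+?): [0-9a-f]{4} \[#(\d+)\]")  # "<kind>: <errcode> [#<n>] SMP"
CPU_LINE = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+) (?:Not tainted |Tainted: ((?:[A-Z]\s+)*))(\S+)")
SYMBOL = r"(?P<sym>[A-Za-z_.$][\w.$]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?"
RIP_LINE = re.compile(r"^RIP: [0-9a-f]{4}:(?:\[<(?P<addr>[0-9a-f]+)>\] )*" + SYMBOL)
FRAME = re.compile(r"\[<(?P<addr>[0-9a-f]+)>\] (?P<guess>\? )?" + SYMBOL)
MODULE_TOKEN = re.compile(r"^(\w+)\(([A-Z]+)\)$")  # e.g. vmnet(O) or foo(OE)

# Taint letters as printed by the kernel (subset of the documented flags).
TAINT_FLAGS = {
    "P": "proprietary module loaded", "G": "only GPL-compatible modules loaded",
    "F": "module force-loaded", "R": "module force-unloaded", "W": "an earlier WARN() fired",
    "D": "kernel already died once", "C": "staging driver loaded", "I": "firmware bug worked around",
    "O": "out-of-tree module loaded", "E": "unsigned module loaded", "L": "soft lockup occurred",
    "K": "kernel was live-patched",
}

@dataclass
class Frame:
    addr: str
    symbol: str
    module: Optional[str]  # None: symbol lives in vmlinux, not in a module
    reliable: bool         # False for "? sym": stack word the unwinder could not verify

@dataclass
class Oops:
    kind: str = ""
    pid: int = 0
    comm: str = ""
    kernel: str = ""
    taint: Set[str] = field(default_factory=set)
    out_of_tree: Set[str] = field(default_factory=set)  # modules flagged (O)
    rip: Optional[Frame] = None
    trace: List[Frame] = field(default_factory=list)

    def taint_reasons(self) -> List[str]:
        return [TAINT_FLAGS.get(f, f"unknown taint flag {f}") for f in sorted(self.taint)]

    def modules_in_trace(self) -> List[str]:
        seen: List[str] = []
        for f in ([self.rip] if self.rip else []) + self.trace:
            if f.module and f.module not in seen:
                seen.append(f.module)
        return seen

    def verdict(self) -> str:
        if self.rip is None:
            return "no RIP line found"
        if self.rip.module is None:
            return f"fault in core kernel symbol {self.rip.symbol}"
        owner = "out-of-tree" if self.rip.module in self.out_of_tree else "in-tree"
        core = next((f for f in self.trace if f.module is None), None)
        tail = f"; nearest core-kernel frame: {core.symbol}" if core else ""
        return f"fault in {owner} module '{self.rip.module}' at {self.rip.symbol}{tail}"

def parse_oops(lines) -> Oops:
    o, section = Oops(), None
    for raw in lines:
        line = SYSLOG_PREFIX.sub("", raw.strip())
        if not o.kind and (m := OOPS_HEADER.match(line)):
            o.kind = m.group(1)
            continue
        if line.startswith("Modules linked in:"):
            section, line = "modules", line[len("Modules linked in:"):]
        if section == "modules" and not line.startswith("CPU:"):  # list may continue on next line
            for tok in line.split():
                if (m := MODULE_TOKEN.match(tok)) and "O" in m.group(2):
                    o.out_of_tree.add(m.group(1))
            continue
        if m := CPU_LINE.match(line):
            section = None
            o.pid, o.comm, o.kernel = int(m.group(1)), m.group(2), m.group(4)
            o.taint = set(re.findall(r"[A-Z]", m.group(3) or ""))
            continue
        if m := RIP_LINE.match(line):
            o.rip = Frame(m["addr"] or "", m["sym"], m["mod"], True)
            continue
        if line.startswith("Call Trace:"):
            section = "trace"
            continue
        if section == "trace":
            if line.startswith(("Code:", "RSP <", "---[")):
                section = None
            for m in FRAME.finditer(line):
                o.trace.append(Frame(m["addr"], m["sym"], m["mod"], m["guess"] is None))
    return o

# Abridged from the report's own log (module list shortened, register dump omitted).
SAMPLE = """\
May 13 18:15:13 N3S7 kernel: [ 882.179460] kernel stack overflow (page fault): 0000 [#1] SMP
May 13 18:15:13 N3S7 kernel: [ 882.179522] Modules linked in: rndis_host cdc_ether usbnet vmnet(O) vboxdrv(O) i915 drm
May 13 18:15:13 N3S7 kernel: [ 882.180314] mei_me mei usbcore xhci_hcd
May 13 18:15:13 N3S7 kernel: [ 882.181171] CPU: 2 PID: 1353 Comm: vmnet-bridge Tainted: G O 4.9.0-kali4-amd64 #1 Debian 4.9.25-1kali1
May 13 18:15:13 N3S7 kernel: [ 882.181376] RIP: 0010:[<ffffffffc0da6088>] [<ffffffffc0da6088>] VNetBridgeNotify+0x38/0x140 [vmnet]
May 13 18:15:13 N3S7 kernel: [ 882.181976] Stack:
May 13 18:15:13 N3S7 kernel: [ 882.181997] ffff9d0e93955c00 ffff9d0e9381e400 ffff9d0e95726000 ffffffff970f8434
May 13 18:15:13 N3S7 kernel: [ 882.182210] Call Trace:
May 13 18:15:13 N3S7 kernel: [ 882.182240] [<ffffffff970f8434>] ? register_netdevice_notifier+0x1b4/0x1c0
May 13 18:15:13 N3S7 kernel: [ 882.182302] [<ffffffffc0da63e6>] ? VNetBridge_Create+0x206/0x230 [vmnet]
May 13 18:15:13 N3S7 kernel: [ 882.182361] [<ffffffffc0da3186>] ? VNetFileOpUnlockedIoctl+0x626/0x7d0 [vmnet]
May 13 18:15:13 N3S7 kernel: [ 882.182625] [<ffffffff96e1610f>] ? do_vfs_ioctl+0x9f/0x600
May 13 18:15:13 N3S7 kernel: [ 882.182769] [<ffffffff96e166e4>] ? SyS_ioctl+0x74/0x80
May 13 18:15:13 N3S7 kernel: [ 882.182926] Code: 08 48 83 fe 02 0f 84 bd 00 00 00
May 13 18:15:13 N3S7 kernel: [ 882.183341] RSP <ffffc01cc186fca8>
May 13 18:15:13 N3S7 kernel: [ 882.193988] ---[ end trace 51313f7dc2ebf875 ]---
"""

if __name__ == "__main__":
    oops = parse_oops(SAMPLE.splitlines())
    print(oops.kind, "in", oops.comm, f"(pid {oops.pid})", "on", oops.kernel)
    print("taint:", "; ".join(oops.taint_reasons()))
    print("modules in trace:", oops.modules_in_trace(), "unverified frames:",
          sum(not f.reliable for f in oops.trace), "of", len(oops.trace))
    print(oops.verdict())
```

Run against the sample, the verdict reads "fault in out-of-tree module 'vmnet' at VNetBridgeNotify; nearest core-kernel frame: register_netdevice_notifier". Two things the script makes explicit that are easy to miss when reading the raw log: every frame in this trace carries a `?`, so the 4.9 frame-pointer unwinder could not verify any of them and the `ptrace_*` and `schedule` entries may be leftover stack words rather than real callers; and the `O` taint plus the `(O)` marker on `vmnet` place the faulting instruction in an out-of-tree module, which is where a crash report like this one is best routed first.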