** Description changed:

+ [SRU Justification]
+ The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
+ the Linux kernel before 4.13.11 mishandles node splitting, which allows
+ local users to cause a denial of service (NULL pointer dereference and
+ panic) via a crafted application, as demonstrated by the keyring key type,
+ and key addition and link creation operations.
+ 
  The "add_key04" from the LTP syscall tests will cause kernel oops on a
  testing node with Trusty kernel installed. And it will make incoming ssh
  connection hang (bug 1775158)
  
+ [Test Case]
+ This issue can easily be reproduced with the "add_key04" test from the LTP 
syscall test suite.
+ 
  Steps (with root):
-   1. sudo apt-get install git xfsprogs -y
-   2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
-   3. cd ltp
-   4. make autotools
-   5. ./configure
-   6. make; make install
-   7. cd /opt/ltp/testcases/bin
-   8. ./add_key04
+   1. sudo apt-get install git -y
+   2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
+   3. cd ltp
+   4. make autotools
+   5. ./configure
+   6. make; make install
+   7. /opt/ltp/testcases/bin/add_key04
  
- Test result:
+ Test result before the patch:
  ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
  tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
  add_key04.c:82: FAIL: kernel oops while filling keyring
  
  Summary:
  passed   0
  failed   1
  skipped  0
  warnings 0
  
  [52399.298894] BUG: unable to handle kernel NULL pointer dereference at 
0000000000000010
  [52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
- [52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0 
- [52399.298952] Oops: 0002 [#1] SMP 
+ [52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
+ [52399.298952] Oops: 0002 [#1] SMP
  [52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa 
ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi 
dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid 
hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw 
ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper 
igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper 
video drm
  [52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 
3.13.0-149-generic #199-Ubuntu
  [52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS 
S1200RP.86B.03.02.0003.070120151022 07/01/2015
  [52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: 
ffff88045a2e2000
  [52399.299159] RIP: 0010:[<ffffffff81387a77>]  [<ffffffff81387a77>] 
assoc_array_apply_edit+0x67/0x110
  [52399.299182] RSP: 0018:ffff88045a2e3df0  EFLAGS: 00010202
  [52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 
0000000000000000
  [52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: 
ffff880456028800
  [52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: 
ffffffff812dba97
  [52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: 
ffff880456f7f680
  [52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 
0000000000000000
  [52399.299278] FS:  00007ff43fc39740(0000) GS:ffff8804704e0000(0000) 
knlGS:0000000000000000
  [52399.299297] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 
0000000000360770
  [52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 
0000000000000000
  [52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 
0000000000000400
  [52399.299361] Stack:
  [52399.299366]  ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 
ffff88045a2e3e50
  [52399.299387]  ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 
ffff880456f7f681
  [52399.299407]  000000003f010000 ffff880456f7f380 ffff88045a1d09c0 
ffff880457b43000
  [52399.299427] Call Trace:
  [52399.299436]  [<ffffffff812d7a33>] __key_link+0x33/0x40
  [52399.299450]  [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
  [52399.299467]  [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
  [52399.299482]  [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
  [52399.299497]  [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
  [52399.299512]  [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
- [52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 
48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 
10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00 
+ [52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 
48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 
10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
  [52399.299625] RIP  [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
  [52399.299642]  RSP <ffff88045a2e3df0>
  [52399.299650] CR2: 0000000000000010
  [52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
+ 
+ Test result after the patch:
+ $ sudo /opt/ltp/testcases/bin/add_key04
+ tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
+ add_key04.c:80: PASS: didn't crash while filling keyring
+ 
+ Summary:
+ passed 1
+ failed 0
+ skipped 0
+ warnings 0
+ 
+ [Regression-potential]
+ Low risk for causing regression.
+ No additional function was added, only an identifier got removed.
+ This fix has already landed in Xenial / Artful, and it's still in the 
mainline tree since then.
+ 
  
  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: linux-image-3.13.0-149-generic 3.13.0-149.199
  ProcVersionSignature: User Name 3.13.0-149.199-generic 3.13.11-ckt39
  Uname: Linux 3.13.0-149-generic x86_64
  AlsaDevices:
-  total 0
-  crw-rw---- 1 root audio 116,  1 Jun  5 12:22 seq
-  crw-rw---- 1 root audio 116, 33 Jun  5 12:22 timer
+  total 0
+  crw-rw---- 1 root audio 116,  1 Jun  5 12:22 seq
+  crw-rw---- 1 root audio 116, 33 Jun  5 12:22 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
  ApportVersion: 2.14.1-0ubuntu3.27
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
  CurrentDmesg: [    3.475549] init: plymouth-upstart-bridge main process 
ended, respawning
  Date: Wed Jun  6 02:54:24 2018
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
  MachineType: Intel Corporation S1200RP
  PciMultimedia:
-  
+ 
  ProcEnviron:
-  TERM=xterm-256color
-  PATH=(custom, no user)
-  XDG_RUNTIME_DIR=<set>
-  LANG=en_US.UTF-8
-  SHELL=/bin/bash
+  TERM=xterm-256color
+  PATH=(custom, no user)
+  XDG_RUNTIME_DIR=<set>
+  LANG=en_US.UTF-8
+  SHELL=/bin/bash
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-149-generic 
root=UUID=b0d2ae4e-12dd-423e-acea-272ee8b2a893 ro
  RelatedPackageVersions:
-  linux-restricted-modules-3.13.0-149-generic N/A
-  linux-backports-modules-3.13.0-149-generic  N/A
-  linux-firmware                              1.127.24
+  linux-restricted-modules-3.13.0-149-generic N/A
+  linux-backports-modules-3.13.0-149-generic  N/A
+  linux-firmware                              1.127.24
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 07/01/2015
  dmi.bios.vendor: Intel Corp.
  dmi.bios.version: S1200RP.86B.03.02.0003.070120151022
  dmi.board.asset.tag: ....................
  dmi.board.name: S1200RP
  dmi.board.vendor: Intel Corporation
  dmi.board.version: G62254-407
  dmi.chassis.asset.tag: ....................
  dmi.chassis.type: 17
  dmi.chassis.vendor: ..............................
  dmi.chassis.version: ..................
  dmi.modalias: 
dmi:bvnIntelCorp.:bvrS1200RP.86B.03.02.0003.070120151022:bd07/01/2015:svnIntelCorporation:pnS1200RP:pvr....................:rvnIntelCorporation:rnS1200RP:rvrG62254-407:cvn..............................:ct17:cvr..................:
  dmi.product.name: S1200RP
  dmi.product.version: ....................
  dmi.sys.vendor: Intel Corporation
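Review bot: the new [SRU Justification] and [Regression-potential] text never identifies the upstream fix being backported: "only an identifier got removed" says neither which identifier nor which commit, and no upstream commit hash or subject is cited anywhere in the description. An SRU reviewer has to compare the Trusty backport against the upstream change, so add a line naming the upstream commit (hash and subject, plus any CVE reference if one exists) and state the Trusty kernel version the fix targets; the description only says "Trusty kernel" and shows the crash on 3.13.0-149-generic.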

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1775316

Title:
  add_key04 in LTP syscall test cause kernel oops (NULL pointer
  dereference) with T kernel

Status in ubuntu-kernel-tests:
  In Progress
Status in linux package in Ubuntu:
  In Progress

Bug description:
  [SRU Justification]
  The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
  the Linux kernel before 4.13.11 mishandles node splitting, which allows
  local users to cause a denial of service (NULL pointer dereference and
  panic) via a crafted application, as demonstrated by the keyring key type,
  and key addition and link creation operations.

  The "add_key04" test from the LTP syscall tests causes a kernel oops on a
  testing node with the Trusty kernel installed, and it makes incoming ssh
  connections hang (bug 1775158).

  [Test Case]
  This issue can easily be reproduced with the "add_key04" test from the LTP syscall test suite.

  Steps (with root):
    1. sudo apt-get install git -y
    2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
    3. cd ltp
    4. make autotools
    5. ./configure
    6. make; make install
    7. /opt/ltp/testcases/bin/add_key04

  Test result before the patch:
  ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
  tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
  add_key04.c:82: FAIL: kernel oops while filling keyring

  Summary:
  passed   0
  failed   1
  skipped  0
  warnings 0

  [52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  [52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
  [52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
  [52399.298952] Oops: 0002 [#1] SMP
  [52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
  [52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
  [52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
  [52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
  [52399.299159] RIP: 0010:[<ffffffff81387a77>]  [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
  [52399.299182] RSP: 0018:ffff88045a2e3df0  EFLAGS: 00010202
  [52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
  [52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
  [52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
  [52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
  [52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
  [52399.299278] FS:  00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
  [52399.299297] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
  [52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  [52399.299361] Stack:
  [52399.299366]  ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
  [52399.299387]  ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
  [52399.299407]  000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
  [52399.299427] Call Trace:
  [52399.299436]  [<ffffffff812d7a33>] __key_link+0x33/0x40
  [52399.299450]  [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
  [52399.299467]  [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
  [52399.299482]  [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
  [52399.299497]  [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
  [52399.299512]  [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
  [52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
  [52399.299625] RIP  [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
  [52399.299642]  RSP <ffff88045a2e3df0>
  [52399.299650] CR2: 0000000000000010
  [52399.302015] ---[ end trace 0f3e00901ea9f056 ]---

  Test result after the patch:
  $ sudo /opt/ltp/testcases/bin/add_key04
  tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
  add_key04.c:80: PASS: didn't crash while filling keyring

  Summary:
  passed 1
  failed 0
  skipped 0
  warnings 0
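Added example, not part of this bug report or of LTP: a small Python parser for the x86-64 oops format quoted in the failing run above, so that a CI job running the LTP keyring tests can recognise this particular crash signature in dmesg instead of only matching on "BUG:". The sample input is constructed from the trace in this report (with the mail wrapping undone); the classifier `is_keyring_assoc_array_oops` and its heuristic are my assumptions, not anything the kernel or LTP provide.

```python
import re

# Constructed sample: the oops from this report with the mail wrapping undone.
SAMPLE_OOPS = """\
[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.298952] Oops: 0002 [#1] SMP
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299427] Call Trace:
[52399.299436]  [<ffffffff812d7a33>] __key_link+0x33/0x40
[52399.299482]  [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
[52399.299497]  [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
"""

TS = r"^\[\s*\d+\.\d+\]\s*"  # dmesg timestamp prefix
BUG_RE = re.compile(TS + r"BUG: unable to handle kernel NULL pointer dereference at ([0-9a-f]+)")
IP_RE = re.compile(TS + r"IP: \[<[0-9a-f]+>\] (\S+)")
OOPS_RE = re.compile(TS + r"Oops: ([0-9a-f]+) \[#(\d+)\]")
CPU_RE = re.compile(TS + r"CPU: \d+ PID: (\d+) Comm: (\S+) (Not tainted|Tainted: .*?)\s+(\S+) #")
FRAME_RE = re.compile(TS + r"\[<[0-9a-f]+>\] (\? )?(\S+)")  # "? " marks an unreliable frame

def parse_oops(text):
    """Summarise the first x86-64 oops in a dmesg capture; None if there is none."""
    info, in_trace = None, False
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            info, in_trace = {"fault_addr": int(m.group(1), 16), "trace": [], "unreliable": []}, False
        elif info is None:
            continue
        elif m := IP_RE.match(line):
            info["ip_symbol"] = m.group(1)
        elif m := OOPS_RE.match(line):
            # x86 page-fault error code: bit 1 set means the faulting access was a write.
            info.update(write=bool(int(m.group(1), 16) & 2), oops_count=int(m.group(2)))
        elif m := CPU_RE.match(line):
            info.update(pid=int(m.group(1)), comm=m.group(2),
                        tainted=m.group(3) != "Not tainted", kernel=m.group(4))
        elif "Call Trace:" in line:
            in_trace = True
        elif in_trace and (m := FRAME_RE.match(line)):
            (info["unreliable"] if m.group(1) else info["trace"]).append(m.group(2))
    return info

def is_keyring_assoc_array_oops(info):
    """Heuristic (assumed) for this report's crash: a fault inside the NULL page taken in
    assoc_array_apply_edit, reached from the keyring code while linking a newly added key."""
    return (info is not None and info["fault_addr"] < 4096
            and info.get("ip_symbol", "").startswith("assoc_array_apply_edit")
            and any(f.startswith(("__key_link", "SyS_add_key")) for f in info["trace"]))
```

The Oops: 0002 value is the x86 page-fault error code, and bit 1 being set means the faulting access was a write; that agrees with the rest of the trace, where RAX and CR2 are both 0x10 and the marked instruction in the Code: line, <48> 89 10 (mov %rdx,(%rax)), stores through a NULL pointer at offset 0x10.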

  [Regression-potential]
  Low risk for causing regression.
  No additional function was added, only an identifier got removed.
  This fix has already landed in Xenial / Artful, and it has been in the mainline tree since then.

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: linux-image-3.13.0-149-generic 3.13.0-149.199
  ProcVersionSignature: User Name 3.13.0-149.199-generic 3.13.11-ckt39
  Uname: Linux 3.13.0-149-generic x86_64
  AlsaDevices:
   total 0
   crw-rw---- 1 root audio 116,  1 Jun  5 12:22 seq
   crw-rw---- 1 root audio 116, 33 Jun  5 12:22 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
  ApportVersion: 2.14.1-0ubuntu3.27
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
  CurrentDmesg: [    3.475549] init: plymouth-upstart-bridge main process ended, respawning
  Date: Wed Jun  6 02:54:24 2018
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
  MachineType: Intel Corporation S1200RP
  PciMultimedia:

  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=en_US.UTF-8
   SHELL=/bin/bash
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-149-generic root=UUID=b0d2ae4e-12dd-423e-acea-272ee8b2a893 ro
  RelatedPackageVersions:
   linux-restricted-modules-3.13.0-149-generic N/A
   linux-backports-modules-3.13.0-149-generic  N/A
   linux-firmware                              1.127.24
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: No upgrade log present (probably fresh install)
  dmi.bios.date: 07/01/2015
  dmi.bios.vendor: Intel Corp.
  dmi.bios.version: S1200RP.86B.03.02.0003.070120151022
  dmi.board.asset.tag: ....................
  dmi.board.name: S1200RP
  dmi.board.vendor: Intel Corporation
  dmi.board.version: G62254-407
  dmi.chassis.asset.tag: ....................
  dmi.chassis.type: 17
  dmi.chassis.vendor: ..............................
  dmi.chassis.version: ..................
  dmi.modalias: 
dmi:bvnIntelCorp.:bvrS1200RP.86B.03.02.0003.070120151022:bd07/01/2015:svnIntelCorporation:pnS1200RP:pvr....................:rvnIntelCorporation:rnS1200RP:rvrG62254-407:cvn..............................:ct17:cvr..................:
  dmi.product.name: S1200RP
  dmi.product.version: ....................
  dmi.sys.vendor: Intel Corporation

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1775316/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
