Rediscovered also on our systems, then found this bug report.

Reproducer for Ubuntu Trusty LTS:

auditctl -a always,exit -F arch=b64 -S bind

#!/usr/bin/python2 -BEsSt
import socket
testSocket=socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
testSocket.bind('sock')

# dmesg -c
[  145.499064] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  145.499522] IP: [<ffffffff811d8024>] d_path+0x24/0x120
[  145.499815] PGD 3bfe8067 PUD 3d080067 PMD 0 
[  145.500236] Oops: 0000 [#1] SMP 
[  145.500539] Modules linked in: nf_conntrack_netlink xt_multiport ppdev xt_hashlimit ipt_REJECT xt_tcpudp xt_NFLOG nfnetlink_log xt_conntrack iptable_filter iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat serio_raw nf_conntrack iptable_mangle ip_tables x_tables parport_pc i2c_piix4 parport video nfnetlink_acct mac_hid nfnetlink psmouse ahci libahci pata_acpi
[  145.502264] CPU: 0 PID: 1128 Comm: crash Not tainted 3.13.0-86-generic #130-Ubuntu
[  145.502264] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  145.502264] task: ffff88003a0cc800 ti: ffff88003d0d4000 task.ti: ffff88003d0d4000
[  145.502264] RIP: 0010:[<ffffffff811d8024>]  [<ffffffff811d8024>] d_path+0x24/0x120
[  145.502264] RSP: 0018:ffff88003d0d5db8  EFLAGS: 00010286
[  145.502264] RAX: ffff88003795d00b RBX: ffff88003b937660 RCX: 00000000000005b5
[  145.502264] RDX: 000000000000100b RSI: ffff88003795c000 RDI: 0000000000000000
[  145.502264] RBP: ffff88003d0d5de0 R08: 0000000000016040 R09: ffff88003e001200
[  145.502264] R10: ffffffff810fb1d6 R11: ffff88003d0d5c06 R12: ffff88003b6420c0
[  145.502264] R13: ffff88003b937660 R14: ffff88003b937400 R15: 0000000000000000
[  145.502264] FS:  00007f0280520740(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[  145.502264] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  145.502264] CR2: 0000000000000060 CR3: 000000003cf68000 CR4: 00000000000006f0
[  145.502264] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  145.502264] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  145.502264] Stack:
[  145.502264]  0000100b3b6420c0 ffff88003795d00b ffff88003b937660 ffff88003b937400
[  145.502264]  ffff88003795c000 ffff88003d0d5e08 ffffffff810fb1ee ffff88003b6420c0
[  145.502264]  ffff88003b937460 0000000000000000 ffff88003d0d5e78 ffffffff810fc658
[  145.502264] Call Trace:
[  145.502264]  [<ffffffff810fb1ee>] audit_log_d_path+0x5e/0xd0
[  145.502264]  [<ffffffff810fc658>] audit_log_name+0x1b8/0x320
[  145.502264]  [<ffffffff810f9d33>] ? audit_buffer_free+0x73/0xa0
[  145.502264]  [<ffffffff810fefc7>] audit_log_exit+0x3d7/0xb90
[  145.502264]  [<ffffffff81101747>] __audit_syscall_exit+0x277/0x2d0
[  145.502264]  [<ffffffff8173b144>] sysret_audit+0x17/0x21
[  145.502264] Code: ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f 
[  145.502264] RIP  [<ffffffff811d8024>] d_path+0x24/0x120
[  145.502264]  RSP <ffff88003d0d5db8>
[  145.502264] CR2: 0000000000000060
[  145.527823] ---[ end trace 0c532c3c01bea0ff ]---

# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04

# cat /proc/version
Linux version 3.13.0-86-generic (buildd@lgw01-19) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #130-Ubuntu SMP Mon Apr 18 18:27:15 UTC 2016
root@localhost:~# apt-cache policy linux-image-3.13.0-86-generic
linux-image-3.13.0-86-generic:
  Installed: 3.13.0-86.130
  Candidate: 3.13.0-86.130
  Version table:
 *** 3.13.0-86.130 0
        500 http://ubuntu-proxy-ehealth.d03.arc.local/ubuntu/ trusty-updates/main amd64 Packages
        500 http://ubuntu-proxy-ehealth.d03.arc.local/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status


** Changed in: linux (Ubuntu)
       Status: Expired => Confirmed

https://bugs.launchpad.net/bugs/1508737

Title:
  unix domain socket bind causes kernel audit NULL pointer deference
