add_key04 in LTP syscall test cause kernel oops (NULL pointer dereference) with T kernel

Bug #1775316 reported by Po-Hsu Lin
Affects              Status        Importance  Assigned to  Milestone
ubuntu-kernel-tests  Fix Released  Undecided   Po-Hsu Lin
linux (Ubuntu)       Fix Released  Undecided   Po-Hsu Lin
  Trusty             Fix Released  Undecided   Unassigned

Bug Description

[SRU Justification]
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
the Linux kernel before 4.13.11 mishandles node splitting, which allows
local users to cause a denial of service (NULL pointer dereference and
panic) via a crafted application, as demonstrated by the keyring key type,
and key addition and link creation operations.

The "add_key04" test from the LTP syscall test suite causes a kernel oops on a testing node with the Trusty kernel installed, and it makes incoming ssh connections hang (bug 1775158).

[Test Case]
This issue can easily be reproduced with the "add_key04" test from the LTP syscall test suite.

Steps (with root):
  1. sudo apt-get install git -y
  2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
  3. cd ltp
  4. make autotools
  5. ./configure
  6. make; make install
  7. /opt/ltp/testcases/bin/add_key04
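
A stand-alone harness for the same add_key(2) path, added here as an example; it is not the LTP add_key04 test and not code from this bug's fix. It creates a fresh keyring under the process keyring and links 18 "user" keys into it through raw syscall(2), which is more than the 16 slots of one assoc_array node and so forces at least one node split. The keyring name, key descriptions and payload are constructed for the example. It does not replay add_key04's exact key sequence, so finishing cleanly is not proof that a kernel is fixed; use the LTP test for that. On an affected kernel the process may simply not return, because the oops happens inside the kernel.

```c
/* add_key_smoke.c: added example, not the LTP add_key04 test.
 *
 * Exercises the path from the test case on this page without an LTP
 * checkout: create a keyring, then add/link keys into it via add_key(2).
 * Completing here is not proof of a fixed kernel; the description
 * sequence is constructed and differs from add_key04's.
 *
 * Build: gcc -O2 -Wall add_key_smoke.c -o add_key_smoke
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

typedef int32_t key_serial_t;

/* Special keyring ID from <linux/keyctl.h>, redefined to stay self-contained. */
#define KEY_SPEC_PROCESS_KEYRING (-2)

struct fill_result {
    int requested;   /* keys we tried to add */
    int added;       /* keys the kernel accepted and linked */
    int err;         /* errno of the first failure, 0 if none */
};

/* Raw add_key(2): no libkeyutils dependency. */
static key_serial_t add_key_raw(const char *type, const char *desc,
                                const void *payload, size_t plen,
                                key_serial_t ring)
{
    return (key_serial_t)syscall(SYS_add_key, type, desc, payload, plen, ring);
}

/* Description for the i-th key. Descriptions must be distinct: add_key()
 * on an existing type+description updates that key instead of creating
 * and linking a new one, which would never grow the keyring. */
int make_desc(char *buf, size_t len, int i)
{
    return snprintf(buf, len, "smoke-key-%d", i);
}

/* Create a fresh keyring under the process keyring and add nkeys "user"
 * keys into it. Returns counts instead of aborting so a caller can tell
 * "blocked by policy/quota" apart from "all keys linked". */
struct fill_result fill_keyring(int nkeys)
{
    struct fill_result r = { nkeys, 0, 0 };
    static const char payload[] = "constructed payload";   /* example data */
    char desc[32];
    key_serial_t ring;

    ring = add_key_raw("keyring", "smoke-ring", NULL, 0, KEY_SPEC_PROCESS_KEYRING);
    if (ring < 0) {
        r.err = errno;              /* e.g. EPERM under a seccomp profile */
        return r;
    }
    for (int i = 0; i < nkeys; i++) {
        make_desc(desc, sizeof desc, i);
        if (add_key_raw("user", desc, payload, sizeof payload - 1, ring) < 0) {
            r.err = errno;          /* e.g. EDQUOT when the key quota is hit */
            break;
        }
        r.added++;
    }
    return r;
}

int main(void)
{
    /* 18 leaves exceed the 16 slots of one assoc_array node, so the
     * keyring must split a node at least once while we insert. */
    struct fill_result r = fill_keyring(18);

    if (r.err) {
        fprintf(stderr, "stopped after %d/%d keys: %s\n",
                r.added, r.requested, strerror(r.err));
        return r.added == 0 ? 2 : 1;
    }
    printf("added %d/%d keys without the kernel oopsing\n", r.added, r.requested);
    return 0;
}
```

Run it as an unprivileged user; add_key(2) needs no root. Keys count against the caller's quota in /proc/sys/kernel/keys/maxkeys (200 by default), and a container seccomp profile such as Docker's default denies add_key with EPERM; the harness reports both as "stopped after N/18 keys" rather than treating them as a pass. If the process hangs or the machine oopses, check dmesg for assoc_array_apply_edit in the trace, as in the oops below.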

Test result before the patch:
ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring

Summary:
passed 0
failed 1
skipped 0
warnings 0

[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
[52399.298952] Oops: 0002 [#1] SMP
[52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
[52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
[52399.299159] RIP: 0010:[<ffffffff81387a77>] [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299182] RSP: 0018:ffff88045a2e3df0 EFLAGS: 00010202
[52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
[52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
[52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
[52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
[52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
[52399.299278] FS: 00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
[52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
[52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[52399.299361] Stack:
[52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
[52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
[52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
[52399.299427] Call Trace:
[52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40
[52399.299450] [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
[52399.299467] [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
[52399.299482] [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
[52399.299497] [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
[52399.299512] [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
[52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
[52399.299625] RIP [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299642] RSP <ffff88045a2e3df0>
[52399.299650] CR2: 0000000000000010
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---

Test result after the patch:
$ sudo /opt/ltp/testcases/bin/add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

Summary:
passed 1
failed 0
skipped 0
warnings 0

[Regression-potential]
Low risk of regression.
No additional function was added; only an identifier was removed.
This fix has already landed in Xenial / Artful, and it has remained in the mainline tree since then.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-149-generic 3.13.0-149.199
ProcVersionSignature: User Name 3.13.0-149.199-generic 3.13.11-ckt39
Uname: Linux 3.13.0-149-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Jun 5 12:22 seq
 crw-rw---- 1 root audio 116, 33 Jun 5 12:22 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.14.1-0ubuntu3.27
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CurrentDmesg: [ 3.475549] init: plymouth-upstart-bridge main process ended, respawning
Date: Wed Jun 6 02:54:24 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
MachineType: Intel Corporation S1200RP
PciMultimedia:

ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-149-generic root=UUID=b0d2ae4e-12dd-423e-acea-272ee8b2a893 ro
RelatedPackageVersions:
 linux-restricted-modules-3.13.0-149-generic N/A
 linux-backports-modules-3.13.0-149-generic N/A
 linux-firmware 1.127.24
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/01/2015
dmi.bios.vendor: Intel Corp.
dmi.bios.version: S1200RP.86B.03.02.0003.070120151022
dmi.board.asset.tag: ....................
dmi.board.name: S1200RP
dmi.board.vendor: Intel Corporation
dmi.board.version: G62254-407
dmi.chassis.asset.tag: ....................
dmi.chassis.type: 17
dmi.chassis.vendor: ..............................
dmi.chassis.version: ..................
dmi.modalias: dmi:bvnIntelCorp.:bvrS1200RP.86B.03.02.0003.070120151022:bd07/01/2015:svnIntelCorporation:pnS1200RP:pvr....................:rvnIntelCorporation:rnS1200RP:rvrG62254-407:cvn..............................:ct17:cvr..................:
dmi.product.name: S1200RP
dmi.product.version: ....................
dmi.sys.vendor: Intel Corporation

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Po-Hsu Lin (cypressyew)
no longer affects: ubuntu-kernel-tests
Changed in linux (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
status: New → In Progress
Changed in linux (Ubuntu):
status: Confirmed → In Progress
Po-Hsu Lin (cypressyew) wrote :

This seems to be related to CVE-2017-12193

A test kernel with the fix (ea678998) could be found here:
http://people.canonical.com/~phlin/kernel/lp-1775316/

Po-Hsu Lin (cypressyew) wrote :

The kernel in comment #3 can fix this issue:
ubuntu@amaura:~$ sudo /opt/ltp/testcases/bin/add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

Summary:
passed 1
failed 0
skipped 0
warnings 0

Po-Hsu Lin (cypressyew)
description: updated
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Po-Hsu Lin (cypressyew) wrote :

add_key04 test passed with the proposed Trusty kernel.

<<<test_start>>>
tag=add_key04 stime=1529400599
cmdline="add_key04"
contacts=""
analysis=exit
<<<test_output>>>
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

Summary:
passed 1
failed 0
skipped 0
warnings 0
<<<execution_status>>>
initiation_status="ok"
duration=0 termination_type=exited termination_id=0 corefile=no
cutime=0 cstime=1
<<<test_end>>>

tags: added: verification-done-trusty
removed: verification-needed-trusty
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-153.203

---------------
linux (3.13.0-153.203) trusty; urgency=medium

  * linux: 3.13.0-153.203 -proposed tracker (LP: #1776819)

  * CVE-2018-3665 (x86)
    - x86/fpu: Print out whether we are doing lazy/eager FPU context switches
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix math emulation in eager fpu mode

linux (3.13.0-152.202) trusty; urgency=medium

  * linux: 3.13.0-152.202 -proposed tracker (LP: #1776350)

  * CVE-2017-15265
    - ALSA: seq: Fix use-after-free at creating a port

  * register on binfmt_misc may overflow and crash the system (LP: #1775856)
    - fs/binfmt_misc.c: do not allow offset overflow

  * CVE-2018-1130
    - dccp: check sk for closed state in dccp_sendmsg()
    - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped

  * add_key04 in LTP syscall test cause kernel oops (NULL pointer dereference)
    with T kernel (LP: #1775316) // CVE-2017-12193
    - assoc_array: Fix a buggy node-splitting case

  * CVE-2017-12154
    - kvm: nVMX: Don't allow L2 to access the hardware CR8

  * CVE-2018-7757
    - scsi: libsas: fix memory leak in sas_smp_get_phy_events()

  * CVE-2018-6927
    - futex: Prevent overflow by strengthen input validation

  * FS-Cache: Assertion failed: FS-Cache: 6 == 5 is false (LP: #1774336)
    - SAUCE: CacheFiles: fix a read_waiter/read_copier race

  * CVE-2018-5803
    - sctp: verify size of a new chunk in _sctp_make_chunk()

  * WARNING: CPU: 28 PID: 34085 at /build/linux-
    90Gc2C/linux-3.13.0/net/core/dev.c:1433 dev_disable_lro+0x87/0x90()
    (LP: #1771480)
    - net/core: generic support for disabling netdev features down stack
    - SAUCE: Backport helper function netdev_upper_get_next_dev_rcu

  * CVE-2018-7755
    - SAUCE: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

  * CVE-2018-5750
    - ACPI: sbshc: remove raw pointer from printk() message

 -- Stefan Bader <email address hidden> Thu, 14 Jun 2018 07:00:42 +0200

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: Fix Committed → Fix Released