kernel panic on ioctl(TUNSETIFF) with a dev name with '/'
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Bug Description
Executing the attached program with either `sudo` or `unshare -r -n` causes a kernel panic.
Usually running it once is enough to hit the issue, but it is not 100% deterministic.
[ 121.718035] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 121.726006] IP: (null)
[ 121.729333] PGD 0
[ 121.729334] P4D 0
[ 121.731445]
[ 121.735149] Oops: 0010 [#1] SMP PTI
[ 121.738747] Modules linked in: nf_conntrack_
f_nat nf_conntrack xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter binfmt_misc zfs(PO) zunicode(PO) zavl(PO) zcommon(PO) znvpair(PO) spl(O) ppdev input_leds mac_hid i2c_piix4 pvpanic parport_pc parport sb_edac serio_raw intel_rapl_perf
ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_
0dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc
[ 121.809474] aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse virtio_net virtio_scsi
[ 121.818453] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P O 4.13.0-25-generic #29-Ubuntu
[ 121.827338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 121.836674] task: ffffffffad212480 task.stack: ffffffffad200000
[ 121.842693] RIP: 0010: (null)
[ 121.846544] RSP: 0018:ffff9e253f
[ 121.851868] RAX: 0000000000000000 RBX: 0000000000000100 RCX: 0000000000000100
[ 121.859111] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 121.866438] RBP: ffff9e253fc03eb0 R08: fffffffffffffff8 R09: 000000000000000f
[ 121.873680] R10: 0000000045fc5cc2 R11: 000000000edc6924 R12: ffff9e253fc03ed0
[ 121.880918] R13: ffff9e251a7ef140 R14: 0000000000000000 R15: 0000000000000000
[ 121.888158] FS: 000000000000000
[ 121.896377] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 121.902225] CR2: 0000000000000000 CR3: 000000035b60a003 CR4: 00000000001606f0
[ 121.909463] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 121.916699] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 121.923935] Call Trace:
[ 121.926482] <IRQ>
[ 121.928599] ? call_timer_
[ 121.932539] run_timer_
[ 121.936738] ? kvm_clock_
[ 121.941195] ? ktime_get+0x40/0xa0
[ 121.944725] ? native_
[ 121.949359] __do_softirq+
[ 121.953040] irq_exit+0xb6/0xc0
[ 121.956290] smp_apic_
[ 121.960922] apic_timer_
[ 121.965206] </IRQ>
[ 121.967417] RIP: 0010:native_
[ 121.972058] RSP: 0018:ffffffffad
[ 121.979726] RAX: 0000000000000000 RBX: ffffffffad212480 RCX: 0000000000000000
[ 121.986965] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 121.994210] RBP: ffffffffad203de0 R08: 000000209c1b3133 R09: ffff9e252d00fe00
[ 122.001446] R10: 0000000000000000 R11: 7fffffffffffffff R12: 0000000000000000
[ 122.008700] R13: ffffffffad212480 R14: 0000000000000000 R15: 0000000000000000
[ 122.015942] default_
[ 122.019635] arch_cpu_
[ 122.023229] default_
[ 122.027267] do_idle+0x17d/0x200
[ 122.030598] cpu_startup_
[ 122.034631] rest_init+0xbc/0xc0
[ 122.037962] start_kernel+
[ 122.041726] ? early_idt_
[ 122.046622] x86_64_
[ 122.051338] x86_64_
[ 122.055710] secondary_
[ 122.059992] Code: Bad RIP value.
[ 122.063415] RIP: (null) RSP: ffff9e253fc03e80
[ 122.068738] CR2: 0000000000000000
[ 122.072159] ---[ end trace 6975f2922c493ef4 ]---
[ 122.076874] Kernel panic - not syncing: Fatal exception in interrupt
[ 122.084613] Kernel Offset: 0x2b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000
[ 122.095591] Rebooting in 10 seconds..
[ 132.021415] ACPI MEMORY or I/O RESET_REG.
The issue happens on Ubuntu 17.10 amd64, kernel 4.13.0-25-generic #29-Ubuntu, running on a GCP n1-standard-4 instance.
However, the issue doesn't seem to happen on CentOS 7 or Debian 9.
I haven't tried the latest vanilla kernel.
I'm going to report this as a security issue, as an unprivileged user can easily crash the system with `unshare -r -n`.
The issue seems to have been reported and fixed in 2013, so did some recent commit cause a regression?
- LKML: https://lwn.net/Articles/566277/
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4343
- Ubuntu 13.10 fix: https://usn.ubuntu.com/usn/USN-2049-1/