add_key04 in LTP syscall test causes kernel oops (NULL pointer dereference) with T kernel
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| ubuntu-kernel-tests | Fix Released | Undecided | Po-Hsu Lin | |
| linux (Ubuntu) | Fix Released | Undecided | Po-Hsu Lin | |
| Trusty | Fix Released | Undecided | Unassigned | |
Bug Description
[SRU Justification]
The assoc_array_
the Linux kernel before 4.13.11 mishandles node splitting, which allows
local users to cause a denial of service (NULL pointer dereference and
panic) via a crafted application, as demonstrated by the keyring key type,
and key addition and link creation operations.
The "add_key04" test from the LTP syscall suite causes a kernel oops on a testing node running the Trusty kernel, and it leaves incoming ssh connections hanging (bug 1775158).
[Test Case]
This issue can easily be reproduced with the "add_key04" test from the LTP syscall test suite.
Steps (with root):
1. sudo apt-get install git -y
2. git clone --depth=1 https:/
3. cd ltp
4. make autotools
5. ./configure
6. make; make install
7. /opt/ltp/
Test result before the patch:
ubuntu@
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring
Summary:
passed 0
failed 1
skipped 0
warnings 0
[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387
[52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
[52399.298952] Oops: 0002 [#1] SMP
[52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.
[52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
[52399.299159] RIP: 0010:[<
[52399.299182] RSP: 0018:ffff88045a
[52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
[52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
[52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
[52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
[52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
[52399.299278] FS: 00007ff43fc3974
[52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
[52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[52399.299361] Stack:
[52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
[52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
[52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
[52399.299427] Call Trace:
[52399.299436] [<ffffffff812d7
[52399.299450] [<ffffffff812d5
[52399.299467] [<ffffffff812d6
[52399.299482] [<ffffffff812d7
[52399.299497] [<ffffffff8109e
[52399.299512] [<ffffffff81748
[52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
[52399.299625] RIP [<ffffffff81387
[52399.299642] RSP <ffff88045a2e3df0>
[52399.299650] CR2: 0000000000000010
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
Test result after the patch:
$ sudo /opt/ltp/
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring
Summary:
passed 1
failed 0
skipped 0
warnings 0
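The oops quoted above has the shape a defender sees whenever an LTP run takes a kernel down: a fault address inside the first page (CR2 = 0x10), a page-fault error code, the offending task name and the exact kernel build, followed by the LTP "Summary:" counters. The script below is an added example, not part of this bug report or of LTP, that pulls those fields out of dmesg text and out of the LTP output so a CI job can flag "this kernel oopsed under add_key04" on its own. The sample inputs are constructed, trimmed copies of the output quoted above; the regular expressions are the script's own assumptions about the x86-64 oops text format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a trimmed copy of the dmesg lines quoted in the bug
# report above (register and stack lines omitted). Not live system output.
SAMPLE_DMESG = """\
[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298952] Oops: 0002 [#1] SMP
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
[52399.299427] Call Trace:
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
"""

# Constructed sample input: the LTP output block from the "before the patch" run.
SAMPLE_LTP = """\
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring
Summary:
passed 0
failed 1
skipped 0
warnings 0
"""

# These patterns are this script's own assumptions about the oops text layout.
BUG_RE = re.compile(
    r"BUG: unable to handle kernel (?:NULL pointer dereference|paging request) at ([0-9a-f]+)"
)
OOPS_RE = re.compile(r"Oops: ([0-9a-f]{4}) \[#(\d+)\]")
TASK_RE = re.compile(r"CPU: \d+ PID: (\d+) Comm: (\S+) (Not tainted|Tainted: .*?) (\S+) #")
END_RE = re.compile(r"---\[ end trace ([0-9a-f]+) \]---")
SUMMARY_RE = re.compile(r"^(passed|failed|skipped|warnings)\s+(\d+)$", re.MULTILINE)
TCASE_RE = re.compile(r"^(\S+\.c):(\d+): (PASS|FAIL|BROK|CONF): (.*)$", re.MULTILINE)


@dataclass
class Oops:
    fault_addr: int     # address the kernel could not access (matches CR2)
    error_code: int     # x86 page-fault error code from the "Oops:" line
    pid: int
    comm: str           # task name, here the LTP test binary
    tainted: bool
    kernel: str         # release string, e.g. 3.13.0-149-generic
    trace_id: Optional[str] = None

    @property
    def null_page_deref(self) -> bool:
        # A fault inside the first page is a NULL pointer plus a small field offset.
        return self.fault_addr < 0x1000

    @property
    def is_write(self) -> bool:
        # Bit 1 of the x86 page-fault error code is set for write accesses.
        return bool(self.error_code & 0x2)


def parse_oops(dmesg: str) -> Optional[Oops]:
    """Return the first oops found in dmesg text, or None when there is none."""
    bug = BUG_RE.search(dmesg)
    if bug is None:
        return None
    # Companion lines are only looked for after the BUG line that opens the oops.
    oops = OOPS_RE.search(dmesg, bug.end())
    task = TASK_RE.search(dmesg, bug.end())
    end = END_RE.search(dmesg, bug.end())
    taint_field = task.group(3) if task else ""
    return Oops(
        fault_addr=int(bug.group(1), 16),
        error_code=int(oops.group(1), 16) if oops else 0,
        pid=int(task.group(1)) if task else -1,
        comm=task.group(2) if task else "?",
        tainted=taint_field.startswith("Tainted"),
        kernel=task.group(4) if task else "?",
        trace_id=end.group(1) if end else None,
    )


def parse_ltp_summary(output: str) -> dict:
    """Map the LTP 'Summary:' counters (passed/failed/skipped/warnings) to ints."""
    return {name: int(count) for name, count in SUMMARY_RE.findall(output)}


def failed_tests(output: str) -> list:
    """Source locations and messages of every FAIL/BROK result line."""
    return [(f"{src}:{line}", msg) for src, line, verdict, msg in TCASE_RE.findall(output)
            if verdict in ("FAIL", "BROK")]


def triage(dmesg: str, ltp_output: str) -> dict:
    """Combine the LTP result and any oops into one record a CI job can act on."""
    oops = parse_oops(dmesg)
    summary = parse_ltp_summary(ltp_output)
    return {
        "ltp_failed": summary.get("failed", 0) > 0,
        "failures": failed_tests(ltp_output),
        "oops_found": oops is not None,
        "null_deref": bool(oops and oops.null_page_deref),
        "write_fault": bool(oops and oops.is_write),
        "offender": oops.comm if oops else None,
        "kernel": oops.kernel if oops else None,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DMESG, SAMPLE_LTP))
```

On the report's own data the record comes out as a write fault in the NULL page by task add_key04 on 3.13.0-149-generic: "Oops: 0002" has bit 1 set, and the faulting instruction in the Code line, `<48> 89 10` (mov %rdx,(%rax) with RAX = 0x10), is exactly such a write to CR2 = 0x10. Feeding `dmesg` after each LTP run through `triage()` and failing the job when `oops_found` is true catches this class of crash even when the test harness itself survives.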
[Regression-
Low risk of regression.
No additional function was added; only an identifier was removed.
This fix has already landed in Xenial / Artful and has remained in the mainline tree since then.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-
ProcVersionSign
Uname: Linux 3.13.0-149-generic x86_64
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Jun 5 12:22 seq
crw-rw---- 1 root audio 116, 33 Jun 5 12:22 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.14.1-0ubuntu3.27
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CurrentDmesg: [ 3.475549] init: plymouth-
Date: Wed Jun 6 02:54:24 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
MachineType: Intel Corporation S1200RP
PciMultimedia:
ProcEnviron:
TERM=xterm-
PATH=(custom, no user)
XDG_RUNTIME_
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=
RelatedPackageV
linux-
linux-
linux-firmware 1.127.24
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/01/2015
dmi.bios.vendor: Intel Corp.
dmi.bios.version: S1200RP.
dmi.board.
dmi.board.name: S1200RP
dmi.board.vendor: Intel Corporation
dmi.board.version: G62254-407
dmi.chassis.
dmi.chassis.type: 17
dmi.chassis.vendor: .......
dmi.chassis.
dmi.modalias: dmi:bvnIntelCor
dmi.product.name: S1200RP
dmi.product.
dmi.sys.vendor: Intel Corporation
no longer affects: ubuntu-kernel-tests
Changed in linux (Ubuntu): assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests: assignee: nobody → Po-Hsu Lin (cypressyew); status: New → In Progress
Changed in linux (Ubuntu): status: Confirmed → In Progress; description: updated
Changed in linux (Ubuntu Trusty): status: New → Fix Committed
Changed in linux (Ubuntu): status: In Progress → Fix Released
Changed in ubuntu-kernel-tests: status: In Progress → Fix Committed
Changed in ubuntu-kernel-tests: status: Fix Committed → Fix Released
This change was made by a bot.