unix domain socket bind causes kernel audit NULL pointer dereference

Bug #1508737 reported by AdamWu
This bug affects 2 people
Affects: linux (Ubuntu) | Status: Confirmed | Importance: Medium | Assigned to: Unassigned

Bug Description

When auditing of the bind system call is enabled, any wine application refuses to start.

/var/log/syslog shows the following crash message:
[ 149.512511] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[ 149.512518] IP: [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512526] PGD 9b5d1067 PUD ba8a9067 PMD 0
[ 149.512530] Oops: 0000 [#1] SMP
[ 149.512534] Modules linked in: tcp_diag inet_diag nfsv3 nfsv4 autofs4 ip6table_filter ip6_tables iptable_filter ip_tables ebtable_nat ebtables x_tables vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd serio_raw snd_ens1371 snd_ac97_codec ac97_bus gameport snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event joydev snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl parport_pc vmwgfx mac_hid nfs ppdev lockd sunrpc shpchp binfmt_misc ttm fscache lp drm vmw_vmci i2c_piix4 parport hid_generic usbhid hid psmouse e1000 floppy mptspi mptscsih mptbase pata_acpi
[ 149.512581] CPU: 3 PID: 11408 Comm: test Not tainted 3.13.0-66-generic #108-Ubuntu
[ 149.512584] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
[ 149.512587] task: ffff8800369d9800 ti: ffff880096f82000 task.ti: ffff880096f82000
[ 149.512589] RIP: 0010:[<ffffffff811d4a44>] [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512593] RSP: 0018:ffff880096f83db8 EFLAGS: 00010286
[ 149.512595] RAX: ffff8800acd0f00b RBX: ffff8800a21ed260 RCX: 0000000000000d63
[ 149.512597] RDX: 000000000000100b RSI: ffff8800acd0e000 RDI: 0000000000000000
[ 149.512599] RBP: ffff880096f83de0 R08: 0000000000016040 R09: ffff8801b8803200
[ 149.512600] R10: ffffffff810f83b6 R11: ffff880096f83c06 R12: ffff8801b1b1a200
[ 149.512602] R13: ffff8800a21ed260 R14: ffff8800a21ed000 R15: 0000000000000000
[ 149.512605] FS: 00007f846f981740(0000) GS:ffff8801b8e60000(0000) knlGS:0000000000000000
[ 149.512607] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 149.512608] CR2: 0000000000000060 CR3: 00000000a20d5000 CR4: 00000000000407e0
[ 149.512686] Stack:
[ 149.512689] 0000100bb1b1a200 ffff8800acd0f00b ffff8800a21ed260 ffff8800a21ed000
[ 149.512693] ffff8800acd0e000 ffff880096f83e08 ffffffff810f83ce ffff8801b1b1a200
[ 149.512697] ffff8800a21ed060 0000000000000000 ffff880096f83e78 ffffffff810f9838
[ 149.512700] Call Trace:
[ 149.512708] [<ffffffff810f83ce>] audit_log_d_path+0x5e/0xd0
[ 149.512713] [<ffffffff810f9838>] audit_log_name+0x1b8/0x320
[ 149.512717] [<ffffffff810f6f13>] ? audit_buffer_free+0x73/0xa0
[ 149.512722] [<ffffffff810fc1b7>] audit_log_exit+0x3d7/0xb90
[ 149.512727] [<ffffffff810fe93f>] __audit_syscall_exit+0x27f/0x2e0
[ 149.512732] [<ffffffff81734d84>] sysret_audit+0x17/0x21
[ 149.512733] Code: ff ff 0f 1f 44 00 00 66 66 66 66 90 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f
[ 149.512764] RIP [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512767] RSP <ffff880096f83db8>
[ 149.512769] CR2: 0000000000000060
[ 149.512772] ---[ end trace 807bfdda012cc4f6 ]---

With help of strace, I narrowed down the crash to the following example code.

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

int main(void) {
 /* PF_LOCAL datagram socket; the bind() on it is what the audit rule records */
 int fd = socket(PF_LOCAL, SOCK_DGRAM, 0);
 printf("fd = %d\n", fd);

 /* relative name "socket": no leading '/' (filesystem path) and no leading '\0' (abstract) */
 struct sockaddr testaddr;
 testaddr.sa_family = AF_LOCAL;
 testaddr.sa_data[0] = 's';
 testaddr.sa_data[1] = 'o';
 testaddr.sa_data[2] = 'c';
 testaddr.sa_data[3] = 'k';
 testaddr.sa_data[4] = 'e';
 testaddr.sa_data[5] = 't';
 testaddr.sa_data[6] = '\0';

 /* addrlen 9 = sizeof(sa_family_t) + strlen("socket") + 1 */
 int test = bind(fd, &testaddr, 9);
 printf("test = %d\n", test);
 return 0;
}

And then, I observed that other programs using UNIX domain sockets (e.g. dbus) are not affected.
By reading /proc/net/unix, I found that the addresses all seem to start with '/' or '\0' (shown as '@').

I tried the following modification to the example code:
- testaddr.sa_data[0] = 's';
+ testaddr.sa_data[0] = '/';

The modified code does not crash.

So my guess: somewhere in the audit path handling code, there is an incorrect assumption that the path must start with '/' or '\0'.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-66-generic 3.13.0-66.108
ProcVersionSignature: Ubuntu 3.13.0-66.108-generic 3.13.11-ckt27
Uname: Linux 3.13.0-66-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.15
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: adamwu 10632 F.... pulseaudio
CurrentDesktop: Unity
Date: Wed Oct 21 20:41:30 2015
HibernationDevice: RESUME=UUID=c7142107-2e6f-4bf8-9926-1f787b4572a0
InstallationDate: Installed on 2012-06-29 (1209 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
IwConfig:
 eth0 no wireless extensions.

 lo no wireless extensions.
MachineType: VMware, Inc. VMware Virtual Platform
ProcFB: 0 svgadrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-66-generic root=UUID=75999bab-d7fa-4355-91b3-1c68855a1510 ro quiet splash vga=789
RelatedPackageVersions:
 linux-restricted-modules-3.13.0-66-generic N/A
 linux-backports-modules-3.13.0-66-generic N/A
 linux-firmware 1.127.15
RfKill:

SourcePackage: linux
UpgradeStatus: Upgraded to trusty on 2014-09-29 (387 days ago)
dmi.bios.date: 07/31/2013
dmi.bios.vendor: Phoenix Technologies LTD
dmi.bios.version: 6.00
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd07/31/2013:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
dmi.product.name: VMware Virtual Platform
dmi.product.version: None
dmi.sys.vendor: VMware, Inc.
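The observation in the report (every name in /proc/net/unix starts with '/' or '@', while the crashing bind() used a relative name) can be checked mechanically. This is an added example, not the reporter's code or the kernel's: it parses the /proc/net/unix layout and flags bound names that are neither filesystem paths nor abstract names; the SAMPLE text is constructed.

```python
import re

# Added example, not the reporter's or the kernel's code: parse the layout of
# /proc/net/unix (Num RefCount Protocol Flags Type St Inode [Path]) and sort each
# bound name the way the report does: '/' filesystem path, '@' abstract (procfs
# shows the leading NUL byte as '@'), anything else a relative name.
_LINE = re.compile(
    r"^(?P<num>[0-9a-f]+):\s+(?P<refcount>[0-9a-f]+)\s+(?P<protocol>[0-9a-f]+)\s+"
    r"(?P<flags>[0-9a-f]+)\s+(?P<type>[0-9a-f]+)\s+(?P<st>[0-9a-f]+)\s+"
    r"(?P<inode>\d+)(?:\s+(?P<path>\S.*))?$"
)
SOCK_TYPES = {1: "SOCK_STREAM", 2: "SOCK_DGRAM", 5: "SOCK_SEQPACKET"}

def classify_name(path):
    """Return 'unnamed', 'abstract', 'absolute' or 'relative' for a socket name."""
    if not path:
        return "unnamed"
    if path.startswith("@"):
        return "abstract"
    if path.startswith("/"):
        return "absolute"
    return "relative"  # the form the reproducers bind ('socket', 'sock')

def parse_proc_net_unix(text):
    """Parse /proc/net/unix text into dicts; the header line never matches and is skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path") or ""
        entries.append({
            "inode": int(m.group("inode")),
            "type": SOCK_TYPES.get(int(m.group("type"), 16), "unknown"),
            "path": path,
            "kind": classify_name(path),
        })
    return entries

def relative_names(text):
    """Names of bound sockets that start with neither '/' nor '@'."""
    return [e["path"] for e in parse_proc_net_unix(text) if e["kind"] == "relative"]

# Constructed sample in the file's layout (not captured from the reporter's machine).
SAMPLE = """Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 13812 /run/dbus/system_bus_socket
0000000000000000: 00000002 00000000 00010000 0001 01 14201 @/tmp/.X11-unix/X0
0000000000000000: 00000002 00000000 00010000 0002 01 22410 sock
0000000000000000: 00000003 00000000 00000000 0001 03 22411
"""
```

On a Linux host, pass the contents of the real /proc/net/unix to relative_names() to list any bound names of this form.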

Brad Figg (brad-figg) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Luis Henriques (henrix) wrote :

We have found a regression in this kernel that may or may not be related to this bug. This was bug #1508510, and I would like to ask you to test a kernel I've uploaded here:

http://people.canonical.com/~henrix/LP1508510/v1/amd64/

Could you please test this kernel and see if it fixes this issue? Thanks.

penalvch (penalvch)
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Incomplete
Launchpad Janitor (janitor) wrote :

[Expired for linux (Ubuntu) because there has been no activity for 60 days.]

Changed in linux (Ubuntu):
status: Incomplete → Expired
Roman Fiedler (roman-fiedler-deactivatedaccount) wrote :

Rediscovered also on our systems, then found this bug report.

Reproducer for Ubuntu Trusty LTS:

# audit every bind() syscall exit on the 64-bit ABI, so the audit logging path runs
auditctl -a always,exit -F arch=b64 -S bind

#!/usr/bin/python2 -BEsSt
import socket
# bind to a relative name (no leading '/' and no leading NUL byte)
testSocket=socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
testSocket.bind('sock')

# dmesg -c
[ 145.499064] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[ 145.499522] IP: [<ffffffff811d8024>] d_path+0x24/0x120
[ 145.499815] PGD 3bfe8067 PUD 3d080067 PMD 0
[ 145.500236] Oops: 0000 [#1] SMP
[ 145.500539] Modules linked in: nf_conntrack_netlink xt_multiport ppdev xt_hashlimit ipt_REJECT xt_tcpudp xt_NFLOG nfnetlink_log xt_conntrack iptable_filter iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat serio_raw nf_conntrack iptable_mangle ip_tables x_tables parport_pc i2c_piix4 parport video nfnetlink_acct mac_hid nfnetlink psmouse ahci libahci pata_acpi
[ 145.502264] CPU: 0 PID: 1128 Comm: crash Not tainted 3.13.0-86-generic #130-Ubuntu
[ 145.502264] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 145.502264] task: ffff88003a0cc800 ti: ffff88003d0d4000 task.ti: ffff88003d0d4000
[ 145.502264] RIP: 0010:[<ffffffff811d8024>] [<ffffffff811d8024>] d_path+0x24/0x120
[ 145.502264] RSP: 0018:ffff88003d0d5db8 EFLAGS: 00010286
[ 145.502264] RAX: ffff88003795d00b RBX: ffff88003b937660 RCX: 00000000000005b5
[ 145.502264] RDX: 000000000000100b RSI: ffff88003795c000 RDI: 0000000000000000
[ 145.502264] RBP: ffff88003d0d5de0 R08: 0000000000016040 R09: ffff88003e001200
[ 145.502264] R10: ffffffff810fb1d6 R11: ffff88003d0d5c06 R12: ffff88003b6420c0
[ 145.502264] R13: ffff88003b937660 R14: ffff88003b937400 R15: 0000000000000000
[ 145.502264] FS: 00007f0280520740(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 145.502264] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 145.502264] CR2: 0000000000000060 CR3: 000000003cf68000 CR4: 00000000000006f0
[ 145.502264] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 145.502264] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 145.502264] Stack:
[ 145.502264] 0000100b3b6420c0 ffff88003795d00b ffff88003b937660 ffff88003b937400
[ 145.502264] ffff88003795c000 ffff88003d0d5e08 ffffffff810fb1ee ffff88003b6420c0
[ 145.502264] ffff88003b937460 0000000000000000 ffff88003d0d5e78 ffffffff810fc658
[ 145.502264] Call Trace:
[ 145.502264] [<ffffffff810fb1ee>] audit_log_d_path+0x5e/0xd0
[ 145.502264] [<ffffffff810fc658>] audit_log_name+0x1b8/0x320
[ 145.502264] [<ffffffff810f9d33>] ? audit_buffer_free+0x73/0xa0
[ 145.502264] [<ffffffff810fefc7>] audit_log_exit+0x3d7/0xb90
[ 145.502264] [<ffffffff81101747>] __audit_syscall_exit+0x277/0x2d0
[ 145.502264] [<ffffffff8173b144>] sysret_audit+0x17/0x21
[ 145.502264] Code: ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f
[ 145.502264] RIP [<ffffffff811d8024>] d_path+0x24/0x120
[ 145.502264] RSP <ffff88003d0d5db8>
[ 145.502264] CR2: 0000000000000060
[ 145.527823] ---[ end trace 0c532c3c01bea0ff ]---

#...


Changed in linux (Ubuntu):
status: Expired → Confirmed
information type: Public → Public Security
penalvch (penalvch) wrote :

Roman Fiedler, it will help immensely if you file a new report with the Ubuntu repository kernel (not mainline/upstream) via a terminal:
ubuntu-bug linux

Please feel free to subscribe me to it.

For more on why this is helpful, please see https://wiki.ubuntu.com/ReportingBugs.

Changed in linux (Ubuntu):
status: Confirmed → Incomplete
Changed in linux (Ubuntu):
status: Incomplete → Confirmed