CIFS causes oops

Bug #1704857 reported by Thadeu Lima de Souza Cascardo on 2017-07-17
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Thadeu Lima de Souza Cascardo
Xenial
Undecided
Unassigned

Bug Description

"Hi Kleber,

I tested the Xenial kernel from -proposed and got the following crash:

Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262084] BUG: unable to handle kernel NULL pointer dereference at (null)
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262087] IP: [<ffffffffc034151c>] cifs_discard_remaining_data+0xc/0x70 [cifs]
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262098] PGD 7db4fb067 PUD 7d5e3a067 PMD 0
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262100] Oops: 0000 [#1] SMP
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262340] Modules linked in: cifs drbg ansi_cprng cmac arc4 md4 nls_utf8 ccm fscache crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i2c_piix4 aes_x86_64 8250_fintek lrw hyperv_fb gf128mul hv_balloon glue_helper ablk_helper cryptd input_leds serio_raw joydev mac_hid nfsd auth_rpcgss nfs_acl lockd grace sunrpc parport_pc ppdev lp parport autofs4 hid_generic hv_netvsc hv_utils ptp hid_hyperv hv_storvsc pps_core hid scsi_transport_fc hyperv_keyboard psmouse pata_acpi hv_vmbus floppy fjes [last unloaded: cifs]
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262360] CPU: 2 PID: 18568 Comm: cifsd Not tainted 4.4.0-85-generic #108-Ubuntu
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262361] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090006 01/06/2017
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262362] task: ffff8807e1440f00 ti: ffff8807da868000 task.ti: ffff8807da868000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262363] RIP: 0010:[<ffffffffc034151c>] [<ffffffffc034151c>] cifs_discard_remaining_data+0xc/0x70 [cifs]
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262371] RSP: 0018:ffff8807da86bdc0 EFLAGS: 00010246
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262372] RAX: 00000000ffffffc3 RBX: ffff8807df0ae200 RCX: 0000000000000000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262373] RDX: ffffffffc0390b80 RSI: 0000000000000000 RDI: ffff8807db71c000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262373] RBP: ffff8807da86bdd0 R08: 000000000000004d R09: ffff8807da86bcfc
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262374] R10: 00000000000001fc R11: 0000000000000000 R12: 000000000000004d
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262375] R13: ffff8800f2fa1c00 R14: ffff8800f2fa1c00 R15: ffff8807df2ea680
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262376] FS: 0000000000000000(0000) GS:ffff8807e5680000(0000) knlGS:0000000000000000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262377] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262377] CR2: 0000000000000000 CR3: 00000007de707000 CR4: 00000000003406e0
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262380] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262380] Stack:
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262381] ffff8807df0ae200 000000000000004d ffff8807da86bdf8 ffffffffc034159e
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262382] ffff8807db71c000 000000000000004d ffff8807df0ae200 ffff8807da86be40
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262383] ffffffffc0341694 0000000000000000 000000000000000..."

CVE References

Changed in linux (Ubuntu):
status: New → In Progress
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)

Per report, relevant commits:

350be257ea83029daee974c72b1fe2e6f1f8e615 ("CIFS: Fix null pointer deref during read resp processing")
517a6e43c4872c89794af5b377fa085e47345952 ("CIFS: Fix some return values in case of error in 'crypt_message'")

Hi, Pavel.

Can you send us some way to reproduce this?

Thank you very much.
Cascardo.

[Impact]

Causes an oops, possibly causing a DOS on the system.

[Regression Potential]

Changes restricted to the CIFS filesystem code.

Pavel Shilovsky (pshilovsky) wrote :

Hi Cascardo,

I reproduced it with the Connectathon test suite when mounted a share with vers=2.0 or above.

Pavel

[Test Case]

Tried Connectathon and Large Compile test always causes the issue to reproduce on 4.4.0-86. With those patches applied, the bug does not occur anymore when running that test.

Changed in linux (Ubuntu Xenial):
status: New → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-done-xenial
removed: verification-needed-xenial

Package already tested by Thadeu Cascardo.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-87.110

---------------
linux (4.4.0-87.110) xenial; urgency=low

  * linux: 4.4.0-87.110 -proposed tracker (LP: #1704982)

  * CVE-2017-1000364
    - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
    - mm/mmap.c: expand_downwards: don't require the gap if !vm_prev

  * CIFS causes oops (LP: #1704857)
    - CIFS: Fix null pointer deref during read resp processing
    - CIFS: Fix some return values in case of error in 'crypt_message'

 -- Kleber Sacilotto de Souza <email address hidden> Tue, 18 Jul 2017 13:58:43 +0200

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers