CIFS causes oops

Bug #1704857 reported by Thadeu Lima de Souza Cascardo
Affects         Status        Importance  Assigned to                     Milestone
linux (Ubuntu)  In Progress   Undecided   Thadeu Lima de Souza Cascardo
Xenial          Fix Released  Undecided   Unassigned

Bug Description

"Hi Kleber,

I tested the Xenial kernel from -proposed and got the following crash:

Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262084] BUG: unable to handle kernel NULL pointer dereference at (null)
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262087] IP: [<ffffffffc034151c>] cifs_discard_remaining_data+0xc/0x70 [cifs]
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262098] PGD 7db4fb067 PUD 7d5e3a067 PMD 0
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262100] Oops: 0000 [#1] SMP
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262340] Modules linked in: cifs drbg ansi_cprng cmac arc4 md4 nls_utf8 ccm fscache crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel i2c_piix4 aes_x86_64 8250_fintek lrw hyperv_fb gf128mul hv_balloon glue_helper ablk_helper cryptd input_leds serio_raw joydev mac_hid nfsd auth_rpcgss nfs_acl lockd grace sunrpc parport_pc ppdev lp parport autofs4 hid_generic hv_netvsc hv_utils ptp hid_hyperv hv_storvsc pps_core hid scsi_transport_fc hyperv_keyboard psmouse pata_acpi hv_vmbus floppy fjes [last unloaded: cifs]
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262360] CPU: 2 PID: 18568 Comm: cifsd Not tainted 4.4.0-85-generic #108-Ubuntu
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262361] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090006 01/06/2017
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262362] task: ffff8807e1440f00 ti: ffff8807da868000 task.ti: ffff8807da868000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262363] RIP: 0010:[<ffffffffc034151c>] [<ffffffffc034151c>] cifs_discard_remaining_data+0xc/0x70 [cifs]
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262371] RSP: 0018:ffff8807da86bdc0 EFLAGS: 00010246
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262372] RAX: 00000000ffffffc3 RBX: ffff8807df0ae200 RCX: 0000000000000000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262373] RDX: ffffffffc0390b80 RSI: 0000000000000000 RDI: ffff8807db71c000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262373] RBP: ffff8807da86bdd0 R08: 000000000000004d R09: ffff8807da86bcfc
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262374] R10: 00000000000001fc R11: 0000000000000000 R12: 000000000000004d
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262375] R13: ffff8800f2fa1c00 R14: ffff8800f2fa1c00 R15: ffff8807df2ea680
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262376] FS: 0000000000000000(0000) GS:ffff8807e5680000(0000) knlGS:0000000000000000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262377] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262377] CR2: 0000000000000000 CR3: 00000007de707000 CR4: 00000000003406e0
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262380] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262380] Stack:
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262381] ffff8807df0ae200 000000000000004d ffff8807da86bdf8 ffffffffc034159e
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262382] ffff8807db71c000 000000000000004d ffff8807df0ae200 ffff8807da86be40
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262383] ffffffffc0341694 0000000000000000 000000000000000..."
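As an added example, not code from the bug report or from the kernel, the following parser pulls the fields a responder actually triages out of oops lines shaped like the ones above: the fault kind, the faulting symbol and its owning module, whether the access was a read or a write (from the Oops error code), and the task and kernel release. The sample input is a constructed copy of the report's first lines; the `parse_oops` and `triage` names are my own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the first lines of the oops quoted in the bug report above.
SAMPLE_LOG = """\
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262084] BUG: unable to handle kernel NULL pointer dereference at (null)
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262087] IP: [<ffffffffc034151c>] cifs_discard_remaining_data+0xc/0x70 [cifs]
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262100] Oops: 0000 [#1] SMP
Jul 13 14:38:05 ubuntu-vm kernel: [ 770.262360] CPU: 2 PID: 18568 Comm: cifsd Not tainted 4.4.0-85-generic #108-Ubuntu
"""
# The four line shapes a 4.4-era x86 oops carries: fault kind, faulting IP, error code, task.
PATTERNS = {
    "bug": re.compile(r"\] BUG: unable to handle kernel (?P<kind>.+?) at\s+(?P<addr>\S+)"),
    "ip": re.compile(r"\] IP: \[<[0-9a-f]+>\] (?P<func>\w+)\+0x[0-9a-f]+/0x[0-9a-f]+(?: \[(?P<mod>\w+)\])?"),
    "oops": re.compile(r"\] Oops: (?P<code>[0-9a-f]{4}) \[#\d+\]"),
    "task": re.compile(r"\] CPU: \d+ PID: \d+ Comm: (?P<comm>\S+) (?:Not tainted|Tainted:.*?) (?P<kver>\d\S*)"),
}

@dataclass
class Oops:
    kind: str              # e.g. "NULL pointer dereference"
    address: str           # faulting address as printed; "(null)" means 0
    function: str          # symbol the RIP resolved to
    module: Optional[str]  # module owning the symbol, None for the core kernel
    is_write: bool         # bit 1 of the x86 page-fault error code: set means a write access
    comm: str              # faulting task, here the cifsd receive thread
    kernel: str            # kernel release string

def parse_oops(text: str) -> Optional[Oops]:
    found = {}  # first match of each pattern; an oops missing any of them is incomplete
    for line in text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m and name not in found:
                found[name] = m
    if len(found) < len(PATTERNS):
        return None
    b, i, o, t = found["bug"], found["ip"], found["oops"], found["task"]
    return Oops(b["kind"], b["addr"], i["func"], i["mod"],
                bool(int(o["code"], 16) & 0x2), t["comm"], t["kver"])

def triage(text: str) -> str:
    # One-line alert summary: which module and function faulted, and how.
    o = parse_oops(text)
    if o is None:
        return "no complete oops found"
    where = f"{o.function} [{o.module}]" if o.module else o.function
    access = "write" if o.is_write else "read"
    return f"{o.kernel}: {o.kind} ({access}) at {o.address} in {where}, task {o.comm}"
```

Fed the journal output of an affected host, `triage` reports a read fault at address 0 inside `cifs_discard_remaining_data [cifs]` on the `cifsd` thread, which is the signature to watch for on 4.4.0-85/-86 hosts until the 4.4.0-87 fix is installed.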

Thadeu Lima de Souza Cascardo (cascardo) wrote :
Changed in linux (Ubuntu):
status: New → In Progress
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Thadeu Lima de Souza Cascardo (cascardo) wrote :

Per report, relevant commits:

350be257ea83029daee974c72b1fe2e6f1f8e615 ("CIFS: Fix null pointer deref during read resp processing")
517a6e43c4872c89794af5b377fa085e47345952 ("CIFS: Fix some return values in case of error in 'crypt_message'")

Thadeu Lima de Souza Cascardo (cascardo) wrote :

Hi, Pavel.

Can you send us some way to reproduce this?

Thank you very much.
Cascardo.

Thadeu Lima de Souza Cascardo (cascardo) wrote :

[Impact]

Causes an oops, possibly causing a DoS on the system.

[Regression Potential]

Changes restricted to the CIFS filesystem code.

Pavel Shilovsky (pshilovsky) wrote :

Hi Cascardo,

I reproduced it with the Connectathon test suite when mounting a share with vers=2.0 or above.

Pavel

Thadeu Lima de Souza Cascardo (cascardo) wrote :

[Test Case]

Tried Connectathon, and the Large Compile test always causes the issue to reproduce on 4.4.0-86. With those patches applied, the bug does not occur anymore when running that test.

Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Kleber Sacilotto de Souza (kleber-souza) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-done-xenial
removed: verification-needed-xenial
Kleber Sacilotto de Souza (kleber-souza) wrote :

Package already tested by Thadeu Cascardo.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-87.110

---------------
linux (4.4.0-87.110) xenial; urgency=low

  * linux: 4.4.0-87.110 -proposed tracker (LP: #1704982)

  * CVE-2017-1000364
    - mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
    - mm/mmap.c: expand_downwards: don't require the gap if !vm_prev

  * CIFS causes oops (LP: #1704857)
    - CIFS: Fix null pointer deref during read resp processing
    - CIFS: Fix some return values in case of error in 'crypt_message'

 -- Kleber Sacilotto de Souza <email address hidden> Tue, 18 Jul 2017 13:58:43 +0200

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released