kernel panic on ioctl(TUNSETIFF) with a dev name with '/'

Bug #1743792 reported by Akihiro Suda on 2018-01-17
266
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned

Bug Description

Executing the attached program with either `sudo` or `unshare -r -n` causes kernel panic.
Mostly running just once is enough to hit the issue, but not 100% deterministic.

[ 121.718035] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 121.726006] IP: (null)
[ 121.729333] PGD 0
[ 121.729334] P4D 0
[ 121.731445]
[ 121.735149] Oops: 0010 [#1] SMP PTI
[ 121.738747] Modules linked in: nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype xt_conntrack br_netfilter overlay xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 n
f_nat nf_conntrack xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter binfmt_misc zfs(PO) zunicode(PO) zavl(PO) zcommon(PO) znvpair(PO) spl(O) ppdev input_leds mac_hid i2c_piix4 pvpanic parport_pc parport sb_edac serio_raw intel_rapl_perf
 ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct1
0dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc
[ 121.809474] aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse virtio_net virtio_scsi
[ 121.818453] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P O 4.13.0-25-generic #29-Ubuntu
[ 121.827338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 121.836674] task: ffffffffad212480 task.stack: ffffffffad200000
[ 121.842693] RIP: 0010: (null)
[ 121.846544] RSP: 0018:ffff9e253fc03e80 EFLAGS: 00010206
[ 121.851868] RAX: 0000000000000000 RBX: 0000000000000100 RCX: 0000000000000100
[ 121.859111] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 121.866438] RBP: ffff9e253fc03eb0 R08: fffffffffffffff8 R09: 000000000000000f
[ 121.873680] R10: 0000000045fc5cc2 R11: 000000000edc6924 R12: ffff9e253fc03ed0
[ 121.880918] R13: ffff9e251a7ef140 R14: 0000000000000000 R15: 0000000000000000
[ 121.888158] FS: 0000000000000000(0000) GS:ffff9e253fc00000(0000) knlGS:0000000000000000
[ 121.896377] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 121.902225] CR2: 0000000000000000 CR3: 000000035b60a003 CR4: 00000000001606f0
[ 121.909463] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 121.916699] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 121.923935] Call Trace:
[ 121.926482] <IRQ>
[ 121.928599] ? call_timer_fn+0x33/0x130
[ 121.932539] run_timer_softirq+0x40f/0x470
[ 121.936738] ? kvm_clock_get_cycles+0x1e/0x20
[ 121.941195] ? ktime_get+0x40/0xa0
[ 121.944725] ? native_apic_msr_write+0x2b/0x40
[ 121.949359] __do_softirq+0xde/0x2a5
[ 121.953040] irq_exit+0xb6/0xc0
[ 121.956290] smp_apic_timer_interrupt+0x68/0x90
[ 121.960922] apic_timer_interrupt+0x9f/0xb0
[ 121.965206] </IRQ>
[ 121.967417] RIP: 0010:native_safe_halt+0x6/0x10
[ 121.972058] RSP: 0018:ffffffffad203de0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
[ 121.979726] RAX: 0000000000000000 RBX: ffffffffad212480 RCX: 0000000000000000
[ 121.986965] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 121.994210] RBP: ffffffffad203de0 R08: 000000209c1b3133 R09: ffff9e252d00fe00
[ 122.001446] R10: 0000000000000000 R11: 7fffffffffffffff R12: 0000000000000000
[ 122.008700] R13: ffffffffad212480 R14: 0000000000000000 R15: 0000000000000000
[ 122.015942] default_idle+0x20/0x100
[ 122.019635] arch_cpu_idle+0xf/0x20
[ 122.023229] default_idle_call+0x23/0x30
[ 122.027267] do_idle+0x17d/0x200
[ 122.030598] cpu_startup_entry+0x73/0x80
[ 122.034631] rest_init+0xbc/0xc0
[ 122.037962] start_kernel+0x4c5/0x4e6
[ 122.041726] ? early_idt_handler_array+0x120/0x120
[ 122.046622] x86_64_start_reservations+0x24/0x26
[ 122.051338] x86_64_start_kernel+0x13a/0x15d
[ 122.055710] secondary_startup_64+0x9f/0xa0
[ 122.059992] Code: Bad RIP value.
[ 122.063415] RIP: (null) RSP: ffff9e253fc03e80
[ 122.068738] CR2: 0000000000000000
[ 122.072159] ---[ end trace 6975f2922c493ef4 ]---
[ 122.076874] Kernel panic - not syncing: Fatal exception in interrupt
[ 122.084613] Kernel Offset: 0x2b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 122.095591] Rebooting in 10 seconds..
[ 132.021415] ACPI MEMORY or I/O RESET_REG.

The issue happens on Ubuntu 17.10 amd64, kernel 4.13.0-25-generic #29-Ubuntu, running on a GCP n1-standard-4 instance.
However, the issue don't seem to happen on CentOS 7 and Debian 9.
I haven't tried the latest vanilla kernel.

I'm going to report this as a security issue, as an unprivileged user can easily crash the system with `unshare -r -n`.

CVE References

Akihiro Suda (suda-kyoto) wrote :
Akihiro Suda (suda-kyoto) wrote :

The issue seems to have been reported and fixed in 2013, but some recent commit caused regression?

- LKML: https://lwn.net/Articles/566277/
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4343
- Ubuntu 13.10 fix: https://usn.ubuntu.com/usn/USN-2049-1/

Seth Arnold (seth-arnold) wrote :

Hello Akihiro, thanks for the excellent report, research, and sample program.

Akihiro Suda (suda-kyoto) wrote :

I bisected the issue with vanilla kernels, and I found the issue seems already fixed in v4.13.14
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/log/?h=v4.13.14

Could you cherry-pick tun/tap commits in v4.13.14?

Maybe it is worth opening an Ubuntu-specific CVE, but I'm not sure.

Akihiro Suda (suda-kyoto) wrote :

ping, this issue seems critical but should be easy to fix

Akihiro Suda (suda-kyoto) wrote :

As this is known and fixed in the upstream, can I disclose this issue?

Seth Arnold (seth-arnold) wrote :

Hello Akihiro, please not yet; fallout from the Spectre patches has consumed the kernel team's time. We haven't yet forgotten this.

Thanks

Tyler Hicks (tyhicks) wrote :

Cherry-picking the following upstream commits to the artful kernel prevents the kernel BUG triggered by the reproducer:

0ad646c81b2182f7fa67ec0c8c825e0ee165696d
5c25f65fd1e42685f7ccd80e0621829c105785d9
93161922c658c714715686cd0cf69b090cb9bf1d

Hi,

The SHA1's mentioned on comment #8 have been cherry-picked onto artful/master-next branch and will be available on the next release of the 4.13 kernel packages, which are planned to be published to -proposed soon.

Thanks.

I have opened bug 1748846 as a public bug without the sensitive information so we can use it in the kernel changelogs.

Steve Beattie (sbeattie) wrote :

This issue has been assigned CVE-2018-7191

I was not able to reproduce the issue with the latest Artful kernel currently in -proposed (4.13.0-36-generic).

Akihiro Suda (suda-kyoto) wrote :

I think this issue is now closable

Akihiro Suda (suda-kyoto) wrote :

and thank you a lot for cherrypicking :)

Tyler Hicks (tyhicks) wrote :

This issue has been fixed. See the corresponding public bug (bug 1748846) for version information.

Changed in linux (Ubuntu):
status: New → Fix Released
Akihiro Suda (suda-kyoto) wrote :

Hi, any reason to keep CVE-2018-7191 still secret?
May I mention the CVE on the Internet publicly?

Seth Arnold (seth-arnold) wrote :

Thanks for commenting on this issue. I'm sorry we lost track of proper public attribution for the discovery.

Yes, you may use this CVE publicly. (And thanks for asking.)

information type: Private Security → Public Security
Tyler Hicks (tyhicks) wrote :

For anyone coming here for information on CVE-2018-7191, 0ad646c81b2182f7fa67ec0c8c825e0ee165696d is the fix for the CVE and 5c25f65fd1e42685f7ccd80e0621829c105785d9 is a bugfix for the fix.

The other commit mentioned, 93161922c658c714715686cd0cf69b090cb9bf1d, is unrelated to CVE-2018-7191.

Akihiro Suda (suda-kyoto) wrote :

Thanks!

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers

Bug attachments