add_key04 in LTP syscall test cause kernel oops (NULL pointer dereference) with T kernel

Bug #1775316 reported by Po-Hsu Lin on 2018-06-06
Affects: ubuntu-kernel-tests (assigned to Po-Hsu Lin); linux (Ubuntu) (assigned to Po-Hsu Lin)

Bug Description

[SRU Justification]
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
the Linux kernel before 4.13.11 mishandles node splitting, which allows
local users to cause a denial of service (NULL pointer dereference and
panic) via a crafted application, as demonstrated by the keyring key type,
and key addition and link creation operations.

The "add_key04" test from the LTP syscall tests causes a kernel oops on a test node with the Trusty kernel installed, and it makes incoming ssh connections hang (bug 1775158).

[Test Case]
This issue can easily be reproduced with the "add_key04" test from the LTP syscall test suite.

Steps (with root):
  1. sudo apt-get install git -y
  2. git clone --depth=1
  3. cd ltp
  4. make autotools
  5. ./configure
  6. make; make install
  7. /opt/ltp/testcases/bin/add_key04

Test result before the patch:
ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring

passed 0
failed 1
skipped 0
warnings 0

[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
[52399.298952] Oops: 0002 [#1] SMP
[52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
[52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
[52399.299159] RIP: 0010:[<ffffffff81387a77>] [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299182] RSP: 0018:ffff88045a2e3df0 EFLAGS: 00010202
[52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
[52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
[52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
[52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
[52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
[52399.299278] FS: 00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
[52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
[52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[52399.299361] Stack:
[52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
[52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
[52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
[52399.299427] Call Trace:
[52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40
[52399.299450] [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
[52399.299467] [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
[52399.299482] [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
[52399.299497] [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
[52399.299512] [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
[52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
[52399.299625] RIP [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299642] RSP <ffff88045a2e3df0>
[52399.299650] CR2: 0000000000000010
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---

Test result after the patch:
$ sudo /opt/ltp/testcases/bin/add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

passed 1
failed 0
skipped 0
warnings 0

Low risk of regression: no additional function was added, only an identifier was removed.
This fix has already landed in Xenial and Artful, and has been in the mainline tree since.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-149-generic 3.13.0-149.199
ProcVersionSignature: User Name 3.13.0-149.199-generic 3.13.11-ckt39
Uname: Linux 3.13.0-149-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Jun 5 12:22 seq
 crw-rw---- 1 root audio 116, 33 Jun 5 12:22 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.14.1-0ubuntu3.27
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CurrentDmesg: [ 3.475549] init: plymouth-upstart-bridge main process ended, respawning
Date: Wed Jun 6 02:54:24 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
MachineType: Intel Corporation S1200RP
ProcEnviron:
 PATH=(custom, no user)
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-149-generic root=UUID=b0d2ae4e-12dd-423e-acea-272ee8b2a893 ro
RelatedPackageVersions:
 linux-restricted-modules-3.13.0-149-generic N/A
 linux-backports-modules-3.13.0-149-generic N/A
 linux-firmware 1.127.24
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/01/2015
dmi.bios.vendor: Intel Corp.
dmi.bios.version: S1200RP.86B.03.02.0003.070120151022
dmi.board.asset.tag: ....................
dmi.board.name: S1200RP
dmi.board.vendor: Intel Corporation
dmi.board.version: G62254-407
dmi.chassis.asset.tag: ....................
dmi.chassis.type: 17
dmi.chassis.vendor: ..............................
dmi.chassis.version: ..................
dmi.modalias: dmi:bvnIntelCorp.:bvrS1200RP.86B.03.02.0003.070120151022:bd07/01/2015:svnIntelCorporation:pnS1200RP:pvr....................:rvnIntelCorporation:rnS1200RP:rvrG62254-407:cvn..............................:ct17:cvr..................:
dmi.product.name: S1200RP
dmi.product.version: ....................
dmi.sys.vendor: Intel Corporation
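As an added example (this is not LTP's add_key04.c and not kernel code), the following C program shows the shape of a test that exercises the path the [Test Case] above runs: it fills a keyring past the 16-leaf fan-out of the kernel's assoc_array with add_key(2), which forces a node split, and it does so in a forked child so that the harness itself survives if the kernel oopses and kills the task. The key type ("user"), the descriptions ("desc<i>"), the key count and the keyring name are this example's own choices; the particular descriptions LTP picks are what steer the keys into the buggy split, so this program is a safe harness around add_key(2), not a guaranteed reproducer of CVE-2017-12193.

```c
/*
 * Added example, not LTP or kernel code.  A child does the add_key(2)
 * calls; the parent only looks at how the child ended.  A kernel oops in
 * the child's context kills that task, so the parent sees a
 * signal-terminated child instead of dying itself.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Value from <linux/keyctl.h>; defined here to stay self-contained. */
#ifndef KEY_SPEC_SESSION_KEYRING
#define KEY_SPEC_SESSION_KEYRING (-3)
#endif

typedef int32_t key_serial_t;

/* add_key(2) has no glibc wrapper (libkeyutils provides one), so call the
 * syscall directly.  Without a syscall number, fail with ENOSYS. */
static long sys_add_key(const char *type, const char *desc,
                        const void *payload, size_t plen, key_serial_t ring)
{
#ifdef __NR_add_key
    return syscall(__NR_add_key, type, desc, payload, plen, ring);
#else
    (void)type; (void)desc; (void)payload; (void)plen; (void)ring;
    errno = ENOSYS;
    return -1;
#endif
}

/* assoc_array nodes hold 16 leaves (ASSOC_ARRAY_FAN_OUT), so the 17th key in
 * a keyring forces a split.  18 is this example's choice (assumption); any
 * value above 16 reaches the split path. */
#define NKEYS 18

/* Description for the i-th key ("desc<i>", an assumed naming scheme).
 * Returns the length written, or -1 if the buffer is too small. */
int make_description(char *buf, size_t len, int i)
{
    int n = snprintf(buf, len, "desc%d", i);
    return (n < 0 || (size_t)n >= len) ? -1 : n;
}

/* Runs in the child.  Returns 0 on success, else the errno of the failing call. */
static int fill_keyring(void)
{
    long ring = sys_add_key("keyring", "example-ring", NULL, 0,
                            KEY_SPEC_SESSION_KEYRING);
    if (ring < 0)
        return errno;
    for (int i = 0; i < NKEYS; i++) {
        char desc[32];
        if (make_description(desc, sizeof desc, i) < 0)
            return EINVAL;
        if (sys_add_key("user", desc, "payload!", 8, (key_serial_t)ring) < 0)
            return errno;
    }
    return 0;
}

/*
 * Result of run_keyring_test():
 *   1  child filled the keyring and exited cleanly
 *   0  child was killed by a signal (what an oops looks like from userspace)
 *  -1  keyrings unavailable here (ENOSYS/EPERM/...) or fork/wait failed
 */
int run_keyring_test(void)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(fill_keyring());   /* exit status carries errno, 0 on success */

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFSIGNALED(status))
        return 0;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 1;
    return -1;
}

int main(void)
{
    int r = run_keyring_test();
    if (r == 1)
        puts("PASS: didn't crash while filling keyring");
    else if (r == 0)
        puts("FAIL: child died while filling keyring (check dmesg for an oops)");
    else
        puts("SKIP: keyrings unavailable in this environment");
    return 0;
}
```

Run it only on a disposable machine when testing a kernel you suspect is vulnerable: the bug report notes that after the oops incoming ssh connections hang (bug 1775158), so even though this harness survives, the box may not be usable afterwards. A clean PASS here does not prove the kernel is fixed, since the descriptions above are not chosen to hit the clustering case; for that, run the real add_key04 from LTP as the [Test Case] describes, or check that the running kernel is at or past the fixed package version.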

Po-Hsu Lin (cypressyew) wrote :

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Po-Hsu Lin (cypressyew) on 2018-06-06
no longer affects: ubuntu-kernel-tests
Changed in linux (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Po-Hsu Lin (cypressyew) on 2018-06-06
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
status: New → In Progress
Changed in linux (Ubuntu):
status: Confirmed → In Progress
Po-Hsu Lin (cypressyew) wrote :

This seems to be related to CVE-2017-12193

A test kernel with the fix (ea678998) could be found here:

Po-Hsu Lin (cypressyew) wrote :

The kernel from comment #3 fixes this issue:
ubuntu@amaura:~$ sudo /opt/ltp/testcases/bin/add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

passed 1
failed 0
skipped 0
warnings 0

Po-Hsu Lin (cypressyew) on 2018-06-06
description: updated
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Po-Hsu Lin (cypressyew) wrote :

add_key04 test passed with the proposed Trusty kernel.

tag=add_key04 stime=1529400599
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

passed 1
failed 0
skipped 0
warnings 0
duration=0 termination_type=exited termination_id=0 corefile=no
cutime=0 cstime=1

tags: added: verification-done-trusty
removed: verification-needed-trusty
Po-Hsu Lin (cypressyew) on 2018-06-21
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-153.203

linux (3.13.0-153.203) trusty; urgency=medium

  * linux: 3.13.0-153.203 -proposed tracker (LP: #1776819)

  * CVE-2018-3665 (x86)
    - x86/fpu: Print out whether we are doing lazy/eager FPU context switches
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix math emulation in eager fpu mode

linux (3.13.0-152.202) trusty; urgency=medium

  * linux: 3.13.0-152.202 -proposed tracker (LP: #1776350)

  * CVE-2017-15265
    - ALSA: seq: Fix use-after-free at creating a port

  * register on binfmt_misc may overflow and crash the system (LP: #1775856)
    - fs/binfmt_misc.c: do not allow offset overflow

  * CVE-2018-1130
    - dccp: check sk for closed state in dccp_sendmsg()
    - ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped

  * add_key04 in LTP syscall test cause kernel oops (NULL pointer dereference)
    with T kernel (LP: #1775316) // CVE-2017-12193
    - assoc_array: Fix a buggy node-splitting case

  * CVE-2017-12154
    - kvm: nVMX: Don't allow L2 to access the hardware CR8

  * CVE-2018-7757
    - scsi: libsas: fix memory leak in sas_smp_get_phy_events()

  * CVE-2018-6927
    - futex: Prevent overflow by strengthen input validation

  * FS-Cache: Assertion failed: FS-Cache: 6 == 5 is false (LP: #1774336)
    - SAUCE: CacheFiles: fix a read_waiter/read_copier race

  * CVE-2018-5803
    - sctp: verify size of a new chunk in _sctp_make_chunk()

  * WARNING: CPU: 28 PID: 34085 at /build/linux-
    90Gc2C/linux-3.13.0/net/core/dev.c:1433 dev_disable_lro+0x87/0x90()
    (LP: #1771480)
    - net/core: generic support for disabling netdev features down stack
    - SAUCE: Backport helper function netdev_upper_get_next_dev_rcu

  * CVE-2018-7755
    - SAUCE: floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl

  * CVE-2018-5750
    - ACPI: sbshc: remove raw pointer from printk() message

 -- Stefan Bader <email address hidden> Thu, 14 Jun 2018 07:00:42 +0200

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) on 2018-07-06
Changed in ubuntu-kernel-tests:
status: Fix Committed → Fix Released