2019-04-16 11:34:40 |
Christoph Probst |
bug |
|
|
added bug |
2019-04-16 11:34:40 |
Christoph Probst |
attachment added |
|
dmesg https://bugs.launchpad.net/bugs/1824981/+attachment/5256266/+files/dmesg.txt |
|
2019-04-16 12:00:06 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Incomplete |
|
2019-04-16 12:00:07 |
Ubuntu Kernel Bot |
tags |
|
bionic |
|
2019-04-16 12:51:15 |
Christoph Probst |
linux (Ubuntu): status |
Incomplete |
Confirmed |
|
2019-04-18 05:43:09 |
Christoph Probst |
summary |
cifs related buffer overflow in strcat |
cifs set_oplock overflow in strcat |
|
2019-04-18 05:43:30 |
Christoph Probst |
summary |
cifs set_oplock overflow in strcat |
cifs set_oplock buffer overflow in strcat |
|
2019-04-18 23:12:43 |
Terry Rudd |
bug |
|
|
added subscriber Terry Rudd |
2019-04-23 05:57:33 |
Christoph Probst |
attachment added |
|
4.15.0-48.51~lp1824981-generic_kernel.log https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+attachment/5258116/+files/4.15.0-48.51~lp1824981-generic_kernel.log |
|
2019-05-06 20:46:45 |
Christoph Probst |
linux (Ubuntu): status |
Confirmed |
Fix Committed |
|
2019-05-08 07:51:48 |
Christoph Probst |
linux (Ubuntu): status |
Fix Committed |
Fix Released |
|
2019-05-08 07:51:48 |
Christoph Probst |
linux (Ubuntu): assignee |
|
Christoph Probst (christophprobst) |
|
2019-05-22 19:17:28 |
Guilherme G. Piccoli |
tags |
bionic |
bionic sts |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
nominated for series |
|
Ubuntu Cosmic |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
bug task added |
|
linux (Ubuntu Cosmic) |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
nominated for series |
|
Ubuntu Eoan |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
bug task added |
|
linux (Ubuntu Eoan) |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
nominated for series |
|
Ubuntu Bionic |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
bug task added |
|
linux (Ubuntu Bionic) |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
nominated for series |
|
Ubuntu Disco |
|
2019-05-23 13:08:17 |
Guilherme G. Piccoli |
bug task added |
|
linux (Ubuntu Disco) |
|
2019-05-23 13:08:36 |
Guilherme G. Piccoli |
linux (Ubuntu Eoan): status |
Fix Released |
Fix Committed |
|
2019-05-23 13:08:44 |
Guilherme G. Piccoli |
linux (Ubuntu Disco): status |
New |
In Progress |
|
2019-05-23 13:08:47 |
Guilherme G. Piccoli |
linux (Ubuntu Cosmic): status |
New |
In Progress |
|
2019-05-23 13:08:49 |
Guilherme G. Piccoli |
linux (Ubuntu Bionic): status |
New |
In Progress |
|
2019-05-23 13:08:51 |
Guilherme G. Piccoli |
linux (Ubuntu Bionic): assignee |
|
Guilherme G. Piccoli (gpiccoli) |
|
2019-05-23 13:08:53 |
Guilherme G. Piccoli |
linux (Ubuntu Cosmic): assignee |
|
Guilherme G. Piccoli (gpiccoli) |
|
2019-05-23 13:08:55 |
Guilherme G. Piccoli |
linux (Ubuntu Disco): assignee |
|
Guilherme G. Piccoli (gpiccoli) |
|
2019-05-23 13:09:01 |
Guilherme G. Piccoli |
linux (Ubuntu Eoan): importance |
Undecided |
High |
|
2019-05-23 13:09:03 |
Guilherme G. Piccoli |
linux (Ubuntu Disco): importance |
Undecided |
High |
|
2019-05-23 13:09:06 |
Guilherme G. Piccoli |
linux (Ubuntu Bionic): importance |
Undecided |
High |
|
2019-05-23 13:09:09 |
Guilherme G. Piccoli |
linux (Ubuntu Cosmic): importance |
Undecided |
High |
|
2019-05-23 22:09:15 |
Dan Poler |
bug |
|
|
added subscriber Dan Poler |
2019-07-16 21:31:07 |
Guilherme G. Piccoli |
linux (Ubuntu Cosmic): status |
In Progress |
Won't Fix |
|
2019-07-17 19:50:42 |
Guilherme G. Piccoli |
description |
Ubuntu 18.04.2 LTS
Linux SRV013 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
DELL R740, 2 CPU (40 Cores, 80 Threads), 384 GiB RAM
top - 12:39:53 up 3:41, 4 users, load average: 66.19, 64.06, 76.90
Tasks: 1076 total, 1 running, 675 sleeping, 12 stopped, 1 zombie
%Cpu(s): 28.2 us, 0.3 sy, 0.0 ni, 71.5 id, 0.0 wa, 0.0 hi, 0.1 si, 0.0 st
KiB Mem : 39483801+total, 24077185+free, 57428284 used, 96637872 buff/cache
KiB Swap: 999420 total, 999420 free, 0 used. 33477683+avail Mem
We've seen the following bug many times since we introduced new machines running Ubuntu 18. It wasn't an issue on older machines running Ubuntu 16. Three different machines are affected, so it's probably not a hardware issue.
| detected buffer overflow in strcat
| ------------[ cut here ]------------
| kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
| invalid opcode: 0000 [#1] SMP PTI
| Modules linked in: [...]
| Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
| RIP: 0010:fortify_panic+0x13/0x22
| [...]
| Call Trace:
| smb21_set_oplock_level+0x147/0x1a0 [cifs]
| smb3_set_oplock_level+0x22/0x90 [cifs]
| smb2_set_fid+0x76/0xb0 [cifs]
| cifs_new_fileinfo+0x259/0x390 [cifs]
| ? smb2_get_lease_key+0x40/0x40 [cifs]
| ? cifs_new_fileinfo+0x259/0x390 [cifs]
| cifs_open+0x3db/0x8d0 [cifs]
| [...]
(Full dmesg output attached)
After hitting this bug there are many cifs-related dmesg entries, processes lock up and eventually the system freezes.
The share is mounted using:
//server/share /mnt/server/ cifs defaults,auto,iocharset=utf8,noperm,file_mode=0777,dir_mode=0777,credentials=/root/passwords/share,domain=myDomain,uid=myUser,gid=10513,mfsymlinks
Currently we're testing the cifs mount option "cache=none", as the bug seems to be oplock related. |
[Impact]
* We got reports of a kernel crash in cifs module with the following signature:
detected buffer overflow in strcat
kernel BUG at <...>/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x1f
Call Trace:
smb21_set_oplock_level+0xde/0x190 [cifs]
smb3_set_oplock_level+0x22/0x90 [cifs]
smb2_set_fid+0x76/0xb0 [cifs]
cifs_new_fileinfo+0x268/0x3c0 [cifs]
? smb2_get_lease_key+0x40/0x40 [cifs]
? cifs_new_fileinfo+0x268/0x3c0 [cifs]
cifs_open+0x57c/0x8d0 [cifs]
do_dentry_open+0x1fe/0x320
[...]
* By analyzing the code of smb21_set_oplock_level(), we've noticed the only way the fortified strcat() function would overflow was if the value of cinode->oplock got corrupted in another thread, leading to a buffer write bigger than the buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread clearing the oplock value would lead to a 'message' overflow.
* Around the same time we worked on this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into the Bionic kernel - it's already present in Ubuntu kernel version 5.0 and newer, as well as in the linux stable branches.
[Test case]
* Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
* Using xfstests with the exclusions proposed in the link above we managed to get the same results as on a non-patched kernel, i.e., the same tests failed in both kernels; we didn't get worse results with the patch. Fio also didn't show a noticeable performance regression with the patch.
[Regression potential]
* The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. |
|
2019-07-17 19:56:17 |
Guilherme G. Piccoli |
description |
[Impact]
* We got reports of a kernel crash in cifs module with the following signature:
detected buffer overflow in strcat
kernel BUG at <...>/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x1f
Call Trace:
smb21_set_oplock_level+0xde/0x190 [cifs]
smb3_set_oplock_level+0x22/0x90 [cifs]
smb2_set_fid+0x76/0xb0 [cifs]
cifs_new_fileinfo+0x268/0x3c0 [cifs]
? smb2_get_lease_key+0x40/0x40 [cifs]
? cifs_new_fileinfo+0x268/0x3c0 [cifs]
cifs_open+0x57c/0x8d0 [cifs]
do_dentry_open+0x1fe/0x320
[...]
* By analyzing the code of smb21_set_oplock_level(), we've noticed the only way the fortified strcat() function would overflow was if the value of cinode->oplock got corrupted in another thread, leading to a buffer write bigger than the buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread clearing the oplock value would lead to a 'message' overflow.
* Around the same time we worked on this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into the Bionic kernel - it's already present in Ubuntu kernel version 5.0 and newer, as well as in the linux stable branches.
[Test case]
* Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
* Using xfstests with the exclusions proposed in the link above we managed to get the same results as on a non-patched kernel, i.e., the same tests failed in both kernels; we didn't get worse results with the patch. Fio also didn't show a noticeable performance regression with the patch.
[Regression potential]
* The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. |
[Impact]
* We got reports of a kernel crash in cifs module with the following signature:
detected buffer overflow in strcat
kernel BUG at <...>/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x1f
Call Trace:
smb21_set_oplock_level+0xde/0x190 [cifs]
smb3_set_oplock_level+0x22/0x90 [cifs]
smb2_set_fid+0x76/0xb0 [cifs]
cifs_new_fileinfo+0x268/0x3c0 [cifs]
? smb2_get_lease_key+0x40/0x40 [cifs]
? cifs_new_fileinfo+0x268/0x3c0 [cifs]
cifs_open+0x57c/0x8d0 [cifs]
do_dentry_open+0x1fe/0x320
[...]
* By analyzing the code of smb21_set_oplock_level(), we've noticed the only way the fortified strcat() function would overflow was if the value of cinode->oplock got corrupted in another thread, leading to a buffer write bigger than the buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread clearing the oplock value would lead to a 'message' overflow.
* Around the same time we worked on this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into the Bionic kernel - it's already present in the linux stable branches and will soon be in Ubuntu kernel version 5.0 (when it gets rebased with 5.0.19).
[Test case]
* Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
* Using xfstests with the exclusions proposed in the link above we managed to get the same results as on a non-patched kernel, i.e., the same tests failed in both kernels; we didn't get worse results with the patch. Fio also didn't show a noticeable performance regression with the patch.
[Regression potential]
* The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. |
|
2019-07-17 19:56:51 |
Guilherme G. Piccoli |
description |
[Impact]
* We got reports of a kernel crash in cifs module with the following signature:
detected buffer overflow in strcat
kernel BUG at <...>/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x1f
Call Trace:
smb21_set_oplock_level+0xde/0x190 [cifs]
smb3_set_oplock_level+0x22/0x90 [cifs]
smb2_set_fid+0x76/0xb0 [cifs]
cifs_new_fileinfo+0x268/0x3c0 [cifs]
? smb2_get_lease_key+0x40/0x40 [cifs]
? cifs_new_fileinfo+0x268/0x3c0 [cifs]
cifs_open+0x57c/0x8d0 [cifs]
do_dentry_open+0x1fe/0x320
[...]
* By analyzing the code of smb21_set_oplock_level(), we've noticed the only way the fortified strcat() function would overflow was if the value of cinode->oplock got corrupted in another thread, leading to a buffer write bigger than the buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread clearing the oplock value would lead to a 'message' overflow.
* Around the same time we worked on this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into the Bionic kernel - it's already present in the linux stable branches and will soon be in Ubuntu kernel version 5.0 (when it gets rebased with 5.0.19).
[Test case]
* Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
* Using xfstests with the exclusions proposed in the link above we managed to get the same results as on a non-patched kernel, i.e., the same tests failed in both kernels; we didn't get worse results with the patch. Fio also didn't show a noticeable performance regression with the patch.
[Regression potential]
* The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. |
[Impact]
* We got reports of a kernel crash in cifs module with the following signature:
detected buffer overflow in strcat
kernel BUG at <...>/lib/string.c:1052!
invalid opcode: 0000 [#1] SMP PTI
RIP: 0010:fortify_panic+0x13/0x1f
Call Trace:
smb21_set_oplock_level+0xde/0x190 [cifs]
smb3_set_oplock_level+0x22/0x90 [cifs]
smb2_set_fid+0x76/0xb0 [cifs]
cifs_new_fileinfo+0x268/0x3c0 [cifs]
? smb2_get_lease_key+0x40/0x40 [cifs]
? cifs_new_fileinfo+0x268/0x3c0 [cifs]
cifs_open+0x57c/0x8d0 [cifs]
do_dentry_open+0x1fe/0x320
[...]
* By analyzing the code of smb21_set_oplock_level(), we've noticed the only way the fortified strcat() function would overflow was if the value of cinode->oplock got corrupted in another thread, leading to a buffer write bigger than the buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread clearing the oplock value would lead to a 'message' overflow.
* Around the same time we worked on this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into the Bionic kernel - it's already present in the linux stable branches.
[Test case]
* Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio.
* Using xfstests with the exclusions proposed in the link above we managed to get the same results as on a non-patched kernel, i.e., the same tests failed in both kernels; we didn't get worse results with the patch. Fio also didn't show a noticeable performance regression with the patch.
[Regression potential]
* The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. |
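
The race described in the [Impact] section above, as an added illustration that is not the kernel's code nor the upstream commit: the racy pattern updates the shared oplock field flag by flag and re-reads it for the final "None" check, so a concurrent clear makes "None" follow "RHW" in a 5-byte buffer, while the hardened pattern builds the new value in a local, stores it once and decides from that local copy. The LEASE_*/CACHE_* constants, the inode_state struct and the simulated second thread are constructed stand-ins, and the bounded append() reports where the unbounded strcat() would have overflowed instead of panicking.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
/* Constructed stand-ins for the server-granted lease bits and the inode's
 * cache flags; not the kernel's own definitions. */
#define LEASE_READ    0x01u
#define LEASE_HANDLE  0x02u
#define LEASE_WRITE   0x04u
#define CACHE_READ    0x1u
#define CACHE_HANDLE  0x2u
#define CACHE_WRITE   0x4u
struct inode_state { unsigned int oplock; };   /* models cinode->oplock */
/* Models another thread that clears the shared oplock mid-function. */
typedef void (*interleave_fn)(struct inode_state *);
static void clear_oplock(struct inode_state *st) { st->oplock = 0; }
/* Bounded strcat: returns false exactly where the unbounded kernel strcat()
 * would have been caught by FORTIFY and called fortify_panic(). */
static bool append(char *dst, size_t cap, const char *src)
{
    if (strlen(dst) + strlen(src) + 1 > cap)
        return false;
    strcat(dst, src);
    return true;
}
/* Racy pattern: the shared field is updated flag by flag and then re-read
 * for the "None" check, so a concurrent clear makes "None" follow "RHW". */
static bool set_oplock_racy(struct inode_state *st, unsigned int lease,
                            interleave_fn other_thread, char *msg, size_t cap)
{
    bool ok = true;
    msg[0] = '\0';
    if (lease & LEASE_READ)   { st->oplock |= CACHE_READ;   ok = append(msg, cap, "R") && ok; }
    if (lease & LEASE_HANDLE) { st->oplock |= CACHE_HANDLE; ok = append(msg, cap, "H") && ok; }
    if (lease & LEASE_WRITE)  { st->oplock |= CACHE_WRITE;  ok = append(msg, cap, "W") && ok; }
    if (other_thread)
        other_thread(st);             /* oplock cleared behind our back */
    if (!st->oplock)                  /* re-reads shared state: TOCTOU */
        ok = append(msg, cap, "None") && ok;
    return ok;                        /* false: an overflow was attempted */
}

/* Hardened pattern: build the new value in a local, store it once, and
 * derive the message only from that local copy. */
static bool set_oplock_fixed(struct inode_state *st, unsigned int lease,
                             interleave_fn other_thread, char *msg, size_t cap)
{
    unsigned int new_oplock = 0;
    bool ok = true;
    msg[0] = '\0';
    if (lease & LEASE_READ)   { new_oplock |= CACHE_READ;   ok = append(msg, cap, "R") && ok; }
    if (lease & LEASE_HANDLE) { new_oplock |= CACHE_HANDLE; ok = append(msg, cap, "H") && ok; }
    if (lease & LEASE_WRITE)  { new_oplock |= CACHE_WRITE;  ok = append(msg, cap, "W") && ok; }
    if (other_thread)
        other_thread(st);             /* same interleaving, now harmless */
    st->oplock = new_oplock;          /* single store of the final value */
    if (!new_oplock)                  /* decision uses the local copy */
        ok = append(msg, cap, "None") && ok;
    return ok;
}
```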
|
2019-07-17 19:58:05 |
Guilherme G. Piccoli |
linux (Ubuntu Eoan): status |
Fix Committed |
Fix Released |
|
2019-07-19 02:46:48 |
Khaled El Mously |
linux (Ubuntu Bionic): status |
In Progress |
Fix Committed |
|
2019-07-19 02:46:50 |
Khaled El Mously |
linux (Ubuntu Disco): status |
In Progress |
Fix Committed |
|
2019-07-24 20:59:19 |
Brad Figg |
tags |
bionic sts |
bionic cscc sts |
|
2019-07-25 16:04:43 |
Ubuntu Kernel Bot |
tags |
bionic cscc sts |
bionic cscc sts verification-needed-disco |
|
2019-07-25 18:32:18 |
Ubuntu Kernel Bot |
tags |
bionic cscc sts verification-needed-disco |
bionic cscc sts verification-needed-bionic verification-needed-disco |
|
2019-07-31 14:29:33 |
Guilherme G. Piccoli |
tags |
bionic cscc sts verification-needed-bionic verification-needed-disco |
bionic cscc sts verification-done-bionic verification-needed-disco |
|
2019-08-07 08:34:25 |
Ubuntu Kernel Bot |
tags |
bionic cscc sts verification-done-bionic verification-needed-disco |
bionic cscc sts verification-done-bionic verification-needed-disco verification-needed-xenial |
|
2019-08-10 17:21:50 |
granjerox |
bug |
|
|
added subscriber granjerox |
2019-08-12 14:18:48 |
Guilherme G. Piccoli |
bug |
|
|
added subscriber Guilherme G. Piccoli |
2019-08-13 08:59:53 |
Launchpad Janitor |
linux (Ubuntu Disco): status |
Fix Committed |
Fix Released |
|
2019-08-13 08:59:53 |
Launchpad Janitor |
cve linked |
|
2019-1125 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2000-1134 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2007-3852 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2008-0525 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2009-0416 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2011-4834 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2015-1838 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2015-7442 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2016-7489 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2018-5383 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-10126 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-12614 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-12818 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-12819 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-12984 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-13233 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-13272 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-2101 |
|
2019-08-13 11:27:47 |
Launchpad Janitor |
cve linked |
|
2019-3846 |
|
2019-10-09 08:02:12 |
Gerrit Venema |
bug |
|
|
added subscriber Gerrit Venema |