NULL pointer dereference when Inserting the VIMC module

Bug #1840028 reported by Po-Hsu Lin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Po-Hsu Lin
Bionic
Fix Released
Undecided
Po-Hsu Lin
Disco
Fix Released
Undecided
Po-Hsu Lin
Eoan
Fix Released
Undecided
Po-Hsu Lin

Bug Description

== SRU Justification ==
When trying to insert a vimc module on a system has other devices being registered in the component framework, if the device is not necessarily a platform_device, nor have a platform_data it will trigger a NULL pointer deference issue.

Issue found on a bare metal node with config vimc enabled.

ubuntu@amaura:~$ sudo modprobe vimc
Killed

dmesg output:
[ 2855.340272] media: Linux media interface: v0.10
[ 2855.344927] Linux video capture interface: v2.00
[ 2855.346146] BUG: unable to handle kernel NULL pointer dereference at 0000000000000000
[ 2855.346172] IP: strcmp+0xe/0x30
[ 2855.346181] PGD 0 P4D 0
[ 2855.346189] Oops: 0000 [#1] SMP PTI
[ 2855.346198] Modules linked in: vimc(+) videodev media ppdev intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel binfmt_misc kvm irqbypass intel_cstate intel_rapl_perf ipmi_si joydev ipmi_devintf ipmi_msghandler intel_pch_thermal input_leds parport_pc lpc_ich shpchp parport mac_hid sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear hid_generic usbhid hid crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc i915 mgag200 ttm drm_kms_helper aesni_intel syscopyarea aes_x86_64 sysfillrect crypto_simd igb sysimgblt glue_helper fb_sys_fops cryptd dca drm i2c_algo_bit
[ 2855.346366] ahci ptp libahci pps_core video
[ 2855.346379] CPU: 4 PID: 1505 Comm: modprobe Not tainted 4.15.0-58-generic #64
[ 2855.346395] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
[ 2855.346418] RIP: 0010:strcmp+0xe/0x30
[ 2855.346428] RSP: 0018:ffffb63501f93a00 EFLAGS: 00010202
[ 2855.346440] RAX: ffffffffc0c860f0 RBX: 0000000000000000 RCX: 0000000000000000
[ 2855.346456] RDX: ffffa097d85ec440 RSI: ffffffffc0c8723f RDI: 0000000000000001
[ 2855.346473] RBP: ffffb63501f93a00 R08: ffffa097e09270a0 R09: ffffa097d265ca80
[ 2855.346489] R10: ffffe84b51559600 R11: 0000000000000200 R12: ffffa097dcdbf718
[ 2855.346505] R13: ffffa097d265ca80 R14: ffffa097d2f2b380 R15: 0000000000000000
[ 2855.346521] FS: 00007fd7f4e4b540(0000) GS:ffffa097e0900000(0000) knlGS:0000000000000000
[ 2855.346539] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 2855.346553] CR2: 0000000000000000 CR3: 00000004580fc001 CR4: 00000000003606e0
[ 2855.346569] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 2855.346585] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 2855.346601] Call Trace:
[ 2855.346611] vimc_comp_compare+0x15/0x20 [vimc]
[ 2855.346624] try_to_bring_up_master+0xa3/0x260
[ 2855.346635] ? vimc_remove+0x90/0x90 [vimc]
[ 2855.346646] component_master_add_with_match+0x8b/0xd0
[ 2855.346659] vimc_probe+0x325/0x3c9 [vimc]
[ 2855.346672] ? acpi_dev_pm_attach+0x25/0xd0
[ 2855.346683] platform_drv_probe+0x3e/0xa0
[ 2855.346693] driver_probe_device+0x30c/0x490
[ 2855.346704] __driver_attach+0xa7/0xf0
[ 2855.346714] ? driver_probe_device+0x490/0x490
[ 2855.346725] bus_for_each_dev+0x70/0xc0
[ 2855.346735] driver_attach+0x1e/0x20
[ 2855.346744] bus_add_driver+0x1c7/0x270
[ 2855.346754] ? 0xffffffffc0c8b000
[ 2855.346763] driver_register+0x60/0xe0
[ 2855.346772] ? 0xffffffffc0c8b000
[ 2855.346781] __platform_driver_register+0x36/0x40
[ 2855.346793] vimc_init+0x46/0x1000 [vimc]
[ 2855.347306] do_one_initcall+0x52/0x19f
[ 2855.347810] ? __vunmap+0x8e/0xc0
[ 2855.348322] ? _cond_resched+0x19/0x40
[ 2855.348811] ? kmem_cache_alloc_trace+0x14e/0x1b0
[ 2855.349290] ? do_init_module+0x27/0x209
[ 2855.349768] do_init_module+0x5f/0x209
[ 2855.350246] load_module+0x193b/0x1f30
[ 2855.350710] ? ima_post_read_file+0x96/0xa0
[ 2855.351159] SYSC_finit_module+0xfc/0x120
[ 2855.351592] ? SYSC_finit_module+0xfc/0x120
[ 2855.352010] SyS_finit_module+0xe/0x10
[ 2855.352412] do_syscall_64+0x73/0x130
[ 2855.352797] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 2855.353169] RIP: 0033:0x7fd7f4959839
[ 2855.353538] RSP: 002b:00007ffd7e3fd5c8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 2855.353915] RAX: ffffffffffffffda RBX: 0000563c3b02eea0 RCX: 00007fd7f4959839
[ 2855.354286] RDX: 0000000000000000 RSI: 0000563c39de5d2e RDI: 0000000000000005
[ 2855.354647] RBP: 0000563c39de5d2e R08: 0000000000000000 R09: 0000563c3b02eea0
[ 2855.355009] R10: 0000000000000005 R11: 0000000000000246 R12: 0000000000000000
[ 2855.355369] R13: 0000563c3b02ef20 R14: 0000000000040000 R15: 0000563c3b02eea0
[ 2855.355728] Code: 01 c8 c3 c6 44 07 ff 00 eb 91 31 c0 eb c9 48 c7 c0 f9 ff ff ff c3 0f 1f 80 00 00 00 00 55 48 89 e5 eb 04 84 c0 74 18 48 83 c7 01 <0f> b6 47 ff 48 83 c6 01 3a 46 ff 74 eb 19 c0 83 c8 01 5d c3 31
[ 2855.356503] RIP: strcmp+0xe/0x30 RSP: ffffb63501f93a00
[ 2855.356885] CR2: 0000000000000000
[ 2855.357259] ---[ end trace bfba48c80f803d2d ]---

== Fix ==
* ee1c71a8 (media: vimc: fix component match compare)

This patch can be cherry-picked in to B/D/E.
VIMC support was requested to enabled on these kernels (lp:1831482).

== Test ==
Test kernels could be found here:
https://people.canonical.com/~phlin/kernel/lp-1840028-null-ptr-vimc/

Tested with node "amaura", patch works as expected, the vimc module can be inserted / removed without any issue.

== Regression Potential ==
Low, this patch is specific for vimc and we have positive test result with it.

CVE References

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :
description: updated
tags: added: bionic
Changed in linux (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Po-Hsu Lin (cypressyew)
status: New → Incomplete
status: Incomplete → In Progress
Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

With the Bionic test kernel https://people.canonical.com/~phlin/kernel/lp-1840028-null-ptr-vimc/B/

This issue will gone:

ubuntu@amaura:~$ sudo modprobe vimc
ubuntu@amaura:~$

[ 10.048268] IPv6: ADDRCONF(NETDEV_CHANGE): eno1: link becomes ready
[ 127.217396] new mount options do not match the existing superblock, will be ignored
[ 142.328019] media: Linux media interface: v0.10
[ 142.332711] Linux video capture interface: v2.00
[ 142.343775] vimc vimc.0: bound vimc-sensor.1.auto (ops vimc_sen_comp_ops [vimc_sensor])
[ 142.343891] vimc vimc.0: bound vimc-sensor.2.auto (ops vimc_sen_comp_ops [vimc_sensor])
[ 142.343893] vimc vimc.0: bound vimc-debayer.3.auto (ops vimc_deb_comp_ops [vimc_debayer])
[ 142.343895] vimc vimc.0: bound vimc-debayer.4.auto (ops vimc_deb_comp_ops [vimc_debayer])
[ 142.343931] vimc vimc.0: bound vimc-capture.5.auto (ops vimc_cap_comp_ops [vimc_capture])
[ 142.343952] vimc vimc.0: bound vimc-capture.6.auto (ops vimc_cap_comp_ops [vimc_capture])
[ 142.344059] vimc vimc.0: bound vimc-sensor.7.auto (ops vimc_sen_comp_ops [vimc_sensor])
[ 142.344061] vimc vimc.0: bound vimc-scaler.8.auto (ops vimc_sca_comp_ops [vimc_scaler])
[ 142.344083] vimc vimc.0: bound vimc-capture.9.auto (ops vimc_cap_comp_ops [vimc_capture])

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1840028

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

Affecting Disco as well, passed with patched kernel.

Changed in linux (Ubuntu Disco):
assignee: nobody → Po-Hsu Lin (cypressyew)
Po-Hsu Lin (cypressyew)
description: updated
Changed in linux (Ubuntu Disco):
status: New → In Progress
Changed in linux (Ubuntu Eoan):
status: Incomplete → In Progress
Po-Hsu Lin (cypressyew)
description: updated
Po-Hsu Lin (cypressyew)
description: updated
Revision history for this message
Po-Hsu Lin (cypressyew) wrote :
Seth Forshee (sforshee)
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew)
tags: added: disco eoan
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (27.8 KiB)

This bug was fixed in the package linux - 5.2.0-13.14

---------------
linux (5.2.0-13.14) eoan; urgency=medium

  * eoan/linux: 5.2.0-13.14 -proposed tracker (LP: #1840261)

  * NULL pointer dereference when Inserting the VIMC module (LP: #1840028)
    - media: vimc: fix component match compare

  * Miscellaneous upstream changes
    - selftests/bpf: remove bpf_util.h from BPF C progs

linux (5.2.0-12.13) eoan; urgency=medium

  * eoan/linux: 5.2.0-12.13 -proposed tracker (LP: #1840184)

  * Eoan update: v5.2.8 upstream stable release (LP: #1840178)
    - scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure
    - libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant
    - libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock
    - ALSA: usb-audio: Sanity checks for each pipe and EP types
    - ALSA: usb-audio: Fix gpf in snd_usb_pipe_sanity_check
    - HID: wacom: fix bit shift for Cintiq Companion 2
    - HID: Add quirk for HP X1200 PIXART OEM mouse
    - atm: iphase: Fix Spectre v1 vulnerability
    - bnx2x: Disable multi-cos feature.
    - drivers/net/ethernet/marvell/mvmdio.c: Fix non OF case
    - ife: error out when nla attributes are empty
    - ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6
    - ip6_tunnel: fix possible use-after-free on xmit
    - ipip: validate header length in ipip_tunnel_xmit
    - mlxsw: spectrum: Fix error path in mlxsw_sp_module_init()
    - mvpp2: fix panic on module removal
    - mvpp2: refactor MTU change code
    - net: bridge: delete local fdb on device init failure
    - net: bridge: mcast: don't delete permanent entries when fast leave is
      enabled
    - net: bridge: move default pvid init/deinit to NETDEV_REGISTER/UNREGISTER
    - net: fix ifindex collision during namespace removal
    - net/mlx5e: always initialize frag->last_in_page
    - net/mlx5: Use reversed order when unregister devices
    - net: phy: fixed_phy: print gpio error only if gpio node is present
    - net: phylink: don't start and stop SGMII PHYs in SFP modules twice
    - net: phylink: Fix flow control for fixed-link
    - net: phy: mscc: initialize stats array
    - net: qualcomm: rmnet: Fix incorrect UL checksum offload logic
    - net: sched: Fix a possible null-pointer dereference in dequeue_func()
    - net sched: update vlan action for batched events operations
    - net: sched: use temporary variable for actions indexes
    - net/smc: do not schedule tx_work in SMC_CLOSED state
    - net: stmmac: Use netif_tx_napi_add() for TX polling function
    - NFC: nfcmrvl: fix gpio-handling regression
    - ocelot: Cancel delayed work before wq destruction
    - tipc: compat: allow tipc commands without arguments
    - tipc: fix unitilized skb list crash
    - tun: mark small packets as owned by the tap sock
    - net/mlx5: Fix modify_cq_in alignment
    - net/mlx5e: Prevent encap flow counter update async to user query
    - r8169: don't use MSI before RTL8168d
    - bpf: fix XDP vlan selftests test_xdp_vlan.sh
    - selftests/bpf: add wrapper scripts for test_xdp_vlan.sh
    - selftests/bpf: reduce time to execute test_xdp_vlan.sh
    - net: fix bpf_xdp_adjust_head regression for generic-XDP
    - hv_sock: Fi...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-disco' to 'verification-done-disco'. If the problem still exists, change the tag 'verification-needed-disco' to 'verification-failed-disco'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-disco
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (20.2 KiB)

This bug was fixed in the package linux - 4.15.0-65.74

---------------
linux (4.15.0-65.74) bionic; urgency=medium

  * bionic/linux: 4.15.0-65.74 -proposed tracker (LP: #1844403)

  * arm64: large modules fail to load (LP: #1841109)
    - arm64/kernel: kaslr: reduce module randomization range to 4 GB
    - arm64/kernel: don't ban ADRP to work around Cortex-A53 erratum #843419
    - arm64: fix undefined reference to 'printk'
    - arm64/kernel: rename module_emit_adrp_veneer->module_emit_veneer_for_adrp
    - [config] Remove CONFIG_ARM64_MODULE_CMODEL_LARGE

  * CVE-2018-20976
    - xfs: clear sb->s_fs_info on mount failure

  * br_netfilter: namespace sysctl operations (LP: #1836910)
    - net: bridge: add bitfield for options and convert vlan opts
    - net: bridge: convert nf call options to bits
    - netfilter: bridge: port sysctls to use brnf_net
    - netfilter: bridge: namespace bridge netfilter sysctls
    - netfilter: bridge: prevent UAF in brnf_exit_net()

  * tuntap: correctly set SOCKWQ_ASYNC_NOSPACE (LP: #1830756)
    - tuntap: correctly set SOCKWQ_ASYNC_NOSPACE

  * Bionic update: upstream stable patchset 2019-08-30 (LP: #1842114)
    - HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT
    - MIPS: kernel: only use i8253 clocksource with periodic clockevent
    - mips: fix cacheinfo
    - netfilter: ebtables: fix a memory leak bug in compat
    - ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks
    - bonding: Force slave speed check after link state recovery for 802.3ad
    - can: dev: call netif_carrier_off() in register_candev()
    - ASoC: Fail card instantiation if DAI format setup fails
    - st21nfca_connectivity_event_received: null check the allocation
    - st_nci_hci_connectivity_event_received: null check the allocation
    - ASoC: ti: davinci-mcasp: Correct slot_width posed constraint
    - net: usb: qmi_wwan: Add the BroadMobi BM818 card
    - qed: RDMA - Fix the hw_ver returned in device attributes
    - isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in
      start_isoc_chain()
    - netfilter: ipset: Fix rename concurrency with listing
    - isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack
    - perf bench numa: Fix cpu0 binding
    - can: sja1000: force the string buffer NULL-terminated
    - can: peak_usb: force the string buffer NULL-terminated
    - net/ethernet/qlogic/qed: force the string buffer NULL-terminated
    - NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim()
    - HID: input: fix a4tech horizontal wheel custom usage
    - SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL
    - net: cxgb3_main: Fix a resource leak in a error path in 'init_one()'
    - net: hisilicon: make hip04_tx_reclaim non-reentrant
    - net: hisilicon: fix hip04-xmit never return TX_BUSY
    - net: hisilicon: Fix dma_map_single failed on arm64
    - libata: have ata_scsi_rw_xlat() fail invalid passthrough requests
    - libata: add SG safety checks in SFF pio transfers
    - x86/lib/cpu: Address missing prototypes warning
    - drm/vmwgfx: fix memory leak when too many retries have occurred
    - perf ftrace: Fix failure to set cpuma...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (126.4 KiB)

This bug was fixed in the package linux - 5.0.0-31.33

---------------
linux (5.0.0-31.33) disco; urgency=medium

  * disco/linux: 5.0.0-31.33 -proposed tracker (LP: #1846026)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * /proc/self/maps paths missing on live session (was vlc won't start; eoan
    19.10 & bionic 18.04 ubuntu/lubuntu/kubuntu/xubuntu/ubuntu-mate dailies)
    (LP: #1842382)
    - SAUCE: Revert "UBUNTU: SAUCE: shiftfs: enable overlayfs on shiftfs"

linux (5.0.0-30.32) disco; urgency=medium

  * disco/linux: 5.0.0-30.32 -proposed tracker (LP: #1844362)

  * Disco update: upstream stable patchset 2019-08-20 (LP: #1840846)
    - Revert "e1000e: fix cyclic resets at link up with active tx"
    - e1000e: start network tx queue only when link is up
    - Input: synaptics - enable SMBUS on T480 thinkpad trackpad
    - nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header
    - drivers: base: cacheinfo: Ensure cpu hotplug work is done before Intel RDT
    - firmware: improve LSM/IMA security behaviour
    - irqchip/gic-v3-its: Fix command queue pointer comparison bug
    - clk: ti: clkctrl: Fix returning uninitialized data
    - efi/bgrt: Drop BGRT status field reserved bits check
    - perf/core: Fix perf_sample_regs_user() mm check
    - ARM: dts: gemini Fix up DNS-313 compatible string
    - ARM: omap2: remove incorrect __init annotation
    - afs: Fix uninitialised spinlock afs_volume::cb_break_lock
    - x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz
    - be2net: fix link failure after ethtool offline test
    - ppp: mppe: Add softdep to arc4
    - sis900: fix TX completion
    - ARM: dts: imx6ul: fix PWM[1-4] interrupts
    - pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order
    - dm table: don't copy from a NULL pointer in realloc_argv()
    - dm verity: use message limit for data block corruption message
    - x86/boot/64: Fix crash if kernel image crosses page table boundary
    - x86/boot/64: Add missing fixup_pointer() for next_early_pgt access
    - HID: chicony: add another quirk for PixArt mouse
    - pinctrl: mediatek: Ignore interrupts that are wake only during resume
    - cpu/hotplug: Fix out-of-bounds read when setting fail state
    - pinctrl: mediatek: Update cur_mask in mask/mask ops
    - linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL
    - genirq: Delay deactivation in free_irq()
    - genirq: Fix misleading synchronize_irq() documentation
    - genirq: Add optional hardware synchronization for shutdown
    - x86/ioapic: Implement irq_get_irqchip_state() callback
    - x86/irq: Handle spurious interrupt after shutdown gracefully
    - x86/irq: Seperate unused system vectors from spurious entry again
    - ARC: hide unused function unw_hdr_alloc
    - s390: fix stfle zero padding
    - s390/qdio: (re-)initialize tiqdio list entries
    - s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
    - crypto: talitos - move struct talitos_edesc into talitos.h
    - crypto: talitos - fix hash on SEC1.
    - crypto/NX: Set receive window credits to max number of CRBs in RxFIFO
    - drm/udl: introduce a macro to convert dev t...

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers