2018-11-06 07:59:29 |
Gavin Guo |
bug |
|
|
added bug |
2018-11-06 08:00:06 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Incomplete |
|
2018-11-06 08:00:08 |
Ubuntu Kernel Bot |
tags |
|
bionic |
|
2018-11-06 14:38:31 |
Gavin Guo |
description |
[267265.140511] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[267265.144406] IP: xfrm_lookup+0x31/0x870
[267265.146224] PGD 0 P4D 0
[267265.147469] Oops: 0000 [#1] SMP PTI
[267265.149141] Modules linked in: xt_iprange xt_nat ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_mangle xt_limit nf_log_ipv4 nf_log_common xt_LOG xt_mark ipt_REJECT nf_reject_ipv4 xt_tcpudp xt_conntrack veth overlay vxlan ip6_udp_tunnel udp_tunnel xfs binfmt_misc xfrm4_mode_transport xfrm_user xfrm4_tunnel tunnel4 iptable_nat nf_conntrack_ipv4 ipcomp nf_defrag_ipv4 xfrm_ipcomp nf_nat_ipv4 nf_nat esp4 nf_conntrack ah4 libcrc32c af_key xfrm_algo iptable_filter ip_tables x_tables intel_rapl sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel input_leds aes_x86_64 i2c_piix4 crypto_simd glue_helper cryptd mac_hid serio_raw intel_rapl_perf autofs4 cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse pata_acpi ena drm floppy
[267265.180439] CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.15.0-36-generic #39~16.04.1-Ubuntu
[267265.184285] Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006
[267265.187224] RIP: 0010:xfrm_lookup+0x31/0x870
[267265.189246] RSP: 0018:ffff98b542343a48 EFLAGS: 00010246
[267265.191743] RAX: 0000000000000000 RBX: ffff98b542343ac8 RCX: 0000000000000000
[267265.195048] RDX: ffff98b542343ac8 RSI: 0000000000000000 RDI: ffffffffb39e4380
[267265.198524] RBP: ffff98b542343ab8 R08: 0000000000000002 R09: 0000000000000000
[267265.201930] R10: 0000000000000020 R11: 000000007fb56465 R12: 0000000000000000
[267265.205235] R13: ffffffffb39e4380 R14: 0000000000000002 R15: ffffffffb39e4380
[267265.208567] FS: 0000000000000000(0000) GS:ffff98b542340000(0000) knlGS:0000000000000000
[267265.212404] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[267265.215084] CR2: 0000000000000020 CR3: 00000004ed40a001 CR4: 00000000001606e0
[267265.218442] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[267265.221769] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[267265.225063] Call Trace:
[267265.226280] <IRQ>
[267265.227291] ? __xfrm_policy_check+0x41d/0x630
[267265.229412] __xfrm_route_forward+0xa3/0x110
[267265.231475] ip_forward+0x38c/0x470
[267265.233140] ? ip_route_input_noref+0x28/0x40
[267265.235214] ip_rcv_finish+0x124/0x410
[267265.237041] ip_rcv+0x28e/0x3b0
[267265.238572] ? inet_del_offload+0x40/0x40
[267265.240487] __netif_receive_skb_core+0x879/0xba0
[267265.242734] ? __skb_checksum+0x188/0x2c0
[267265.244631] __netif_receive_skb+0x18/0x60
[267265.246591] ? __netif_receive_skb+0x18/0x60
[267265.248625] netif_receive_skb_internal+0x37/0xe0
[267265.252142] ? tcp4_gro_complete+0x86/0x90
[267265.255313] napi_gro_complete+0x73/0x90
[267265.258432] dev_gro_receive+0x2ee/0x5c0
[267265.261560] napi_gro_frags+0xa3/0x230
[267265.264583] ena_clean_rx_irq+0x486/0x7c0 [ena]
[267265.267981] ena_io_poll+0x41d/0x770 [ena]
[267265.271189] net_rx_action+0x265/0x3b0
[267265.274134] __do_softirq+0xf5/0x28f
[267265.276933] irq_exit+0xb8/0xc0
[267265.279648] xen_evtchn_do_upcall+0x30/0x40
[267265.282691] xen_hvm_callback_vector+0x84/0x90 |
[Impact]
NULL pointer access happens when trying to access dst_orig->ops.
The function xfrm_lookup() calls xfrm_lookup_with_ifid() and there is
a line inside trying to access dst_orig->ops and it's exactly where the
panicing happens:
u16 family = dst_orig->ops->family;
As you can see that the symbol offset of ops is about 32(0x20) which
definitely is the error message shows in the kern.log:
[267265.140511] BUG: unable to handle kernel NULL pointer dereference
at 0000000000000020
struct dst_entry {
struct callback_head callback_head; /* 0 16 */
struct dst_entry * child; /* 16 8 */
struct net_device * dev; /* 24 8 */
struct dst_ops * ops; <-- /* 32 8 */
The oops:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
IP: xfrm_lookup+0x31/0x870
PGD 0 P4D 0
Oops: 0000 [#1] SMP PTI
CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.15.0-36-generic #39~16.04.1-Ubuntu
Hardware name: Xen HVM domU, BIOS 4.2.amazon 08/24/2006
RIP: 0010:xfrm_lookup+0x31/0x870
RSP: 0018:ffff98b542343a48 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff98b542343ac8 RCX: 0000000000000000
RDX: ffff98b542343ac8 RSI: 0000000000000000 RDI: ffffffffb39e4380
RBP: ffff98b542343ab8 R08: 0000000000000002 R09: 0000000000000000
R10: 0000000000000020 R11: 000000007fb56465 R12: 0000000000000000
R13: ffffffffb39e4380 R14: 0000000000000002 R15: ffffffffb39e4380
FS: 0000000000000000(0000) GS:ffff98b542340000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 00000004ed40a001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
? __xfrm_policy_check+0x41d/0x630
__xfrm_route_forward+0xa3/0x110
ip_forward+0x38c/0x470
? ip_route_input_noref+0x28/0x40
ip_rcv_finish+0x124/0x410
ip_rcv+0x28e/0x3b0
? inet_del_offload+0x40/0x40
__netif_receive_skb_core+0x879/0xba0
? __skb_checksum+0x188/0x2c0
__netif_receive_skb+0x18/0x60
? __netif_receive_skb+0x18/0x60
netif_receive_skb_internal+0x37/0xe0
? tcp4_gro_complete+0x86/0x90
napi_gro_complete+0x73/0x90
dev_gro_receive+0x2ee/0x5c0
napi_gro_frags+0xa3/0x230
ena_clean_rx_irq+0x486/0x7c0 [ena]
ena_io_poll+0x41d/0x770 [ena]
net_rx_action+0x265/0x3b0
__do_softirq+0xf5/0x28f
irq_exit+0xb8/0xc0
xen_evtchn_do_upcall+0x30/0x40
xen_hvm_callback_vector+0x84/0x90
[Fix]
The patch tries to avoid the NULL pointer access before the line
mentioned "dst_orig->ops->family" in function __xfrm_route_forward.
And the function calling sequence is:
__xfrm_route_forward -> xfrm_lookup -> xfrm_lookup_with_ifid
It definitely avoids the NULL pointer access in the
xfrm_lookup_with_ifid.
commit c5e39ef174ad34cd4d26af3a83bdbccddd2ad9d6
Author: Steffen Klassert <steffen.klassert@secunet.com>
Date: Tue Sep 11 10:31:15 2018 +0200
xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
Since commit 222d7dbd258d ("net: prevent dst uses after free")
skb_dst_force() might clear the dst_entry attached to the skb.
The xfrm code don't expect this to happen, so we crash with
a NULL pointer dereference in this case. Fix it by checking
skb_dst(skb) for NULL after skb_dst_force() and drop the packet
in cast the dst_entry was cleared.
[Test]
The fix has been tested in the production system with the IPSec enabled. |
|
2018-11-06 15:10:54 |
Gavin Guo |
nominated for series |
|
Ubuntu Xenial |
|
2018-11-06 15:10:54 |
Gavin Guo |
nominated for series |
|
Ubuntu Cosmic |
|
2018-11-06 15:10:54 |
Gavin Guo |
nominated for series |
|
Ubuntu Bionic |
|
2018-11-06 17:53:46 |
Stefan Bader |
bug task added |
|
linux (Ubuntu Bionic) |
|
2018-11-06 17:53:52 |
Stefan Bader |
bug task added |
|
linux (Ubuntu Cosmic) |
|
2018-11-06 17:53:57 |
Stefan Bader |
bug task added |
|
linux (Ubuntu Xenial) |
|
2018-11-08 04:33:32 |
Khaled El Mously |
linux (Ubuntu Xenial): status |
New |
Fix Committed |
|
2018-11-08 04:33:36 |
Khaled El Mously |
linux (Ubuntu Bionic): status |
New |
Fix Committed |
|
2018-11-08 04:33:40 |
Khaled El Mously |
linux (Ubuntu Cosmic): status |
New |
Fix Committed |
|
2018-11-15 11:04:27 |
Brad Figg |
tags |
bionic |
bionic verification-needed-cosmic |
|
2018-11-15 11:34:32 |
Brad Figg |
tags |
bionic verification-needed-cosmic |
bionic verification-needed-bionic verification-needed-cosmic |
|
2018-11-16 16:36:09 |
Brad Figg |
tags |
bionic verification-needed-bionic verification-needed-cosmic |
bionic verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
|
2018-11-26 12:38:10 |
Gavin Guo |
tags |
bionic verification-needed-bionic verification-needed-cosmic verification-needed-xenial |
bionic verification-done-bionic verification-done-cosmic verification-done-xenial |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
linux (Ubuntu Cosmic): status |
Fix Committed |
Fix Released |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-18653 |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-18955 |
|
2018-12-03 08:49:32 |
Launchpad Janitor |
cve linked |
|
2018-6559 |
|
2018-12-03 14:01:15 |
Launchpad Janitor |
linux (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2018-12-03 14:59:47 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2019-05-16 11:33:50 |
Po-Hsu Lin |
linux (Ubuntu): status |
Incomplete |
Fix Released |
|
2019-07-24 21:29:42 |
Brad Figg |
tags |
bionic verification-done-bionic verification-done-cosmic verification-done-xenial |
bionic cscc verification-done-bionic verification-done-cosmic verification-done-xenial |
|