General protection fault on c->freelist broken with Trusty Tahr

Bug #1403282 reported by Gavin Guo
Affects          Status        Importance  Assigned to  Milestone
linux (Ubuntu)   Fix Released  Undecided   Gavin Guo
Trusty           Fix Released  Undecided   Unassigned

Bug Description

[6650285.515240] CPU: 15 PID: 27439 Comm: vtep_test.sh Tainted: G W 3.13.0-34-generic #60-Ubuntu
[6650285.525760] Hardware name: Cisco Systems Inc UCSC-C220-M3S/UCSC-C220-M3S, BIOS C220M3.1.5.4f.0.111320130449 11/13/2013
[6650285.537933] task: ffff883fa972c7d0 ti: ffff8830372a6000 task.ti: ffff8830372a6000
[6650285.546506] RIP: 0010:[<ffffffff811a1e10>] [<ffffffff811a1e10>] kmem_cache_alloc_trace+0x80/0x1f0
[6650285.556815] RSP: 0018:ffff8830372a7e80 EFLAGS: 00010286
[6650285.562990] RAX: 0000000000000000 RBX: ffff883f3a2178c0 RCX: 0000000001bf16c6
[6650285.571235] RDX: 0000000001bf16c5 RSI: 00000000000080d0 RDI: ffff881fff803500
[6650285.579477] RBP: ffff8830372a7eb8 R08: 00000000000172a0 R09: ffff881fff803500
[6650285.587721] R10: ffffffff811c5b6e R11: 0000000000000246 R12: 0006000600000000
[6650285.595962] R13: 00000000000080d0 R14: 0000000000000280 R15: ffff881fff803500
[6650285.604211] FS: 00007fe3cf4ec740(0000) GS:ffff88407fce0000(0000) knlGS:0000000000000000
[6650285.613525] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[6650285.620184] CR2: 0000000001a78608 CR3: 0000003c28958000 CR4: 00000000001427e0
[6650285.628426] Stack:
[6650285.630895] ffff881fff803500 ffffffff811c5b6e ffff883f3a2178c0 ffff8830372a7f60
[6650285.639493] 0000000000000000 ffff8830372a7f58 0000000000000000 ffff8830372a7ed0
[6650285.648086] ffffffff811c5b6e ffff88228205f6c0 ffff8830372a7f10 ffffffff811c6086
[6650285.656704] Call Trace:
[6650285.659678] [<ffffffff811c5b6e>] ? alloc_pipe_info+0x3e/0xb0
[6650285.666342] [<ffffffff811c5b6e>] alloc_pipe_info+0x3e/0xb0
[6650285.672811] [<ffffffff811c6086>] create_pipe_files+0x46/0x200
[6650285.679574] [<ffffffff8109ddf4>] ? vtime_account_user+0x54/0x60
[6650285.686529] [<ffffffff811c6274>] __do_pipe_flags+0x34/0xf0
[6650285.692996] [<ffffffff811c6440>] SyS_pipe+0x20/0xa0
[6650285.698791] [<ffffffff8172c97f>] tracesys+0xe1/0xe6
[6650285.704581] Code: dc 00 00 49 8b 50 08 4d 8b 20 49 8b 40 10 4d 85 e4 0f 84 14 01 00 00 48 85 c0 0f 84 0b 01 00 00 49 63 47 20 48 8d 4a 01 4d 8b 07 <49> 8b 1c 04 4c 89 e0 65 49 0f c7 08 0f 94 c0 84 c0 74 b9 49 63
[6650285.727070] RIP [<ffffffff811a1e10>] kmem_cache_alloc_trace+0x80/0x1f0
[6650285.734726] RSP <ffff8830372a7e80>

Tags: sts trusty

Gavin Guo (mimi0213kimo) wrote :
Changed in linux (Ubuntu):
assignee: nobody → Gavin Guo (mimi0213kimo)
assignee: Gavin Guo (mimi0213kimo) → nobody
status: New → In Progress
assignee: nobody → Gavin Guo (mimi0213kimo)
Po-Hsu Lin (cypressyew) wrote :

Nominated for Trusty as requested by Gavin

Chris J Arges (arges)
tags: added: kernel-key
Chris J Arges (arges) wrote :

linux-mm question about this issue: http://www.spinics.net/lists/linux-mm/msg82078.html

tags: added: kernel-da-key
removed: kernel-key
tags: added: kernel-key
removed: kernel-da-key
Dave Chiluk (chiluk)
summary: - CISCO UCSC-C220-M3S/UCSC-C220-M3S - general protection fault on
- c->freelist broken with Trusty Tahr
+ General protection fault on c->freelist broken with Trusty Tahr
Gavin Guo (mimi0213kimo) wrote :

Currently, the bug cannot be reproduced on the original platform. However,
there is another platform with a similar symptom, and the bug can be captured
by KASan (Kernel Address Sanitizer) backported onto v3.13.0-52.86.

The source code:
http://kernel.ubuntu.com/git/gavinguo/ubuntu-trusty-amd64.git/log/?h=kasan_porting_alpha

The kernel package:
http://kernel.ubuntu.com/~gavinguo/kasan/kasan_alpha_52/linux-image-3.13.0-52-generic_3.13.0-52.86_amd64.deb

KASan has found some errors related to kmalloc-1024. The errors related to the
kmalloc-1024 object can be summarized as follows (the /var/log/kern.log is also
attached):

BUG: KASan: out of bounds access in pipe_iov_copy_from_user+0x9e/0x100 at addr ffff882044fc8940
BUG: KASan: out of bounds access in iov_fault_in_pages_read+0x67/0xd0 at addr ffff882044fc8940

After some investigation, CVE-2015-1805 was found to be the culprit; its fix is
already included in Ubuntu-3.13.0-58.96.

commit c825e30e2a91fc94540959c16ebbba2ca095ad2c
Author: Ben Hutchings <email address hidden>
Date: Tue Jun 16 22:11:06 2015 +0100

    pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic

    pipe_iov_copy_{from,to}_user() may be tried twice with the same iovec,
    the first time atomically and the second time not. The second attempt
    needs to continue from the iovec position, pipe buffer offset and
    remaining length where the first attempt failed, but currently the
    pipe buffer offset and remaining length are reset. This will corrupt
    the piped data (possibly also leading to an information leak between
    processes) and may also corrupt kernel memory.

    This was fixed upstream by commits f0d1bec9d58d ("new helper:
    copy_page_from_iter()") and 637b58c2887e ("switch pipe_read() to
    copy_page_to_iter()"), but those aren't suitable for stable. This fix
    for older kernel versions was made by Seth Jennings for RHEL and I
    have extracted it from their update.

    CVE-2015-1805

    References: https://bugzilla.redhat.com/show_bug.cgi?id=1202855
    Signed-off-by: Ben Hutchings <email address hidden>
    Acked-by: Stefan Bader <email address hidden>
    Acked-by: Andy Whitcroft <email address hidden>
    Signed-off-by: Kamal Mostafa <email address hidden>

The kernel 3.13.0-65.105 with backported Kasan enabled has been tested and the bug
cannot be reproduced anymore.
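To make the retry defect described in the commit message concrete, here is an added user-space model; it is not the kernel's code nor the backported fix, and iov, copy_segs, pipe_write and demo are hypothetical names. It replays the pre-fix behaviour, where the non-atomic retry restarts with a fresh buffer offset and length after the atomic attempt has already consumed part of the iovec, next to the fixed behaviour that carries both over; an exhausted iovec array is reported as an error here rather than read past.

```c
/* Added user-space model of the pipe iovec retry behind CVE-2015-1805;
 * names are hypothetical, this is neither the kernel's code nor the fix. */
#include <stdio.h>
#include <string.h>

struct iov { const char *base; size_t len; };

/* Copy *remaining bytes from iov[] to buf + *off, consuming entries in place
 * like the kernel helper. A non-NULL budget models the atomic attempt (-1 when
 * the next segment exceeds it); walking past the last entry returns -2 here. */
static int copy_segs(char *buf, size_t *off, size_t *remaining,
                     struct iov *iov, size_t nseg, size_t *budget) {
    size_t i = 0;
    while (*remaining > 0) {
        while (i < nseg && iov[i].len == 0) i++;
        if (i == nseg) return -2;
        size_t n = *remaining < iov[i].len ? *remaining : iov[i].len;
        if (budget) { if (*budget < n) return -1; *budget -= n; }
        memcpy(buf + *off, iov[i].base, n);
        *off += n; *remaining -= n;
        iov[i].base += n; iov[i].len -= n;
    }
    return 0;
}
/* Atomic attempt, then non-atomic retry. Pre-fix, the retry restarted with a
 * fresh offset and length while the consumed iovec entries stayed consumed. */
static int pipe_write(char *buf, struct iov *iov, size_t nseg, size_t len,
                      size_t budget, int fixed) {
    size_t off = 0, remaining = len;
    if (copy_segs(buf, &off, &remaining, iov, nseg, &budget) == 0) return 0;
    if (!fixed) { off = 0; remaining = len; }  /* the reset the fix removes */
    return copy_segs(buf, &off, &remaining, iov, nseg, NULL);
}

/* Constructed scenario: two 5-byte segments, atomic copy good for only one. */
static int demo(int fixed, char *out, size_t outsz) {
    char s0[] = "hello", s1[] = "world";
    struct iov iov[2] = { { s0, 5 }, { s1, 5 } };
    memset(out, 0, outsz);
    return pipe_write(out, iov, 2, 10, 5, fixed);
}
int main(void) {
    char buf[16];
    int rc = demo(0, buf, sizeof buf);
    printf("buggy: rc=%d buf=\"%s\"\n", rc, buf);  /* rc=-2 buf="world" */
    rc = demo(1, buf, sizeof buf);
    printf("fixed: rc=%d buf=\"%s\"\n", rc, buf);  /* rc=0 buf="helloworld" */
    return 0;
}
```

The buggy run lands the second segment at offset 0 and then runs out of iovec entries while still owing bytes, which is the shape of the out-of-bounds access KASan reported above; the fixed run produces the full payload.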

Gavin Guo (mimi0213kimo) wrote :
tags: removed: kernel-key
Gavin Guo (mimi0213kimo)
tags: added: sts
removed: cts
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Changed in linux (Ubuntu Trusty):
status: New → Fix Released