| 2018-06-06 08:44:32 |
Po-Hsu Lin |
description |
The "add_key04" from the LTP syscall tests will cause kernel oops on a testing node with Trusty kernel installed. And it will make incoming ssh connection hang (bug 1775158)
Steps (with root):
1. sudo apt-get install git xfsprogs -y
2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
3. cd ltp
4. make autotools
5. ./configure
6. make; make install
7. cd /opt/ltp/testcases/bin
8. ./add_key04
Test result:
ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring
Summary:
passed 0
failed 1
skipped 0
warnings 0
[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
[52399.298952] Oops: 0002 [#1] SMP
[52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
[52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
[52399.299159] RIP: 0010:[<ffffffff81387a77>] [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299182] RSP: 0018:ffff88045a2e3df0 EFLAGS: 00010202
[52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
[52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
[52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
[52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
[52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
[52399.299278] FS: 00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
[52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
[52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[52399.299361] Stack:
[52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
[52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
[52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
[52399.299427] Call Trace:
[52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40
[52399.299450] [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
[52399.299467] [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
[52399.299482] [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
[52399.299497] [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
[52399.299512] [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
[52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
[52399.299625] RIP [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299642] RSP <ffff88045a2e3df0>
[52399.299650] CR2: 0000000000000010
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-149-generic 3.13.0-149.199
ProcVersionSignature: User Name 3.13.0-149.199-generic 3.13.11-ckt39
Uname: Linux 3.13.0-149-generic x86_64
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Jun 5 12:22 seq
crw-rw---- 1 root audio 116, 33 Jun 5 12:22 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.14.1-0ubuntu3.27
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CurrentDmesg: [ 3.475549] init: plymouth-upstart-bridge main process ended, respawning
Date: Wed Jun 6 02:54:24 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
MachineType: Intel Corporation S1200RP
PciMultimedia:
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-149-generic root=UUID=b0d2ae4e-12dd-423e-acea-272ee8b2a893 ro
RelatedPackageVersions:
linux-restricted-modules-3.13.0-149-generic N/A
linux-backports-modules-3.13.0-149-generic N/A
linux-firmware 1.127.24
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/01/2015
dmi.bios.vendor: Intel Corp.
dmi.bios.version: S1200RP.86B.03.02.0003.070120151022
dmi.board.asset.tag: ....................
dmi.board.name: S1200RP
dmi.board.vendor: Intel Corporation
dmi.board.version: G62254-407
dmi.chassis.asset.tag: ....................
dmi.chassis.type: 17
dmi.chassis.vendor: ..............................
dmi.chassis.version: ..................
dmi.modalias: dmi:bvnIntelCorp.:bvrS1200RP.86B.03.02.0003.070120151022:bd07/01/2015:svnIntelCorporation:pnS1200RP:pvr....................:rvnIntelCorporation:rnS1200RP:rvrG62254-407:cvn..............................:ct17:cvr..................:
dmi.product.name: S1200RP
dmi.product.version: ....................
dmi.sys.vendor: Intel Corporation |
[SRU Justification]
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
the Linux kernel before 4.13.11 mishandles node splitting, which allows
local users to cause a denial of service (NULL pointer dereference and
panic) via a crafted application, as demonstrated by the keyring key type,
and key addition and link creation operations.
The "add_key04" from the LTP syscall tests will cause kernel oops on a testing node with Trusty kernel installed. And it will make incoming ssh connection hang (bug 1775158)
[Test Case]
This issue can easily be reproduced with the "add_key04" test from the LTP syscall test suite.
Steps (with root):
1. sudo apt-get install git -y
2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
3. cd ltp
4. make autotools
5. ./configure
6. make; make install
7. /opt/ltp/testcases/bin/add_key04
Test result before the patch:
ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring
Summary:
passed 0
failed 1
skipped 0
warnings 0
[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
[52399.298952] Oops: 0002 [#1] SMP
[52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
[52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
[52399.299159] RIP: 0010:[<ffffffff81387a77>] [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299182] RSP: 0018:ffff88045a2e3df0 EFLAGS: 00010202
[52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
[52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
[52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
[52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
[52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
[52399.299278] FS: 00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
[52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
[52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[52399.299361] Stack:
[52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
[52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
[52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
[52399.299427] Call Trace:
[52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40
[52399.299450] [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
[52399.299467] [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
[52399.299482] [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
[52399.299497] [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
[52399.299512] [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
[52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
[52399.299625] RIP [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299642] RSP <ffff88045a2e3df0>
[52399.299650] CR2: 0000000000000010
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
Test result after the patch:
$ sudo /opt/ltp/testcases/bin/add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring
Summary:
passed 1
failed 0
skipped 0
warnings 0
[Regression-potential]
Low risk for causing regression.
No additional function was added, only an identifier got removed.
This fix has already landed in Xenial / Artful, and it's still in the mainline tree since then.
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-149-generic 3.13.0-149.199
ProcVersionSignature: User Name 3.13.0-149.199-generic 3.13.11-ckt39
Uname: Linux 3.13.0-149-generic x86_64
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Jun 5 12:22 seq
crw-rw---- 1 root audio 116, 33 Jun 5 12:22 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.14.1-0ubuntu3.27
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CurrentDmesg: [ 3.475549] init: plymouth-upstart-bridge main process ended, respawning
Date: Wed Jun 6 02:54:24 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
MachineType: Intel Corporation S1200RP
PciMultimedia:
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_US.UTF-8
SHELL=/bin/bash
ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-149-generic root=UUID=b0d2ae4e-12dd-423e-acea-272ee8b2a893 ro
RelatedPackageVersions:
linux-restricted-modules-3.13.0-149-generic N/A
linux-backports-modules-3.13.0-149-generic N/A
linux-firmware 1.127.24
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 07/01/2015
dmi.bios.vendor: Intel Corp.
dmi.bios.version: S1200RP.86B.03.02.0003.070120151022
dmi.board.asset.tag: ....................
dmi.board.name: S1200RP
dmi.board.vendor: Intel Corporation
dmi.board.version: G62254-407
dmi.chassis.asset.tag: ....................
dmi.chassis.type: 17
dmi.chassis.vendor: ..............................
dmi.chassis.version: ..................
dmi.modalias: dmi:bvnIntelCorp.:bvrS1200RP.86B.03.02.0003.070120151022:bd07/01/2015:svnIntelCorporation:pnS1200RP:pvr....................:rvnIntelCorporation:rnS1200RP:rvrG62254-407:cvn..............................:ct17:cvr..................:
dmi.product.name: S1200RP
dmi.product.version: ....................
dmi.sys.vendor: Intel Corporation |
|
