kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #141303
[Bug 1508737] [NEW] unix domain socket bind causes kernel audit NULL pointer deference
Public bug reported:
When audit on bind system call is enabled, any wine application refuse
to start.
/var/log/syslog shows the following crash message:
[ 149.512511] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[ 149.512518] IP: [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512526] PGD 9b5d1067 PUD ba8a9067 PMD 0
[ 149.512530] Oops: 0000 [#1] SMP
[ 149.512534] Modules linked in: tcp_diag inet_diag nfsv3 nfsv4 autofs4 ip6table_filter ip6_tables iptable_filter ip_tables
ebtable_nat ebtables x_tables vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helpe
r cryptd serio_raw snd_ens1371 snd_ac97_codec ac97_bus gameport snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event joydev snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl parport_pc vmwgfx mac_hid nfs ppdev lockd sunrpc shpchp binfmt_misc ttm fscache lp drm vmw_vmci i2c_piix4 parport hid_generic usbhid hid psmouse e1000 floppy mptspi mptscsih mptbase pata_acpi
[ 149.512581] CPU: 3 PID: 11408 Comm: test Not tainted 3.13.0-66-generic #108-Ubuntu
[ 149.512584] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
[ 149.512587] task: ffff8800369d9800 ti: ffff880096f82000 task.ti: ffff880096f82000
[ 149.512589] RIP: 0010:[<ffffffff811d4a44>] [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512593] RSP: 0018:ffff880096f83db8 EFLAGS: 00010286
[ 149.512595] RAX: ffff8800acd0f00b RBX: ffff8800a21ed260 RCX: 0000000000000d63
[ 149.512597] RDX: 000000000000100b RSI: ffff8800acd0e000 RDI: 0000000000000000
[ 149.512599] RBP: ffff880096f83de0 R08: 0000000000016040 R09: ffff8801b8803200
[ 149.512600] R10: ffffffff810f83b6 R11: ffff880096f83c06 R12: ffff8801b1b1a200
[ 149.512602] R13: ffff8800a21ed260 R14: ffff8800a21ed000 R15: 0000000000000000
[ 149.512605] FS: 00007f846f981740(0000) GS:ffff8801b8e60000(0000) knlGS:0000000000000000
[ 149.512607] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 149.512608] CR2: 0000000000000060 CR3: 00000000a20d5000 CR4: 00000000000407e0
[ 149.512686] Stack:
[ 149.512689] 0000100bb1b1a200 ffff8800acd0f00b ffff8800a21ed260 ffff8800a21ed000
[ 149.512693] ffff8800acd0e000 ffff880096f83e08 ffffffff810f83ce ffff8801b1b1a200
[ 149.512697] ffff8800a21ed060 0000000000000000 ffff880096f83e78 ffffffff810f9838
[ 149.512700] Call Trace:
[ 149.512708] [<ffffffff810f83ce>] audit_log_d_path+0x5e/0xd0
[ 149.512713] [<ffffffff810f9838>] audit_log_name+0x1b8/0x320
[ 149.512717] [<ffffffff810f6f13>] ? audit_buffer_free+0x73/0xa0
[ 149.512722] [<ffffffff810fc1b7>] audit_log_exit+0x3d7/0xb90
[ 149.512727] [<ffffffff810fe93f>] __audit_syscall_exit+0x27f/0x2e0
[ 149.512732] [<ffffffff81734d84>] sysret_audit+0x17/0x21
[ 149.512733] Code: ff ff 0f 1f 44 00 00 66 66 66 66 90 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f
[ 149.512764] RIP [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512767] RSP <ffff880096f83db8>
[ 149.512769] CR2: 0000000000000060
[ 149.512772] ---[ end trace 807bfdda012cc4f6 ]---
[ 173.379604] cfg80211: Calling CRDA to update world regulatory domain
[ 173.392040] cfg80211: World regulatory domain updated:
[ 173.392043] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 173.392045] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 173.392045] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 173.392046] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 173.392047] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 173.392048] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
With help of strace, I narrowed down the crash to the following example
code.
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
int main() {
int fd = socket(PF_LOCAL, SOCK_DGRAM, 0);
printf("fd = %d\n", fd);
struct sockaddr testaddr;
testaddr.sa_family = AF_LOCAL;
testaddr.sa_data[0] = 's';
testaddr.sa_data[1] = 'o';
testaddr.sa_data[2] = 'c';
testaddr.sa_data[3] = 'k';
testaddr.sa_data[4] = 'e';
testaddr.sa_data[5] = 't';
testaddr.sa_data[6] = '\0';
int test = bind(fd, &testaddr, 9);
printf("test = %d\n", test);
}
And then, I observed that other programs using UNIX domain socket (e.g. dbus) are not affected.
By reading /proc/net/unix, I found that the addresses all seem to start with '/' or '\0' (shown as '@')
I tried the following modification to the example code:
- testaddr.sa_data[0] = 's';
+ testaddr.sa_data[0] = '/';
The modified code does not crash.
So my guess: somewhere in the audit path handling code, there is an
incorrect assumption that the path must start with '/' or '\0'
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-66-generic 3.13.0-66.108
ProcVersionSignature: Ubuntu 3.13.0-66.108-generic 3.13.11-ckt27
Uname: Linux 3.13.0-66-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.15
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: adamwu 10632 F.... pulseaudio
CurrentDesktop: Unity
Date: Wed Oct 21 20:41:30 2015
HibernationDevice: RESUME=UUID=c7142107-2e6f-4bf8-9926-1f787b4572a0
InstallationDate: Installed on 2012-06-29 (1209 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
IwConfig:
eth0 no wireless extensions.
lo no wireless extensions.
MachineType: VMware, Inc. VMware Virtual Platform
ProcFB: 0 svgadrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-66-generic root=UUID=75999bab-d7fa-4355-91b3-1c68855a1510 ro quiet splash vga=789
RelatedPackageVersions:
linux-restricted-modules-3.13.0-66-generic N/A
linux-backports-modules-3.13.0-66-generic N/A
linux-firmware 1.127.15
RfKill:
SourcePackage: linux
UpgradeStatus: Upgraded to trusty on 2014-09-29 (387 days ago)
dmi.bios.date: 07/31/2013
dmi.bios.vendor: Phoenix Technologies LTD
dmi.bios.version: 6.00
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd07/31/2013:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
dmi.product.name: VMware Virtual Platform
dmi.product.version: None
dmi.sys.vendor: VMware, Inc.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Confirmed
** Tags: amd64 apport-bug trusty
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1508737
Title:
unix domain socket bind causes kernel audit NULL pointer deference
Status in linux package in Ubuntu:
Confirmed
Bug description:
When audit on bind system call is enabled, any wine application refuse
to start.
/var/log/syslog shows the following crash message:
[ 149.512511] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[ 149.512518] IP: [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512526] PGD 9b5d1067 PUD ba8a9067 PMD 0
[ 149.512530] Oops: 0000 [#1] SMP
[ 149.512534] Modules linked in: tcp_diag inet_diag nfsv3 nfsv4 autofs4 ip6table_filter ip6_tables iptable_filter ip_tables
ebtable_nat ebtables x_tables vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helpe
r cryptd serio_raw snd_ens1371 snd_ac97_codec ac97_bus gameport snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event joydev snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl parport_pc vmwgfx mac_hid nfs ppdev lockd sunrpc shpchp binfmt_misc ttm fscache lp drm vmw_vmci i2c_piix4 parport hid_generic usbhid hid psmouse e1000 floppy mptspi mptscsih mptbase pata_acpi
[ 149.512581] CPU: 3 PID: 11408 Comm: test Not tainted 3.13.0-66-generic #108-Ubuntu
[ 149.512584] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
[ 149.512587] task: ffff8800369d9800 ti: ffff880096f82000 task.ti: ffff880096f82000
[ 149.512589] RIP: 0010:[<ffffffff811d4a44>] [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512593] RSP: 0018:ffff880096f83db8 EFLAGS: 00010286
[ 149.512595] RAX: ffff8800acd0f00b RBX: ffff8800a21ed260 RCX: 0000000000000d63
[ 149.512597] RDX: 000000000000100b RSI: ffff8800acd0e000 RDI: 0000000000000000
[ 149.512599] RBP: ffff880096f83de0 R08: 0000000000016040 R09: ffff8801b8803200
[ 149.512600] R10: ffffffff810f83b6 R11: ffff880096f83c06 R12: ffff8801b1b1a200
[ 149.512602] R13: ffff8800a21ed260 R14: ffff8800a21ed000 R15: 0000000000000000
[ 149.512605] FS: 00007f846f981740(0000) GS:ffff8801b8e60000(0000) knlGS:0000000000000000
[ 149.512607] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 149.512608] CR2: 0000000000000060 CR3: 00000000a20d5000 CR4: 00000000000407e0
[ 149.512686] Stack:
[ 149.512689] 0000100bb1b1a200 ffff8800acd0f00b ffff8800a21ed260 ffff8800a21ed000
[ 149.512693] ffff8800acd0e000 ffff880096f83e08 ffffffff810f83ce ffff8801b1b1a200
[ 149.512697] ffff8800a21ed060 0000000000000000 ffff880096f83e78 ffffffff810f9838
[ 149.512700] Call Trace:
[ 149.512708] [<ffffffff810f83ce>] audit_log_d_path+0x5e/0xd0
[ 149.512713] [<ffffffff810f9838>] audit_log_name+0x1b8/0x320
[ 149.512717] [<ffffffff810f6f13>] ? audit_buffer_free+0x73/0xa0
[ 149.512722] [<ffffffff810fc1b7>] audit_log_exit+0x3d7/0xb90
[ 149.512727] [<ffffffff810fe93f>] __audit_syscall_exit+0x27f/0x2e0
[ 149.512732] [<ffffffff81734d84>] sysret_audit+0x17/0x21
[ 149.512733] Code: ff ff 0f 1f 44 00 00 66 66 66 66 90 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f
[ 149.512764] RIP [<ffffffff811d4a44>] d_path+0x24/0x120
[ 149.512767] RSP <ffff880096f83db8>
[ 149.512769] CR2: 0000000000000060
[ 149.512772] ---[ end trace 807bfdda012cc4f6 ]---
[ 173.379604] cfg80211: Calling CRDA to update world regulatory domain
[ 173.392040] cfg80211: World regulatory domain updated:
[ 173.392043] cfg80211: (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[ 173.392045] cfg80211: (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 173.392045] cfg80211: (2457000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 173.392046] cfg80211: (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[ 173.392047] cfg80211: (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[ 173.392048] cfg80211: (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
With help of strace, I narrowed down the crash to the following
example code.
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
int main() {
int fd = socket(PF_LOCAL, SOCK_DGRAM, 0);
printf("fd = %d\n", fd);
struct sockaddr testaddr;
testaddr.sa_family = AF_LOCAL;
testaddr.sa_data[0] = 's';
testaddr.sa_data[1] = 'o';
testaddr.sa_data[2] = 'c';
testaddr.sa_data[3] = 'k';
testaddr.sa_data[4] = 'e';
testaddr.sa_data[5] = 't';
testaddr.sa_data[6] = '\0';
int test = bind(fd, &testaddr, 9);
printf("test = %d\n", test);
}
And then, I observed that other programs using UNIX domain socket (e.g. dbus) are not affected.
By reading /proc/net/unix, I found that the addresses all seem to start with '/' or '\0' (shown as '@')
I tried the following modification to the example code:
- testaddr.sa_data[0] = 's';
+ testaddr.sa_data[0] = '/';
The modified code does not crash.
So my guess: somewhere in the audit path handling code, there is an
incorrect assumption that the path must start with '/' or '\0'
ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-66-generic 3.13.0-66.108
ProcVersionSignature: Ubuntu 3.13.0-66.108-generic 3.13.11-ckt27
Uname: Linux 3.13.0-66-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.15
Architecture: amd64
AudioDevicesInUse:
USER PID ACCESS COMMAND
/dev/snd/controlC0: adamwu 10632 F.... pulseaudio
CurrentDesktop: Unity
Date: Wed Oct 21 20:41:30 2015
HibernationDevice: RESUME=UUID=c7142107-2e6f-4bf8-9926-1f787b4572a0
InstallationDate: Installed on 2012-06-29 (1209 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
IwConfig:
eth0 no wireless extensions.
lo no wireless extensions.
MachineType: VMware, Inc. VMware Virtual Platform
ProcFB: 0 svgadrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-66-generic root=UUID=75999bab-d7fa-4355-91b3-1c68855a1510 ro quiet splash vga=789
RelatedPackageVersions:
linux-restricted-modules-3.13.0-66-generic N/A
linux-backports-modules-3.13.0-66-generic N/A
linux-firmware 1.127.15
RfKill:
SourcePackage: linux
UpgradeStatus: Upgraded to trusty on 2014-09-29 (387 days ago)
dmi.bios.date: 07/31/2013
dmi.bios.vendor: Phoenix Technologies LTD
dmi.bios.version: 6.00
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd07/31/2013:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
dmi.product.name: VMware Virtual Platform
dmi.product.version: None
dmi.sys.vendor: VMware, Inc.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1508737/+subscriptions
Follow ups