
kernel-packages team mailing list archive

[Bug 1508737] [NEW] unix domain socket bind causes kernel audit NULL pointer dereference

 

Public bug reported:

When audit on the bind system call is enabled, any wine application refuses
to start.

/var/log/syslog shows the following crash message:
[  149.512511] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  149.512518] IP: [<ffffffff811d4a44>] d_path+0x24/0x120
[  149.512526] PGD 9b5d1067 PUD ba8a9067 PMD 0 
[  149.512530] Oops: 0000 [#1] SMP 
[  149.512534] Modules linked in: tcp_diag inet_diag nfsv3 nfsv4 autofs4 ip6table_filter ip6_tables iptable_filter ip_tables
 ebtable_nat ebtables x_tables vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helpe
r cryptd serio_raw snd_ens1371 snd_ac97_codec ac97_bus gameport snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event joydev snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl parport_pc vmwgfx mac_hid nfs ppdev lockd sunrpc shpchp binfmt_misc ttm fscache lp drm vmw_vmci i2c_piix4 parport hid_generic usbhid hid psmouse e1000 floppy mptspi mptscsih mptbase pata_acpi
[  149.512581] CPU: 3 PID: 11408 Comm: test Not tainted 3.13.0-66-generic #108-Ubuntu
[  149.512584] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
[  149.512587] task: ffff8800369d9800 ti: ffff880096f82000 task.ti: ffff880096f82000
[  149.512589] RIP: 0010:[<ffffffff811d4a44>]  [<ffffffff811d4a44>] d_path+0x24/0x120
[  149.512593] RSP: 0018:ffff880096f83db8  EFLAGS: 00010286
[  149.512595] RAX: ffff8800acd0f00b RBX: ffff8800a21ed260 RCX: 0000000000000d63
[  149.512597] RDX: 000000000000100b RSI: ffff8800acd0e000 RDI: 0000000000000000
[  149.512599] RBP: ffff880096f83de0 R08: 0000000000016040 R09: ffff8801b8803200
[  149.512600] R10: ffffffff810f83b6 R11: ffff880096f83c06 R12: ffff8801b1b1a200
[  149.512602] R13: ffff8800a21ed260 R14: ffff8800a21ed000 R15: 0000000000000000
[  149.512605] FS:  00007f846f981740(0000) GS:ffff8801b8e60000(0000) knlGS:0000000000000000
[  149.512607] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  149.512608] CR2: 0000000000000060 CR3: 00000000a20d5000 CR4: 00000000000407e0
[  149.512686] Stack:
[  149.512689]  0000100bb1b1a200 ffff8800acd0f00b ffff8800a21ed260 ffff8800a21ed000
[  149.512693]  ffff8800acd0e000 ffff880096f83e08 ffffffff810f83ce ffff8801b1b1a200
[  149.512697]  ffff8800a21ed060 0000000000000000 ffff880096f83e78 ffffffff810f9838
[  149.512700] Call Trace:
[  149.512708]  [<ffffffff810f83ce>] audit_log_d_path+0x5e/0xd0
[  149.512713]  [<ffffffff810f9838>] audit_log_name+0x1b8/0x320
[  149.512717]  [<ffffffff810f6f13>] ? audit_buffer_free+0x73/0xa0
[  149.512722]  [<ffffffff810fc1b7>] audit_log_exit+0x3d7/0xb90
[  149.512727]  [<ffffffff810fe93f>] __audit_syscall_exit+0x27f/0x2e0
[  149.512732]  [<ffffffff81734d84>] sysret_audit+0x17/0x21
[  149.512733] Code: ff ff 0f 1f 44 00 00 66 66 66 66 90 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f 
[  149.512764] RIP  [<ffffffff811d4a44>] d_path+0x24/0x120
[  149.512767]  RSP <ffff880096f83db8>
[  149.512769] CR2: 0000000000000060
[  149.512772] ---[ end trace 807bfdda012cc4f6 ]---
[  173.379604] cfg80211: Calling CRDA to update world regulatory domain
[  173.392040] cfg80211: World regulatory domain updated:
[  173.392043] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
[  173.392045] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[  173.392045] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[  173.392046] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
[  173.392047] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
[  173.392048] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)

With the help of strace, I narrowed the crash down to the following example
code.

#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>

int main() {
    int fd = socket(PF_LOCAL, SOCK_DGRAM, 0);
    printf("fd = %d\n", fd);

    /* The name "socket" is written into the generic sockaddr; it is a
     * relative path: no leading '/' and no leading '\0'. */
    struct sockaddr testaddr;
    testaddr.sa_family = AF_LOCAL;
    testaddr.sa_data[0] = 's';
    testaddr.sa_data[1] = 'o';
    testaddr.sa_data[2] = 'c';
    testaddr.sa_data[3] = 'k';
    testaddr.sa_data[4] = 'e';
    testaddr.sa_data[5] = 't';
    testaddr.sa_data[6] = '\0';

    /* 9 = sizeof(sa_family) + strlen("socket") + 1 (the NUL). */
    int test = bind(fd, &testaddr, 9);
    printf("test = %d\n", test);
    return 0;
}

And then, I observed that other programs using UNIX domain sockets (e.g. dbus) are not affected.
By reading /proc/net/unix, I found that the addresses all seem to start with '/' or '\0' (shown as '@').

I tried the following modification to the example code:
- testaddr.sa_data[0] = 's';
+ testaddr.sa_data[0] = '/';

The modified code does not crash.

So my guess: somewhere in the audit path handling code, there is an
incorrect assumption that the path must start with '/' or '\0'.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-66-generic 3.13.0-66.108
ProcVersionSignature: Ubuntu 3.13.0-66.108-generic 3.13.11-ckt27
Uname: Linux 3.13.0-66-generic x86_64
ApportVersion: 2.14.1-0ubuntu3.15
Architecture: amd64
AudioDevicesInUse:
 USER        PID ACCESS COMMAND
 /dev/snd/controlC0:  adamwu    10632 F.... pulseaudio
CurrentDesktop: Unity
Date: Wed Oct 21 20:41:30 2015
HibernationDevice: RESUME=UUID=c7142107-2e6f-4bf8-9926-1f787b4572a0
InstallationDate: Installed on 2012-06-29 (1209 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
IwConfig:
 eth0      no wireless extensions.
 
 lo        no wireless extensions.
MachineType: VMware, Inc. VMware Virtual Platform
ProcFB: 0 svgadrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-66-generic root=UUID=75999bab-d7fa-4355-91b3-1c68855a1510 ro quiet splash vga=789
RelatedPackageVersions:
 linux-restricted-modules-3.13.0-66-generic N/A
 linux-backports-modules-3.13.0-66-generic  N/A
 linux-firmware                             1.127.15
RfKill:
 
SourcePackage: linux
UpgradeStatus: Upgraded to trusty on 2014-09-29 (387 days ago)
dmi.bios.date: 07/31/2013
dmi.bios.vendor: Phoenix Technologies LTD
dmi.bios.version: 6.00
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd07/31/2013:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
dmi.product.name: VMware Virtual Platform
dmi.product.version: None
dmi.sys.vendor: VMware, Inc.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Confirmed


** Tags: amd64 apport-bug trusty

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1508737
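The distinction the reporter found in /proc/net/unix (absolute path, abstract name shown as '@', or a bare relative name) is fixed by the first byte of sun_path and by the length passed to bind(2). The following is an added example, not code from the bug report or from the Ubuntu kernel: it builds each address form with sockaddr_un instead of the raw sockaddr/sa_data layout used in the reproducer and classifies an address the way the kernel sees it, so an administrator can tell which form a program is binding before enabling audit rules on bind. It assumes Linux (abstract namespace) and glibc; the socket names are made up.

```c
/* Added example; not code from the bug report. It shows the three named
 * address forms a UNIX domain socket can be bound to (plus the unnamed
 * form), built with sockaddr_un, and a classifier that tells them apart
 * the way /proc/net/unix displays them. Assumes Linux (abstract namespace)
 * and glibc; the socket names are made up. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

enum unix_addr_kind {
    UNIX_ADDR_UNNAMED,  /* len covers only sun_family: kernel autobinds a name */
    UNIX_ADDR_ABSOLUTE, /* sun_path starts with '/': filesystem socket node */
    UNIX_ADDR_ABSTRACT, /* sun_path starts with '\0': abstract namespace, shown as '@' */
    UNIX_ADDR_RELATIVE  /* anything else: filesystem node relative to the cwd */
};

/* Fill *addr from name and return the length to pass to bind(2), or 0 if the
 * name does not fit. A leading '@' requests the abstract namespace; for that
 * form the length, not a NUL terminator, delimits the name. */
socklen_t make_unix_addr(struct sockaddr_un *addr, const char *name)
{
    size_t n = strlen(name);
    const size_t base = offsetof(struct sockaddr_un, sun_path);

    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    if (n == 0)
        return (socklen_t)base;                          /* unnamed socket */
    if (name[0] == '@') {
        if (n > sizeof addr->sun_path)
            return 0;
        memcpy(addr->sun_path + 1, name + 1, n - 1);     /* sun_path[0] stays '\0' */
        return (socklen_t)(base + n);
    }
    if (n >= sizeof addr->sun_path)                      /* need room for the NUL */
        return 0;
    memcpy(addr->sun_path, name, n + 1);
    return (socklen_t)(base + n + 1);
}

/* Classify an address as it reaches the kernel: by whether the length covers
 * any of sun_path at all, then by the byte at sun_path[0]. */
enum unix_addr_kind classify_unix_addr(const struct sockaddr_un *addr, socklen_t len)
{
    if (len <= offsetof(struct sockaddr_un, sun_path))
        return UNIX_ADDR_UNNAMED;
    if (addr->sun_path[0] == '\0')
        return UNIX_ADDR_ABSTRACT;
    if (addr->sun_path[0] == '/')
        return UNIX_ADDR_ABSOLUTE;
    return UNIX_ADDR_RELATIVE;
}

const char *unix_addr_kind_name(enum unix_addr_kind kind)
{
    switch (kind) {
    case UNIX_ADDR_UNNAMED:  return "unnamed";
    case UNIX_ADDR_ABSOLUTE: return "absolute path";
    case UNIX_ADDR_ABSTRACT: return "abstract (shown as '@' in /proc/net/unix)";
    case UNIX_ADDR_RELATIVE: return "relative path";
    }
    return "unknown";
}

int main(void)
{
    /* The reporter's name, the '/'-prefixed variant that did not crash,
     * and the other two forms for comparison (constructed sample names). */
    const char *names[] = { "socket", "/socket", "@socket", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        struct sockaddr_un addr;
        socklen_t len = make_unix_addr(&addr, names[i]);
        printf("%-10s len=%u  %s\n", names[i][0] ? names[i] : "(none)",
               (unsigned)len, unix_addr_kind_name(classify_unix_addr(&addr, len)));
    }
    return 0;
}
```

On x86-64 Linux sun_path starts at offset 2, so make_unix_addr gives "socket" the same length 9 the reproducer passes to bind(2); only the first byte of the name decides whether the kernel treats it as a filesystem path (absolute or relative to the caller's working directory) or an abstract name.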


