kernel-packages team mailing list archive

Thread
Date
[Bug 1508737] Re: unix domain socket bind causes kernel audit NULL pointer deference

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Roman Fiedler <roman.fiedler@xxxxxxxxx>
Date: Wed, 11 May 2016 17:13:36 -0000
Reply-to: Bug 1508737 <1508737@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
Rediscovered also on our systems, then found this bug report.

Reproducer for Ubuntu Trusty LTS:

auditctl -a always,exit -F arch=b64 -S bind

#!/usr/bin/python2 -BEsSt
import socket
testSocket=socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
testSocket.bind('sock')

# dmesg -c
[  145.499064] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
[  145.499522] IP: [<ffffffff811d8024>] d_path+0x24/0x120
[  145.499815] PGD 3bfe8067 PUD 3d080067 PMD 0 
[  145.500236] Oops: 0000 [#1] SMP 
[  145.500539] Modules linked in: nf_conntrack_netlink xt_multiport ppdev xt_hashlimit ipt_REJECT xt_tcpudp xt_NFLOG nfnetlink_log xt_conntrack iptable_filter iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat serio_raw nf_conntrack iptable_mangle ip_tables x_tables parport_pc i2c_piix4 parport video nfnetlink_acct mac_hid nfnetlink psmouse ahci libahci pata_acpi
[  145.502264] CPU: 0 PID: 1128 Comm: crash Not tainted 3.13.0-86-generic #130-Ubuntu
[  145.502264] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[  145.502264] task: ffff88003a0cc800 ti: ffff88003d0d4000 task.ti: ffff88003d0d4000
[  145.502264] RIP: 0010:[<ffffffff811d8024>]  [<ffffffff811d8024>] d_path+0x24/0x120
[  145.502264] RSP: 0018:ffff88003d0d5db8  EFLAGS: 00010286
[  145.502264] RAX: ffff88003795d00b RBX: ffff88003b937660 RCX: 00000000000005b5
[  145.502264] RDX: 000000000000100b RSI: ffff88003795c000 RDI: 0000000000000000
[  145.502264] RBP: ffff88003d0d5de0 R08: 0000000000016040 R09: ffff88003e001200
[  145.502264] R10: ffffffff810fb1d6 R11: ffff88003d0d5c06 R12: ffff88003b6420c0
[  145.502264] R13: ffff88003b937660 R14: ffff88003b937400 R15: 0000000000000000
[  145.502264] FS:  00007f0280520740(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[  145.502264] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[  145.502264] CR2: 0000000000000060 CR3: 000000003cf68000 CR4: 00000000000006f0
[  145.502264] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  145.502264] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  145.502264] Stack:
[  145.502264]  0000100b3b6420c0 ffff88003795d00b ffff88003b937660 ffff88003b937400
[  145.502264]  ffff88003795c000 ffff88003d0d5e08 ffffffff810fb1ee ffff88003b6420c0
[  145.502264]  ffff88003b937460 0000000000000000 ffff88003d0d5e78 ffffffff810fc658
[  145.502264] Call Trace:
[  145.502264]  [<ffffffff810fb1ee>] audit_log_d_path+0x5e/0xd0
[  145.502264]  [<ffffffff810fc658>] audit_log_name+0x1b8/0x320
[  145.502264]  [<ffffffff810f9d33>] ? audit_buffer_free+0x73/0xa0
[  145.502264]  [<ffffffff810fefc7>] audit_log_exit+0x3d7/0xb90
[  145.502264]  [<ffffffff81101747>] __audit_syscall_exit+0x277/0x2d0
[  145.502264]  [<ffffffff8173b144>] sysret_audit+0x17/0x21
[  145.502264] Code: ff ff 0f 1f 44 00 00 0f 1f 44 00 00 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f 
[  145.502264] RIP  [<ffffffff811d8024>] d_path+0x24/0x120
[  145.502264]  RSP <ffff88003d0d5db8>
[  145.502264] CR2: 0000000000000060
[  145.527823] ---[ end trace 0c532c3c01bea0ff ]---

# lsb_release -rd
Description:    Ubuntu 14.04.4 LTS
Release:        14.04

# cat /proc/version
Linux version 3.13.0-86-generic (buildd@lgw01-19) (gcc version 4.8.2 (Ubuntu 4.8.2-19ubuntu1) ) #130-Ubuntu SMP Mon Apr 18 18:27:15 UTC 2016
root@localhost:~# apt-cache policy linux-image-3.13.0-86-generic
linux-image-3.13.0-86-generic:
  Installed: 3.13.0-86.130
  Candidate: 3.13.0-86.130
  Version table:
 *** 3.13.0-86.130 0
        500 http://ubuntu-proxy-ehealth.d03.arc.local/ubuntu/ trusty-updates/main amd64 Packages
        500 http://ubuntu-proxy-ehealth.d03.arc.local/ubuntu/ trusty-security/main amd64 Packages
        100 /var/lib/dpkg/status


** Changed in: linux (Ubuntu)
       Status: Expired => Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1508737

Title:
  unix domain socket bind causes kernel audit NULL pointer deference

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  When audit on bind system call is enabled, any wine application refuse
  to start.

  /var/log/syslog shows the following crash message:
  [  149.512511] BUG: unable to handle kernel NULL pointer dereference at 0000000000000060
  [  149.512518] IP: [<ffffffff811d4a44>] d_path+0x24/0x120
  [  149.512526] PGD 9b5d1067 PUD ba8a9067 PMD 0 
  [  149.512530] Oops: 0000 [#1] SMP 
  [  149.512534] Modules linked in: tcp_diag inet_diag nfsv3 nfsv4 autofs4 ip6table_filter ip6_tables iptable_filter ip_tables
   ebtable_nat ebtables x_tables vmw_balloon coretemp crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helpe
  r cryptd serio_raw snd_ens1371 snd_ac97_codec ac97_bus gameport snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event joydev snd_rawmidi snd_seq snd_seq_device snd_timer snd soundcore rfcomm bnep bluetooth nfsd auth_rpcgss nfs_acl parport_pc vmwgfx mac_hid nfs ppdev lockd sunrpc shpchp binfmt_misc ttm fscache lp drm vmw_vmci i2c_piix4 parport hid_generic usbhid hid psmouse e1000 floppy mptspi mptscsih mptbase pata_acpi
  [  149.512581] CPU: 3 PID: 11408 Comm: test Not tainted 3.13.0-66-generic #108-Ubuntu
  [  149.512584] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 07/31/2013
  [  149.512587] task: ffff8800369d9800 ti: ffff880096f82000 task.ti: ffff880096f82000
  [  149.512589] RIP: 0010:[<ffffffff811d4a44>]  [<ffffffff811d4a44>] d_path+0x24/0x120
  [  149.512593] RSP: 0018:ffff880096f83db8  EFLAGS: 00010286
  [  149.512595] RAX: ffff8800acd0f00b RBX: ffff8800a21ed260 RCX: 0000000000000d63
  [  149.512597] RDX: 000000000000100b RSI: ffff8800acd0e000 RDI: 0000000000000000
  [  149.512599] RBP: ffff880096f83de0 R08: 0000000000016040 R09: ffff8801b8803200
  [  149.512600] R10: ffffffff810f83b6 R11: ffff880096f83c06 R12: ffff8801b1b1a200
  [  149.512602] R13: ffff8800a21ed260 R14: ffff8800a21ed000 R15: 0000000000000000
  [  149.512605] FS:  00007f846f981740(0000) GS:ffff8801b8e60000(0000) knlGS:0000000000000000
  [  149.512607] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  149.512608] CR2: 0000000000000060 CR3: 00000000a20d5000 CR4: 00000000000407e0
  [  149.512686] Stack:
  [  149.512689]  0000100bb1b1a200 ffff8800acd0f00b ffff8800a21ed260 ffff8800a21ed000
  [  149.512693]  ffff8800acd0e000 ffff880096f83e08 ffffffff810f83ce ffff8801b1b1a200
  [  149.512697]  ffff8800a21ed060 0000000000000000 ffff880096f83e78 ffffffff810f9838
  [  149.512700] Call Trace:
  [  149.512708]  [<ffffffff810f83ce>] audit_log_d_path+0x5e/0xd0
  [  149.512713]  [<ffffffff810f9838>] audit_log_name+0x1b8/0x320
  [  149.512717]  [<ffffffff810f6f13>] ? audit_buffer_free+0x73/0xa0
  [  149.512722]  [<ffffffff810fc1b7>] audit_log_exit+0x3d7/0xb90
  [  149.512727]  [<ffffffff810fe93f>] __audit_syscall_exit+0x27f/0x2e0
  [  149.512732]  [<ffffffff81734d84>] sysret_audit+0x17/0x21
  [  149.512733] Code: ff ff 0f 1f 44 00 00 66 66 66 66 90 55 48 63 c2 48 01 f0 48 89 e5 53 48 89 fb 48 83 ec 20 48 8b 7f 08 89 54 24 04 48 89 44 24 08 <48> 8b 4f 60 48 85 c9 74 23 48 8b 49 40 48 85 c9 74 1a 48 3b 7f 
  [  149.512764] RIP  [<ffffffff811d4a44>] d_path+0x24/0x120
  [  149.512767]  RSP <ffff880096f83db8>
  [  149.512769] CR2: 0000000000000060
  [  149.512772] ---[ end trace 807bfdda012cc4f6 ]---
  [  173.379604] cfg80211: Calling CRDA to update world regulatory domain
  [  173.392040] cfg80211: World regulatory domain updated:
  [  173.392043] cfg80211:   (start_freq - end_freq @ bandwidth), (max_antenna_gain, max_eirp)
  [  173.392045] cfg80211:   (2402000 KHz - 2472000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
  [  173.392045] cfg80211:   (2457000 KHz - 2482000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
  [  173.392046] cfg80211:   (2474000 KHz - 2494000 KHz @ 20000 KHz), (300 mBi, 2000 mBm)
  [  173.392047] cfg80211:   (5170000 KHz - 5250000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)
  [  173.392048] cfg80211:   (5735000 KHz - 5835000 KHz @ 40000 KHz), (300 mBi, 2000 mBm)

  With help of strace, I narrowed down the crash to the following
  example code.

  #include <stdio.h>                                                                                                                                              
  #include <sys/types.h>
  #include <sys/socket.h>

  int main() {
   int fd = socket(PF_LOCAL, SOCK_DGRAM, 0);
   printf("fd = %d\n", fd);

   struct sockaddr testaddr;
   testaddr.sa_family = AF_LOCAL;
   testaddr.sa_data[0] = 's';
   testaddr.sa_data[1] = 'o';
   testaddr.sa_data[2] = 'c';
   testaddr.sa_data[3] = 'k';
   testaddr.sa_data[4] = 'e';
   testaddr.sa_data[5] = 't';
   testaddr.sa_data[6] = '\0';

   int test = bind(fd, &testaddr, 9);
   printf("test = %d\n", test);
  }

  And then, I observed that other programs using UNIX domain socket (e.g. dbus) are not affected.
  By reading /proc/net/unix, I found that the addresses all seem to start with '/' or '\0' (shown as '@')

  I tried the following modification to the example code:
  - testaddr.sa_data[0] = 's';
  + testaddr.sa_data[0] = '/';

  The modified code does not crash.

  So my guess: somewhere in the audit path handling code, there is an
  incorrect assumption that the path must start with '/' or '\0'

  ProblemType: Bug
  DistroRelease: Ubuntu 14.04
  Package: linux-image-3.13.0-66-generic 3.13.0-66.108
  ProcVersionSignature: Ubuntu 3.13.0-66.108-generic 3.13.11-ckt27
  Uname: Linux 3.13.0-66-generic x86_64
  ApportVersion: 2.14.1-0ubuntu3.15
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/controlC0:  adamwu    10632 F.... pulseaudio
  CurrentDesktop: Unity
  Date: Wed Oct 21 20:41:30 2015
  HibernationDevice: RESUME=UUID=c7142107-2e6f-4bf8-9926-1f787b4572a0
  InstallationDate: Installed on 2012-06-29 (1209 days ago)
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  IwConfig:
   eth0      no wireless extensions.
   
   lo        no wireless extensions.
  MachineType: VMware, Inc. VMware Virtual Platform
  ProcFB: 0 svgadrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-66-generic root=UUID=75999bab-d7fa-4355-91b3-1c68855a1510 ro quiet splash vga=789
  RelatedPackageVersions:
   linux-restricted-modules-3.13.0-66-generic N/A
   linux-backports-modules-3.13.0-66-generic  N/A
   linux-firmware                             1.127.15
  RfKill:
   
  SourcePackage: linux
  UpgradeStatus: Upgraded to trusty on 2014-09-29 (387 days ago)
  dmi.bios.date: 07/31/2013
  dmi.bios.vendor: Phoenix Technologies LTD
  dmi.bios.version: 6.00
  dmi.board.name: 440BX Desktop Reference Platform
  dmi.board.vendor: Intel Corporation
  dmi.board.version: None
  dmi.chassis.asset.tag: No Asset Tag
  dmi.chassis.type: 1
  dmi.chassis.vendor: No Enclosure
  dmi.chassis.version: N/A
  dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd07/31/2013:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:
  dmi.product.name: VMware Virtual Platform
  dmi.product.version: None
  dmi.sys.vendor: VMware, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1508737/+subscriptions
References

[Bug 1508737] [NEW] unix domain socket bind causes kernel audit NULL pointer deference
From: AdamWu, 2015-10-22