Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <1472603664.25374.41.camel@decadent.org.uk>
Date: Wed, 31 Aug 2016 01:34:24 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Marcin Szewczyk <debian@...ny.org>, debian-lts@...ts.debian.org
Subject: CVE request: Kernel Oops when issuing fcntl on an AUFS directory

Marcin Szewczyk reported and diagnosed a bug in Debian's kernel
packages that allows a denial of service (crash) by local users with
access to an aufs filesystem.  The bug is in a Debian-specific patch,
not the upstream kernel or aufs code.

The current version in Debian 7 'wheezy' (3.2.81-1) and the current proposed update to Debian 8 'jessie' (3.16.36-1 are affected.

Ben.

On Tue, 2016-08-30 at 22:33 +0200, Marcin Szewczyk wrote:
> Hi,
> 
> the wheezy kernel upgrade from 3.2.78-1 to 3.2.81-1 added the SETFL
> fcntl support code (#627782) which unfortunately results in a kernel
> Oops when the fcntl is called on a directory. This breaks e.g. copying
> files from an AUFS filesystem on a remote machine using scp.
>
> Minimal code to reproduce the problem:
> #v+
> #include <stdio.h>
> #include <stdlib.h>
> #include <fcntl.h>
> 
> int main (int argc, char **argv) {
>         const char *fname = NULL;
>         int fd;
>         if (argc != 2)
>                 exit (1);
>         fname = argv[1];
>         fd = open (fname, O_RDONLY|O_NONBLOCK);
>         printf ("fd %d\n", fd);
>         fcntl (fd, F_SETFL, O_RDONLY);
>         return 0;
> }
> #v-
> 
> Call the program on regular a file (nothing happens) and then on a
> directory (Oops).
> 
> The Oops happens in fs/fcntl.c:
> #v+
> if (!error && filp->f_op->owner &&
>     !strcmp(filp->f_op->owner->name, "aufs") &&
>     strstr(filp->f_op->owner->version, "+setfl"))
>         error = filp->f_op->setfl(filp, arg);
> #v-
> 
> > 
> > From fs/aufs/inode.c:
> #v+
> case S_IFREG:
>         [...]
> 	inode->i_fop = &aufs_file_fop;
>         [...]
> case S_IFDIR:
>         [...]
> 	inode->i_fop = &aufs_dir_fop;
> #v-
> 
> The aufs_file_fop structure sets the value of the .setfl member to
> aufs_setfl (f_op.c). aufs_dir_fop (dir.c) on the other hand does not.
> 
> dmesg:
> #v+
> [42990.915100] aufs 3.2.x+setfl-debian
> [43046.383421] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [43046.384011] IP: [<          (null)>]           (null)
> [43046.384369] PGD 3d0f1067 PUD 3b8cc067 PMD 0 
> [43046.384688] Oops: 0010 [#1] SMP 
> [43046.385620] Call Trace:
> [...]
> [43046.385620]  [<ffffffff81108701>] ? setfl+0xf1/0x157
> [43046.385620]  [<ffffffff81108b9e>] ? sys_fcntl+0x1dc/0x3b0
> [43046.385620]  [<ffffffff81358af2>] ? system_call_fastpath+0x16/0x1b
> #v-
> 
> gdb:
> #v+
> 0xffffffff811086d3 <+195>:   callq  0xffffffff811b2bd2 <strcmp>
> 0xffffffff811086d8 <+200>:   test   %eax,%eax
> 0xffffffff811086da <+202>:   jne    0xffffffff81108705 <setfl+245>
> 0xffffffff811086dc <+204>:   mov    0xb0(%r13),%rdi
> 0xffffffff811086e3 <+211>:   mov    $0xffffffff814dc9e4,%rsi
> 0xffffffff811086ea <+218>:   callq  0xffffffff811b2e25 <strstr>
> 0xffffffff811086ef <+223>:   test   %rax,%rax
> 0xffffffff811086f2 <+226>:   je     0xffffffff81108705 <setfl+245>
> 0xffffffff811086f4 <+228>:   mov    %rbp,%rsi
> 0xffffffff811086f7 <+231>:   mov    %rbx,%rdi
> 0xffffffff811086fa <+234>:   callq  *0xd0(%r14)
> 0xffffffff81108701 <+241>:   test   %eax,%eax
> #v-
> 
> Naturally it happens both on i686 and amd64.
> 
> BTW, changelog link on the package's page[1] is dead.
> 
> Interesting changelog's part:
> 
>   * aufs: Make fcntl(F_SETFL, ...) work (Closes: #627782):
>     - for aufs: new f_op->setfl() to support fcntl(F_SETFL)
>     - aufs: implement new f_op->setfl()
>     - fs: Fix ABI change for aufs F_SETFL fix
> 
> Is there any chance for a fix in some future wheezy-lts update?
> 
> [1] https://packages.debian.org/wheezy/linux-image-3.2.0-4-amd64
> 
-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.