oss-sec mailing list archives
CVE request: Kernel Oops when issuing fcntl on an AUFS directory
From: Ben Hutchings <ben () decadent org uk>
Date: Wed, 31 Aug 2016 01:34:24 +0100
Marcin Szewczyk reported and diagnosed a bug in Debian's kernel packages that allows a denial of service (crash) by local users with access to an aufs filesystem. The bug is in a Debian-specific patch, not the upstream kernel or aufs code. The current version in Debian 7 'wheezy' (3.2.81-1) and the current proposed update to Debian 8 'jessie' (3.16.36-1 are affected. Ben. On Tue, 2016-08-30 at 22:33 +0200, Marcin Szewczyk wrote:
Hi, the wheezy kernel upgrade from 3.2.78-1 to 3.2.81-1 added the SETFL fcntl support code (#627782) which unfortunately results in a kernel Oops when the fcntl is called on a directory. This breaks e.g. copying files from an AUFS filesystem on a remote machine using scp. Minimal code to reproduce the problem: #v+ #include <stdio.h> #include <stdlib.h> #include <fcntl.h> int main (int argc, char **argv) { const char *fname = NULL; int fd; if (argc != 2) exit (1); fname = argv[1]; fd = open (fname, O_RDONLY|O_NONBLOCK); printf ("fd %d\n", fd); fcntl (fd, F_SETFL, O_RDONLY); return 0; } #v- Call the program on regular a file (nothing happens) and then on a directory (Oops). The Oops happens in fs/fcntl.c: #v+ if (!error && filp->f_op->owner && !strcmp(filp->f_op->owner->name, "aufs") && strstr(filp->f_op->owner->version, "+setfl")) error = filp->f_op->setfl(filp, arg); #v-From fs/aufs/inode.c:#v+ case S_IFREG: [...] inode->i_fop = &aufs_file_fop; [...] case S_IFDIR: [...] inode->i_fop = &aufs_dir_fop; #v- The aufs_file_fop structure sets the value of the .setfl member to aufs_setfl (f_op.c). aufs_dir_fop (dir.c) on the other hand does not. dmesg: #v+ [42990.915100] aufs 3.2.x+setfl-debian [43046.383421] BUG: unable to handle kernel NULL pointer dereference at (null) [43046.384011] IP: [< (null)>] (null) [43046.384369] PGD 3d0f1067 PUD 3b8cc067 PMD 0 [43046.384688] Oops: 0010 [#1] SMP [43046.385620] Call Trace: [...] [43046.385620] [<ffffffff81108701>] ? setfl+0xf1/0x157 [43046.385620] [<ffffffff81108b9e>] ? sys_fcntl+0x1dc/0x3b0 [43046.385620] [<ffffffff81358af2>] ? system_call_fastpath+0x16/0x1b #v- gdb: #v+ 0xffffffff811086d3 <+195>: callq 0xffffffff811b2bd2 <strcmp> 0xffffffff811086d8 <+200>: test %eax,%eax 0xffffffff811086da <+202>: jne 0xffffffff81108705 <setfl+245> 0xffffffff811086dc <+204>: mov 0xb0(%r13),%rdi 0xffffffff811086e3 <+211>: mov $0xffffffff814dc9e4,%rsi 0xffffffff811086ea <+218>: callq 0xffffffff811b2e25 <strstr> 0xffffffff811086ef <+223>: test %rax,%rax 0xffffffff811086f2 <+226>: je 0xffffffff81108705 <setfl+245> 0xffffffff811086f4 <+228>: mov %rbp,%rsi 0xffffffff811086f7 <+231>: mov %rbx,%rdi 0xffffffff811086fa <+234>: callq *0xd0(%r14) 0xffffffff81108701 <+241>: test %eax,%eax #v- Naturally it happens both on i686 and amd64. BTW, changelog link on the package's page[1] is dead. Interesting changelog's part: * aufs: Make fcntl(F_SETFL, ...) work (Closes: #627782): - for aufs: new f_op->setfl() to support fcntl(F_SETFL) - aufs: implement new f_op->setfl() - fs: Fix ABI change for aufs F_SETFL fix Is there any chance for a fix in some future wheezy-lts update? [1] https://packages.debian.org/wheezy/linux-image-3.2.0-4-amd64
-- Ben Hutchings Anthony's Law of Force: Don't force it, get a larger hammer.
Attachment:
signature.asc
Description: This is a digitally signed message part
Current thread:
- CVE request: Kernel Oops when issuing fcntl on an AUFS directory Ben Hutchings (Aug 30)
- Re: CVE request: Kernel Oops when issuing fcntl on an AUFS directory cve-assign (Aug 31)