CVE request: Kernel Oops when issuing fcntl on an AUFS directory

[Ben Hutchings <ben () decadent org uk>]

Marcin Szewczyk reported and diagnosed a bug in Debian's kernel
packages that allows a denial of service (crash) by local users with
access to an aufs filesystem.  The bug is in a Debian-specific patch,
not the upstream kernel or aufs code.

The current version in Debian 7 'wheezy' (3.2.81-1) and the current proposed update to Debian 8 'jessie' (3.16.36-1 are 
affected.

Ben.

On Tue, 2016-08-30 at 22:33 +0200, Marcin Szewczyk wrote:
> Hi,
>
> the wheezy kernel upgrade from 3.2.78-1 to 3.2.81-1 added the SETFL
> fcntl support code (#627782) which unfortunately results in a kernel
> Oops when the fcntl is called on a directory. This breaks e.g. copying
> files from an AUFS filesystem on a remote machine using scp.
>
> Minimal code to reproduce the problem:
> #v+
> #include <stdio.h>
> #include <stdlib.h>
> #include <fcntl.h>
>
> int main (int argc, char **argv) {
>         const char *fname = NULL;
>         int fd;
>         if (argc != 2)
>                 exit (1);
>         fname = argv[1];
>         fd = open (fname, O_RDONLY|O_NONBLOCK);
>         printf ("fd %d\n", fd);
>         fcntl (fd, F_SETFL, O_RDONLY);
>         return 0;
> }
> #v-
>
> Call the program on regular a file (nothing happens) and then on a
> directory (Oops).
>
> The Oops happens in fs/fcntl.c:
> #v+
> if (!error && filp->f_op->owner &&
>     !strcmp(filp->f_op->owner->name, "aufs") &&
>     strstr(filp->f_op->owner->version, "+setfl"))
>         error = filp->f_op->setfl(filp, arg);
> #v-
>
> > From fs/aufs/inode.c:
> #v+
> case S_IFREG:
>         [...]
>       inode->i_fop = &aufs_file_fop;
>         [...]
> case S_IFDIR:
>         [...]
>       inode->i_fop = &aufs_dir_fop;
> #v-
>
> The aufs_file_fop structure sets the value of the .setfl member to
> aufs_setfl (f_op.c). aufs_dir_fop (dir.c) on the other hand does not.
>
> dmesg:
> #v+
> [42990.915100] aufs 3.2.x+setfl-debian
> [43046.383421] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [43046.384011] IP: [<          (null)>]           (null)
> [43046.384369] PGD 3d0f1067 PUD 3b8cc067 PMD 0 
> [43046.384688] Oops: 0010 [#1] SMP 
> [43046.385620] Call Trace:
> [...]
> [43046.385620]  [<ffffffff81108701>] ? setfl+0xf1/0x157
> [43046.385620]  [<ffffffff81108b9e>] ? sys_fcntl+0x1dc/0x3b0
> [43046.385620]  [<ffffffff81358af2>] ? system_call_fastpath+0x16/0x1b
> #v-
>
> gdb:
> #v+
> 0xffffffff811086d3 <+195>:   callq  0xffffffff811b2bd2 <strcmp>
> 0xffffffff811086d8 <+200>:   test   %eax,%eax
> 0xffffffff811086da <+202>:   jne    0xffffffff81108705 <setfl+245>
> 0xffffffff811086dc <+204>:   mov    0xb0(%r13),%rdi
> 0xffffffff811086e3 <+211>:   mov    $0xffffffff814dc9e4,%rsi
> 0xffffffff811086ea <+218>:   callq  0xffffffff811b2e25 <strstr>
> 0xffffffff811086ef <+223>:   test   %rax,%rax
> 0xffffffff811086f2 <+226>:   je     0xffffffff81108705 <setfl+245>
> 0xffffffff811086f4 <+228>:   mov    %rbp,%rsi
> 0xffffffff811086f7 <+231>:   mov    %rbx,%rdi
> 0xffffffff811086fa <+234>:   callq  *0xd0(%r14)
> 0xffffffff81108701 <+241>:   test   %eax,%eax
> #v-
>
> Naturally it happens both on i686 and amd64.
>
> BTW, changelog link on the package's page[1] is dead.
>
> Interesting changelog's part:
>
>   * aufs: Make fcntl(F_SETFL, ...) work (Closes: #627782):
>     - for aufs: new f_op->setfl() to support fcntl(F_SETFL)
>     - aufs: implement new f_op->setfl()
>     - fs: Fix ABI change for aufs F_SETFL fix
>
> Is there any chance for a fix in some future wheezy-lts update?
>
> [1] https://packages.debian.org/wheezy/linux-image-3.2.0-4-amd64
-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.

Attachment: signature.asc
Description: This is a digitally signed message part