Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 31 Aug 2016 01:34:24 +0100
From: Ben Hutchings <ben@...adent.org.uk>
To: oss-security <oss-security@...ts.openwall.com>
Cc: Marcin Szewczyk <debian@...ny.org>, debian-lts@...ts.debian.org
Subject: CVE request: Kernel Oops when issuing fcntl on an AUFS directory

Marcin Szewczyk reported and diagnosed a bug in Debian's kernel
packages that allows a denial of service (crash) by local users with
access to an aufs filesystem.  The bug is in a Debian-specific patch,
not the upstream kernel or aufs code.

The current version in Debian 7 'wheezy' (3.2.81-1) and the current proposed update to Debian 8 'jessie' (3.16.36-1 are affected.

Ben.

On Tue, 2016-08-30 at 22:33 +0200, Marcin Szewczyk wrote:
> Hi,
> 
> the wheezy kernel upgrade from 3.2.78-1 to 3.2.81-1 added the SETFL
> fcntl support code (#627782) which unfortunately results in a kernel
> Oops when the fcntl is called on a directory. This breaks e.g. copying
> files from an AUFS filesystem on a remote machine using scp.
>
> Minimal code to reproduce the problem:
> #v+
> #include <stdio.h>
> #include <stdlib.h>
> #include <fcntl.h>
> 
> int main (int argc, char **argv) {
>         const char *fname = NULL;
>         int fd;
>         if (argc != 2)
>                 exit (1);
>         fname = argv[1];
>         fd = open (fname, O_RDONLY|O_NONBLOCK);
>         printf ("fd %d\n", fd);
>         fcntl (fd, F_SETFL, O_RDONLY);
>         return 0;
> }
> #v-
> 
> Call the program on regular a file (nothing happens) and then on a
> directory (Oops).
> 
> The Oops happens in fs/fcntl.c:
> #v+
> if (!error && filp->f_op->owner &&
>     !strcmp(filp->f_op->owner->name, "aufs") &&
>     strstr(filp->f_op->owner->version, "+setfl"))
>         error = filp->f_op->setfl(filp, arg);
> #v-
> 
> > 
> > From fs/aufs/inode.c:
> #v+
> case S_IFREG:
>         [...]
> 	inode->i_fop = &aufs_file_fop;
>         [...]
> case S_IFDIR:
>         [...]
> 	inode->i_fop = &aufs_dir_fop;
> #v-
> 
> The aufs_file_fop structure sets the value of the .setfl member to
> aufs_setfl (f_op.c). aufs_dir_fop (dir.c) on the other hand does not.
> 
> dmesg:
> #v+
> [42990.915100] aufs 3.2.x+setfl-debian
> [43046.383421] BUG: unable to handle kernel NULL pointer dereference
> at           (null)
> [43046.384011] IP: [<          (null)>]           (null)
> [43046.384369] PGD 3d0f1067 PUD 3b8cc067 PMD 0 
> [43046.384688] Oops: 0010 [#1] SMP 
> [43046.385620] Call Trace:
> [...]
> [43046.385620]  [<ffffffff81108701>] ? setfl+0xf1/0x157
> [43046.385620]  [<ffffffff81108b9e>] ? sys_fcntl+0x1dc/0x3b0
> [43046.385620]  [<ffffffff81358af2>] ? system_call_fastpath+0x16/0x1b
> #v-
> 
> gdb:
> #v+
> 0xffffffff811086d3 <+195>:   callq  0xffffffff811b2bd2 <strcmp>
> 0xffffffff811086d8 <+200>:   test   %eax,%eax
> 0xffffffff811086da <+202>:   jne    0xffffffff81108705 <setfl+245>
> 0xffffffff811086dc <+204>:   mov    0xb0(%r13),%rdi
> 0xffffffff811086e3 <+211>:   mov    $0xffffffff814dc9e4,%rsi
> 0xffffffff811086ea <+218>:   callq  0xffffffff811b2e25 <strstr>
> 0xffffffff811086ef <+223>:   test   %rax,%rax
> 0xffffffff811086f2 <+226>:   je     0xffffffff81108705 <setfl+245>
> 0xffffffff811086f4 <+228>:   mov    %rbp,%rsi
> 0xffffffff811086f7 <+231>:   mov    %rbx,%rdi
> 0xffffffff811086fa <+234>:   callq  *0xd0(%r14)
> 0xffffffff81108701 <+241>:   test   %eax,%eax
> #v-
> 
> Naturally it happens both on i686 and amd64.
> 
> BTW, changelog link on the package's page[1] is dead.
> 
> Interesting changelog's part:
> 
>   * aufs: Make fcntl(F_SETFL, ...) work (Closes: #627782):
>     - for aufs: new f_op->setfl() to support fcntl(F_SETFL)
>     - aufs: implement new f_op->setfl()
>     - fs: Fix ABI change for aufs F_SETFL fix
> 
> Is there any chance for a fix in some future wheezy-lts update?
> 
> [1] https://packages.debian.org/wheezy/linux-image-3.2.0-4-amd64
> 
-- 
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.

Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.