APPLIED: [T][SRU][PATCH 0/1] Fix for CVE-2017-12193
Khaled Elmously
khalid.elmously at canonical.com
Thu Jun 7 21:55:52 UTC 2018
Applied to trusty
On 2018-06-06 16:52:38 , Po-Hsu Lin wrote:
> [SRU Justification]
> The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
> the Linux kernel before 4.13.11 mishandles node splitting, which allows
> local users to cause a denial of service (NULL pointer dereference and
> panic) via a crafted application, as demonstrated by the keyring key type,
> and key addition and link creation operations.
>
> The "add_key04" test from the LTP syscall tests will cause a kernel oops on a
> testing node with the Trusty kernel installed, and it will make incoming ssh
> connections hang (bug 1775158).
>
> [Test Case]
> This issue can easily be reproduced with the "add_key04" test from the LTP
> syscall test suite.
>
> Steps (with root):
> 1. sudo apt-get install git -y
> 2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
> 3. cd ltp
> 4. make autotools
> 5. ./configure
> 6. make; make install
> 7. /opt/ltp/testcases/bin/add_key04
>
> Test result before the patch:
> ubuntu at amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
> tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
> add_key04.c:82: FAIL: kernel oops while filling keyring
>
> Summary:
> passed 0
> failed 1
> skipped 0
> warnings 0
>
> [52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> [52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
> [52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
> [52399.298952] Oops: 0002 [#1] SMP
> [52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
> [52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
> [52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
> [52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
> [52399.299159] RIP: 0010:[<ffffffff81387a77>] [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
> [52399.299182] RSP: 0018:ffff88045a2e3df0 EFLAGS: 00010202
> [52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
> [52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
> [52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
> [52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
> [52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
> [52399.299278] FS: 00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
> [52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
> [52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [52399.299361] Stack:
> [52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
> [52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
> [52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
> [52399.299427] Call Trace:
> [52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40
> [52399.299450] [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
> [52399.299467] [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
> [52399.299482] [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
> [52399.299497] [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
> [52399.299512] [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
> [52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
> [52399.299625] RIP [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
> [52399.299642] RSP <ffff88045a2e3df0>
> [52399.299650] CR2: 0000000000000010
> [52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
>
> Test result after the patch:
> $ sudo /opt/ltp/testcases/bin/add_key04
> tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
> add_key04.c:80: PASS: didn't crash while filling keyring
>
> Summary:
> passed 1
> failed 0
> skipped 0
> warnings 0
>
> [Regression-potential]
> Low risk for causing regression.
> No additional function was added, only an identifier got removed.
> This fix has already landed in Xenial / Artful, and it has been in the mainline
> tree since then.
>
> David Howells (1):
> assoc_array: Fix a buggy node-splitting case
>
> lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
> 1 file changed, 17 insertions(+), 34 deletions(-)
>
> --
> 1.9.1
>
>
> --
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
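Automating the verification in the quoted test case, as an added example that is not part of the original mail or of LTP: the first function classifies an LTP run from its Summary block, the second scans a kernel log excerpt for the NULL-dereference oops with an assoc_array frame that the unpatched kernel produced. The sample outputs are constructed from the lines quoted above.

```shell
#!/bin/sh
# Added example (not from the SRU mail or LTP): classify an LTP run and
# scan a dmesg excerpt for the CVE-2017-12193 keyring oops signature.

# Constructed sample: LTP output as shown before the patch.
LTP_BEFORE="tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring

Summary:
passed 0
failed 1
skipped 0
warnings 0"

# Constructed sample: LTP output as shown after the patch.
LTP_AFTER="tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

Summary:
passed 1
failed 0
skipped 0
warnings 0"

# Constructed sample: three lines of the oops quoted in the bug report.
DMESG_OOPS="[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40"

# ltp_verdict OUTPUT: prints "pass" when the Summary reports zero failures
# and at least one pass, "fail" otherwise (missing Summary counts as fail).
ltp_verdict() {
    failed=$(printf '%s\n' "$1" | awk '/^failed /{print $2}')
    passed=$(printf '%s\n' "$1" | awk '/^passed /{print $2}')
    if [ "${failed:-1}" -eq 0 ] && [ "${passed:-0}" -gt 0 ]; then
        echo pass
    else
        echo fail
    fi
}

# keyring_oops_found LOG: exit 0 if LOG has a NULL-dereference BUG line
# followed by an assoc_array_* frame, the pattern of the unpatched kernel.
keyring_oops_found() {
    printf '%s\n' "$1" | awk '
        /BUG: unable to handle kernel NULL pointer dereference/ { bug = 1 }
        bug && /assoc_array_/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}
```

On a real node, feed `ltp_verdict` the captured output of `/opt/ltp/testcases/bin/add_key04` and `keyring_oops_found` the output of `dmesg`.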