[T][SRU][PATCH 0/1] Fix for CVE-2017-12193


[T][SRU][PATCH 0/1] Fix for CVE-2017-12193

Po-Hsu Lin (Sam)
[SRU Justification]
The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
the Linux kernel before 4.13.11 mishandles node splitting, which allows
local users to cause a denial of service (NULL pointer dereference and
panic) via a crafted application, as demonstrated by the keyring key type,
and key addition and link creation operations.

The "add_key04" test from the LTP syscall tests will cause a kernel oops on a
testing node with the Trusty kernel installed, and it will make incoming ssh
connections hang (bug 1775158).

[Test Case]
This issue can easily be reproduced with the "add_key04" test from the LTP
syscall test suite.

Steps (with root):
  1. sudo apt-get install git -y
  2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
  3. cd ltp
  4. make autotools
  5. ./configure
  6. make; make install
  7. /opt/ltp/testcases/bin/add_key04

Test result before the patch:
ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:82: FAIL: kernel oops while filling keyring

Summary:
passed 0
failed 1
skipped 0
warnings 0

[52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
[52399.298952] Oops: 0002 [#1] SMP
[52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
[52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
[52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
[52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
[52399.299159] RIP: 0010:[<ffffffff81387a77>] [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299182] RSP: 0018:ffff88045a2e3df0 EFLAGS: 00010202
[52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
[52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
[52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
[52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
[52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
[52399.299278] FS: 00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
[52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
[52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[52399.299361] Stack:
[52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
[52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
[52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
[52399.299427] Call Trace:
[52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40
[52399.299450] [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
[52399.299467] [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
[52399.299482] [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
[52399.299497] [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
[52399.299512] [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
[52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
[52399.299625] RIP [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
[52399.299642] RSP <ffff88045a2e3df0>
[52399.299650] CR2: 0000000000000010
[52399.302015] ---[ end trace 0f3e00901ea9f056 ]---

Test result after the patch:
$ sudo /opt/ltp/testcases/bin/add_key04
tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
add_key04.c:80: PASS: didn't crash while filling keyring

Summary:
passed 1
failed 0
skipped 0
warnings 0

[Regression-potential]
Low risk for causing regression.
No additional function was added, only an identifier got removed.
This fix has already landed in Xenial / Artful, and it has been in the mainline
tree since then.

David Howells (1):
  assoc_array: Fix a buggy node-splitting case

 lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
 1 file changed, 17 insertions(+), 34 deletions(-)

--
1.9.1


--
kernel-team mailing list
[hidden email]
https://lists.ubuntu.com/mailman/listinfo/kernel-team

[CVE-2017-12193][T][SRU][PATCH 1/1] assoc_array: Fix a buggy node-splitting case

Po-Hsu Lin (Sam)
From: David Howells <[hidden email]>

CVE-2017-12193

BugLink: https://bugs.launchpad.net/bugs/1775316

This fixes CVE-2017-12193.

Fix a case in the assoc_array implementation in which a new leaf is
added that needs to go into a node that happens to be full, where the
existing leaves in that node cluster together at that level to the
exclusion of the new leaf.

What needs to happen is that the existing leaves get moved out to a new
node, N1, at level + 1 and the existing node needs replacing with one,
N0, that has pointers to the new leaf and to N1.

The code that tries to do this gets this wrong in two ways:

 (1) The pointer that should've pointed from N0 to N1 is set to point
     recursively to N0 instead.

 (2) The backpointer from N0 needs to be set correctly in the case N0 is
     either the root node or reached through a shortcut.

Fix this by removing this path and using the split_node path instead,
which achieves the same end, but in a more general way (thanks to Eric
Biggers for spotting the redundancy).

The problem manifests itself as:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
  IP: assoc_array_apply_edit+0x59/0xe5

Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
Reported-and-tested-by: WU Fan <[hidden email]>
Signed-off-by: David Howells <[hidden email]>
Cc: [hidden email] [v3.13-rc1+]
Signed-off-by: Linus Torvalds <[hidden email]>
(cherry picked from commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b)
Signed-off-by: Po-Hsu Lin <[hidden email]>
---
 lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
 1 file changed, 17 insertions(+), 34 deletions(-)

diff --git a/lib/assoc_array.c b/lib/assoc_array.c
index afef906..035c236 100644
--- a/lib/assoc_array.c
+++ b/lib/assoc_array.c
@@ -597,21 +597,31 @@ static bool assoc_array_insert_into_terminal_node(struct assoc_array_edit *edit,
  if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0)
  goto all_leaves_cluster_together;
 
- /* Otherwise we can just insert a new node ahead of the old
- * one.
+ /* Otherwise all the old leaves cluster in the same slot, but
+ * the new leaf wants to go into a different slot - so we
+ * create a new node (n0) to hold the new leaf and a pointer to
+ * a new node (n1) holding all the old leaves.
+ *
+ * This can be done by falling through to the node splitting
+ * path.
  */
- goto present_leaves_cluster_but_not_new_leaf;
+ pr_devel("present leaves cluster but not new leaf\n");
  }
 
 split_node:
  pr_devel("split node\n");
 
- /* We need to split the current node; we know that the node doesn't
- * simply contain a full set of leaves that cluster together (it
- * contains meta pointers and/or non-clustering leaves).
+ /* We need to split the current node.  The node must contain anything
+ * from a single leaf (in the one leaf case, this leaf will cluster
+ * with the new leaf) and the rest meta-pointers, to all leaves, some
+ * of which may cluster.
+ *
+ * It won't contain the case in which all the current leaves plus the
+ * new leaves want to cluster in the same slot.
  *
  * We need to expel at least two leaves out of a set consisting of the
- * leaves in the node and the new leaf.
+ * leaves in the node and the new leaf.  The current meta pointers can
+ * just be copied as they shouldn't cluster with any of the leaves.
  *
  * We need a new node (n0) to replace the current one and a new node to
  * take the expelled nodes (n1).
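Review bot: the fall-through from the new `pr_devel("present leaves cluster but not new leaf\n");` line into `split_node:` is now implicit, carried only by the comment "This can be done by falling through to the node splitting path" and by the label sitting right after the closing brace; an explicit `goto split_node;` after the pr_devel would read the same at runtime and survive a later insertion between the brace and the label. The rewritten split_node comment's promise that the node "won't contain the case in which all the current leaves plus the new leaves want to cluster in the same slot" holds because the `goto all_leaves_cluster_together` check two lines above this block already diverts that case. One side effect worth knowing when comparing debug traces: this path now prints two pr_devel lines in a row ("present leaves cluster but not new leaf" followed by "split node"), where the old path printed only the first.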
@@ -716,33 +726,6 @@ found_slot_for_multiple_occupancy:
  pr_devel("<--%s() = ok [split node]\n", __func__);
  return true;
 
-present_leaves_cluster_but_not_new_leaf:
- /* All the old leaves cluster in the same slot, but the new leaf wants
- * to go into a different slot, so we create a new node to hold the new
- * leaf and a pointer to a new node holding all the old leaves.
- */
- pr_devel("present leaves cluster but not new leaf\n");
-
- new_n0->back_pointer = node->back_pointer;
- new_n0->parent_slot = node->parent_slot;
- new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch;
- new_n1->back_pointer = assoc_array_node_to_ptr(new_n0);
- new_n1->parent_slot = edit->segment_cache[0];
- new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch;
- edit->adjust_count_on = new_n0;
-
- for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++)
- new_n1->slots[i] = node->slots[i];
-
- new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);
- edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]];
-
- edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];
- edit->set[0].to = assoc_array_node_to_ptr(new_n0);
- edit->excised_meta[0] = assoc_array_node_to_ptr(node);
- pr_devel("<--%s() = ok [insert node before]\n", __func__);
- return true;
-
 all_leaves_cluster_together:
  /* All the leaves, new and old, want to cluster together in this node
  * in the same slot, so we have to replace this node with a shortcut to
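Review bot: both defects named in the commit message are visible in the removed block, which makes deleting the path rather than patching it the right call. `new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);` stores a pointer to n0 inside n0 itself where n1 was meant (defect (1)), and `edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];` dereferences `node->back_pointer` with no check for a NULL root or a shortcut (defect (2)), which matches the NULL dereference at offset 0x10 in the oops. With the label gone, the only jump to `present_leaves_cluster_but_not_new_leaf` visible in this patch is the `goto` removed in the first hunk, so the label removal is complete as far as the diff shows; the rest of lib/assoc_array.c should still be checked for any other reference to the label before merging. The pr_devel message removed here is re-added in the first hunk, so the debug output for this case is preserved.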
--
1.9.1


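The split that the commit message describes, modelled in C as an added example (this is not the kernel's lib/assoc_array.c, and FAN_OUT, the struct layouts, every function name, and the fact that slot indices are passed in directly instead of being computed from key segments are all assumptions made for the model). It builds a node whose existing leaves cluster in one slot at the next level while the new leaf wants another slot, performs the N0/N1 replacement correctly and, on request, with defect (1) reproduced, and then runs a structural validator. The validator goes a little beyond the text: besides catching the self-pointing slot from defect (1) it also checks that every child's back pointer and parent slot agree with its parent, which is the invariant defect (2) would have broken; the root case that the removed kernel path mishandled is handled explicitly through `rootp`.

```c
/* Toy model of the node-split case in the commit message. Added example,
 * not the kernel's lib/assoc_array.c: FAN_OUT, the struct layouts and all
 * function names are assumptions. Nodes are not freed; it is a throwaway. */
#include <stdlib.h>
#include <string.h>

#define FAN_OUT   16   /* assumed fan-out */
#define MAX_DEPTH 64   /* walk bound so a cycle cannot spin forever */

enum kind { EMPTY, LEAF, NODE };
struct slot { enum kind kind; void *p; };
struct node {
	struct node *back_pointer;  /* parent node, NULL for the root */
	int parent_slot;            /* index in the parent pointing at us */
	struct slot slots[FAN_OUT];
};

static struct node *node_new(struct node *parent, int parent_slot)
{
	struct node *n = calloc(1, sizeof(*n));
	if (!n) abort();
	n->back_pointer = parent;
	n->parent_slot = parent_slot;
	return n;
}

/* Swap `repl` in for `node`. The root (back_pointer == NULL) is handled
 * explicitly; the removed kernel path dereferenced back_pointer
 * unconditionally, which is defect (2) and the NULL dereference in the oops. */
static void replace_in_parent(struct node **rootp, struct node *node, struct node *repl)
{
	if (!node->back_pointer)
		*rootp = repl;
	else
		node->back_pointer->slots[node->parent_slot] = (struct slot){ NODE, repl };
}

/* "Present leaves cluster but not new leaf": every leaf in `node` belongs
 * in `old_slot` at the next level, the new leaf in `new_slot`. n1 takes the
 * old leaves; n0 replaces `node` and points at n1 and the new leaf.
 * `buggy` reproduces defect (1): n0's old-leaves slot points at n0, not n1. */
static struct node *split_for_new_leaf(struct node **rootp, struct node *node,
				       int old_slot, int new_slot, void *leaf, int buggy)
{
	struct node *n0 = node_new(node->back_pointer, node->parent_slot);
	struct node *n1 = node_new(n0, old_slot);
	memcpy(n1->slots, node->slots, sizeof(n1->slots));
	n0->slots[old_slot] = (struct slot){ NODE, buggy ? n0 : n1 };
	n0->slots[new_slot] = (struct slot){ LEAF, leaf };
	replace_in_parent(rootp, node, n0);
	free(node);
	return n0;
}

/* Invariant check: no slot points at its own node, each child's back_pointer
 * and parent_slot agree with its parent, depth is bounded. 0 means consistent. */
static int validate_from(const struct node *n, int depth)
{
	if (depth > MAX_DEPTH) return -4;
	for (int i = 0; i < FAN_OUT; i++) {
		const struct node *c = n->slots[i].p;
		int rc;
		if (n->slots[i].kind != NODE) continue;
		if (c == n) return -1;               /* self-reference: defect (1) */
		if (c->back_pointer != n) return -2; /* stale back-pointer */
		if (c->parent_slot != i) return -3;
		if ((rc = validate_from(c, depth + 1))) return rc;
	}
	return 0;
}

int validate(const struct node *root)
{
	return (root && !root->back_pointer) ? validate_from(root, 0) : -5;
}

/* Only walk trees that validate() accepted: a cycle would not terminate. */
int count_leaves(const struct node *n)
{
	int total = 0;
	for (int i = 0; i < FAN_OUT; i++) {
		if (n->slots[i].kind == LEAF) total++;
		else if (n->slots[i].kind == NODE) total += count_leaves(n->slots[i].p);
	}
	return total;
}

/* Constructed scenario: the root holds three leaves whose next key segment
 * selects slot 5; a fourth leaf wants slot 9. */
static struct node *build_scenario(int buggy)
{
	static int payload[4];  /* leaf payloads; only their addresses matter */
	struct node *root = node_new(NULL, 0);
	for (int i = 0; i < 3; i++)
		root->slots[i] = (struct slot){ LEAF, &payload[i] };
	split_for_new_leaf(&root, root, 5, 9, &payload[3], buggy);
	return root;
}

int scenario_validate(int buggy) { return validate(build_scenario(buggy)); }
int scenario_leaf_count(void)    { return count_leaves(build_scenario(0)); }
```

`scenario_validate(0)` returns 0 and the rebuilt tree still holds all four leaves; `scenario_validate(1)` returns -1 because n0's slot 5 points at n0 itself, exactly the self-reference the first defect produced. The self-pointer check runs before any recursion, so the validator terminates on the cyclic tree, which a plain leaf count would not.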

ACK: [CVE-2017-12193][T][SRU][PATCH 1/1] assoc_array: Fix a buggy node-splitting case

Stefan Bader-2
On 06.06.2018 01:52, Po-Hsu Lin wrote:

> From: David Howells <[hidden email]>
>
> CVE-2017-12193
>
> BugLink: https://bugs.launchpad.net/bugs/1775316
>
> This fixes CVE-2017-12193.
>
> Fix a case in the assoc_array implementation in which a new leaf is
> added that needs to go into a node that happens to be full, where the
> existing leaves in that node cluster together at that level to the
> exclusion of the new leaf.
>
> What needs to happen is that the existing leaves get moved out to a new
> node, N1, at level + 1 and the existing node needs replacing with one,
> N0, that has pointers to the new leaf and to N1.
>
> The code that tries to do this gets this wrong in two ways:
>
>  (1) The pointer that should've pointed from N0 to N1 is set to point
>      recursively to N0 instead.
>
>  (2) The backpointer from N0 needs to be set correctly in the case N0 is
>      either the root node or reached through a shortcut.
>
> Fix this by removing this path and using the split_node path instead,
> which achieves the same end, but in a more general way (thanks to Eric
> Biggers for spotting the redundancy).
>
> The problem manifests itself as:
>
>   BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
>   IP: assoc_array_apply_edit+0x59/0xe5
>
> Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
> Reported-and-tested-by: WU Fan <[hidden email]>
> Signed-off-by: David Howells <[hidden email]>
> Cc: [hidden email] [v3.13-rc1+]
> Signed-off-by: Linus Torvalds <[hidden email]>
> (cherry picked from commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b)
> Signed-off-by: Po-Hsu Lin <[hidden email]>
Acked-by: Stefan Bader <[hidden email]>

> ---
>  lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
>  1 file changed, 17 insertions(+), 34 deletions(-)
>
> diff --git a/lib/assoc_array.c b/lib/assoc_array.c
> index afef906..035c236 100644
> --- a/lib/assoc_array.c
> +++ b/lib/assoc_array.c
> @@ -597,21 +597,31 @@ static bool assoc_array_insert_into_terminal_node(struct assoc_array_edit *edit,
>   if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0)
>   goto all_leaves_cluster_together;
>  
> - /* Otherwise we can just insert a new node ahead of the old
> - * one.
> + /* Otherwise all the old leaves cluster in the same slot, but
> + * the new leaf wants to go into a different slot - so we
> + * create a new node (n0) to hold the new leaf and a pointer to
> + * a new node (n1) holding all the old leaves.
> + *
> + * This can be done by falling through to the node splitting
> + * path.
>   */
> - goto present_leaves_cluster_but_not_new_leaf;
> + pr_devel("present leaves cluster but not new leaf\n");
>   }
>  
>  split_node:
>   pr_devel("split node\n");
>  
> - /* We need to split the current node; we know that the node doesn't
> - * simply contain a full set of leaves that cluster together (it
> - * contains meta pointers and/or non-clustering leaves).
> + /* We need to split the current node.  The node must contain anything
> + * from a single leaf (in the one leaf case, this leaf will cluster
> + * with the new leaf) and the rest meta-pointers, to all leaves, some
> + * of which may cluster.
> + *
> + * It won't contain the case in which all the current leaves plus the
> + * new leaves want to cluster in the same slot.
>   *
>   * We need to expel at least two leaves out of a set consisting of the
> - * leaves in the node and the new leaf.
> + * leaves in the node and the new leaf.  The current meta pointers can
> + * just be copied as they shouldn't cluster with any of the leaves.
>   *
>   * We need a new node (n0) to replace the current one and a new node to
>   * take the expelled nodes (n1).
> @@ -716,33 +726,6 @@ found_slot_for_multiple_occupancy:
>   pr_devel("<--%s() = ok [split node]\n", __func__);
>   return true;
>  
> -present_leaves_cluster_but_not_new_leaf:
> - /* All the old leaves cluster in the same slot, but the new leaf wants
> - * to go into a different slot, so we create a new node to hold the new
> - * leaf and a pointer to a new node holding all the old leaves.
> - */
> - pr_devel("present leaves cluster but not new leaf\n");
> -
> - new_n0->back_pointer = node->back_pointer;
> - new_n0->parent_slot = node->parent_slot;
> - new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch;
> - new_n1->back_pointer = assoc_array_node_to_ptr(new_n0);
> - new_n1->parent_slot = edit->segment_cache[0];
> - new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch;
> - edit->adjust_count_on = new_n0;
> -
> - for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++)
> - new_n1->slots[i] = node->slots[i];
> -
> - new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);
> - edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]];
> -
> - edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];
> - edit->set[0].to = assoc_array_node_to_ptr(new_n0);
> - edit->excised_meta[0] = assoc_array_node_to_ptr(node);
> - pr_devel("<--%s() = ok [insert node before]\n", __func__);
> - return true;
> -
>  all_leaves_cluster_together:
>   /* All the leaves, new and old, want to cluster together in this node
>   * in the same slot, so we have to replace this node with a shortcut to
>



ACK: [CVE-2017-12193][T][SRU][PATCH 1/1] assoc_array: Fix a buggy node-splitting case

Kleber Souza
On 06/06/18 01:52, Po-Hsu Lin wrote:

> From: David Howells <[hidden email]>
>
> CVE-2017-12193
>
> BugLink: https://bugs.launchpad.net/bugs/1775316
>
> This fixes CVE-2017-12193.
>
> Fix a case in the assoc_array implementation in which a new leaf is
> added that needs to go into a node that happens to be full, where the
> existing leaves in that node cluster together at that level to the
> exclusion of the new leaf.
>
> What needs to happen is that the existing leaves get moved out to a new
> node, N1, at level + 1 and the existing node needs replacing with one,
> N0, that has pointers to the new leaf and to N1.
>
> The code that tries to do this gets this wrong in two ways:
>
>  (1) The pointer that should've pointed from N0 to N1 is set to point
>      recursively to N0 instead.
>
>  (2) The backpointer from N0 needs to be set correctly in the case N0 is
>      either the root node or reached through a shortcut.
>
> Fix this by removing this path and using the split_node path instead,
> which achieves the same end, but in a more general way (thanks to Eric
> Biggers for spotting the redundancy).
>
> The problem manifests itself as:
>
>   BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
>   IP: assoc_array_apply_edit+0x59/0xe5
>
> Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
> Reported-and-tested-by: WU Fan <[hidden email]>
> Signed-off-by: David Howells <[hidden email]>
> Cc: [hidden email] [v3.13-rc1+]
> Signed-off-by: Linus Torvalds <[hidden email]>
> (cherry picked from commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b)
> Signed-off-by: Po-Hsu Lin <[hidden email]>

Acked-by: Kleber Sacilotto de Souza <[hidden email]>

> ---
>  lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
>  1 file changed, 17 insertions(+), 34 deletions(-)
>
> diff --git a/lib/assoc_array.c b/lib/assoc_array.c
> index afef906..035c236 100644
> --- a/lib/assoc_array.c
> +++ b/lib/assoc_array.c
> @@ -597,21 +597,31 @@ static bool assoc_array_insert_into_terminal_node(struct assoc_array_edit *edit,
>   if ((edit->segment_cache[ASSOC_ARRAY_FAN_OUT] ^ base_seg) == 0)
>   goto all_leaves_cluster_together;
>  
> - /* Otherwise we can just insert a new node ahead of the old
> - * one.
> + /* Otherwise all the old leaves cluster in the same slot, but
> + * the new leaf wants to go into a different slot - so we
> + * create a new node (n0) to hold the new leaf and a pointer to
> + * a new node (n1) holding all the old leaves.
> + *
> + * This can be done by falling through to the node splitting
> + * path.
>   */
> - goto present_leaves_cluster_but_not_new_leaf;
> + pr_devel("present leaves cluster but not new leaf\n");
>   }
>  
>  split_node:
>   pr_devel("split node\n");
>  
> - /* We need to split the current node; we know that the node doesn't
> - * simply contain a full set of leaves that cluster together (it
> - * contains meta pointers and/or non-clustering leaves).
> + /* We need to split the current node.  The node must contain anything
> + * from a single leaf (in the one leaf case, this leaf will cluster
> + * with the new leaf) and the rest meta-pointers, to all leaves, some
> + * of which may cluster.
> + *
> + * It won't contain the case in which all the current leaves plus the
> + * new leaves want to cluster in the same slot.
>   *
>   * We need to expel at least two leaves out of a set consisting of the
> - * leaves in the node and the new leaf.
> + * leaves in the node and the new leaf.  The current meta pointers can
> + * just be copied as they shouldn't cluster with any of the leaves.
>   *
>   * We need a new node (n0) to replace the current one and a new node to
>   * take the expelled nodes (n1).
> @@ -716,33 +726,6 @@ found_slot_for_multiple_occupancy:
>   pr_devel("<--%s() = ok [split node]\n", __func__);
>   return true;
>  
> -present_leaves_cluster_but_not_new_leaf:
> - /* All the old leaves cluster in the same slot, but the new leaf wants
> - * to go into a different slot, so we create a new node to hold the new
> - * leaf and a pointer to a new node holding all the old leaves.
> - */
> - pr_devel("present leaves cluster but not new leaf\n");
> -
> - new_n0->back_pointer = node->back_pointer;
> - new_n0->parent_slot = node->parent_slot;
> - new_n0->nr_leaves_on_branch = node->nr_leaves_on_branch;
> - new_n1->back_pointer = assoc_array_node_to_ptr(new_n0);
> - new_n1->parent_slot = edit->segment_cache[0];
> - new_n1->nr_leaves_on_branch = node->nr_leaves_on_branch;
> - edit->adjust_count_on = new_n0;
> -
> - for (i = 0; i < ASSOC_ARRAY_FAN_OUT; i++)
> - new_n1->slots[i] = node->slots[i];
> -
> - new_n0->slots[edit->segment_cache[0]] = assoc_array_node_to_ptr(new_n0);
> - edit->leaf_p = &new_n0->slots[edit->segment_cache[ASSOC_ARRAY_FAN_OUT]];
> -
> - edit->set[0].ptr = &assoc_array_ptr_to_node(node->back_pointer)->slots[node->parent_slot];
> - edit->set[0].to = assoc_array_node_to_ptr(new_n0);
> - edit->excised_meta[0] = assoc_array_node_to_ptr(node);
> - pr_devel("<--%s() = ok [insert node before]\n", __func__);
> - return true;
> -
>  all_leaves_cluster_together:
>   /* All the leaves, new and old, want to cluster together in this node
>   * in the same slot, so we have to replace this node with a shortcut to
>


APPLIED: [T][SRU][PATCH 0/1] Fix for CVE-2017-12193

Khaled Elmously
Applied to trusty


On 2018-06-06 16:52:38 , Po-Hsu Lin wrote:

> [SRU Justification]
> The assoc_array_insert_into_terminal_node function in lib/assoc_array.c in
> the Linux kernel before 4.13.11 mishandles node splitting, which allows
> local users to cause a denial of service (NULL pointer dereference and
> panic) via a crafted application, as demonstrated by the keyring key type,
> and key addition and link creation operations.
>
> The "add_key04" test from the LTP syscall tests will cause a kernel oops on a
> testing node with the Trusty kernel installed, and it will make incoming ssh
> connections hang (bug 1775158).
>
> [Test Case]
> This issue can easily be reproduced with the "add_key04" test from the LTP
> syscall test suite.
>
> Steps (with root):
>   1. sudo apt-get install git -y
>   2. git clone --depth=1 https://github.com/linux-test-project/ltp.git
>   3. cd ltp
>   4. make autotools
>   5. ./configure
>   6. make; make install
>   7. /opt/ltp/testcases/bin/add_key04
>
> Test result before the patch:
> ubuntu@amaura:/opt/ltp/testcases/bin$ sudo ./add_key04
> tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
> add_key04.c:82: FAIL: kernel oops while filling keyring
>
> Summary:
> passed 0
> failed 1
> skipped 0
> warnings 0
>
> [52399.298894] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
> [52399.298918] IP: [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
> [52399.298938] PGD 8000000455a3a067 PUD 45725f067 PMD 0
> [52399.298952] Oops: 0002 [#1] SMP
> [52399.298963] Modules linked in: cfg80211 ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi dm_crypt joydev hid_generic x86_pkg_temp_thermal coretemp kvm_intel kvm usbhid hid lpc_ich shpchp mac_hid crct10dif_pclmul crc32_pclmul i915_bdw ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper igb cryptd ahci dca ptp libahci pps_core intel_ips i2c_algo_bit drm_kms_helper video drm
> [52399.299100] CPU: 7 PID: 9559 Comm: add_key04 Not tainted 3.13.0-149-generic #199-Ubuntu
> [52399.299118] Hardware name: Intel Corporation S1200RP/S1200RP, BIOS S1200RP.86B.03.02.0003.070120151022 07/01/2015
> [52399.299142] task: ffff880457b43000 ti: ffff88045a2e2000 task.ti: ffff88045a2e2000
> [52399.299159] RIP: 0010:[<ffffffff81387a77>] [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
> [52399.299182] RSP: 0018:ffff88045a2e3df0 EFLAGS: 00010202
> [52399.299194] RAX: 0000000000000010 RBX: ffff88045a2e3e78 RCX: 0000000000000000
> [52399.299211] RDX: ffff88045a1d1741 RSI: ffff880456028880 RDI: ffff880456028800
> [52399.299228] RBP: ffff88045a2e3df0 R08: 0000000000016880 R09: ffffffff812dba97
> [52399.299244] R10: ffff880460803c00 R11: 00000000ddf32900 R12: ffff880456f7f680
> [52399.299261] R13: ffff88045a1d09c0 R14: 0000000000000000 R15: 0000000000000000
> [52399.299278] FS: 00007ff43fc39740(0000) GS:ffff8804704e0000(0000) knlGS:0000000000000000
> [52399.299297] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [52399.299311] CR2: 0000000000000010 CR3: 000000045514c000 CR4: 0000000000360770
> [52399.299328] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
> [52399.299344] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
> [52399.299361] Stack:
> [52399.299366] ffff88045a2e3e08 ffffffff812d7a33 0000000000000000 ffff88045a2e3e50
> [52399.299387] ffffffff812d57a7 ffff88045a1d0a30 ffff88045a2e3e78 ffff880456f7f681
> [52399.299407] 000000003f010000 ffff880456f7f380 ffff88045a1d09c0 ffff880457b43000
> [52399.299427] Call Trace:
> [52399.299436] [<ffffffff812d7a33>] __key_link+0x33/0x40
> [52399.299450] [<ffffffff812d57a7>] __key_instantiate_and_link+0x87/0xf0
> [52399.299467] [<ffffffff812d66de>] key_create_or_update+0x32e/0x420
> [52399.299482] [<ffffffff812d7e20>] SyS_add_key+0x110/0x210
> [52399.299497] [<ffffffff8109ea6c>] ? schedule_tail+0x5c/0xb0
> [52399.299512] [<ffffffff81748830>] system_call_fastpath+0x1a/0x1f
> [52399.299526] Code: 48 85 d2 74 0a 48 8b 8f e8 00 00 00 48 89 0a 48 83 c0 08 48 39 f0 75 e4 48 8b 87 00 01 00 00 48 85 c0 74 0a 48 8b 97 08 01 00 00 <48> 89 10 48 8b 87 10 01 00 00 48 85 c0 74 0a 48 8b 97 18 01 00
> [52399.299625] RIP [<ffffffff81387a77>] assoc_array_apply_edit+0x67/0x110
> [52399.299642] RSP <ffff88045a2e3df0>
> [52399.299650] CR2: 0000000000000010
> [52399.302015] ---[ end trace 0f3e00901ea9f056 ]---
>
> Test result after the patch:
> $ sudo /opt/ltp/testcases/bin/add_key04
> tst_test.c:1015: INFO: Timeout per run is 0h 05m 00s
> add_key04.c:80: PASS: didn't crash while filling keyring
>
> Summary:
> passed 1
> failed 0
> skipped 0
> warnings 0
>
> [Regression-potential]
> Low risk for causing regression.
> No additional function was added, only an identifier got removed.
> This fix has already landed in Xenial / Artful, and it has been in the mainline
> tree since then.
>
> David Howells (1):
>   assoc_array: Fix a buggy node-splitting case
>
>  lib/assoc_array.c | 51 +++++++++++++++++----------------------------------
>  1 file changed, 17 insertions(+), 34 deletions(-)
>
> --
> 1.9.1
>
>
> --
> kernel-team mailing list
> [hidden email]
> https://lists.ubuntu.com/mailman/listinfo/kernel-team
