Yes, it happened once with 4.18.0-17 (see kernel.log below) and once with
4.15.0-48. Haven't seen this one on 4.15.0-46-generic or
4.15.0-47-generic before.


Apr 17 18:51:53  Linux version 4.18.0-17-generic (buildd@lgw01-amd64-021) (gcc 
version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #18~18.04.1-Ubuntu SMP Fri Mar 15 
15:27:12 UTC 2019 (Ubuntu 4.18.0-17.18~18.04.1-generic 4.18.20)
Apr 17 18:51:53  Command line: BOOT_IMAGE=/boot/vmlinuz-4.18.0-17-generic 
root=UUID=7d58d6b0-bdf2-4a7b-bfde-d28a5ea498f6 ro
[...]
Apr 17 21:01:31  CIFS VFS: error -95 on ioctl to get interface list
[...]
Apr 17 21:43:48  perf: interrupt took too long (6290 > 6260), lowering 
kernel.perf_event_max_sample_rate to 31750
Apr 17 21:57:28  BUG: unable to handle kernel NULL pointer dereference at 
0000000000000038
Apr 17 21:57:28  PGD 0 P4D 0
Apr 17 21:57:28  Oops: 0000 [#1] SMP PTI
Apr 17 21:57:28  CPU: 13 PID: 21224 Comm: kworker/13:2 Not tainted 
4.18.0-17-generic #18~18.04.1-Ubuntu
Apr 17 21:57:28  Hardware name: Dell Inc. PowerEdge R900/0X947H, BIOS 1.2.0 
11/11/2010
Apr 17 21:57:28  Workqueue: cifsoplockd cifs_oplock_break [cifs]
Apr 17 21:57:28  RIP: 0010:smb2_push_mandatory_locks+0xd5/0x5d0 [cifs]
Apr 17 21:57:28  Code: b0 49 39 c6 0f 84 2d 01 00 00 c7 45 c4 00 00 00 00 [...]
Apr 17 21:57:28  RSP: 0018:ffff9f6d481d7de8 EFLAGS: 00010246
Apr 17 21:57:28  RAX: 0000000000000000 RBX: ffff94016f151798 RCX: 
ffffe793bfc47c00
Apr 17 21:57:28  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 
ffff9401711f0000
Apr 17 21:57:28  RBP: ffff9f6d481d7e38 R08: 0000000000028160 R09: 
ffffe793bfc47c00
Apr 17 21:57:28  R10: 0000000000000002 R11: ffff9401711e0000 R12: 
0000000000000aaa
Apr 17 21:57:28  R13: ffff94016f151798 R14: ffff94016f151780 R15: 
ffff94016e435e00
Apr 17 21:57:28  FS:  0000000000000000(0000) GS:ffff94017f140000(0000) 
knlGS:0000000000000000
Apr 17 21:57:28  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 17 21:57:28  CR2: 0000000000000038 CR3: 0000000fdb406000 CR4: 
00000000000006e0
Apr 17 21:57:28  Call Trace:
Apr 17 21:57:28   ? cifs_revalidate_mapping+0x45/0x90 [cifs]
Apr 17 21:57:28   cifs_oplock_break+0x124/0x410 [cifs]
Apr 17 21:57:28   process_one_work+0x1fd/0x3f0
Apr 17 21:57:28   worker_thread+0x34/0x410
Apr 17 21:57:28   kthread+0x121/0x140
Apr 17 21:57:28   ? process_one_work+0x3f0/0x3f0
Apr 17 21:57:28   ? kthread_create_worker_on_cpu+0x70/0x70
Apr 17 21:57:28   ret_from_fork+0x35/0x40
Apr 17 21:57:28  Modules linked in: ipmi_si mpt3sas raid_class mptctl mptbase 
arc4 md4 cmac nls_utf8 cifs ccm fscache nf_conntrack_ipv4 nf_defrag_ipv4 
xt_conntrack nf_conntrack libcrc32c iptable_filter bpfilter dell_rbu 
binfmt_misc ipmi_ssif radeon ttm drm_kms_helper coretemp drm i2c_algo_bit 
fb_sys_fops syscopyarea sysfillrect gpio_ich kvm lpc_ich input_leds joydev 
sysimgblt ipmi_devintf irqbypass sch_fq_codel serio_raw dcdbas ipmi_msghandler 
mac_hid i7300_edac bonding lp parport ip_tables x_tables autofs4 ses enclosure 
scsi_transport_sas hid_generic usbhid hid psmouse bnx2 megaraid_sas pata_acpi 
[last unloaded: ipmi_si]
Apr 17 21:57:28  CR2: 0000000000000038
Apr 17 21:57:28  ---[ end trace 6742ba53428dc499 ]---
Apr 17 21:57:28  RIP: 0010:smb2_push_mandatory_locks+0xd5/0x5d0 [cifs]
Apr 17 21:57:28  Code: b0 49 39 c6 0f 84 2d 01 00 00 c7 45 c4 00 00 00 00 [...]
Apr 17 21:57:28  RSP: 0018:ffff9f6d481d7de8 EFLAGS: 00010246
Apr 17 21:57:28  RAX: 0000000000000000 RBX: ffff94016f151798 RCX: 
ffffe793bfc47c00
Apr 17 21:57:28  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 
ffff9401711f0000
Apr 17 21:57:28  RBP: ffff9f6d481d7e38 R08: 0000000000028160 R09: 
ffffe793bfc47c00
Apr 17 21:57:28  R10: 0000000000000002 R11: ffff9401711e0000 R12: 
0000000000000aaa
Apr 17 21:57:28  R13: ffff94016f151798 R14: ffff94016f151780 R15: 
ffff94016e435e00
Apr 17 21:57:28  FS:  0000000000000000(0000) GS:ffff94017f140000(0000) 
knlGS:0000000000000000
Apr 17 21:57:28  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Apr 17 21:57:28  CR2: 0000000000000038 CR3: 0000000fdb406000 CR4: 
00000000000006e0
Apr 17 21:58:55  perf: interrupt took too long (7881 > 7862), lowering 
kernel.perf_event_max_sample_rate to 25250

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824981

Title:
  cifs set_oplock buffer overflow in strcat

Status in linux package in Ubuntu:
  Confirmed

Bug description:
  Ubuntu 18.04.2 LTS
  Linux SRV013 4.15.0-47-generic #50-Ubuntu SMP Wed Mar 13 10:44:52 UTC 2019 
x86_64 x86_64 x86_64 GNU/Linux

  DELL R740, 2 CPU (40 Cores, 80 Threads), 384 GiB RAM

  top - 12:39:53 up  3:41,  4 users,  load average: 66.19, 64.06, 76.90
  Tasks: 1076 total,   1 running, 675 sleeping,  12 stopped,   1 zombie
  %Cpu(s): 28.2 us,  0.3 sy,  0.0 ni, 71.5 id,  0.0 wa,  0.0 hi,  0.1 si,  0.0 
st
  KiB Mem : 39483801+total, 24077185+free, 57428284 used, 96637872 buff/cache
  KiB Swap:   999420 total,   999420 free,        0 used. 33477683+avail Mem


  We've seen the following bug many times since we introduced new
  machines running Ubuntu 18. Wasn't an issue on older machines running
  Ubuntu 16. Three different machines are affected, so it's probably not a
  hardware issue.

  
  | detected buffer overflow in strcat
  | ------------[ cut here ]------------
  | kernel BUG at /build/linux-6ZmFRN/linux-4.15.0/lib/string.c:1052!
  | invalid opcode: 0000 [#1] SMP PTI
  | Modules linked in: [...]
  | Hardware name: Dell Inc. PowerEdge R740/0923K0, BIOS 1.6.11 11/20/2018
  | RIP: 0010:fortify_panic+0x13/0x22
  |  [...]
  | Call Trace:
  |  smb21_set_oplock_level+0x147/0x1a0 [cifs]
  |  smb3_set_oplock_level+0x22/0x90 [cifs]
  |  smb2_set_fid+0x76/0xb0 [cifs]
  |  cifs_new_fileinfo+0x259/0x390 [cifs]
  |  ? smb2_get_lease_key+0x40/0x40 [cifs]
  |  ? cifs_new_fileinfo+0x259/0x390 [cifs]
  |  cifs_open+0x3db/0x8d0 [cifs]
  |  [...]

  (Full dmesg output attached)

  After hitting this bug there are many cifs related dmesg entries,
  processes lock up and eventually the systems freeze.

  
  The share is mounted using:
  //server/share  /mnt/server/ cifs 
defaults,auto,iocharset=utf8,noperm,file_mode=0777,dir_mode=0777,credentials=/root/passwords/share,domain=myDomain,uid=myUser,gid=10513,mfsymlinks

  Currently we're testing the cifs mount option "cache=none" as the bug
  seems to be oplock related.
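As an added triage example (not part of the bug report or of the kernel's own code): a small Python scanner that groups syslog-style kernel log lines into oops records and flags those whose [cifs] frames match the two oplock traces quoted in this bug (the fortify strcat panic under smb21_set_oplock_level and the NULL dereference in smb2_push_mandatory_locks from the cifsoplockd workqueue), so recurrences can be counted across hosts before a machine freezes. It assumes "Mon DD HH:MM:SS" timestamps as in the kernel.log above; the sample log is constructed from the two traces, with made-up timestamps and end-trace id for the first one.

```python
import re
from dataclasses import dataclass, field

# Lines that open an oops record; both forms appear in this bug's traces.
TRIGGERS = ("detected buffer overflow in strcat",
            "BUG: unable to handle kernel NULL pointer dereference")
# cifs symbols from the two traces in this bug; any of them among the [cifs] frames marks the oops as oplock-related.
OPLOCK_SYMBOLS = {"smb21_set_oplock_level", "smb3_set_oplock_level",
                  "smb2_push_mandatory_locks", "cifs_oplock_break"}
SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)\s+(?P<msg>.*)$")
CIFS_FRAME_RE = re.compile(r"(\w+)\+0x[0-9a-f]+/0x[0-9a-f]+ \[cifs\]")
@dataclass
class OopsEvent:
    timestamp: str
    trigger: str
    cifs_frames: list = field(default_factory=list)  # RIP / Call Trace symbols living in [cifs]
    @property
    def oplock_related(self) -> bool:
        return any(f in OPLOCK_SYMBOLS for f in self.cifs_frames)

def parse_oops(lines):
    # A trigger line opens a record; the '---[ end trace' marker (or end of input) closes it.
    events, current = [], None
    for raw in lines:
        m = SYSLOG_RE.match(raw)
        ts, msg = (m["ts"], m["msg"]) if m else ("?", raw.strip())
        if current is None:
            current = next((OopsEvent(ts, t) for t in TRIGGERS if t in msg), None)
            continue
        current.cifs_frames.extend(CIFS_FRAME_RE.findall(msg))  # non-cifs frames (e.g. fortify_panic) are skipped
        if msg.startswith("---[ end trace"):
            events.append(current)
            current = None
    if current is not None:  # log ended (or was cut off) before the end marker
        events.append(current)
    return events

# Constructed sample condensed from this bug's two traces; the first trace's timestamps and end-trace id are placeholders.
SAMPLE_LOG = """\
Apr 12 12:39:53  detected buffer overflow in strcat
Apr 12 12:39:53  RIP: 0010:fortify_panic+0x13/0x22
Apr 12 12:39:53   smb21_set_oplock_level+0x147/0x1a0 [cifs]
Apr 12 12:39:53  ---[ end trace 0000000000000000 ]---
Apr 17 21:57:28  BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
Apr 17 21:57:28  RIP: 0010:smb2_push_mandatory_locks+0xd5/0x5d0 [cifs]
Apr 17 21:57:28   ? cifs_revalidate_mapping+0x45/0x90 [cifs]
Apr 17 21:57:28   cifs_oplock_break+0x124/0x410 [cifs]
Apr 17 21:57:28  ---[ end trace 6742ba53428dc499 ]---
"""
```

Run it over `/var/log/kern.log` on each affected host with `parse_oops(open(path))` and count the events whose `oplock_related` is true; a trace that is cut short by the freeze is still reported.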
