Public bug reported:

[Impact]

 * Users might hit kernel BUG/Oops/crash with fuse filesystems
   on Xenial kernel 4.4.0-222.255 and later (backport from 4.9),
   including the derivative/optimized kernels (linux-aws below).

 * Introduced by the backport from 4.9 for CVE-2020-36322 [1]
   [1] https://ubuntu.com/security/CVE-2020-36322

 * Offending commit 8deb786162e1 ("fuse: fix bad inode")
 
   linux-xenial$ git log --oneline origin/master-prep -- fs/fuse/dir.c | head -n1
   8deb786162e1 fuse: fix bad inode

   linux-xenial$ git describe --contains 8deb786162e1
   Ubuntu-4.4.0-222.255~6
   
[Fix]

  * Check for non-NULL inode pointer before fuse_is_bad(inode)
    in fuse_direntplus_link().
    
  * (This is the only modified function/patch hunk which seems
    to have issues; all others dereference 'inode' w/out check
    at some point, even before this patch).

[Test Case]

 * Not available at the moment.
 
[Regression Potential]

 * Probably none, as this changes the hunk/code behavior to
   what it was before the offending patch/backport w/ issue
   was applied (where fuse_is_bad() wasn't called at all if
   inode is NULL), and makes sense with the patch applied;
   also, this same form is used in another hunk, where NULL
   was checked.
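To make the [Fix] and the [Regression Potential] note concrete, here is a small model added to this report (it is not the kernel's fs/fuse code or Ubuntu's patch): the struct layout, the FUSE_I_BAD bit number and the sample inodes are assumptions, and the two link functions show the backport's shape (fuse_is_bad() reached with a NULL inode from a negative dentry) beside the guarded shape that checks the pointer first.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Kernel-style container_of: recover the enclosing fuse_inode from its inode. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
#define get_fuse_inode(i) container_of(i, struct fuse_inode, inode)
#define FUSE_I_BAD 0	/* bit number chosen for this model, not the kernel's */

struct inode { unsigned int i_mode; };
struct fuse_inode {
	unsigned long nodeid;
	unsigned long state;	/* FUSE_I_BAD set => the inode is bad */
	struct inode inode;
};

/* Reads through the pointer: with inode == NULL this is a NULL dereference
 * at a small positive offset, the pattern the Oops below shows (CR2 = 0x2c0). */
static bool fuse_is_bad(struct inode *inode)
{
	return (get_fuse_inode(inode)->state & (1UL << FUSE_I_BAD)) != 0;
}

enum { LINK_OK = 0, LINK_NEGATIVE = 1 };

/* Backport shape: fuse_is_bad() runs before anything proves inode != NULL,
 * so a negative dentry (inode == NULL) from the lookup faults here. */
static int link_unguarded(struct inode *inode)
{
	return fuse_is_bad(inode) ? -EIO : LINK_OK;
}

/* Fixed shape from [Fix]: test the pointer first, then the bad-inode bit. */
static int link_guarded(struct inode *inode)
{
	if (!inode)
		return LINK_NEGATIVE;	/* negative dentry: nothing to validate */
	return fuse_is_bad(inode) ? -EIO : LINK_OK;
}

/* Constructed sample inodes (not taken from the report). */
static struct fuse_inode sample_good = { .nodeid = 2, .state = 0 };
static struct fuse_inode sample_bad = { .nodeid = 3, .state = 1UL << FUSE_I_BAD };

int main(void)
{
	printf("good=%d bad=%d negative=%d\n", link_guarded(&sample_good.inode),
	       link_guarded(&sample_bad.inode), link_guarded(NULL));
}
```

Only link_guarded() is safe to call with NULL; link_unguarded(NULL) reproduces the fault the stacktrace reports rather than returning.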

[Example Stacktrace]

        kernel: BUG: unable to handle kernel NULL pointer dereference at 00000000000002c0
        kernel: IP: [<ffffffff8132ae16>] fuse_readdir+0x376/0x700
        kernel: PGD 1e3e02c067 PUD 1c8b2aa067 PMD 0
        kernel: Oops: 0000 [#5] SMP
        kernel: Modules linked in: <...>
        kernel: CPU: 1 PID: 12133 Comm: php-fpm Tainted: G      D         4.4.0-1138-aws #152-Ubuntu
        kernel: Hardware name: Amazon EC2 m5a.8xlarge/, BIOS 1.0 10/16/2017
        kernel: task: ffff881bcf164600 ti: ffff881bcffec000 task.ti: ffff881bcffec000
        kernel: RIP: 0010:[<ffffffff8132ae16>]  [<ffffffff8132ae16>] fuse_readdir+0x376/0x700
        kernel: RSP: 0018:ffff881bcffefe10  EFLAGS: 00010206
        kernel: RAX: ffffc9000524bd00 RBX: 00000000000001a0 RCX: 0000000000000000
        kernel: RDX: 0000000000000001 RSI: ffffc9000524bd00 RDI: ffff881ed25bf3d8
        kernel: RBP: ffff881bcffefea0 R08: 0000000000000000 R09: 0000000000000050
        kernel: R10: ffff881b942a0c68 R11: ffff881ed25bf380 R12: ffff881b942a0bd0
        kernel: R13: ffff880f8ced0d80 R14: ffff881f25cb1800 R15: ffff881ed25bf380
        kernel: FS:  00007f884d100740(0000) GS:ffff880fb8c40000(0000) knlGS:0000000000000000
        kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        kernel: CR2: 00000000000002c0 CR3: 0000001cbc963000 CR4: 00000000003406f0
        kernel: Stack:
        kernel:  ffff881bcffefef0 0000000000441d7f ffff880fb1c6a000 ffff881b942a0bf8
        kernel:  0000000000000000 ffff881f25cb1800 ffffea006e50a800 ffff881b942a0ca0
        kernel:  00000000ae046100 ffff880fae046100 000000361c41ec1e ffff881b942a0c68
        kernel: Call Trace:
        kernel:  [<ffffffff8122d018>] iterate_dir+0x98/0x120
        kernel:  [<ffffffff8112f0db>] ? __audit_syscall_entry+0xab/0xf0
        kernel:  [<ffffffff8122d589>] SyS_getdents+0x99/0x110
        kernel:  [<ffffffff8122d0a0>] ? iterate_dir+0x120/0x120
        kernel:  [<ffffffff81848f9b>] entry_SYSCALL_64_fastpath+0x22/0xd0
        kernel: Code: 49 39 80 38 02 00 00 75 12 41 0f b7 00 41 33 44 24 64 f6 c4 f0 0f 84 72 02 00 00 4c 89 ff 4c 89 45 90 e8 ae 65 f0 ff 4c 8b 45 90 <49> 8b 80 c0 02 00 00 4c 89 ff a8 08 0f 85 67 02 00 00 e8 63 5c
        kernel: RIP  [<ffffffff8132ae16>] fuse_readdir+0x376/0x700
        kernel:  RSP <ffff881bcffefe10>
        kernel: CR2: 00000000000002c0
        kernel: ---[ end trace f89ac23b1e9bb24c ]---

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: linux (Ubuntu Xenial)
     Importance: High
     Assignee: Mauricio Faria de Oliveira (mfo)
         Status: In Progress

** Changed in: linux (Ubuntu)
       Status: New => In Progress

** Also affects: linux (Ubuntu Xenial)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Xenial)
       Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Xenial)
     Assignee: (unassigned) => Mauricio Faria de Oliveira (mfo)

** Changed in: linux (Ubuntu)
       Status: In Progress => Fix Released

** Changed in: linux (Ubuntu)
       Status: Fix Released => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1970482

Title:
  Xenial: kernel BUG/Oops/crash in fuse_readdir() due to CVE-2020-36322
  backport

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  In Progress
