[Kernel-packages] [Bug 1743792] Re: kernel panic on ioctl(TUNSETIFF) with a dev name with '/'

2019-05-17 Thread Akihiro Suda
Thanks!

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1743792

Title:
  kernel panic on ioctl(TUNSETIFF) with a dev name with '/'

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  Executing the attached program with either `sudo` or `unshare -r -n` causes a kernel panic.
  Mostly running just once is enough to hit the issue, but not 100% deterministic.

  [  121.718035] BUG: unable to handle kernel NULL pointer dereference at   
(null)   
  [  121.726006] IP:   (null)
  [  121.729333] PGD 0   
  [  121.729334] P4D 0   
  [  121.731445] 
  [  121.735149] Oops: 0010 [#1] SMP PTI 
  [  121.738747] Modules linked in: nf_conntrack_netlink nfnetlink xfrm_user 
xfrm_algo xt_addrtype xt_conntrack br_netfilter overlay xt_CHECKSUM 
iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat 
nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 n
  f_nat nf_conntrack xt_tcpudp bridge stp llc ip6table_filter ip6_tables 
iptable_filter binfmt_misc zfs(PO) zunicode(PO) zavl(PO) zcommon(PO) 
znvpair(PO) spl(O) ppdev input_leds mac_hid i2c_piix4 pvpanic parport_pc 
parport sb_edac serio_raw intel_rapl_perf
   ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi 
scsi_transport_iscsi ip_tables x_tables autofs4 btrfs raid10 raid456 
async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq 
libcrc32c raid1 raid0 multipath linear crct1
  0dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc  
  [  121.809474]  aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse 
virtio_net virtio_scsi   
  [  121.818453] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P   O
4.13.0-25-generic #29-Ubuntu
  [  121.827338] Hardware name: Google Google Compute Engine/Google Compute 
Engine, BIOS Google 01/01/2011   
  [  121.836674] task: ad212480 task.stack: ad20
 
  [  121.842693] RIP: 0010:  (null)  
  [  121.846544] RSP: 0018:9e253fc03e80 EFLAGS: 00010206 
  [  121.851868] RAX:  RBX: 0100 RCX: 
0100   
  [  121.859111] RDX:  RSI:  RDI: 
   
  [  121.866438] RBP: 9e253fc03eb0 R08: fff8 R09: 
000f   
  [  121.873680] R10: 45fc5cc2 R11: 0edc6924 R12: 
9e253fc03ed0   
  [  121.880918] R13: 9e251a7ef140 R14:  R15: 
   
  [  121.888158] FS:  () GS:9e253fc0() 
knlGS:
  [  121.896377] CS:  0010 DS:  ES:  CR0: 80050033  
 
  [  121.902225] CR2:  CR3: 00035b60a003 CR4: 
001606f0   
  [  121.909463] DR0:  DR1:  DR2: 
   
  [  121.916699] DR3:  DR6: fffe0ff0 DR7: 
0400   
  [  121.923935] Call Trace: 
  [  121.926482]
  [  121.928599]  ? call_timer_fn+0x33/0x130 
  [  121.932539]  run_timer_softirq+0x40f/0x470  
  [  121.936738]  ? kvm_clock_get_cycles+0x1e/0x20   
  [  121.941195]  ? ktime_get+0x40/0xa0  
  [  121.944725]  ? native_apic_msr_write+0x2b/0x40  
  [  121.949359]  __do_softirq+0xde/0x2a5
  [  121.953040]  irq_exit+0xb6/0xc0 
  [  121.956290]  smp_apic_timer_interrupt+0x68/0x90 
  [  121.960922]  apic_timer_interrupt+0x9f/0xb0 
  [  121.965206]   
  [  121.967417] RIP: 0010:native_safe_halt+0x6/0x10 
  [  121.972058] RSP: 0018:ad203de0 EFLAGS: 0246 ORIG_RAX: 
ff10  
  [  121.979726] RAX:  RBX: ad212480 RCX: 
   
  [  121.986965] RDX:  RSI:  RDI: 
  

[Kernel-packages] [Bug 1743792] Re: kernel panic on ioctl(TUNSETIFF) with a dev name with '/'

2019-05-16 Thread Tyler Hicks
For anyone coming here for information on CVE-2018-7191,
0ad646c81b2182f7fa67ec0c8c825e0ee165696d is the fix for the CVE and
5c25f65fd1e42685f7ccd80e0621829c105785d9 is a bugfix for the fix.

The other commit mentioned, 93161922c658c714715686cd0cf69b090cb9bf1d, is
unrelated to CVE-2018-7191.
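
One defensive check a tool that builds tun devices from user-supplied names can apply before TUNSETIFF, added here as an example that is not code from this thread or from the kernel patch Tyler Hicks cites: it mirrors the rules the kernel's dev_valid_name() enforces (the check the fix commit moves in front of register_netdevice()), so a name such as "a/b" is rejected in userspace before the kernel ever sees it. The helper names tun_name_is_valid() and open_tun() are assumptions; open_tun() needs CAP_NET_ADMIN to succeed.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <errno.h>
#include <fcntl.h>
#include <net/if.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/if_tun.h>

/* Same rules as the kernel's dev_valid_name(): non-empty, shorter than
 * IFNAMSIZ, not "." or "..", and no '/', ':' or whitespace. */
int tun_name_is_valid(const char *name)
{
    if (name == NULL || *name == '\0')
        return 0;
    if (memchr(name, '\0', IFNAMSIZ) == NULL) /* no room for the NUL */
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (; *name; name++)
        if (*name == '/' || *name == ':' || isspace((unsigned char)*name))
            return 0;
    return 1;
}

/* Hypothetical helper: open /dev/net/tun and attach a TUN device called
 * `name`. Returns the fd, or -1 with errno set; a name that fails the
 * check above is refused with EINVAL instead of being passed to TUNSETIFF. */
int open_tun(const char *name)
{
    struct ifreq ifr;
    int fd;

    if (!tun_name_is_valid(name)) {
        errno = EINVAL;
        return -1;
    }
    fd = open("/dev/net/tun", O_RDWR | O_CLOEXEC);
    if (fd < 0)
        return -1;
    memset(&ifr, 0, sizeof(ifr));
    ifr.ifr_flags = IFF_TUN | IFF_NO_PI;
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    if (ioctl(fd, TUNSETIFF, &ifr) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}
```

The validation alone is what protects an unpatched 4.13 kernel; on a fixed kernel the same bad name simply makes TUNSETIFF fail with EINVAL.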

[Kernel-packages] [Bug 1743792] Re: kernel panic on ioctl(TUNSETIFF) with a dev name with '/'

2019-05-16 Thread Seth Arnold
Thanks for commenting on this issue. I'm sorry we lost track of proper
public attribution for the discovery.

Yes, you may use this CVE publicly. (And thanks for asking.)

** Information type changed from Private Security to Public Security