*** This bug is a security vulnerability ***

You have been subscribed to a public security bug by Seth Arnold (seth-arnold):

A NULL pointer dereference was discovered in “tcp_splice_read”. The problem was 
originally found by syzbot, 
https://syzkaller.appspot.com/bug?id=506214c97a1af183589a4caf4a8fa162a9f56cbd. 
It is reproduced by the root user in a Docker container or on the host
on Ubuntu 18.04.6 LTS with Linux 4.15.0-163-generic. It is also reproduced on Ubuntu 
18.04.6 LTS with Linux Ubuntu-4.15.0-164.172.
The bug reproducer is built from 
https://raw.githubusercontent.com/dvyukov/syzkaller-repros/master/linux/506214c97a1af183589a4caf4a8fa162a9f56cbd.c.
It doesn't reproduce on Ubuntu 20.04.3 LTS with Linux 5.4.0-91-generic or on 
Linux mainline v5.16-rc4. Mainline commit 07603b230895 (ChangeLog-5.1) fixes the 
issue of propagating the file from the SMC socket to the TCP socket.

These are the steps to reproduce in a Docker container:
-----------------------------------------------------------
docker pull ubuntu
docker run -ti ubuntu bash
apt update
apt install gcc wget
wget https://raw.githubusercontent.com/dvyukov/syzkaller-repros/master/linux/506214c97a1af183589a4caf4a8fa162a9f56cbd.c
gcc ./506214c97a1af183589a4caf4a8fa162a9f56cbd.c -static -pthread -o 506214c97a1af183589a4caf4a8fa162a9f56cbd
./506214c97a1af183589a4caf4a8fa162a9f56cbd

The resulting kernel crash: 
----------------------------------------
root@2d6b356e151a:/# ./506214c97a1af183589a4caf4a8fa162a9f56cbd
BUG: unable to handle kernel NULL pointer dereference at 0000000000000041
IP: tcp_splice_read+0x5f/0x2b0
PGD 8000000133bd3067 P4D 8000000133bd3067 PUD 12e34b067 PMD 0 
Oops: 0000 [#1] SMP PTI
Dumping ftrace buffer:
   (ftrace buffer empty)
Modules linked in: smc veth xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4 
nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype iptable_filter 
iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack 
br_netfilter bridge t
 sysimgblt aesni_intel fb_sys_fops aes_x86_64 crypto_simd glue_helper cryptd 
psmouse drm floppy e1000 virtio_blk pata_acpi i2c_piix4
CPU: 1 PID: 4601 Comm: 506214c97a1af18 Not tainted 4.15.0-163-generic #171-Ubuntu
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:tcp_splice_read+0x5f/0x2b0
RSP: 0018:ffffb50cc381fdb0 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff9079f86952c0 RCX: 0000000000010000
RDX: 0000000000000000 RSI: 00000000fffffe01 RDI: ffffffff95e523a0
RBP: ffffb50cc381fe20 R08: 0000000000000002 R09: ffffffffc096e2c0
R10: 0000000000000000 R11: 0000000000000000 R12: ffff9079f1af7c40
R13: ffffffffffffffe3 R14: ffff9079edeebbd8 R15: 0000000000010000
FS:  0000000001a56880(0000) GS:ffff9079ffd00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000041 CR3: 00000001309b2001 CR4: 0000000000360ee0
Call Trace:
 smc_splice_read+0x96/0xa0 [smc]
 sock_splice_read+0x25/0x30
 do_splice_to+0x79/0x90
 SyS_splice+0x6dd/0x730
 do_syscall_64+0x73/0x130
 entry_SYSCALL_64_after_hwframe+0x41/0xa6

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-163-generic 4.15.0-163.171
ProcVersionSignature: Ubuntu 4.15.0-163.171-generic 4.15.18
Uname: Linux 4.15.0-163-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116,  1 Dec  7 15:27 seq
 crw-rw---- 1 root audio 116, 33 Dec  7 15:27 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay': 'aplay'
ApportVersion: 2.20.9-0ubuntu7.27
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord': 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', 
'/dev/snd/timer'] failed with exit code 1:
Date: Tue Dec  7 15:28:46 2021
InstallationDate: Installed on 2021-11-29 (7 days ago)
InstallationMedia: Ubuntu-Server 18.04.6 LTS "Bionic Beaver" - Release amd64 
(20210915)
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig': 'iwconfig'
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
PciMultimedia:
 
ProcEnviron:
 TERM=vt220
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcFB: 0 bochsdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.15.0-163-generic 
root=UUID=8688c2d4-18cc-4c67-b9a9-dc3d4f4ed3f2 ro console=ttyS0 oops=panic 
panic=86400 ftrace_dump_on_oops=orig_cpu slub_debug=FZ maybe-ubiquity 
crashkernel=512M-:192M
RelatedPackageVersions:
 linux-restricted-modules-4.15.0-163-generic N/A
 linux-backports-modules-4.15.0-163-generic  N/A
 linux-firmware                              1.173.20
RfKill: Error: [Errno 2] No such file or directory: 'rfkill': 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: 1.13.0-1ubuntu1.1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-focal
dmi.modalias: 
dmi:bvnSeaBIOS:bvr1.13.0-1ubuntu1.1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-focal:cvnQEMU:ct1:cvrpc-i440fx-focal:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-focal
dmi.sys.vendor: QEMU

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: New


** Tags: amd64 apport-bug bionic uec-images
-- 
NULL pointer dereference in tcp_splice_read
https://bugs.launchpad.net/bugs/1953520

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

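An oops like the one pasted above carries everything a responder needs for first-pass triage: the faulting address (which should agree with CR2), the faulting symbol and offset, the kernel release and taint state, the loaded-module list, and the call trace with its module annotations and syscall entry point. The following Python, added here as an example and not part of the bug report or of any Ubuntu or syzkaller tooling, parses that text into a structured record. The sample input is the report's own crash lines, trimmed and with the wrapped CPU line joined (constructed input); the `Oops` and `Frame` classes, the regexes and the method names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the oops lines from the bug report above, with the wrapped
# CPU line joined and the ftrace and module-list noise trimmed.
SAMPLE_OOPS = """\
BUG: unable to handle kernel NULL pointer dereference at 0000000000000041
IP: tcp_splice_read+0x5f/0x2b0
Modules linked in: smc veth xt_conntrack ipt_MASQUERADE nf_nat_masquerade_ipv4
CPU: 1 PID: 4601 Comm: 506214c97a1af18 Not tainted 4.15.0-163-generic #171-Ubuntu
RIP: 0010:tcp_splice_read+0x5f/0x2b0
CR2: 0000000000000041 CR3: 00000001309b2001 CR4: 0000000000360ee0
Call Trace:
 smc_splice_read+0x96/0xa0 [smc]
 sock_splice_read+0x25/0x30
 do_splice_to+0x79/0x90
 SyS_splice+0x6dd/0x730
 do_syscall_64+0x73/0x130
 entry_SYSCALL_64_after_hwframe+0x41/0xa6
"""

# "symbol+0xoff/0xsize", optional "? " (unreliable frame) and " [module]" suffix
FRAME_RE = re.compile(r"^\s*(?P<unreliable>\? )?(?P<sym>[A-Za-z_.][\w.]*)"
                      r"\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+)(?: \[(?P<mod>\w+)\])?")
TAINT_RE = re.compile(r"\b(Not tainted|Tainted: .*?)\s+(\d+\.\d+\.\S+)\s+#")
SYSCALL_RE = re.compile(r"^(SyS_|sys_|__x64_sys_|__se_sys_|__do_sys_)")


@dataclass
class Frame:
    symbol: str
    offset: int
    size: int
    module: Optional[str]  # None for built-in (vmlinux) code
    reliable: bool         # False for frames the unwinder marked with "? "


@dataclass
class Oops:
    message: str               # BUG: line without the address
    fault_addr: Optional[int]  # address from the BUG: line
    cr2: Optional[int]         # page-fault address register, should equal fault_addr
    ip: Optional[Frame]        # faulting instruction (RIP / IP line)
    kernel: Optional[str]      # release string from the CPU: line
    tainted: bool
    modules: List[str]         # "Modules linked in:" order
    trace: List[Frame]         # Call Trace frames, innermost first

    def is_null_page_fault(self, page_size=4096):
        # fault in the zero page: NULL plus a small struct-field offset
        return self.fault_addr is not None and self.fault_addr < page_size

    def syscall_entry(self):
        # outermost syscall handler, i.e. the user-space entry point into the bug
        return next((f.symbol for f in self.trace if SYSCALL_RE.match(f.symbol)), None)

    def modules_on_path(self):
        # loadable modules that appear in the trace, innermost first, deduplicated
        return list(dict.fromkeys(f.module for f in self.trace if f.module))


def parse_frame(text):
    m = FRAME_RE.match(text)
    return Frame(m["sym"], int(m["off"], 16), int(m["size"], 16),
                 m["mod"], m["unreliable"] is None) if m else None


def parse_oops(text):
    o = Oops("", None, None, None, None, False, [], [])
    in_trace = False
    for line in text.splitlines():
        line = line.strip()
        if in_trace:
            f = parse_frame(line)
            if f is not None:
                o.trace.append(f)
                continue
            in_trace = False  # first non-frame line ends the trace
        if line.startswith("BUG: "):
            m = re.match(r"BUG: (.*?)(?: at ([0-9a-f]{8,16}))?$", line)
            o.message = m.group(1)
            o.fault_addr = int(m.group(2), 16) if m.group(2) else None
        elif line.startswith("RIP: "):
            o.ip = parse_frame(line.split(":", 2)[2])   # "RIP: 0010:sym+0x../0x.."
        elif line.startswith("IP: "):
            o.ip = parse_frame(line[4:])                 # older "IP: sym+0x../0x.." form
        elif line.startswith("Modules linked in:"):
            o.modules = line.split(":", 1)[1].split()
        elif line.startswith("CPU: "):
            m = TAINT_RE.search(line)
            if m:
                o.tainted, o.kernel = m.group(1) != "Not tainted", m.group(2)
        elif line.startswith("CR2: "):
            o.cr2 = int(line.split()[1], 16)
        elif line == "Call Trace:":
            in_trace = True
    return o
```

Run against the sample, `parse_oops` reports a zero-page fault at 0x41 (a field at a small offset from a NULL struct pointer, matching CR2) inside `tcp_splice_read`, reached from user space through `SyS_splice` with `smc` the only loadable module on the path. The "? " handling matters on real dmesg output: the unwinder prints guessed frames with that prefix, and a parser that rejects them would truncate the trace at the first one.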