Thanks for commenting on this issue. I'm sorry we lost track of proper public attribution for the discovery.
Yes, you may use this CVE publicly. (And thanks for asking.)

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1743792

Title:
  kernel panic on ioctl(TUNSETIFF) with a dev name with '/'

Status in linux package in Ubuntu:
  Fix Released

Bug description:
  Executing the attached program with either `sudo` or `unshare -r -n`
  causes a kernel panic. Mostly, running it just once is enough to hit the
  issue, but it is not 100% deterministic.

  [  121.718035] BUG: unable to handle kernel NULL pointer dereference at (null)
  [  121.726006] IP: (null)
  [  121.729333] PGD 0
  [  121.729334] P4D 0
  [  121.731445]
  [  121.735149] Oops: 0010 [#1] SMP PTI
  [  121.738747] Modules linked in: nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype xt_conntrack br_netfilter overlay xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter binfmt_misc zfs(PO) zunicode(PO) zavl(PO) zcommon(PO) znvpair(PO) spl(O) ppdev input_leds mac_hid i2c_piix4 pvpanic parport_pc parport sb_edac serio_raw intel_rapl_perf ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc
  [  121.809474]  aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse virtio_net virtio_scsi
  [  121.818453] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P           O    4.13.0-25-generic #29-Ubuntu
  [  121.827338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  [  121.836674] task: ffffffffad212480 task.stack: ffffffffad200000
  [  121.842693] RIP: 0010:          (null)
  [  121.846544] RSP: 0018:ffff9e253fc03e80 EFLAGS: 00010206
  [  121.851868] RAX: 0000000000000000 RBX: 0000000000000100 RCX: 0000000000000100
  [  121.859111] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  [  121.866438] RBP: ffff9e253fc03eb0 R08: fffffffffffffff8 R09: 000000000000000f
  [  121.873680] R10: 0000000045fc5cc2 R11: 000000000edc6924 R12: ffff9e253fc03ed0
  [  121.880918] R13: ffff9e251a7ef140 R14: 0000000000000000 R15: 0000000000000000
  [  121.888158] FS:  0000000000000000(0000) GS:ffff9e253fc00000(0000) knlGS:0000000000000000
  [  121.896377] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  121.902225] CR2: 0000000000000000 CR3: 000000035b60a003 CR4: 00000000001606f0
  [  121.909463] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  [  121.916699] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  [  121.923935] Call Trace:
  [  121.926482]  <IRQ>
  [  121.928599]  ? call_timer_fn+0x33/0x130
  [  121.932539]  run_timer_softirq+0x40f/0x470
  [  121.936738]  ? kvm_clock_get_cycles+0x1e/0x20
  [  121.941195]  ? ktime_get+0x40/0xa0
  [  121.944725]  ? native_apic_msr_write+0x2b/0x40
  [  121.949359]  __do_softirq+0xde/0x2a5
  [  121.953040]  irq_exit+0xb6/0xc0
  [  121.956290]  smp_apic_timer_interrupt+0x68/0x90
  [  121.960922]  apic_timer_interrupt+0x9f/0xb0
  [  121.965206]  </IRQ>
  [  121.967417] RIP: 0010:native_safe_halt+0x6/0x10
  [  121.972058] RSP: 0018:ffffffffad203de0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
  [  121.979726] RAX: 0000000000000000 RBX: ffffffffad212480 RCX: 0000000000000000
  [  121.986965] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
  [  121.994210] RBP: ffffffffad203de0 R08: 000000209c1b3133 R09: ffff9e252d00fe00
  [  122.001446] R10: 0000000000000000 R11: 7fffffffffffffff R12: 0000000000000000
  [  122.008700] R13: ffffffffad212480 R14: 0000000000000000 R15: 0000000000000000
  [  122.015942]  default_idle+0x20/0x100
  [  122.019635]  arch_cpu_idle+0xf/0x20
  [  122.023229]  default_idle_call+0x23/0x30
  [  122.027267]  do_idle+0x17d/0x200
  [  122.030598]  cpu_startup_entry+0x73/0x80
  [  122.034631]  rest_init+0xbc/0xc0
  [  122.037962]  start_kernel+0x4c5/0x4e6
  [  122.041726]  ? early_idt_handler_array+0x120/0x120
  [  122.046622]  x86_64_start_reservations+0x24/0x26
  [  122.051338]  x86_64_start_kernel+0x13a/0x15d
  [  122.055710]  secondary_startup_64+0x9f/0xa0
  [  122.059992] Code:  Bad RIP value.
  [  122.063415] RIP:           (null) RSP: ffff9e253fc03e80
  [  122.068738] CR2: 0000000000000000
  [  122.072159] ---[ end trace 6975f2922c493ef4 ]---
  [  122.076874] Kernel panic - not syncing: Fatal exception in interrupt
  [  122.084613] Kernel Offset: 0x2b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
  [  122.095591] Rebooting in 10 seconds..
  [  132.021415] ACPI MEMORY or I/O RESET_REG.

  The issue happens on Ubuntu 17.10 amd64, kernel 4.13.0-25-generic
  #29-Ubuntu, running on a GCP n1-standard-4 instance. However, the issue
  doesn't seem to happen on CentOS 7 and Debian 9. I haven't tried the
  latest vanilla kernel.

  I'm going to report this as a security issue, as an unprivileged user
  can easily crash the system with `unshare -r -n`.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1743792/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp