I've just faced this crash UptoDate
me@nuc:~$ lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 18.04.3 LTS Release: 18.04 Codename: bionic Aug 10 16:14:47 nuc kernel: [12755.073641] detected buffer overflow in strcat Aug 10 16:14:47 nuc kernel: [12755.073660] ------------[ cut here ]------------ Aug 10 16:14:47 nuc kernel: [12755.073662] kernel BUG at /build/linux-hwe-zHO4ZF/linux-hwe-5.0.0/lib/string.c:1073! Aug 10 16:14:47 nuc kernel: [12755.073669] invalid opcode: 0000 [#1] SMP PTI Aug 10 16:14:47 nuc kernel: [12755.073673] CPU: 1 PID: 3135 Comm: deluged Not tainted 5.0.0-23-generic #24~18.04.1-Ubuntu Aug 10 16:14:47 nuc kernel: [12755.073675] Hardware name: /D54250WYK, BIOS WYLPT10H.86A.0047.2018.0303.1725 03/03/2018 Aug 10 16:14:47 nuc kernel: [12755.073682] RIP: 0010:fortify_panic+0x13/0x22 Aug 10 16:14:47 nuc kernel: [12755.073685] Code: 4c 89 e2 e8 b1 98 00 00 42 c6 04 20 00 48 89 d8 5b 41 5c 5d c3 0f 0b 55 48 89 fe 48 c7 c7 20 38 fb 86 48 89 e5 e8 72 5c 6e ff <0f> 0b 90 90 90 90 90 90 90 90 90 90 90 90 90 55 31 c9 48 89 fa 48 Aug 10 16:14:47 nuc kernel: [12755.073687] RSP: 0000:ffffb17381e779e0 EFLAGS: 00010282 Aug 10 16:14:47 nuc kernel: [12755.073690] RAX: 0000000000000022 RBX: 0000000000000000 RCX: 0000000000000000 Aug 10 16:14:47 nuc kernel: [12755.073692] RDX: 0000000000000000 RSI: ffff973e5b896448 RDI: ffff973e5b896448 Aug 10 16:14:47 nuc kernel: [12755.073694] RBP: ffffb17381e779e0 R08: 000000000000033e R09: ffffffff8776f698 Aug 10 16:14:47 nuc kernel: [12755.073696] R10: ffffb17381e77a90 R11: ffffb17381e77850 R12: ffff973dd6d15db0 Aug 10 16:14:47 nuc kernel: [12755.073698] R13: 00000000d33f5410 R14: 0000000000000000 R15: ffff973dd0dac200 Aug 10 16:14:47 nuc kernel: [12755.073701] FS: 00007ff3b0fd1700(0000) GS:ffff973e5b880000(0000) knlGS:0000000000000000 Aug 10 16:14:47 nuc kernel: [12755.073703] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 Aug 10 16:14:47 nuc kernel: [12755.073705] CR2: 00007ff3ad44f000 CR3: 000000011abf0003 CR4: 00000000001606e0 Aug 10 16:14:47 nuc kernel: [12755.073707] Call Trace: Aug 10 16:14:47 nuc kernel: [12755.073746] smb21_set_oplock_level+0x147/0x1a0 [cifs] Aug 10 16:14:47 nuc kernel: [12755.073778] smb3_set_oplock_level+0x22/0x90 [cifs] Aug 10 16:14:47 nuc kernel: [12755.073807] smb2_set_fid+0x76/0xb0 [cifs] Aug 10 16:14:47 nuc kernel: [12755.073834] cifs_new_fileinfo+0x259/0x390 [cifs] Aug 10 16:14:47 nuc kernel: [12755.073862] ? smb2_close_file+0x20/0x20 [cifs] Aug 10 16:14:47 nuc kernel: [12755.073887] ? cifs_new_fileinfo+0x259/0x390 [cifs] -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1824981 Title: cifs set_oplock buffer overflow in strcat Status in linux package in Ubuntu: Fix Released Status in linux source package in Bionic: Fix Committed Status in linux source package in Cosmic: Won't Fix Status in linux source package in Disco: Fix Committed Status in linux source package in Eoan: Fix Released Bug description: [Impact] * We got reports of a kernel crash in cifs module with the following signature: detected buffer overflow in strcat kernel BUG at <...>/lib/string.c:1052! invalid opcode: 0000 [#1] SMP PTI RIP: 0010:fortify_panic+0x13/0x1f Call Trace: smb21_set_oplock_level+0xde/0x190 [cifs] smb3_set_oplock_level+0x22/0x90 [cifs] smb2_set_fid+0x76/0xb0 [cifs] cifs_new_fileinfo+0x268/0x3c0 [cifs] ? smb2_get_lease_key+0x40/0x40 [cifs] ? cifs_new_fileinfo+0x268/0x3c0 [cifs] cifs_open+0x57c/0x8d0 [cifs] do_dentry_open+0x1fe/0x320 [...] * By analyzing the code of smb21_set_oplock_level(), we've noticed the only way fortify function strcat() would get overflow was if the value of cinode->oplock got corrupted in a another thread leading to a buffer write bigger then buffer size. In this function, the 'message' buffer writes are governed by cinode->oplock, so only a different thread cleaning the oplock value would lead to 'message' overflow. * By the same time we worked this analysis, a fix was proposed upstream for this issue in the form of commit 6a54b2e002c9 ("cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()"), by the same reporter of this LP. The fix is simple and directly addresses this problem, so we hereby request its SRU into Bionic kernel - it's already present in linux stable branches. [Test case] * Unfortunately we cannot reproduce the issue. The patch proposed here was validated by us with xfstests (instructions followed from https://wiki.samba.org/index.php/Xfstesting-cifs) and fio. * Using xfstest with the exclusions proposed in the link above we managed to get the same results as a non-patched kernel, i.e., the same tests failed in both kernels, we didn't get worse results with the patch. Fio also didn't show noticeable performance regression with the patch. [Regression potential] * The patch was validated by the cifs filesystem maintainers and by the aforementioned tests; also, the scope is restricted to cifs only so the likelihood of regressions is considered low. The commit introduces no functional changes and the only affected path was just refactored in a way to prevent overflow and reduce race potential. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1824981/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
