The fix has been released on Xenial ESM (kernel version 4.4.0-224.257).

$ git log --oneline -1 341e4f5e9e07
341e4f5e9e07 UBUNTU: SAUCE: fuse: fix bad !inode in fuse_direntplus_link()

$ git describe --contains 341e4f5e9e07
Ubuntu-4.4.0-224.257~6

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1970482

Title:
  Xenial: kernel BUG/Oops/crash in fuse_readdir() due to CVE-2020-36322 backport

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  Fix Released

Bug description:
  [Impact]

   * Users might hit kernel BUG/Oops/crash with fuse filesystems on Xenial
     kernel 4.4.0-222.255 and later (backport from 4.9), including the
     derivative/optimized kernels (linux-aws below).

   * Introduced by the backport from 4.9 for CVE-2020-36322 [1]
     [1] https://ubuntu.com/security/CVE-2020-36322

   * Offending commit 8deb786162e1 ("fuse: fix bad inode")

     linux-xenial$ git log --oneline origin/master-prep -- fs/fuse/dir.c | head -n1
     8deb786162e1 fuse: fix bad inode

     linux-xenial$ git describe --contains 8deb786162e1
     Ubuntu-4.4.0-222.255~6

  [Fix]

   * Check for non-NULL inode pointer before fuse_is_bad(inode) in
     fuse_direntplus_link().

   * (This is the only modified function/patch hunk which seems to have
     issues; all others dereference 'inode' w/out check at some point,
     even before this patch.)

  [Test Case]

   * Not available at the moment.

  [Regression Potential]

   * Probably none, as this changes the hunk/code behavior to what it was
     before the offending patch/backport w/ issue was applied (where
     fuse_is_bad() wasn't called at all if inode is NULL), and makes sense
     with the patch applied; also, this same form is used in another hunk,
     where NULL was checked.

  [Example Stacktrace]

  kernel: BUG: unable to handle kernel NULL pointer dereference at 00000000000002c0
  kernel: IP: [<ffffffff8132ae16>] fuse_readdir+0x376/0x700
  kernel: PGD 1e3e02c067 PUD 1c8b2aa067 PMD 0
  kernel: Oops: 0000 [#5] SMP
  kernel: Modules linked in: <...>
  kernel: CPU: 1 PID: 12133 Comm: php-fpm Tainted: G D 4.4.0-1138-aws #152-Ubuntu
  kernel: Hardware name: Amazon EC2 m5a.8xlarge/, BIOS 1.0 10/16/2017
  kernel: task: ffff881bcf164600 ti: ffff881bcffec000 task.ti: ffff881bcffec000
  kernel: RIP: 0010:[<ffffffff8132ae16>] [<ffffffff8132ae16>] fuse_readdir+0x376/0x700
  kernel: RSP: 0018:ffff881bcffefe10 EFLAGS: 00010206
  kernel: RAX: ffffc9000524bd00 RBX: 00000000000001a0 RCX: 0000000000000000
  kernel: RDX: 0000000000000001 RSI: ffffc9000524bd00 RDI: ffff881ed25bf3d8
  kernel: RBP: ffff881bcffefea0 R08: 0000000000000000 R09: 0000000000000050
  kernel: R10: ffff881b942a0c68 R11: ffff881ed25bf380 R12: ffff881b942a0bd0
  kernel: R13: ffff880f8ced0d80 R14: ffff881f25cb1800 R15: ffff881ed25bf380
  kernel: FS: 00007f884d100740(0000) GS:ffff880fb8c40000(0000) knlGS:0000000000000000
  kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  kernel: CR2: 00000000000002c0 CR3: 0000001cbc963000 CR4: 00000000003406f0
  kernel: Stack:
  kernel: ffff881bcffefef0 0000000000441d7f ffff880fb1c6a000 ffff881b942a0bf8
  kernel: 0000000000000000 ffff881f25cb1800 ffffea006e50a800 ffff881b942a0ca0
  kernel: 00000000ae046100 ffff880fae046100 000000361c41ec1e ffff881b942a0c68
  kernel: Call Trace:
  kernel: [<ffffffff8122d018>] iterate_dir+0x98/0x120
  kernel: [<ffffffff8112f0db>] ? __audit_syscall_entry+0xab/0xf0
  kernel: [<ffffffff8122d589>] SyS_getdents+0x99/0x110
  kernel: [<ffffffff8122d0a0>] ? iterate_dir+0x120/0x120
  kernel: [<ffffffff81848f9b>] entry_SYSCALL_64_fastpath+0x22/0xd0
  kernel: Code: 49 39 80 38 02 00 00 75 12 41 0f b7 00 41 33 44 24 64 f6 c4 f0 0f 84 72 02 00 00 4c 89 ff 4c 89 45 90 e8 ae 65 f0 ff 4c 8b 45 90 <49> 8b 80 c0 02 00 00 4c 89 ff a8 08 0f 85 67 02 00 00 e8 63 5c
  kernel: RIP [<ffffffff8132ae16>] fuse_readdir+0x376/0x700
  kernel: RSP <ffff881bcffefe10>
  kernel: CR2: 00000000000002c0
  kernel: ---[ end trace f89ac23b1e9bb24c ]---
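The [Fix] item in the report comes down to operand order in a short-circuit condition. The program below is an added user-space model of that check, not code from the Ubuntu kernel tree or from either patch named in the report; its struct inode and struct dentry layouts, the FUSE_I_BAD flag, the entry_stale_* helpers and the directory listing are all hypothetical. It shows the shape the report describes: a fuse_is_bad() that is reached with a NULL inode reads a field at a small offset from address 0 (in the Oops above the faulting instruction, 49 8b 80 c0 02 00 00, is a load from 0x2c0 off R8, and R8 is 0, hence CR2 = 00000000000002c0), whereas testing !inode first makes a negative dentry simply fall through to a fresh lookup.

```c
/*
 * Added example, not kernel code: a user-space model of the inode check in
 * fuse_direntplus_link(). Struct layouts, flag values, helper bodies and the
 * sample listing are hypothetical stand-ins for the kernel's.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define S_IFMT  0170000
#define S_IFDIR 0040000
#define S_IFREG 0100000

#define FUSE_I_BAD 1u          /* stand-in for the kernel's bad-inode flag */

struct inode {                 /* hypothetical stand-in for struct inode */
    unsigned int i_mode;
    uint64_t     nodeid;
    unsigned int fuse_flags;
};

struct dentry {                /* d_inode == NULL models a negative dentry */
    const char   *name;
    struct inode *d_inode;
};

struct direntplus {            /* what the FUSE server sent for this name */
    uint64_t     nodeid;
    unsigned int mode;
};

/* Same shape as the kernel helper: it dereferences inode unconditionally. */
static bool fuse_is_bad(const struct inode *inode)
{
    return inode->fuse_flags & FUSE_I_BAD;
}

static uint64_t get_node_id(const struct inode *inode)
{
    return inode->nodeid;
}

/*
 * Buggy ordering as the report describes it: fuse_is_bad() is reached before
 * the NULL test, so a negative dentry reads a field a few bytes past address
 * 0, the same kind of fault as CR2 = 0x2c0 in the Oops. Never call this on a
 * negative dentry; it exists only to show the shape of the bug.
 */
static bool entry_stale_buggy(const struct dentry *dentry, const struct direntplus *o)
{
    const struct inode *inode = dentry->d_inode;
    return fuse_is_bad(inode) ||
           !inode ||
           get_node_id(inode) != o->nodeid ||
           ((o->mode ^ inode->i_mode) & S_IFMT);
}

/*
 * Fixed ordering: !inode is the first operand, so || short-circuits and no
 * dereference happens for a negative dentry. true means "do not reuse the
 * cached inode; go through a fresh lookup".
 */
static bool entry_stale_fixed(const struct dentry *dentry, const struct direntplus *o)
{
    const struct inode *inode = dentry->d_inode;
    return !inode ||
           fuse_is_bad(inode) ||
           get_node_id(inode) != o->nodeid ||
           ((o->mode ^ inode->i_mode) & S_IFMT);
}

/* Constructed listing: cache hit, negative dentry, bad inode, nodeid change, type change. */
static struct inode in_ok    = { S_IFREG | 0644, 42, 0 };
static struct inode in_bad   = { S_IFREG | 0644, 43, FUSE_I_BAD };
static struct inode in_moved = { S_IFREG | 0644, 44, 0 };
static struct inode in_dir   = { S_IFDIR | 0755, 45, 0 };

static const struct dentry sample_dents[] = {
    { "a.txt", &in_ok    },
    { "gone",  NULL      },   /* negative dentry: the crashing case */
    { "b.txt", &in_bad   },
    { "c.txt", &in_moved },
    { "d",     &in_dir   },
};
static const struct direntplus sample_attrs[] = {
    { 42, S_IFREG | 0644 },
    { 99, S_IFREG | 0644 },
    { 43, S_IFREG | 0644 },
    { 77, S_IFREG | 0644 },   /* server now reports a different nodeid */
    { 45, S_IFREG | 0644 },   /* same nodeid, but now a regular file */
};
#define NSAMPLE (sizeof sample_dents / sizeof sample_dents[0])

/* Returns how many sample entries the fixed check sends through lookup. */
static int count_stale_fixed(void)
{
    int n = 0;
    for (size_t i = 0; i < NSAMPLE; i++)
        n += entry_stale_fixed(&sample_dents[i], &sample_attrs[i]);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NSAMPLE; i++)
        printf("%-6s %s\n", sample_dents[i].name,
               entry_stale_fixed(&sample_dents[i], &sample_attrs[i]) ? "lookup" : "reuse");
    printf("%d of %zu entries need lookup\n", count_stale_fixed(), NSAMPLE);
    /* Both orderings agree on a positive dentry ... */
    printf("buggy order on a.txt: %d\n", entry_stale_buggy(&sample_dents[0], &sample_attrs[0]));
    /* ... but entry_stale_buggy(&sample_dents[1], &sample_attrs[1]) would fault. */
    return 0;
}
```

Build with `cc -Wall -O2 model.c`; the fixed predicate reports four of the five constructed entries as needing lookup (the negative dentry, the bad inode, the nodeid change and the file-type change) and reuses only a.txt. The point a reviewer checks in the real hunk is the same one the report makes: every operand that dereferences inode must come after the !inode test.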