Marcin Szewczyk reported and diagnosed a bug in Debian's kernel
packages that allows a denial of service (crash) by local users with
access to an aufs filesystem. The bug is in a Debian-specific patch,
not the upstream kernel or aufs code.
The current version in Debian 7 'wheezy' (3.2.81-1) and the current proposed update to Debian 8 'jessie' (3.16.36-1 are affected.
Ben.
On Tue, 2016-08-30 at 22:33 +0200, Marcin Szewczyk wrote:
> Hi,
>
> the wheezy kernel upgrade from 3.2.78-1 to 3.2.81-1 added the SETFL
> fcntl support code (#627782) which unfortunately results in a kernel
> Oops when the fcntl is called on a directory. This breaks e.g. copying
> files from an AUFS filesystem on a remote machine using scp.
>
> Minimal code to reproduce the problem:
> #v+
> #include <stdio.h>
> #include <stdlib.h>
> #include <fcntl.h>
>
> int main (int argc, char **argv) {
> const char *fname = NULL;
> int fd;
> if (argc != 2)
> exit (1);
> fname = argv[1];
> fd = open (fname, O_RDONLY|O_NONBLOCK);
> printf ("fd %d\n", fd);
> fcntl (fd, F_SETFL, O_RDONLY);
> return 0;
> }
> #v-
>
> Call the program on regular a file (nothing happens) and then on a
> directory (Oops).
>
> The Oops happens in fs/fcntl.c:
> #v+
> if (!error && filp->f_op->owner &&
> !strcmp(filp->f_op->owner->name, "aufs") &&
> strstr(filp->f_op->owner->version, "+setfl"))
> error = filp->f_op->setfl(filp, arg);
> #v-
>
> >
> > From fs/aufs/inode.c:
> #v+
> case S_IFREG:
> [...]
> inode->i_fop = &aufs_file_fop;
> [...]
> case S_IFDIR:
> [...]
> inode->i_fop = &aufs_dir_fop;
> #v-
>
> The aufs_file_fop structure sets the value of the .setfl member to
> aufs_setfl (f_op.c). aufs_dir_fop (dir.c) on the other hand does not.
>
> dmesg:
> #v+
> [42990.915100] aufs 3.2.x+setfl-debian
> [43046.383421] BUG: unable to handle kernel NULL pointer dereference
> at (null)
> [43046.384011] IP: [< (null)>] (null)
> [43046.384369] PGD 3d0f1067 PUD 3b8cc067 PMD 0
> [43046.384688] Oops: 0010 [#1] SMP
> [43046.385620] Call Trace:
> [...]
> [43046.385620] [<ffffffff81108701>] ? setfl+0xf1/0x157
> [43046.385620] [<ffffffff81108b9e>] ? sys_fcntl+0x1dc/0x3b0
> [43046.385620] [<ffffffff81358af2>] ? system_call_fastpath+0x16/0x1b
> #v-
>
> gdb:
> #v+
> 0xffffffff811086d3 <+195>: callq 0xffffffff811b2bd2 <strcmp>
> 0xffffffff811086d8 <+200>: test %eax,%eax
> 0xffffffff811086da <+202>: jne 0xffffffff81108705 <setfl+245>
> 0xffffffff811086dc <+204>: mov 0xb0(%r13),%rdi
> 0xffffffff811086e3 <+211>: mov $0xffffffff814dc9e4,%rsi
> 0xffffffff811086ea <+218>: callq 0xffffffff811b2e25 <strstr>
> 0xffffffff811086ef <+223>: test %rax,%rax
> 0xffffffff811086f2 <+226>: je 0xffffffff81108705 <setfl+245>
> 0xffffffff811086f4 <+228>: mov %rbp,%rsi
> 0xffffffff811086f7 <+231>: mov %rbx,%rdi
> 0xffffffff811086fa <+234>: callq *0xd0(%r14)
> 0xffffffff81108701 <+241>: test %eax,%eax
> #v-
>
> Naturally it happens both on i686 and amd64.
>
> BTW, changelog link on the package's page[1] is dead.
>
> Interesting changelog's part:
>
> * aufs: Make fcntl(F_SETFL, ...) work (Closes: #627782):
> - for aufs: new f_op->setfl() to support fcntl(F_SETFL)
> - aufs: implement new f_op->setfl()
> - fs: Fix ABI change for aufs F_SETFL fix
>
> Is there any chance for a fix in some future wheezy-lts update?
>
> [1] https://packages.debian.org/wheezy/linux-image-3.2.0-4-amd64
>
--
Ben Hutchings
Anthony's Law of Force: Don't force it, get a larger hammer.
Attachment:
signature.asc
Description: This is a digitally signed message part