Bug 98301

Summary: Kernel null pointer dereference when sandboxing
Product: Other Reporter: Steven Stewart-Gallus (sstewartgallus00)
Component: OtherAssignee: other_other
Status: RESOLVED CODE_FIX    
Severity: normal CC: luto
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 4.0.2 Subsystem:
Regression: No Bisected commit-id:

Description Steven Stewart-Gallus 2015-05-13 21:38:18 UTC 
I get a kernel null pointer dereference when sandboxing my program.  I
have cut a lot of the fat off my program and uploaded this variant to
https://gitgud.net/sstewartgallus/linted/tree/fucked-up.  You
configure it with autoconf (2.69) and then run
./scripts/arch/configure-x86_64-linux-gnu and then run make and then
run ./scripts/test.

I get the bug on kernel 4.0.2.

My system hardware:

    description: Notebook
    product: Aspire V3-111P (Aspire V3-111P_0843_1_11)
    vendor: Acer
    version: V1.11
    serial: NXMP0AA002428180507610
    width: 64 bits
    capabilities: smbios-2.7 dmi-2.7 vsyscall32
    configuration: chassis=notebook family=Type1Family sku=Aspire V3-111P_0843_1_11 uuid=FCB19F75-B966-4915-B37A-7DBF1C616D21
  *-core
       description: Motherboard
       product: Roxy
       vendor: Acer
       physical id: 0
       version: Type2 - A01 Board Version
       serial: NBMNU11002428180507610
       slot: Type2 - Board Chassis Location
     *-firmware
          description: BIOS
          vendor: Insyde Corp.
          physical id: 0
          version: V1.11
          date: 06/13/2014
          size: 64KiB
          capacity: 4032KiB
          capabilities: pci upgrade shadowing cdboot bootselect edd int9keyboard int14serial int17printer int10video acpi usb zipboot biosbootspecification netboot
     *-cpu
          description: CPU
          product: Intel(R) Celeron(R) CPU  N2930  @ 1.83GHz
          vendor: Intel Corp.
          physical id: 4
          bus info: cpu@0
          version: Intel(R) Celeron(R) CPU  N2930  @ 1.83GHz
          slot: CPU 1
          size: 1747MHz
          capacity: 1747MHz
          width: 64 bits
          clock: 83MHz
          capabilities: x86-64 fpu fpu_exception wp vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx rdtscp constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 cx16 xtpr pdcm sse4_1 sse4_2 movbe popcnt tsc_deadline_timer rdrand lahf_lm 3dnowprefetch ida arat epb dtherm tpr_shadow vnmi flexpriority ept vpid tsc_adjust smep erms cpufreq
          configuration: cores=4 enabledcores=4 threads=1
        *-cache:0
             description: L1 cache
             physical id: 7
             slot: Unknown
             size: 32KiB
             capacity: 32KiB
             capabilities: synchronous internal write-back instruction
        *-cache:1
             description: L2 cache
             physical id: 8
             slot: Unknown
             size: 1MiB
             capacity: 1MiB
             capabilities: synchronous internal write-back unified
     *-cache
          description: L1 cache
          physical id: 6
          slot: Unknown
          size: 24KiB
          capacity: 24KiB
          capabilities: synchronous internal write-back data
     *-memory
          description: System Memory
          physical id: e
          slot: System board or motherboard
          size: 4GiB
        *-bank
             description: SODIMM DDR3 Synchronous 1333 MHz (0.8 ns)
             product: M471B5173DB0-YK0
             vendor: Samsung
             physical id: 0
             serial: 22141621
             slot: DIMM0
             size: 4GiB
             width: 64 bits
             clock: 1333MHz (0.8ns)
     *-pci
          description: Host bridge
          product: Atom Processor Z36xxx/Z37xxx Series SoC Transaction Register
          vendor: Intel Corporation
          physical id: 100
          bus info: pci@0000:00:00.0
          version: 0e
          width: 32 bits
          clock: 33MHz
          configuration: driver=iosf_mbi_pci
          resources: irq:0
        *-display
             description: VGA compatible controller
             product: Atom Processor Z36xxx/Z37xxx Series Graphics & Display
             vendor: Intel Corporation
             physical id: 2
             bus info: pci@0000:00:02.0
             version: 0e
             width: 32 bits
             clock: 33MHz
             capabilities: pm msi vga_controller bus_master cap_list rom
             configuration: driver=i915 latency=0
             resources: irq:264 memory:90000000-903fffff memory:80000000-8fffffff ioport:2050(size=8)
        *-storage
             description: SATA controller
             product: Intel Corporation
             vendor: Intel Corporation
             physical id: 13
             bus info: pci@0000:00:13.0
             version: 0e
             width: 32 bits
             clock: 66MHz
             capabilities: storage msi pm ahci_1.0 bus_master cap_list
             configuration: driver=ahci latency=0
             resources: irq:262 ioport:2048(size=8) ioport:205c(size=4) ioport:2040(size=8) ioport:2058(size=4) ioport:2020(size=32) memory:9091f000-9091f7ff
        *-usb
             description: USB controller
             product: Atom Processor Z36xxx/Z37xxx Series USB xHCI
             vendor: Intel Corporation
             physical id: 14
             bus info: pci@0000:00:14.0
             version: 0e
             width: 64 bits
             clock: 33MHz
             capabilities: pm msi xhci bus_master cap_list
             configuration: driver=xhci_hcd latency=0
             resources: irq:261 memory:90900000-9090ffff
        *-generic
             description: Encryption controller
             product: Atom Processor Z36xxx/Z37xxx Series Trusted Execution Engine
             vendor: Intel Corporation
             physical id: 1a
             bus info: pci@0000:00:1a.0
             version: 0e
             width: 32 bits
             clock: 33MHz
             capabilities: pm msi bus_master cap_list
             configuration: driver=mei_txe latency=0
             resources: irq:265 memory:90800000-908fffff memory:90700000-907fffff
        *-multimedia
             description: Audio device
             product: Atom Processor Z36xxx/Z37xxx Series High Definition Audio Controller
             vendor: Intel Corporation
             physical id: 1b
             bus info: pci@0000:00:1b.0
             version: 0e
             width: 64 bits
             clock: 33MHz
             capabilities: pm msi bus_master cap_list
             configuration: driver=snd_hda_intel latency=0
             resources: irq:266 memory:90910000-90913fff
        *-pci:0
             description: PCI bridge
             product: Intel Corporation
             vendor: Intel Corporation
             physical id: 1c
             bus info: pci@0000:00:1c.0
             version: 0e
             width: 32 bits
             clock: 33MHz
             capabilities: pci pciexpress msi pm normal_decode cap_list
             configuration: driver=pcieport
             resources: irq:16 ioport:3000(size=4096)
        *-pci:1
             description: PCI bridge
             product: Intel Corporation
             vendor: Intel Corporation
             physical id: 1c.1
             bus info: pci@0000:00:1c.1
             version: 0e
             width: 32 bits
             clock: 33MHz
             capabilities: pci pciexpress msi pm normal_decode bus_master cap_list
             configuration: driver=pcieport
             resources: irq:17 ioport:4000(size=4096) memory:90600000-906fffff
           *-network
                description: Wireless interface
                product: QCA9565 / AR9565 Wireless Network Adapter
                vendor: Qualcomm Atheros
                physical id: 0
                bus info: pci@0000:02:00.0
                logical name: wlan0
                version: 01
                serial: 9c:ad:97:a4:01:c5
                width: 64 bits
                clock: 33MHz
                capabilities: pm msi pciexpress bus_master cap_list rom ethernet physical wireless
                configuration: broadcast=yes driver=ath9k driverversion=4.0.2-gnu firmware=N/A ip=10.19.159.85 latency=0 link=yes multicast=yes wireless=IEEE 802.11bgn
                resources: irq:17 memory:90600000-9067ffff memory:90680000-9068ffff
        *-pci:2
             description: PCI bridge
             product: Intel Corporation
             vendor: Intel Corporation
             physical id: 1c.2
             bus info: pci@0000:00:1c.2
             version: 0e
             width: 32 bits
             clock: 33MHz
             capabilities: pci pciexpress msi pm normal_decode bus_master cap_list
             configuration: driver=pcieport
             resources: irq:18 ioport:1000(size=4096) memory:90500000-905fffff ioport:90400000(size=1048576)
           *-network
                description: Ethernet interface
                product: RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
                vendor: Realtek Semiconductor Co., Ltd.
                physical id: 0
                bus info: pci@0000:03:00.0
                logical name: eth0
                version: 0c
                serial: c4:54:44:a0:e9:73
                size: 10Mbit/s
                capacity: 1Gbit/s
                width: 64 bits
                clock: 33MHz
                capabilities: pm msi pciexpress msix vpd bus_master cap_list ethernet physical tp mii 10bt 10bt-fd 100bt 100bt-fd 1000bt 1000bt-fd autonegotiation
                configuration: autonegotiation=on broadcast=yes driver=r8169 driverversion=2.3LK-NAPI duplex=half latency=0 link=no multicast=yes port=MII speed=10Mbit/s
                resources: irq:263 ioport:1000(size=256) memory:90500000-90500fff memory:90400000-90403fff
        *-isa
             description: ISA bridge
             product: Atom Processor Z36xxx/Z37xxx Series Power Control Unit
             vendor: Intel Corporation
             physical id: 1f
             bus info: pci@0000:00:1f.0
             version: 0e
             width: 32 bits
             clock: 33MHz
             capabilities: isa bus_master cap_list
             configuration: driver=lpc_ich latency=0
             resources: irq:0
        *-serial UNCLAIMED
             description: SMBus
             product: Intel Corporation
             vendor: Intel Corporation
             physical id: 1f.3
             bus info: pci@0000:00:1f.3
             version: 0e
             width: 32 bits
             clock: 33MHz
             capabilities: pm cap_list
             configuration: latency=0
             resources: memory:90919000-9091901f ioport:2000(size=32)
     *-scsi
          physical id: 1
          logical name: scsi0
          capabilities: emulated
        *-disk
             description: ATA Disk
             product: WDC WD5000LPVX-2
             vendor: Western Digital
             physical id: 0.0.0
             bus info: scsi@0:0.0.0
             logical name: /dev/sda
             version: 1A01
             serial: WD-WX41A644RK22
             size: 465GiB (500GB)
             capabilities: gpt-1.00 partitioned partitioned:gpt
             configuration: ansiversion=5 guid=63473c3c-79ec-466e-a780-96225f1b13f9 sectorsize=4096
           *-volume:0
                description: Windows FAT volume
                vendor: mkfs.fat
                physical id: 1
                bus info: scsi@0:0.0.0,1
                logical name: /dev/sda1
                logical name: /boot/efi
                version: FAT32
                serial: f3c3-b9c5
                size: 510MiB
                capacity: 511MiB
                capabilities: boot fat initialized
                configuration: FATs=2 filesystem=fat mount.fstype=vfat mount.options=rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=iso8859-1,shortname=mixed,errors=remount-ro state=mounted
           *-volume:1
                description: EXT4 volume
                vendor: Linux
                physical id: 2
                bus info: scsi@0:0.0.0,2
                logical name: /dev/sda2
                logical name: /
                version: 1.0
                serial: d19acfc0-af48-4114-acea-7fb0e2e60ea2
                size: 461GiB
                capacity: 461GiB
                capabilities: journaled extended_attributes large_files huge_files dir_nlink recover extents ext4 ext2 initialized
                configuration: created=2014-10-17 17:07:24 filesystem=ext4 lastmountpoint=/ modified=2015-05-13 12:43:49 mount.fstype=ext4 mount.options=rw,relatime,errors=remount-ro,data=ordered mounted=2015-05-13 12:43:49 state=mounted
           *-volume:2
                description: Linux swap volume
                vendor: Linux
                physical id: 3
                bus info: scsi@0:0.0.0,3
                logical name: /dev/sda3
                version: 1
                serial: 764d72d2-e3ff-4e5b-aeaf-b8ad7e3e85fc
                size: 3976MiB
                capacity: 3976MiB
                capabilities: nofs swap initialized
                configuration: filesystem=swap pagesize=4095
Comment 1 Steven Stewart-Gallus 2015-05-24 18:29:32 UTC 
The bug still occurs on Linux 4.04.

Also, I took a picture of the backtrace that shows up on the console my phone.

The information on the screen says the NULL dereference occurs at pin_remove.

It also shows a backtrace of

drop_mountpoint
pin_kill
? woken_wake_function
mnt_pin_kill
cleanup_mnt
__cleanup_mnt
task_work_run
do_notify_resume
int_signal
Comment 2 Steven Stewart-Gallus 2015-05-24 19:27:27 UTC 
This appears to be the same or a similar bug as described at http://permalink.gmane.org/gmane.linux.kernel.containers/29340
Comment 3 Steven Stewart-Gallus 2015-05-27 20:37:33 UTC 
Rereading over information on how to submit bug reports I found that I should record the output of the script ./scripts/ver_linux. It gives:

Linux proteus 4.0.4-gnu #1 SMP Mon May 18 12:12:23 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
 
Gnu C                  4.8
Gnu make               3.81
binutils               2.24
util-linux             2.20.1
mount                  support
module-init-tools      15
e2fsprogs              1.42.9
jfsutils               1.1.15
reiserfsprogs          3.6.24
reiser4progs           1.0.7
xfsprogs               3.1.9
pcmciautils            018
quota-tools            4.01.
PPP                    2.4.5
Linux C Library        2.19
Dynamic linker (ldd)   2.19
Procps                 3.3.9
Net-tools              1.60
Kbd                    1.15.5
oprofile               0.9.9
Sh-utils               8.21
wireless-tools         30
Modules Loaded         uas usb_storage ctr ccm bnep rfcomm binfmt_misc intel_rapl intel_soc_dts_thermal intel_powerclamp coretemp snd_hda_codec_hdmi snd_hda_codec_realtek joydev ath3k kvm_intel snd_hda_codec_generic btusb acer_wmi snd_hda_intel sparse_keymap snd_hda_controller bluetooth snd_hda_codec kvm snd_hwdep snd_pcm hid_multitouch arc4 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_seq_midi ath9k snd_seq_midi_event uvcvideo ath9k_common ath9k_hw snd_rawmidi dm_multipath videobuf2_vmalloc ath videobuf2_memops videobuf2_core snd_seq mac80211 scsi_dh v4l2_common snd_seq_device cfg80211 videodev snd_timer media snd iosf_mbi cryptd soundcore serio_raw lpc_ich shpchp mei_txe 8250_fintek mei dw_dmac dw_dmac_core int3400_thermal processor_thermal_device int3403_thermal intel_smartconnect acpi_thermal_rel int340x_thermal_zone i2c_hid pwm_lpss_platform pwm_lpss spi_pxa2xx_platform i2c_designware_platform i2c_designware_core mac_hid nls_iso8859_1 parport_pc ppdev lp parport btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq raid1 raid0 multipath linear dm_mirror dm_region_hash dm_log hid_generic usbhid hid i915 i2c_algo_bit r8169 drm_kms_helper ahci mii libahci drm wmi video
Comment 4 Andy Lutomirski 2015-06-01 19:24:15 UTC 
This was introduced in 4.0.2 and is fixed by:

commit 820f9f147dcce2602eefd9b575bbbd9ea14f0953
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Thu Apr 2 16:35:48 2015 -0500

    fs_pin: Allow for the possibility that m_list or s_list go unused.

    This is needed to support lazily umounting locked mounts.  Because the
    entire unmounted subtree needs to stay together until there are no
    users with references to any part of the subtree.

    To support this guarantee that the fs_pin m_list and s_list nodes
    are initialized by initializing them in init_fs_pin allowing
    for the possibility that pin_insert_group does not touch them.

    Further use hlist_del_init in pin_remove so that there is
    a hlist_unhashed test before the list we attempt to update
    the previous list item.

    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>


commit cd4a40174b71acd021877341684d8bb1dc8ea4ae
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Wed Jan 7 14:28:26 2015 -0600

    mnt: Fail collect_mounts when applied to unmounted mounts

    The only users of collect_mounts are in audit_tree.c

    In audit_trim_trees and audit_add_tree_rule the path passed into
    collect_mounts is generated from kern_path passed an audit_tree
    pathname which is guaranteed to be an absolute path.   In those cases
    collect_mounts is obviously intended to work on mounted paths and
    if a race results in paths that are unmounted when collect_mounts
    it is reasonable to fail early.

    The paths passed into audit_tag_tree don't have the absolute path
    check.  But are used to play with fsnotify and otherwise interact with
    the audit_trees, so again operating only on mounted paths appears
    reasonable.

    Avoid having to worry about what happens when we try and audit
    unmounted filesystems by restricting collect_mounts to mounts
    that appear in the mount tree.
Comment 5 Steven Stewart-Gallus 2015-06-24 18:43:16 UTC 
Can confirm this bug is fixed.