Thanks!
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1743792
Title:
kernel panic on ioctl(TUNSETIFF) with a dev name with '/'
Status in linux package in Ubuntu:
Fix Released
Bug description:
Executing the attached program with either `sudo` or `unshare -r -n` causes a
kernel panic.
Mostly running just once is enough to hit the issue, but not 100%
deterministic.
[ 121.718035] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 121.726006] IP: (null)
[ 121.729333] PGD 0
[ 121.729334] P4D 0
[ 121.731445]
[ 121.735149] Oops: 0010 [#1] SMP PTI
[ 121.738747] Modules linked in: nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo xt_addrtype xt_conntrack br_netfilter overlay xt_CHECKSUM iptable_mangle ipt_MASQUERADE nf_nat_masquerade_ipv4 iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack xt_tcpudp bridge stp llc ip6table_filter ip6_tables iptable_filter binfmt_misc zfs(PO) zunicode(PO) zavl(PO) zcommon(PO) znvpair(PO) spl(O) ppdev input_leds mac_hid i2c_piix4 pvpanic parport_pc parport sb_edac serio_raw intel_rapl_perf ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc
[ 121.809474] aesni_intel aes_x86_64 crypto_simd glue_helper cryptd psmouse virtio_net virtio_scsi
[ 121.818453] CPU: 0 PID: 0 Comm: swapper/0 Tainted: P O 4.13.0-25-generic #29-Ubuntu
[ 121.827338] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[ 121.836674] task: ffffffffad212480 task.stack: ffffffffad200000
[ 121.842693] RIP: 0010: (null)
[ 121.846544] RSP: 0018:ffff9e253fc03e80 EFLAGS: 00010206
[ 121.851868] RAX: 0000000000000000 RBX: 0000000000000100 RCX: 0000000000000100
[ 121.859111] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 121.866438] RBP: ffff9e253fc03eb0 R08: fffffffffffffff8 R09: 000000000000000f
[ 121.873680] R10: 0000000045fc5cc2 R11: 000000000edc6924 R12: ffff9e253fc03ed0
[ 121.880918] R13: ffff9e251a7ef140 R14: 0000000000000000 R15: 0000000000000000
[ 121.888158] FS: 0000000000000000(0000) GS:ffff9e253fc00000(0000) knlGS:0000000000000000
[ 121.896377] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 121.902225] CR2: 0000000000000000 CR3: 000000035b60a003 CR4: 00000000001606f0
[ 121.909463] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 121.916699] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 121.923935] Call Trace:
[ 121.926482] <IRQ>
[ 121.928599] ? call_timer_fn+0x33/0x130
[ 121.932539] run_timer_softirq+0x40f/0x470
[ 121.936738] ? kvm_clock_get_cycles+0x1e/0x20
[ 121.941195] ? ktime_get+0x40/0xa0
[ 121.944725] ? native_apic_msr_write+0x2b/0x40
[ 121.949359] __do_softirq+0xde/0x2a5
[ 121.953040] irq_exit+0xb6/0xc0
[ 121.956290] smp_apic_timer_interrupt+0x68/0x90
[ 121.960922] apic_timer_interrupt+0x9f/0xb0
[ 121.965206] </IRQ>
[ 121.967417] RIP: 0010:native_safe_halt+0x6/0x10
[ 121.972058] RSP: 0018:ffffffffad203de0 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff10
[ 121.979726] RAX: 0000000000000000 RBX: ffffffffad212480 RCX: 0000000000000000
[ 121.986965] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
[ 121.994210] RBP: ffffffffad203de0 R08: 000000209c1b3133 R09: ffff9e252d00fe00
[ 122.001446] R10: 0000000000000000 R11: 7fffffffffffffff R12: 0000000000000000
[ 122.008700] R13: ffffffffad212480 R14: 0000000000000000 R15: 0000000000000000
[ 122.015942] default_idle+0x20/0x100
[ 122.019635] arch_cpu_idle+0xf/0x20
[ 122.023229] default_idle_call+0x23/0x30
[ 122.027267] do_idle+0x17d/0x200
[ 122.030598] cpu_startup_entry+0x73/0x80
[ 122.034631] rest_init+0xbc/0xc0
[ 122.037962] start_kernel+0x4c5/0x4e6
[ 122.041726] ? early_idt_handler_array+0x120/0x120
[ 122.046622] x86_64_start_reservations+0x24/0x26
[ 122.051338] x86_64_start_kernel+0x13a/0x15d
[ 122.055710] secondary_startup_64+0x9f/0xa0
[ 122.059992] Code: Bad RIP value.
[ 122.063415] RIP: (null) RSP: ffff9e253fc03e80
[ 122.068738] CR2: 0000000000000000
[ 122.072159] ---[ end trace 6975f2922c493ef4 ]---
[ 122.076874] Kernel panic - not syncing: Fatal exception in interrupt
[ 122.084613] Kernel Offset: 0x2b000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 122.095591] Rebooting in 10 seconds..
[ 132.021415] ACPI MEMORY or I/O RESET_REG.
The issue happens on Ubuntu 17.10 amd64, kernel 4.13.0-25-generic #29-Ubuntu,
running on a GCP n1-standard-4 instance.
However, the issue doesn't seem to happen on CentOS 7 and Debian 9.
I haven't tried the latest vanilla kernel.
I'm going to report this as a security issue, as an unprivileged user
can easily crash the system with `unshare -r -n`.