Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1448223

Summary: [abrt] kpartx: set_delimiter(): kpartx killed by SIGSEGV
Product: Red Hat Enterprise Linux 7 Reporter: Ben Marzinski <bmarzins>
Component: device-mapper-multipathAssignee: Ben Marzinski <bmarzins>
Status: CLOSED ERRATA QA Contact: Lin Li <lilin>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.4CC: agk, bmarzins, extras-qa, fedora, heinzm, jbrassow, lilin, lvm-team, msnitzer, prajnoha, prockai
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Unspecified   
URL: https://retrace.fedoraproject.org/faf/reports/bthash/8b9900d9e87e18787862f46c43aa3157f4d72907
Whiteboard: abrt_hash:7c9aeaa942cbac975a8c77735b31c10d5f628205;
Fixed In Version: device-mapper-multipath-0.4.9-112.el7 Doc Type: Bug Fix
Doc Text:
Cause: If kpartx was passes something other than a file or a block device or a badly formed pathname, it could read off the end of the device string, and crash. Consequence: kpartx was crashing instead of failing gracefully, when it was called with invalid options Fix: kpartx now is more careful with it's string processing, and it also simply exits if not passed a file or a block device. Result: kpartx no longer crashes when called with invalid options.
 Story Points: ---
Clone Of: 1447832 Environment:
Last Closed: 2018-04-10 16:10:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1447832    
Bug Blocks: 1469559    

Description Ben Marzinski 2017-05-04 20:58:04 UTC 
+++ This bug was initially created as a clone of Bug #1447832 +++

Version-Release number of selected component:
kpartx-0.4.9-83.fc25

Additional info:
reporter:       libreport-2.8.0
backtrace_rating: 4
cmdline:        kpartx -l /
crash_function: set_delimiter
executable:     /usr/sbin/kpartx
global_pid:     2449
kernel:         4.10.13-200.fc25.x86_64
pkg_fingerprint: 4089 D8F2 FDB1 9C98
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (1 frames)
 #0 set_delimiter at kpartx.c:117

--- Additional comment from sedrubal on 2017-05-03 21:47:21 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:23 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:24 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:26 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:28 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:29 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:31 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:34 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:36 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:38 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:40 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:41 EDT ---



--- Additional comment from sedrubal on 2017-05-03 21:47:43 EDT ---



--- Additional comment from Ben Marzinski on 2017-05-04 16:56:08 EDT ---

Thanks for the report. This will only happen if you run kpartx on something other than a regular file or a block device. I'll fix it up so that it handles this
gracefully.
Comment 3 Ben Marzinski 2017-09-20 00:08:45 UTC 
kpartx was crashing when it was run on something that was not a block device or regular file.  It now fails gracefully in these situations.
Comment 4 sedrubal 2017-09-21 09:57:36 UTC 
If you write

> it could read off the end of the device string, and crash.

do you think it is possible to exploit this bug? Is it worth for a CVE?
Comment 5 Ben Marzinski 2017-09-22 15:30:44 UTC 
(In reply to sedrubal from comment #4)
> If you write
> 
> > it could read off the end of the device string, and crash.
> 
> do you think it is possible to exploit this bug? Is it worth for a CVE?

Not that I can think of.  In the first place, you can only call kpartx as root. There's no possibility of writing any data to this memory.  kpartx doesn't have information in memory that would be dangerous to reveal, and if it tries to access something outside its memory, it will crash. I don't think this is any more dangerous than any other bug with a program deferencing an invalid pointer.
Comment 7 Lin Li 2017-12-22 03:02:39 UTC 
Reproduced on device-mapper-multipath-0.4.9-111.el7 
1, # rpm -qa | grep multipath
device-mapper-multipath-0.4.9-111.el7.x86_64
device-mapper-multipath-libs-0.4.9-111.el7.x86_64

2, # kpartx -l /
Missing major number for persistent device.
Couldn't create ioctl argument.
Missing major number for persistent device.
Couldn't create ioctl argument.
Segmentation fault  <-------------------------

3, # dmesg
[83221.401992] kpartx[513]: segfault at 7ffe00000001 ip 0000000000402b33 sp 00007ffe116823f0 error 4 in kpartx[400000+8000]

4, check /var/log/messages:
Dec 22 03:46:43 localhost kernel: kpartx[513]: segfault at 7ffe00000001 ip 0000000000402b33 sp 00007ffe116823f0 error 4 in kpartx[400000+8000]



Verified on device-mapper-multipath-0.4.9-118.el7
1, # rpm -qa | grep multipath
device-mapper-multipath-debuginfo-0.4.9-118.el7.x86_64
device-mapper-multipath-libs-0.4.9-118.el7.x86_64
device-mapper-multipath-devel-0.4.9-118.el7.x86_64
device-mapper-multipath-sysvinit-0.4.9-118.el7.x86_64
device-mapper-multipath-0.4.9-118.el7.x86_64

2, # kpartx -l /
invalid device: /      <-----------tips invalid device: /

3, # dmesg
   No Segmentation fault

4, check /var/log/messages:
No Segmentation fault
Comment 10 errata-xmlrpc 2018-04-10 16:10:28 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0884