Bug 240456

Summary: CVE-2006-7203 oops in compat_sys_mount() when data pointer is NULL
Product: Red Hat Enterprise Linux 5
Reporter: Marcel Holtmann <holtmann>
Component: kernel
Assignee: Jerome Marchand <jmarchan>
Status: CLOSED ERRATA
QA Contact: Martin Jenner <mjenner>
Severity: high
Priority: medium
Version: 5.0
CC: coughlan, security-response-team, staubach, steved
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: x86_64
OS: Linux
Whiteboard: impact=important,source=bugzilla,reported=20070511,public=20070515
Fixed In Version: RHSA-2007-0376
Doc Type: Bug Fix
Last Closed: 2007-06-14 14:54:57 UTC
Bug Blocks: 239767    

Description Marcel Holtmann 2007-05-17 17:13:25 UTC
The OpenVZ/Virtuozzo Linux kernel team has discovered the following issue on the
latest RHEL5 kernel:
an unprivileged user is able to crash the node by running a 32-bit "mount -t smbfs ..."

The issue was fixed in mainstream:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff_plain;h=822191a2fa1584a29c3224ab328507adcaeac1ab

[test@dhcp0-43 tmp]$ uname -a
Linux dhcp0-43.sw.ru 2.6.18-8.1.3.el5 #1 SMP Mon Apr 16 15:54:14 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
[test@dhcp0-43 tmp]$ id
uid=502(test) gid=502(test) groups=502(test)
[test@dhcp0-43 tmp]$ file /tmp/mount
/tmp/mount: setuid ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), for GNU/Linux 2.2.5, stripped
[test@dhcp0-43 tmp]$ /tmp/mount -t smbfs // /mnt
mount: only root can do that

>>>> Hmm, will try to strace it

[test@dhcp0-43 tmp]$ strace /tmp/mount -t smbfs // /mnt
execve("/tmp/mount", ["/tmp/mount", "-t", "smbfs", "//", "/mnt"], [/* 23 vars */]) = 0
[ Process PID=2689 runs in 32 bit mode. ]
brk(0)                                  = 0x805e000
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff7ffd000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat64(0x3, 0xffc66d74)                = 0
mmap2(NULL, 79905, PROT_READ, MAP_PRIVATE, 3, 0) = 0xfffffffff7fe9000
close(3)                                = 0
open("/lib/libc.so.6", O_RDONLY)        = 3
read(3, "\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0000\17j"..., 512) = 512
fstat64(0x3, 0xffc66dd8)                = 0
mmap2(0x68b000, 1295780, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x68b000
mmap2(0x7c2000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x137) = 0x7c2000
mmap2(0x7c5000, 9636, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x7c5000
close(3)                                = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xfffffffff7fe8000
set_thread_area(0xffc672c0)             = 0
mprotect(0x7c2000, 8192, PROT_READ)     = 0
mprotect(0x687000, 4096, PROT_READ)     = 0
munmap(0xf7fe9000, 79905)               = 0
brk(0)                                  = 0x805e000
brk(0x807f000)                          = 0x807f000
umask(022)                              = 02
open("/dev/null", O_RDWR|O_LARGEFILE)   = 3
close(3)                                = 0
getuid32()                              = 502
geteuid32()                             = 502
lstat64(0x8057caf, 0xffc674c0)          = 0
stat64(0xffc67150, 0xffc670f0)          = -1 ENOENT (No such file or directory)
rt_sigprocmask(SIG_BLOCK, ~[TRAP SEGV RTMIN RT_1], NULL, 8) = 0
mount("//", "/mnt", "smbfs", MS_MGC_VAL, NULL <unfinished ...>
+++ killed by SIGKILL +++
Process 2689 detached

>>>>>>>>>>>>>> CRASH

Unable to handle kernel NULL pointer dereference at 0000000000000000 RIP:
 [<ffffffff800e9d7d>] compat_sys_mount+0x9c/0x241
PGD f0c4067 PUD f141067 PMD 0
Oops: 0000 [1] SMP
last sysfs file: /devices/pci0000:00/0000:00:10.0/host0/target0:0:0/0:0:0:0/vendor
CPU 0
Modules linked in: xt_length ipt_ttl xt_tcpmss ipt_TCPMSS iptable_mangle iptable_filter xt_multiport xt_limit ipt_tos ipt_REJECT ip_tables autofs4 hidp rfcomm l2cap bluetooth sunrpc 8021q bridge nfnetlink ip6t_REJECT xt_tcpudp ip6table_filter ip6_tables x_tables ipv6 video sbs i2c_ec i2c_core button battery asus_acpi acpi_memhotplug ac lp sg floppy e1000 pcspkr shpchp parport_pc serio_raw parport ide_cd cdrom dm_snapshot dm_zero dm_mirror dm_mod mptspi mptscsih mptbase scsi_transport_spi sd_mod scsi_mod ext3 jbd ehci_hcd ohci_hcd uhci_hcd
Pid: 2689, comm: mount Not tainted 2.6.18-8.1.3.el5 #1
RIP: 0010:[<ffffffff800e9d7d>]  [<ffffffff800e9d7d>] compat_sys_mount+0x9c/0x241
RSP: 0018:ffff81000f35df38  EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff81000f0be000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffffffff802849b1 RDI: ffff81000f0be005
RBP: ffff810017c4e000 R08: 0000000000001000 R09: ffff81000f0f0000
R10: 000000000805e468 R11: 0000000000000001 R12: 000000000805e458
R13: 0000000000000000 R14: 00000000c0ed0000 R15: 0000000000000000
FS:  00002aaaaaac1260(0000) GS:ffffffff8038a000(0063) knlGS:00000000f7fe86c0
CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
CR2: 0000000000000000 CR3: 000000000f118000 CR4: 00000000000006e0
Process mount (pid: 2689, threadinfo ffff81000f35c000, task ffff81000ffd2080)
Stack:  0000000000000000 ffff81000f0f0000 0000000000000000 ffff81000f0be000
 000000000805e458 000000000805e468 0000000000000000 0000000000000000
 0000000000000000 ffffffff8005f194 0000000000000000 0000000000000000
Call Trace:
 [<ffffffff8005f194>] cstar_do_call+0x1b/0x65


Code: 83 3a 06 0f 85 3a 01 00 00 0f b7 42 0c 89 42 14 0f b7 42 0a
RIP  [<ffffffff800e9d7d>] compat_sys_mount+0x9c/0x241
 RSP <ffff81000f35df38>
CR2: 0000000000000000
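
Added example (editor's illustration, not the kernel's code and not part of the report above): a userspace C model of the 32-bit compat mount data path that the oops was executing. The struct layouts, field names and the helper names (smb_data_conv, compat_mount_model, self_check) are simplified assumptions; the only value taken from the report is the version constant 6, which is the cmpl $0x6 in the Code: bytes. The model's hardened form runs the smbfs conversion only when a data page was actually copied from the caller, which is the kind of check the linked upstream fix adds; the defective shape, which converted whenever the type matched, is shown in a comment so the two can be compared.

```c
/* Added example, not the kernel's code: a userspace model of the 32-bit compat
 * mount data path. Struct layouts and names are simplified assumptions. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MODEL_PAGE_SIZE      4096
#define SMB_MOUNT_OLDVERSION 6   /* matches the cmpl $0x6 in the oops's Code: bytes */

/* Assumed 32-bit (compat) layout: ids and modes are 16-bit. */
struct smb_mount_data32 {
    int32_t  version;
    uint16_t mounted_uid, uid, gid, file_mode, dir_mode;
};

/* Assumed native layout expected by the filesystem: 32-bit fields. */
struct smb_mount_data_native {
    int32_t  version;
    uint32_t mounted_uid, uid, gid, file_mode, dir_mode;
};

/* In-place widening of the compat layout into the native one. The first access
 * is the version check; with page == NULL that is the fault the report shows. */
static void smb_data_conv(void *page)
{
    struct smb_mount_data32 in;
    struct smb_mount_data_native *out = page;

    memcpy(&in, page, sizeof in);             /* faults on a NULL page */
    if (in.version != SMB_MOUNT_OLDVERSION)
        return;
    out->version     = in.version;
    out->mounted_uid = in.mounted_uid;
    out->uid         = in.uid;
    out->gid         = in.gid;
    out->file_mode   = in.file_mode;
    out->dir_mode    = in.dir_mode;
}

/* Model of the compat mount data handling. mount(2) allows data == NULL, so a
 * data page is only allocated when the caller passed data. Returns 0 or -errno;
 * *converted reports whether the smbfs conversion ran; *result receives the page
 * contents (when a page was copied) so callers can inspect the outcome. */
static int compat_mount_model(const char *type, const void *user_data, size_t len,
                              struct smb_mount_data_native *result, int *converted)
{
    unsigned char *data_page = NULL;

    *converted = 0;
    if (!type)
        return -EINVAL;
    if (user_data) {
        if (len > MODEL_PAGE_SIZE - 1)
            return -EINVAL;
        data_page = calloc(1, MODEL_PAGE_SIZE);
        if (!data_page)
            return -ENOMEM;
        memcpy(data_page, user_data, len);
    }

    /* Defective shape:  if (strcmp(type, "smbfs") == 0) smb_data_conv(data_page);
     *   -> NULL dereference for a 32-bit "mount -t smbfs" that passes no data.
     * Hardened shape: also require that a data page was actually copied. */
    if (data_page && strcmp(type, "smbfs") == 0) {
        smb_data_conv(data_page);
        *converted = 1;
    }
    if (result && data_page)
        memcpy(result, data_page, sizeof *result);
    free(data_page);
    return 0;
}

/* Exercises the NULL-data and real-data cases; returns 0 when both behave. */
static int self_check(void)
{
    /* Constructed sample input in the compat layout. */
    struct smb_mount_data32 in = { SMB_MOUNT_OLDVERSION, 1000, 1001, 1002, 0644, 0755 };
    struct smb_mount_data_native out;
    int conv;

    memset(&out, 0, sizeof out);
    /* NULL data, as in the report: accepted, conversion skipped, no crash. */
    if (compat_mount_model("smbfs", NULL, 0, &out, &conv) != 0 || conv != 0)
        return 1;
    /* Compat data present: every 16-bit field widened in place. */
    if (compat_mount_model("smbfs", &in, sizeof in, &out, &conv) != 0 || conv != 1)
        return 2;
    if (out.version != SMB_MOUNT_OLDVERSION || out.mounted_uid != 1000 ||
        out.uid != 1001 || out.gid != 1002 || out.file_mode != 0644 ||
        out.dir_mode != 0755)
        return 3;
    /* Other filesystem type: data copied through untouched, no conversion. */
    if (compat_mount_model("ext3", &in, sizeof in, &out, &conv) != 0 || conv != 0)
        return 4;
    return 0;
}

int main(void)
{
    int rc = self_check();
    printf("compat mount model: %s\n", rc == 0 ? "ok" : "mismatch");
    return rc;
}
```

The point of the model is the ordering of the two conditions: the type string is always available, but the data page exists only when userspace supplied one, so any per-filesystem conversion has to be gated on the page as well as on the type. Running the block with the defective shape restored segfaults on the first case exactly where the report's RIP sits, inside the conversion's version check.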

Comment 7 Jerome Marchand 2007-05-23 15:26:53 UTC
fixed in build 2.6.18-8.1.5.el5

Comment 9 Mike Gahagan 2007-06-08 20:06:15 UTC
verified with 2.6.18-8.1.5.el5xen using testcase in bz239767

Comment 11 Red Hat Bugzilla 2007-06-14 14:54:57 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2007-0376.html