Bug 1448223 - [abrt] kpartx: set_delimiter(): kpartx killed by SIGSEGV
Summary: [abrt] kpartx: set_delimiter(): kpartx killed by SIGSEGV
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: device-mapper-multipath
Version: 7.4
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Ben Marzinski
QA Contact: Lin Li
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:7c9aeaa942cbac975a8c77735b3...
Depends On: 1447832
Blocks: 1469559
Reported: 2017-05-04 20:58 UTC by Ben Marzinski
Modified: 2021-09-03 12:08 UTC

Fixed In Version: device-mapper-multipath-0.4.9-112.el7
Doc Type: Bug Fix
Doc Text:
Cause: If kpartx was passed something other than a file or a block device, or a badly formed pathname, it could read off the end of the device string, and crash.
Consequence: kpartx was crashing instead of failing gracefully when it was called with invalid options.
Fix: kpartx is now more careful with its string processing, and it also simply exits if not passed a file or a block device.
Result: kpartx no longer crashes when called with invalid options.
Clone Of: 1447832
Environment:
Last Closed: 2018-04-10 16:10:28 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0884 0 normal SHIPPED_LIVE device-mapper-multipath bug fix and enhancement update 2018-04-10 13:47:14 UTC

Description Ben Marzinski 2017-05-04 20:58:04 UTC
+++ This bug was initially created as a clone of Bug #1447832 +++

Version-Release number of selected component:
kpartx-0.4.9-83.fc25

Additional info:
reporter:       libreport-2.8.0
backtrace_rating: 4
cmdline:        kpartx -l /
crash_function: set_delimiter
executable:     /usr/sbin/kpartx
global_pid:     2449
kernel:         4.10.13-200.fc25.x86_64
pkg_fingerprint: 4089 D8F2 FDB1 9C98
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (1 frames)
 #0 set_delimiter at kpartx.c:117

--- Additional comment from Ben Marzinski on 2017-05-04 16:56:08 EDT ---

Thanks for the report. This will only happen if you run kpartx on something other than a regular file or a block device. I'll fix it up so that it handles this gracefully.

Comment 3 Ben Marzinski 2017-09-20 00:08:45 UTC
kpartx was crashing when it was run on something that was not a block device or regular file.  It now fails gracefully in these situations.
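
An added example, not the device-mapper-multipath code: one way to implement the two behaviours described for the fix, rejecting anything that is not a regular file or block device and inspecting the device string without reading outside it. The helper names and the rule that a name ending in a digit gets a 'p' delimiter are assumptions for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: accept only regular files and block devices. */
int device_is_usable(const char *path)
{
    struct stat st;
    if (path == NULL || path[0] == '\0' || stat(path, &st) != 0)
        return 0;                      /* empty, missing or unreadable */
    return S_ISREG(st.st_mode) || S_ISBLK(st.st_mode);
}

/* Hypothetical helper: inspect the last character without indexing before
 * the start of the string. Assumed rule: a name ending in a digit gets a
 * 'p' delimiter. Returns 'p', 0 (no delimiter) or -1 on unusable input. */
int choose_delimiter(const char *device)
{
    size_t len = device ? strlen(device) : 0;
    if (len == 0)
        return -1;
    return isdigit((unsigned char)device[len - 1]) ? 'p' : 0;
}

/* Constructed check: a freshly created temporary file is a regular file. */
int temp_file_is_usable(void)
{
    char name[] = "/tmp/kpartx-demo-XXXXXX";
    int fd = mkstemp(name), ok;
    if (fd < 0)
        return -1;
    ok = device_is_usable(name);
    close(fd);
    unlink(name);
    return ok;
}

int main(void)
{
    if (device_is_usable("/"))         /* the argument from the report */
        return 0;
    fprintf(stderr, "invalid device: /\n");
    return 1;
}
```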

Comment 4 sedrubal 2017-09-21 09:57:36 UTC
If you write

> it could read off the end of the device string, and crash.

do you think it is possible to exploit this bug? Is it worth a CVE?

Comment 5 Ben Marzinski 2017-09-22 15:30:44 UTC
(In reply to sedrubal from comment #4)
> If you write
> 
> > it could read off the end of the device string, and crash.
> 
> do you think it is possible to exploit this bug? Is it worth a CVE?

Not that I can think of.  In the first place, you can only call kpartx as root. There's no possibility of writing any data to this memory.  kpartx doesn't have information in memory that would be dangerous to reveal, and if it tries to access something outside its memory, it will crash. I don't think this is any more dangerous than any other bug with a program dereferencing an invalid pointer.

Comment 7 Lin Li 2017-12-22 03:02:39 UTC
Reproduced on device-mapper-multipath-0.4.9-111.el7 
1, # rpm -qa | grep multipath
device-mapper-multipath-0.4.9-111.el7.x86_64
device-mapper-multipath-libs-0.4.9-111.el7.x86_64

2, # kpartx -l /
Missing major number for persistent device.
Couldn't create ioctl argument.
Missing major number for persistent device.
Couldn't create ioctl argument.
Segmentation fault  <-------------------------

3, # dmesg
[83221.401992] kpartx[513]: segfault at 7ffe00000001 ip 0000000000402b33 sp 00007ffe116823f0 error 4 in kpartx[400000+8000]

4, check /var/log/messages:
Dec 22 03:46:43 localhost kernel: kpartx[513]: segfault at 7ffe00000001 ip 0000000000402b33 sp 00007ffe116823f0 error 4 in kpartx[400000+8000]



Verified on device-mapper-multipath-0.4.9-118.el7
1, # rpm -qa | grep multipath
device-mapper-multipath-debuginfo-0.4.9-118.el7.x86_64
device-mapper-multipath-libs-0.4.9-118.el7.x86_64
device-mapper-multipath-devel-0.4.9-118.el7.x86_64
device-mapper-multipath-sysvinit-0.4.9-118.el7.x86_64
device-mapper-multipath-0.4.9-118.el7.x86_64

2, # kpartx -l /
invalid device: /      <-----------tips invalid device: /

3, # dmesg
   No Segmentation fault

4, check /var/log/messages:
No Segmentation fault
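
An added example, not part of the original report: decoding the kernel segfault line from the reproduction steps above into its fields, including the x86 page-fault error code and the instruction pointer's offset inside the mapped binary. The struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
struct segv {
    char comm[32], obj[32];
    unsigned int pid, err;
    unsigned long addr, ip, sp, base, size;
};

/* The dmesg line quoted in the reproduction above. */
const char REPORTED_LINE[] =
    "[83221.401992] kpartx[513]: segfault at 7ffe00000001 ip 0000000000402b33 "
    "sp 00007ffe116823f0 error 4 in kpartx[400000+8000]";

/* Parse a kernel "segfault at" line; returns NULL when it does not match. */
const struct segv *parse_segv(const char *line)
{
    static struct segv s;              /* demo only: not reentrant */
    const char *at = strstr(line, ": segfault at "), *start = at;
    if (at == NULL)
        return NULL;
    while (start > line && start[-1] != ' ')   /* back up to "comm[pid]" */
        start--;
    if (sscanf(start, "%31[^[][%u]", s.comm, &s.pid) != 2 ||
        sscanf(at, ": segfault at %lx ip %lx sp %lx error %x in %31[^[][%lx+%lx]",
               &s.addr, &s.ip, &s.sp, &s.err, s.obj, &s.base, &s.size) != 7)
        return NULL;
    return &s;
}

/* x86 page-fault error code: bit 0 set = protection violation (clear = page
 * not present), bit 1 set = write (clear = read), bit 2 set = user mode. */
int err_is_write(unsigned int err)    { return (err >> 1) & 1; }
int err_is_user(unsigned int err)     { return (err >> 2) & 1; }
int err_not_present(unsigned int err) { return !(err & 1); }

/* Offset of ip from the start of the mapping, or -1 if unparsed/outside. */
long ip_offset(const struct segv *s)
{
    if (s == NULL || s->ip < s->base || s->ip - s->base >= s->size)
        return -1;
    return (long)(s->ip - s->base);
}

int main(void)
{
    printf("ip offset: 0x%lx\n", (unsigned long)ip_offset(parse_segv(REPORTED_LINE)));
    return 0;
}
```

For the reported line, error 4 decodes as a user-mode read of a page that was not present, and the faulting instruction sits at offset 0x2b33 in the kpartx mapping.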

Comment 10 errata-xmlrpc 2018-04-10 16:10:28 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0884

