Bug 1448223 - [abrt] kpartx: set_delimiter(): kpartx killed by SIGSEGV
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: device-mapper-multipath (Show other bugs)
Version: 7.4
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assigned To: Ben Marzinski
QA Contact: Lin Li
URL: https://retrace.fedoraproject.org/faf...
Whiteboard: abrt_hash:7c9aeaa942cbac975a8c77735b3...
Depends On: 1447832
Blocks: 1469559
Reported: 2017-05-04 16:58 EDT by Ben Marzinski
Modified: 2018-04-10 12:10 EDT (History)

See Also:
Fixed In Version: device-mapper-multipath-0.4.9-112.el7
Doc Type: Bug Fix
Doc Text:
Cause: If kpartx was passed something other than a regular file or a block device, or a badly formed pathname, it could read off the end of the device string and crash.
Consequence: kpartx crashed instead of failing gracefully when it was called with invalid arguments.
Fix: kpartx is now more careful with its string processing, and it simply exits if it is not passed a regular file or a block device.
Result: kpartx no longer crashes when called with invalid arguments.
Story Points: ---
Clone Of: 1447832
Environment:
Last Closed: 2018-04-10 12:10:28 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0884 normal SHIPPED_LIVE device-mapper-multipath bug fix and enhancement update 2018-04-10 09:47:14 EDT

Description Ben Marzinski 2017-05-04 16:58:04 EDT
+++ This bug was initially created as a clone of Bug #1447832 +++

Version-Release number of selected component:
kpartx-0.4.9-83.fc25

Additional info:
reporter:       libreport-2.8.0
backtrace_rating: 4
cmdline:        kpartx -l /
crash_function: set_delimiter
executable:     /usr/sbin/kpartx
global_pid:     2449
kernel:         4.10.13-200.fc25.x86_64
pkg_fingerprint: 4089 D8F2 FDB1 9C98
pkg_vendor:     Fedora Project
runlevel:       N 5
type:           CCpp
uid:            0

Truncated backtrace:
Thread no. 1 (1 frames)
 #0 set_delimiter at kpartx.c:117

--- Additional comment from Ben Marzinski on 2017-05-04 16:56:08 EDT ---

Thanks for the report. This will only happen if you run kpartx on something other than a regular file or a block device. I'll fix it up so that it handles this gracefully.
Comment 3 Ben Marzinski 2017-09-19 20:08:45 EDT
kpartx was crashing when it was run on something that was not a block device or regular file.  It now fails gracefully in these situations.
Comment 4 sedrubal 2017-09-21 05:57:36 EDT
If you write

> it could read off the end of the device string, and crash.

do you think it is possible to exploit this bug? Is it worth for a CVE?
Comment 5 Ben Marzinski 2017-09-22 11:30:44 EDT
(In reply to sedrubal from comment #4)
> If you write
> 
> > it could read off the end of the device string, and crash.
> 
> do you think it is possible to exploit this bug? Is it worth for a CVE?

Not that I can think of.  In the first place, you can only call kpartx as root. There's no possibility of writing any data to this memory.  kpartx doesn't have information in memory that would be dangerous to reveal, and if it tries to access something outside its memory, it will crash. I don't think this is any more dangerous than any other bug with a program dereferencing an invalid pointer.
Comment 7 Lin Li 2017-12-21 22:02:39 EST
Reproduced on device-mapper-multipath-0.4.9-111.el7
1, # rpm -qa | grep multipath
device-mapper-multipath-0.4.9-111.el7.x86_64
device-mapper-multipath-libs-0.4.9-111.el7.x86_64

2, # kpartx -l /
Missing major number for persistent device.
Couldn't create ioctl argument.
Missing major number for persistent device.
Couldn't create ioctl argument.
Segmentation fault  <-------------------------

3, # dmesg
[83221.401992] kpartx[513]: segfault at 7ffe00000001 ip 0000000000402b33 sp 00007ffe116823f0 error 4 in kpartx[400000+8000]

4, check /var/log/messages:
Dec 22 03:46:43 localhost kernel: kpartx[513]: segfault at 7ffe00000001 ip 0000000000402b33 sp 00007ffe116823f0 error 4 in kpartx[400000+8000]



Verified on device-mapper-multipath-0.4.9-118.el7
1, # rpm -qa | grep multipath
device-mapper-multipath-debuginfo-0.4.9-118.el7.x86_64
device-mapper-multipath-libs-0.4.9-118.el7.x86_64
device-mapper-multipath-devel-0.4.9-118.el7.x86_64
device-mapper-multipath-sysvinit-0.4.9-118.el7.x86_64
device-mapper-multipath-0.4.9-118.el7.x86_64

2, # kpartx -l /
invalid device: /      <----------- prints "invalid device: /"

3, # dmesg
   No Segmentation fault

4, check /var/log/messages:
No Segmentation fault
Comment 10 errata-xmlrpc 2018-04-10 12:10:28 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0884
