Reported by Michael Simms:

Any user can crash init with a single command

Version-Release number of selected component (if applicable):
Fedora 9, patched to latest as of 90 minutes ago

How reproducible:
Always. May have to run the command 2-3 times but it always crashes the kernel in the end.

Steps to Reproduce:
1. as ANY user - start a shell
2. gdb any_executable 1
3. There will be a kernel oops and usually a kernel crash or hang

Actual results:
Kernel blows up

Expected results:
Kernel doesn't blow up, permission denied for process init

Additional info:
Thanks Michael. This is reproducible with kernel-2.6.26.3-29.fc9 on x86 and x86_64.

[eugene@localhost ~]$ gdb /bin/sh 1
GNU gdb Fedora (6.8-21.fc9)
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-redhat-linux-gnu"...
(no debugging symbols found)
Attaching to program: /bin/sh, process 1
[...]
BUG: unable to handle kernel NULL pointer dereference at 0000000000000028
IP: [<ffffffff8106a404>] utrace_control+0x56/0x231
PGD 132d0b067 PUD 1249bf067 PMD 2e08f067 PTE 0
Oops: 0000 [1] SMP
CPU 0
Modules linked in: aes_x86_64 aes_generic ipt_MASQUERADE iptable_nat nf_nat bridge bnep rfcomm l2cap ib_iser rdma_cm ib_cm iw_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi scsi_transport_iscsi fuse sunrpc ipt_REJECT nf_conntrack_ipv4 iptable_filter ip_tables ip6t_REJECT xt_tcpudp nf_conntrack_ipv6 xt_state nf_conntrack ip6table_filter ip6_tables x_tables cpufreq_ondemand acpi_cpufreq freq_table dm_multipath ipv6 uinput kvm_intel kvm sr_mod cdrom thinkpad_acpi hwmon snd_hda_intel pcspkr joydev arc4 ecb firewire_ohci crypto_blkcipher sdhci firewire_core snd_seq_dummy mmc_core crc_itu_t ricoh_mmc snd_seq_oss yenta_socket snd_seq_midi_event rsrc_nonstatic iTCO_wdt snd_seq iTCO_vendor_support i2c_i801 snd_seq_device sg ata_piix snd_pcm_oss snd_mixer_oss iwl3945 snd_pcm rfkill mac80211 snd_timer snd_page_alloc snd_hwdep cfg80211 snd soundcore battery ac video output bay i915 wmi drm e1000e i2c_algo_bit hci_usb pata_acpi ata_generic i2c_core bluetooth dm_snapshot dm_zero dm_mirror dm_log dm_mod ahci libata sd_mod scsi_mod ext3 jbd mbcache uhci_hcd ohci_hcd ehci_hcd [last unloaded: microcode]
Pid: 25599, comm: gdb Not tainted 2.6.26.3-29.fc9.x86_64 #1
RIP: 0010:[<ffffffff8106a404>]  [<ffffffff8106a404>] utrace_control+0x56/0x231
RSP: 0018:ffff8100228fbeb8  EFLAGS: 00010246
RAX: 0000000000000202 RBX: ffff81013b064000 RCX: 0000000000000013
RDX: 0000000000000006 RSI: 0000000000000000 RDI: ffff81013b064020
RBP: ffff8100228fbef8 R08: 0000000000000006 R09: 0000000000000001
R10: 0000000000000000 R11: ffff81013bab8000 R12: 00000000ffffffff
R13: ffff81013b064000 R14: ffff81013bab8000 R15: 0000000000000000
FS:  00007f6058d6f780(0000) GS:ffffffff81417000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000028 CR3: 0000000115875000 CR4: 00000000000026e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process gdb (pid: 25599, threadinfo ffff8100228fa000, task ffff81013a45ad40)
Stack:  ffff810000000006 ffff81013bab8000 ffff8100228fbed8 ffff81013bab8000
 00000000ffffffff 0000000000000246 ffff81013bab85f8 0000000000000000
 ffff8100228fbf38 ffffffff8103f78b ffff8100228fbf18 ffff81013bab8000
Call Trace:
 [<ffffffff8103f78b>] ptrace_attach+0x144/0x174
 [<ffffffff8103f8bd>] sys_ptrace+0x54/0xaf
 [<ffffffff8100c291>] tracesys+0xd0/0xd5

Code: 00 48 85 db 74 41 83 bf 28 02 00 00 20 74 38 48 8d 7b 20 89 55 c0 e8 6b 24 23 00 4d 8b ae e0 05 00 00 44 8b 45 c0 49 39 dd 75 0c <49> 8b 47 28 48 3d 00 e2 2b 81 75 05 fe 43 20 eb 0b 49 81 fd 00
RIP  [<ffffffff8106a404>] utrace_control+0x56/0x231
 RSP <ffff8100228fbeb8>
CR2: 0000000000000028
rhel-5 and upstream kernels appear to be unaffected. Tested with kernel-2.6.18-116.el5.i686 and 2.6.27-rc7.i686.

[test@dell-pe1650-1 ~]$ gdb /bin/sh 1
[...]
Attaching to program: /bin/sh, process 1
ptrace: Operation not permitted.
/home/test/1: No such file or directory.

utrace_control came from F-9/linux-2.6-utrace.patch.
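The unaffected kernels above deny the attach to PID 1 with EPERM, which is the behaviour a defender can monitor for. The following is an added example, not part of this bug report or of the Fedora kernel: it parses auditd SYSCALL records and flags every PTRACE_ATTACH aimed at PID 1, distinguishing the expected denial from a succeeded attach. It assumes an audit rule such as `-a always,exit -F arch=b64 -S ptrace -F a1=1 -k ptrace_init` is loaded; the log lines below are constructed.

```python
import re

# Constructed auditd records (not from the bug report). On x86_64, syscall 101
# is ptrace; a0 is the request (0x10 = PTRACE_ATTACH) and a1 is the target pid.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1222000000.101:311): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=1 a2=0 a3=0 items=0 ppid=25590 pid=25599 auid=500 uid=500 gid=500 comm="gdb" exe="/usr/bin/gdb" key="ptrace_init"
type=SYSCALL msg=audit(1222000000.102:312): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=25601 a2=0 a3=0 items=0 ppid=25590 pid=25599 auid=500 uid=500 gid=500 comm="gdb" exe="/usr/bin/gdb" key="ptrace_init"
type=SYSCALL msg=audit(1222000000.103:313): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=1 a2=0 a3=0 items=0 ppid=25590 pid=25599 auid=500 uid=500 gid=500 comm="gdb" exe="/usr/bin/gdb" key="ptrace_init"
type=SYSCALL msg=audit(1222000000.104:314): arch=c000003e syscall=2 success=yes exit=3 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=1 pid=300 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat" key=(null)
"""

# ptrace syscall number per audit arch value: x86_64 (c000003e) and i386 (40000003).
PTRACE_SYSCALL_NR = {"c000003e": 101, "40000003": 26}
PTRACE_ATTACH = 0x10
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def find_ptrace_attach_to_init(log_text):
    """Return (serial, uid, comm, succeeded) for each PTRACE_ATTACH targeting pid 1.

    succeeded=False is the expected EPERM denial seen on the unaffected kernels;
    succeeded=True for an unprivileged uid is the anomaly worth alerting on.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        if int(rec.get("syscall", -1)) != PTRACE_SYSCALL_NR.get(rec.get("arch")):
            continue
        # a0/a1 are hex in audit records; only attach requests on pid 1 matter here.
        if int(rec["a0"], 16) != PTRACE_ATTACH or int(rec["a1"], 16) != 1:
            continue
        serial = rec["msg"].split(":")[1].rstrip(")")  # audit(time:serial)
        hits.append((serial, rec["uid"], rec["comm"], rec["success"] == "yes"))
    return hits


if __name__ == "__main__":
    for serial, uid, comm, ok in find_ptrace_attach_to_init(SAMPLE_AUDIT_LOG):
        print(f"{serial}: uid={uid} comm={comm} attach to pid 1 {'SUCCEEDED' if ok else 'denied'}")
```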
2.6.26.5 kernels for f-8 and f-9 got pushed yesterday.

2.6.26.5-28.fc8
2.6.26.5-45.fc9
Reference: http://article.gmane.org/gmane.comp.security.oss.general/1003
This is fixed in 2.6.26.5-45.fc9. Thanks.