Bug 652972 - NULL pointer dereference in nameidata_to_filp after avc denial
Summary: NULL pointer dereference in nameidata_to_filp after avc denial
Keywords:
Status: CLOSED INSUFFICIENT_DATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 14
Hardware: Unspecified
OS: Unspecified
low
medium
Target Milestone: ---
Assignee: Kernel Maintainer List
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2010-11-13 22:01 UTC by Enrico Scholz
Modified: 2011-10-11 19:47 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-10-11 19:47:26 UTC
Type: ---


Attachments (Terms of Use)

Description Enrico Scholz 2010-11-13 22:01:04 UTC
Description of problem:

Trying to open a file on an NFS4 (krb5i) mounted partion and denying
this by SELinux policy causes a kernel oops:

[ 1841.233320] type=1400 audit(1289684788.194:30): avc:  denied  { open } for  pid=6211 comm="python" name=".bitbake.elito.conf" dev=0:16 ino=41932 scontext=unconfined_u:unconfined_r:build_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
[ 1841.234331] BUG: unable to handle kernel NULL pointer dereference at 000000000000000b
[ 1841.234339] IP: [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1841.234350] PGD 121de4067 PUD 135a1b067 PMD 0
[ 1841.234359] Oops: 0000 [#1] SMP
[ 1841.234365] last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
[ 1841.234370] CPU 0
[ 1841.234372] Modules linked in: fuse ip6_tables ebtable_nat ebtables nfsd exportfs coretemp des_generic nfs fscache nfs_acl rpcsec_gss_krb5 auth_rpcgss lockd sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf bridge stp llc iptable_nat nf_nat xt_pkttype xt_physdev ipt_LOG xt_limit sha256_generic cryptd aes_x86_64 aes_generic cbc dm_crypt kvm_intel kvm uinput snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device ftdi_sio snd_pcm snd_timer snd e1000e soundcore usbserial tpm_infineon snd_page_alloc serio_raw iTCO_wdt iTCO_vendor_support microcode usb_storage ata_generic pata_acpi i915 drm_kms_helper drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan]
[ 1841.234498]
[ 1841.234501] Pid: 6211, comm: python Not tainted 2.6.35.6-48.fc14.x86_64 #1 D2314-A3/ESPRIMO P5916 iAMT
[ 1841.234505] RIP: 0010:[<ffffffff811163e7>]  [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1841.234510] RSP: 0018:ffff880121e49d48  EFLAGS: 00010286
[ 1841.234513] RAX: fffffffffffffff3 RBX: ffff880121e49e28 RCX: 0000000000000002
[ 1841.234516] RDX: 0000000000000000 RSI: 000000000000012f RDI: ffff880121e49e28
[ 1841.234519] RBP: ffff880121e49d58 R08: ffff8801093829c0 R09: 0000000000000000
[ 1841.234521] R10: 00000000000006ab R11: 0000000000000002 R12: 0000000000000000
[ 1841.234524] R13: 0000000000008000 R14: 0000000000000000 R15: ffff880114aba000
[ 1841.234528] FS:  00007feb797f1720(0000) GS:ffff880002000000(0000) knlGS:0000000000000000
[ 1841.234531] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1841.234534] CR2: 000000000000000b CR3: 0000000130f76000 CR4: 00000000000006f0
[ 1841.234537] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1841.234539] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1841.234543] Process python (pid: 6211, threadinfo ffff880121e48000, task ffff880133315d00)
[ 1841.234545] Stack:
[ 1841.234547]  0000000000000000 0000000000008000 ffff880121e49da8 ffffffff81122048
[ 1841.234553] <0> ffff8801093829c0 0000002400000024 ffff880121e49d88 ffff880121e49e28
[ 1841.234560] <0> 0000000000008000 0000000000000024 0000000000000000 0000000000008001
[ 1841.234568] Call Trace:
[ 1841.234573]  [<ffffffff81122048>] do_last+0x457/0x5d4
[ 1841.234578]  [<ffffffff811223f5>] do_filp_open+0x230/0x5e1
[ 1841.234583]  [<ffffffff81467b5d>] ? _cond_resched+0xe/0x22
[ 1841.234589]  [<ffffffff81221660>] ? might_fault+0x21/0x23
[ 1841.234593]  [<ffffffff81221760>] ? __strncpy_from_user+0x1f/0x4e
[ 1841.234597]  [<ffffffff8112b619>] ? alloc_fd+0x74/0x11f
[ 1841.234601]  [<ffffffff81116477>] do_sys_open+0x64/0x110
[ 1841.234605]  [<ffffffff81116543>] sys_open+0x20/0x22
[ 1841.234610]  [<ffffffff81009cf2>] system_call_fastpath+0x16/0x1b
[ 1841.234612] Code: 49 63 c6 41 5e c9 c3 55 48 89 e5 48 83 ec 10 0f 1f 44 00 00 65 48 8b 04 25 00 cc 00 00 4c 8b 80 40 04 00 00 48 8b 87 90 00 00 00 <48> 83 78 18 00 75 16 4c 8b 4f 08 48 8b 37 31 c9 48 89 c2 4c 89
[ 1841.234683] RIP  [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1841.234688]  RSP <ffff880121e49d48>
[ 1841.234690] CR2: 000000000000000b
[ 1841.234694] ---[ end trace 281ed826b18e4c83 ]---

[ 1923.454549] type=1400 audit(1289684870.416:31): avc:  denied  { open } for  pid=6236 comm="python" name=".bitbake.elito.conf" dev=0:16 ino=41932 scontext=unconfined_u:unconfined_r:build_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
[ 1923.455475] BUG: unable to handle kernel NULL pointer dereference at 000000000000000b
[ 1923.455481] IP: [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1923.455492] PGD 1149c7067 PUD 114b69067 PMD 0



Version-Release number of selected component (if applicable):

kernel-2.6.35.6-48.fc14.x86_64

Comment 1 Enrico Scholz 2010-11-17 12:40:50 UTC
oops is at

/usr/src/debug/kernel-2.6.35.fc14/linux-2.6.35.x86_64/fs/open.c:789
ffffffff811163e7:       48 83 78 18 00          cmpq   $0x0,0x18(%rax) <<<

with rax being 0xfffffffffffffff3 (-13 == -EACCESS)

Comment 2 Josh Boyer 2011-08-31 16:40:11 UTC
Does this still happen on the latest f14 or f15 kernel?

Comment 3 Dave Jones 2011-10-11 19:47:26 UTC
unlikely to be fixed in f14, due to the limited time remaining in its lifecycle.


Note You need to log in before you can comment on or make changes to this bug.