A null dereference crash occurs in memcpy() when preparing a new set of credentials for modification. A possible kmalloc-192 slab use-after-free.

Solution Unverified - Updated -

Issue

  • A null dereference crash occurs in memcpy() when preparing a new set of credentials for modification.
[7856208.535042] BUG: unable to handle kernel NULL pointer dereference at           (null)
[7856208.543899] IP: [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.549672] PGD 0 
[7856208.552088] Oops: 0000 [#1] SMP 
[7856208.555852] Modules linked in: rpcsec_gss_krb5 dm_round_robin mmfs26(OE) mmfslinux(OE) tracedev(OE) dell_rbu ib_srp(OE) scsi_transport_srp(OE) rdma_ucm(OE) ib_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_uverbs(OE) ib_umad(OE) mlx5_ib(OE) mlx5_core(OE) mlx4_en(OE) vxlan ip6_udp_tunnel udp_tunnel intel_powerclamp coretemp kvm_intel kvm iTCO_wdt iTCO_vendor_support crc32_pclmul ipmi_devintf ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd sg pcspkr hpilo hpwdt sb_edac edac_core ipmi_si ipmi_msghandler wmi acpi_power_meter shpchp ioatdma dca lpc_ich mfd_core pcc_cpufreq dm_multipath binfmt_misc knem(OE) nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 mlx4_ib(OE) ib_sa(OE) ib_mad(OE) ib_core(OE) ib_addr(OE) ib_netlink(OE) ata_generic pata_acpi
[7856208.634919]  sd_mod crc_t10dif crct10dif_generic mgag200 crct10dif_pclmul syscopyarea crct10dif_common sysfillrect crc32c_intel sysimgblt drm_kms_helper serio_raw sfc ttm ata_piix mdio drm ptp libata pps_core mtd i2c_algo_bit hpsa mlx4_core(OE) i2c_core mlx_compat(OE) dm_mirror dm_region_hash dm_log dm_mod
[7856208.664713] CPU: 1 PID: 9876 Comm: sudo Tainted: G           OE  ------------   3.10.0-327.36.3.el7.x86_64 #1
[7856208.675985] Hardware name: HP ProLiant DL360p Gen8, BIOS P71 07/01/2015
[7856208.683858] task: ffff882ef39cf300 ti: ffff882da25ec000 task.ti: ffff882da25ec000
[7856208.692611] RIP: 0010:[<ffffffff81301626>]  [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.702194] RSP: 0018:ffff882da25efec8  EFLAGS: 00010286
[7856208.709382] RAX: ffff882d9322ea00 RBX: 0000000000000018 RCX: 0000000000000018
[7856208.718576] RDX: 0000000000000018 RSI: 0000000000000000 RDI: ffff882d9322ea00
[7856208.727950] RBP: ffff882da25efee0 R08: 0000000000019540 R09: ffff882f7f003c00
[7856208.737348] R10: 00007f499cc5b2e0 R11: 0000000000000246 R12: 0000000000000000
[7856208.746515] R13: 00000000ffffffff R14: 00000000ffffffff R15: 00000000ffffffff
[7856208.756014] FS:  00007f499df04800(0000) GS:ffff882f7f640000(0000) knlGS:0000000000000000
[7856208.766540] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[7856208.774385] CR2: 0000000000000000 CR3: 0000002eade6e000 CR4: 00000000001407e0
[7856208.783638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[7856208.792862] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[7856208.801943] Stack:
[7856208.805370]  ffffffff81186cb6 ffff882ea81d2300 ffff882ef39cf300 ffff882da25efef8
[7856208.815040]  ffffffff8128a75b ffff882ea81d2300 ffff882da25eff08 ffffffff81286366
[7856208.824412]  ffff882da25eff28 ffffffff810ac876 00000000ffffffff ffffffff8197e700
[7856208.834182] Call Trace:
[7856208.838368]  [<ffffffff81186cb6>] ? kmemdup+0x36/0x50
[7856208.845239]  [<ffffffff8128a75b>] selinux_cred_prepare+0x1b/0x30
[7856208.853015]  [<ffffffff81286366>] security_prepare_creds+0x16/0x20
[7856208.861249]  [<ffffffff810ac876>] prepare_creds+0xf6/0x1c0
[7856208.868513]  [<ffffffff81097613>] SyS_setresuid+0x93/0x210
[7856208.875628]  [<ffffffff81646b49>] system_call_fastpath+0x16/0x1b
[7856208.883292] Code: 43 58 48 2b 43 50 88 43 4e 5b 5d c3 66 0f 1f 84 00 00 00 00 00 e8 fb fb ff ff eb e2 90 90 90 90 90 90 90 90 90 48 89 f8 48 89 d1 <f3> a4 c3 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 20 4c 8b 06 4c 8b 
[7856208.907223] RIP  [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.914137]  RSP <ffff882da25efec8>
[7856208.919388] CR2: 0000000000000000
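
The register dump already says which memcpy() argument was bad. The following triage script is an added example, not part of the original article or any Red Hat tooling; the names parse_oops and triage_memcpy are introduced here. It assumes the x86-64 argument registers (RDI=dest, RSI=src, RDX=len) are still intact at memcpy+0x6, which the matching RAX/RDI and RCX/RDX values in this oops support.

```python
import re

# Excerpt of the oops above: faulting IP, argument registers, CR2 and the call trace.
OOPS = """\
[7856208.543899] IP: [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.718576] RDX: 0000000000000018 RSI: 0000000000000000 RDI: ffff882d9322ea00
[7856208.774385] CR2: 0000000000000000 CR3: 0000002eade6e000 CR4: 00000000001407e0
[7856208.838368]  [<ffffffff81186cb6>] ? kmemdup+0x36/0x50
[7856208.845239]  [<ffffffff8128a75b>] selinux_cred_prepare+0x1b/0x30
[7856208.853015]  [<ffffffff81286366>] security_prepare_creds+0x16/0x20
[7856208.861249]  [<ffffffff810ac876>] prepare_creds+0xf6/0x1c0
[7856208.868513]  [<ffffffff81097613>] SyS_setresuid+0x93/0x210
"""

REG_RE = re.compile(r"\b(R[A-Z0-9]{1,2}|CR\d): ([0-9a-f]{16})\b")
FRAME_RE = re.compile(r"\[<[0-9a-f]{16}>\] (\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")

def parse_oops(text):
    """Return (registers, faulting symbol, [(symbol, reliable), ...])."""
    regs = {name: int(value, 16) for name, value in REG_RE.findall(text)}
    ip, trace = None, []
    for line in text.splitlines():
        frame = FRAME_RE.search(line)
        if frame is None:
            continue
        unreliable, symbol = frame.groups()
        if re.search(r"\bR?IP\b", line):
            ip = symbol  # "IP:" / "RIP:" lines name the faulting function
        else:
            # a "?" prefix marks a frame the unwinder could not confirm
            trace.append((symbol, unreliable is None))
    return regs, ip, trace

def triage_memcpy(text):
    """Map the fault address (CR2) onto memcpy's dest/src ranges."""
    regs, ip, trace = parse_oops(text)
    if ip != "memcpy":
        return None
    dest, src, length, fault = regs["RDI"], regs["RSI"], regs["RDX"], regs["CR2"]
    bad = "src" if src <= fault < src + length else \
          "dest" if dest <= fault < dest + length else "unknown"
    return {"bad_arg": bad, "null": fault == 0, "len": length,
            "callers": [symbol for symbol, _ in trace]}

if __name__ == "__main__":
    print(triage_memcpy(OOPS))
```

For this oops the script reports a NULL source pointer and a 0x18-byte copy, reached through kmemdup() from selinux_cred_prepare().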

Environment

  • Red Hat Enterprise Linux 7.2 (kernel-3.10.0-327.36.3.el7)
  • mmfslinux and mmfs26 are installed and loaded
