A null dereference crash occurs in memcpy() when preparing a new set of credentials for modification. A possible kmalloc-192 slab use-after-free.
Issue
- A null dereference crash occurs in memcpy() when preparing a new set of credentials for modification.
[7856208.535042] BUG: unable to handle kernel NULL pointer dereference at (null)
[7856208.543899] IP: [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.549672] PGD 0
[7856208.552088] Oops: 0000 [#1] SMP
[7856208.555852] Modules linked in: rpcsec_gss_krb5 dm_round_robin mmfs26(OE) mmfslinux(OE) tracedev(OE) dell_rbu ib_srp(OE) scsi_transport_srp(OE) rdma_ucm(OE) ib_ucm(OE) rdma_cm(OE) iw_cm(OE) ib_ipoib(OE) ib_cm(OE) ib_uverbs(OE) ib_umad(OE) mlx5_ib(OE) mlx5_core(OE) mlx4_en(OE) vxlan ip6_udp_tunnel udp_tunnel intel_powerclamp coretemp kvm_intel kvm iTCO_wdt iTCO_vendor_support crc32_pclmul ipmi_devintf ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd sg pcspkr hpilo hpwdt sb_edac edac_core ipmi_si ipmi_msghandler wmi acpi_power_meter shpchp ioatdma dca lpc_ich mfd_core pcc_cpufreq dm_multipath binfmt_misc knem(OE) nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 mlx4_ib(OE) ib_sa(OE) ib_mad(OE) ib_core(OE) ib_addr(OE) ib_netlink(OE) ata_generic pata_acpi
[7856208.634919] sd_mod crc_t10dif crct10dif_generic mgag200 crct10dif_pclmul syscopyarea crct10dif_common sysfillrect crc32c_intel sysimgblt drm_kms_helper serio_raw sfc ttm ata_piix mdio drm ptp libata pps_core mtd i2c_algo_bit hpsa mlx4_core(OE) i2c_core mlx_compat(OE) dm_mirror dm_region_hash dm_log dm_mod
[7856208.664713] CPU: 1 PID: 9876 Comm: sudo Tainted: G OE ------------ 3.10.0-327.36.3.el7.x86_64 #1
[7856208.675985] Hardware name: HP ProLiant DL360p Gen8, BIOS P71 07/01/2015
[7856208.683858] task: ffff882ef39cf300 ti: ffff882da25ec000 task.ti: ffff882da25ec000
[7856208.692611] RIP: 0010:[<ffffffff81301626>] [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.702194] RSP: 0018:ffff882da25efec8 EFLAGS: 00010286
[7856208.709382] RAX: ffff882d9322ea00 RBX: 0000000000000018 RCX: 0000000000000018
[7856208.718576] RDX: 0000000000000018 RSI: 0000000000000000 RDI: ffff882d9322ea00
[7856208.727950] RBP: ffff882da25efee0 R08: 0000000000019540 R09: ffff882f7f003c00
[7856208.737348] R10: 00007f499cc5b2e0 R11: 0000000000000246 R12: 0000000000000000
[7856208.746515] R13: 00000000ffffffff R14: 00000000ffffffff R15: 00000000ffffffff
[7856208.756014] FS: 00007f499df04800(0000) GS:ffff882f7f640000(0000) knlGS:0000000000000000
[7856208.766540] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[7856208.774385] CR2: 0000000000000000 CR3: 0000002eade6e000 CR4: 00000000001407e0
[7856208.783638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[7856208.792862] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[7856208.801943] Stack:
[7856208.805370] ffffffff81186cb6 ffff882ea81d2300 ffff882ef39cf300 ffff882da25efef8
[7856208.815040] ffffffff8128a75b ffff882ea81d2300 ffff882da25eff08 ffffffff81286366
[7856208.824412] ffff882da25eff28 ffffffff810ac876 00000000ffffffff ffffffff8197e700
[7856208.834182] Call Trace:
[7856208.838368] [<ffffffff81186cb6>] ? kmemdup+0x36/0x50
[7856208.845239] [<ffffffff8128a75b>] selinux_cred_prepare+0x1b/0x30
[7856208.853015] [<ffffffff81286366>] security_prepare_creds+0x16/0x20
[7856208.861249] [<ffffffff810ac876>] prepare_creds+0xf6/0x1c0
[7856208.868513] [<ffffffff81097613>] SyS_setresuid+0x93/0x210
[7856208.875628] [<ffffffff81646b49>] system_call_fastpath+0x16/0x1b
[7856208.883292] Code: 43 58 48 2b 43 50 88 43 4e 5b 5d c3 66 0f 1f 84 00 00 00 00 00 e8 fb fb ff ff eb e2 90 90 90 90 90 90 90 90 90 48 89 f8 48 89 d1 <f3> a4 c3 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 20 4c 8b 06 4c 8b
[7856208.907223] RIP [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.914137] RSP <ffff882da25efec8>
[7856208.919388] CR2: 0000000000000000
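An added triage sketch, not part of the original article or of any Red Hat tooling: it parses the register and call-trace lines of the oops above and reads the registers as memcpy(dst=RDI, src=RSI, n=RDX) under the x86-64 calling convention, showing that the source pointer handed down from selinux_cred_prepare() was NULL. The function names `triage` and `summarize` are hypothetical.

```python
import re

# Excerpt of the oops quoted above (only the lines this triage needs).
OOPS = """\
[7856208.692611] RIP: 0010:[<ffffffff81301626>] [<ffffffff81301626>] memcpy+0x6/0x110
[7856208.709382] RAX: ffff882d9322ea00 RBX: 0000000000000018 RCX: 0000000000000018
[7856208.718576] RDX: 0000000000000018 RSI: 0000000000000000 RDI: ffff882d9322ea00
[7856208.774385] CR2: 0000000000000000 CR3: 0000002eade6e000 CR4: 00000000001407e0
[7856208.838368] [<ffffffff81186cb6>] ? kmemdup+0x36/0x50
[7856208.845239] [<ffffffff8128a75b>] selinux_cred_prepare+0x1b/0x30
[7856208.853015] [<ffffffff81286366>] security_prepare_creds+0x16/0x20
[7856208.861249] [<ffffffff810ac876>] prepare_creds+0xf6/0x1c0
[7856208.868513] [<ffffffff81097613>] SyS_setresuid+0x93/0x210
"""

REG = re.compile(r"\b([A-Z][A-Z0-9]{1,2}):\s*([0-9a-f]{16})\b")
RIP = re.compile(r"RIP: \S+\s+\[<[0-9a-f]+>\]\s+(\w+)\+0x")
FRAME = re.compile(r"\[<[0-9a-f]{16}>\]\s+(\? )?(\w+)\+0x")

def triage(text):
    """Return (faulting function, registers, [(frame name, reliable?)])."""
    fault_fn, regs, frames = None, {}, []
    for line in text.splitlines():
        if "RIP:" in line:
            m = RIP.search(line)
            fault_fn = m.group(1) if m else fault_fn
            continue
        regs.update((k, int(v, 16)) for k, v in REG.findall(line))
        m = FRAME.search(line)
        if m:
            # A leading "?" marks a stack address the unwinder could not confirm.
            frames.append((m.group(2), m.group(1) is None))
    return fault_fn, regs, frames

def summarize(text):
    fn, regs, frames = triage(text)
    # x86-64 calling convention: memcpy(dst=RDI, src=RSI, n=RDX). The fault is at
    # memcpy+0x6 and RCX == RDX, so nothing was copied and the arguments are intact.
    args = {"dst": regs["RDI"], "src": regs["RSI"], "n": regs["RDX"]}
    reliable = [name for name, ok in frames if ok]
    return {
        "fault_fn": fn,
        "args": args,
        "null_src": fn == "memcpy" and args["src"] == 0 == regs["CR2"],
        "copied": args["n"] - regs["RCX"],
        "caller": reliable[0] if reliable else None,
        "entry": reliable[-1] if reliable else None,
    }
```
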
Environment
- Red Hat Enterprise Linux 7.2 (kernel-3.10.0-327.36.3.el7)
- mmfslinux and mmfs26 are installed and loaded