[Bug 717209] New: /proc/[PID]/attr/current overwrite Null pointer dereference
https://bugzilla.novell.com/show_bug.cgi?id=717209
https://bugzilla.novell.com/show_bug.cgi?id=717209#c0

           Summary: /proc/[PID]/attr/current overwrite Null pointer dereference
    Classification: openSUSE
           Product: openSUSE 11.4
           Version: Final
          Platform: x86-64
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: P5 - None
         Component: Kernel
        AssignedTo: kernel-maintainers@forge.provo.novell.com
        ReportedBy: suse-beta@cboltz.de
         QAContact: qa@suse.de
          Found By: Beta-Customer
           Blocker: ---

Description stolen from https://bugs.launchpad.net/apparmor/+bug/789409 - you can find more details there.

I can reproduce this bug on 11.4 with all updates installed.
I can't reproduce it on 11.3.
I don't know if Factory is affected because I don't have a Factory installation right now.

--------------------------------------------------------------------------------

Crashes application attempting improperly formatted write to /proc/<pid>/attr/current

Fix: Upstream commit a5b2c5b2ad5853591a6cac6134cd0f599a720865

Test Case:
echo 'AAA AAA' > /proc/$$/attr/current

The terminal/shell/tab the command is run in will crash and a kernel Bug will be logged

=== test case (from gnome-terminal+bash):
emanuel@emanuel-desktop:~$ echo 'AAA AAA' > /proc/$$/attr/current
# the tab crashed

emanuel@emanuel-desktop:~$ dmesg | tail -n 28 # on other tab in gnome-terminal
[107353.169116] ------------[ cut here ]------------
[107353.169142] kernel BUG at /build/buildd/linux-2.6.38/security/apparmor/audit.c:183!
[107353.169159] invalid opcode: 0000 [#7] SMP
[107353.169176] last sysfs file: /sys/devices/pci0000:00/0000:00:0d.0/host2/target2:0:0/2:0:0:0/block/sda/sda1/uevent
[107353.169193] Modules linked in: nls_utf8 isofs vesafb binfmt_misc vboxsf snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq ppdev snd_timer snd_seq_device snd joydev psmouse parport_pc serio_raw vboxguest soundcore i2c_piix4 snd_page_alloc lp parport usbhid ahci hid e1000 libahci
[107353.169251]
[107353.169268] Pid: 8851, comm: bash Tainted: G D 2.6.38-8-generic #42-Ubuntu innotek GmbH VirtualBox
[107353.169289] EIP: 0060:[<c1244939>] EFLAGS: 00210246 CPU: 0
[107353.169313] EIP is at aa_audit+0x129/0x160
[107353.169329] EAX: 00000002 EBX: f2c35eb4 ECX: 000000d0 EDX: 00000000
[107353.169344] ESI: 00000008 EDI: f2c35f1c EBP: f2c35e90 ESP: f2c35e84
[107353.169360] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[107353.169376] Process bash (pid: 8851, ti=f2c34000 task=c6c01940 task.ti=f2c34000)
[107353.169389] Stack:
[107353.169402] 00000004 00000008 f2c35f1c f2c35f2c c1249a95 f2c35eb4 00000000 d0e4e000
[107353.169424] 00000000 d0e4e004 d0dd0aa4 d0e4e004 00000007 00000000 00000000 00000000
[107353.169784] 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[107353.169808] Call Trace:
[107353.169832] [<c1249a95>] apparmor_setprocattr+0x205/0x210
[107353.169856] [<c121c40e>] security_setprocattr+0x1e/0x30
[107353.169877] [<c1171c26>] proc_pid_attr_write+0xe6/0x100
[107353.169896] [<c11271a2>] vfs_write+0xa2/0x170
[107353.169915] [<c1171b40>] ? proc_pid_attr_write+0x0/0x100
[107353.169932] [<c1127482>] sys_write+0x42/0x70
[107353.169955] [<c1509bf4>] syscall_call+0x7/0xb
[107353.169969] Code: 00 00 8b 4b 04 85 c9 74 19 31 d2 b8 09 00 00 00 e8 2d cb e1 ff 8b 43 40 e9 62 ff ff ff 90 8d 74 26 00 64 8b 0d ec 54 83 c1 eb de <0f> 0b 83 3d 18 a2 90 c1 01 74 16 83 7a 3c 01 74 10 8b 0d 1c a2
[107353.170048] EIP: [<c1244939>] aa_audit+0x129/0x160 SS:ESP 0068:f2c35e84
[107353.170073] ---[ end trace 824fc722cb1d8e19 ]---

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
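
Added example, not part of the bug report or of any SUSE or AppArmor tooling: a Python scan of kernel log text for the oops signature in the trace above, a BUG in security/apparmor/audit.c reached through apparmor_setprocattr and proc_pid_attr_write. The function name, the trimmed sample log and the second, unrelated oops in it are constructed for illustration.

```python
import re

# Constructed sample: trimmed log in the shape of the report's oops, plus an unrelated one.
SAMPLE_LOG = """\
[107353.169116] ------------[ cut here ]------------
[107353.169142] kernel BUG at /build/buildd/linux-2.6.38/security/apparmor/audit.c:183!
[107353.169376] Process bash (pid: 8851, ti=f2c34000 task=c6c01940 task.ti=f2c34000)
[107353.169808] Call Trace:
[107353.169832]  [<c1249a95>] apparmor_setprocattr+0x205/0x210
[107353.169856]  [<c121c40e>] security_setprocattr+0x1e/0x30
[107353.169877]  [<c1171c26>] proc_pid_attr_write+0xe6/0x100
[107353.169896]  [<c11271a2>] vfs_write+0xa2/0x170
[107353.170073] ---[ end trace 824fc722cb1d8e19 ]---
[107400.000000] ------------[ cut here ]------------
[107400.000010] kernel BUG at fs/example.c:42!
[107400.000020] Process cat (pid: 9001, ti=f0000000 task=c0000000 task.ti=f0000000)
[107400.000040]  [<c11271a2>] vfs_write+0xa2/0x170
[107400.000050] ---[ end trace 0000000000000001 ]---
"""

STAMP = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_AT = re.compile(r"kernel BUG at (\S+?):(\d+)!")
PROC = re.compile(r"Process (\S+) \(pid: (\d+)")
FRAME = re.compile(r"\[<[0-9a-f]+>\] (?:\? )?([A-Za-z0-9_.]+)\+0x")
# Frames that tie the BUG to a write on /proc/<pid>/attr/*, per the report's trace.
SIGNATURE = {"apparmor_setprocattr", "proc_pid_attr_write"}

def find_setprocattr_oopses(log_text):
    """Return one dict per oops whose BUG is in apparmor/audit.c and whose
    call trace contains every frame in SIGNATURE."""
    hits, cur = [], None
    for raw in log_text.splitlines():
        line = STAMP.sub("", raw).strip()
        if "[ cut here ]" in line:
            cur = {"file": None, "line": None, "comm": None, "pid": None, "frames": []}
        elif cur is None:
            continue
        elif m := BUG_AT.search(line):
            cur["file"], cur["line"] = m.group(1), int(m.group(2))
        elif m := PROC.search(line):
            cur["comm"], cur["pid"] = m.group(1), int(m.group(2))
        elif m := FRAME.search(line):
            cur["frames"].append(m.group(1))
        elif line.startswith("---[ end trace"):
            if (cur["file"] or "").endswith("security/apparmor/audit.c") \
                    and SIGNATURE <= set(cur["frames"]):
                hits.append(cur)
            cur = None
    return hits
```

Each hit carries the crashing task's comm and pid, which is what identifies the local process that wrote to the attribute file.
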

https://bugzilla.novell.com/show_bug.cgi?id=717209#c1

Leonardo Chiquitto <lchiquitto@suse.com> changed:

           What    |Removed                                   |Added
----------------------------------------------------------------------------------------
                 CC|                                          |lchiquitto@suse.com,
                   |                                          |meissner@suse.com
         AssignedTo|kernel-maintainers@forge.provo.novell.com |jeffm@suse.com

--- Comment #1 from Leonardo Chiquitto <lchiquitto@suse.com> 2011-10-13 15:54:34 UTC ---
As any user can crash the system due to this bug, I believe it qualifies as a security issue (CC'ing Marcus).

I confirmed that mainline commit a5b2c5b2ad resolves the problem on openSUSE 11.4. Jeff, please, do you think you could commit it for the next update?

Factory (kernel 3.1-rc) is not affected because the fix was committed upstream on 3.0-rc2.

https://bugzilla.novell.com/show_bug.cgi?id=717209#c2

--- Comment #2 from Marcus Meissner <meissner@suse.com> 2011-10-16 09:49:49 UTC ---
It seems to only kill the current task via Oops. Is there any other effect on the running kernel?

But it needs to be fixed, yes.

https://bugzilla.novell.com/show_bug.cgi?id=717209#c3

--- Comment #3 from Leonardo Chiquitto <lchiquitto@suse.com> 2011-10-17 10:03:43 UTC ---
If you have Kdump configured, it's enough to trigger a crash dump.

https://bugzilla.novell.com/show_bug.cgi?id=717209#c4

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de
            Summary|/proc/[PID]/attr/current    |VUL-1: kernel:
                   |overwrite Null pointer      |/proc/[PID]/attr/current
                   |dereference                 |overwrite Null pointer
                   |                            |dereference

--- Comment #4 from Marcus Meissner <meissner@suse.com> 2011-10-17 12:21:29 UTC ---
Then it is a security relevant bug (local denial of service), yes.

https://bugzilla.novell.com/show_bug.cgi?id=717209#c5

--- Comment #5 from Marcus Meissner <meissner@suse.com> 2011-10-17 12:32:51 UTC ---
CVE requested

https://bugzilla.novell.com/show_bug.cgi?id=717209#c6

--- Comment #6 from Sebastian Krahmer <krahmer@suse.com> 2011-10-17 13:25:08 UTC ---
CVE-2011-3619

https://bugzilla.novell.com/show_bug.cgi?id=717209#c7

Ludwig Nussel <lnussel@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5 - None                   |P3 - Medium

--- Comment #7 from Ludwig Nussel <lnussel@suse.com> 2011-11-03 15:35:33 CET ---
p5-

https://bugzilla.novell.com/show_bug.cgi?id=717209#c8

Jeff Mahoney <jeffm@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #8 from Jeff Mahoney <jeffm@suse.com> 2012-02-22 16:21:56 UTC ---
Committed to 11.4 repo.

https://bugzilla.novell.com/show_bug.cgi?id=717209#c9

--- Comment #9 from Michal Hocko <mhocko@suse.com> 2012-03-13 11:45:53 CET ---
Just for reference, the issue seems to be introduced by b5e95b48 in 2.6.36-rc1 (and fixed in 3.0-rc2). So nothing else but 11.4 is affected.

https://bugzilla.novell.com/show_bug.cgi?id=717209#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|                            |obs:running:553:low

https://bugzilla.novell.com/show_bug.cgi?id=717209#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|obs:running:553:low         |obs:running:553:moderate

https://bugzilla.novell.com/show_bug.cgi?id=717209#c10

--- Comment #10 from Swamp Workflow Management <swamp@suse.de> 2012-06-28 08:11:39 UTC ---
openSUSE-SU-2012:0799-1: An update that solves 25 vulnerabilities and has 22 fixes is now available.

Category: security (moderate)
Bug References: 466279,651219,653260,655696,676204,681186,681639,683671,689860,703410,707332,711941,713430,714455,717209,717749,721366,726045,726600,729247,730118,731673,732908,737624,738644,740448,740703,740745,744658,745832,746980,747038,747660,748859,749569,750079,750959,756203,756840,757278,758243,758260,758813,759545,760902,765102,765320
CVE References: CVE-2009-4020,CVE-2010-3873,CVE-2010-4164,CVE-2010-4249,CVE-2011-1083,CVE-2011-1173,CVE-2011-2517,CVE-2011-2700,CVE-2011-2909,CVE-2011-2928,CVE-2011-3619,CVE-2011-3638,CVE-2011-4077,CVE-2011-4086,CVE-2011-4330,CVE-2012-0038,CVE-2012-0044,CVE-2012-0207,CVE-2012-1090,CVE-2012-1097,CVE-2012-1146,CVE-2012-2119,CVE-2012-2123,CVE-2012-2136,CVE-2012-2663
Sources used:
openSUSE 11.4 (src): kernel-docs-2.6.37.6-0.20.2, kernel-source-2.6.37.6-0.20.1, kernel-syms-2.6.37.6-0.20.1, preload-1.2-6.17.1

https://bugzilla.novell.com/show_bug.cgi?id=717209#c

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Status Whiteboard|obs:running:553:moderate    |obs:running:553:moderate
                   |                            |obs:running:1049:moderate

https://bugzilla.novell.com/show_bug.cgi?id=717209#c11

--- Comment #11 from Swamp Workflow Management <swamp@suse.de> 2012-11-05 09:12:39 UTC ---
openSUSE-SU-2012:1439-1: An update that solves 26 vulnerabilities and has 28 fixes is now available.

Category: security (moderate)
Bug References: 466279,651219,653260,655696,676204,681186,681639,683671,689860,703410,707332,711941,713430,714455,717209,717749,721366,726045,726600,729247,730118,731673,732908,734056,737624,738644,740448,740703,740745,744658,745832,746980,747038,747660,748859,749569,750079,750959,755546,756203,756840,757278,758243,758260,758813,759545,760902,765102,765320,769408,769784,769896,774285,781134
CVE References: CVE-2009-4020,CVE-2010-3873,CVE-2010-4164,CVE-2010-4249,CVE-2011-1083,CVE-2011-1173,CVE-2011-2517,CVE-2011-2700,CVE-2011-2909,CVE-2011-2928,CVE-2011-3619,CVE-2011-3638,CVE-2011-4077,CVE-2011-4086,CVE-2011-4110,CVE-2011-4330,CVE-2012-0038,CVE-2012-0044,CVE-2012-0207,CVE-2012-1090,CVE-2012-1097,CVE-2012-1146,CVE-2012-2119,CVE-2012-2123,CVE-2012-2136,CVE-2012-2663
Sources used:
openSUSE 11.4 (src): kernel-docs-2.6.37.6-24.2, kernel-source-2.6.37.6-24.1, kernel-syms-2.6.37.6-24.1, preload-1.2-6.19.1

http://bugzilla.novell.com/show_bug.cgi?id=717209

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|obs:running:553:moderate    |obs:running:553:moderate
                   |obs:running:1049:moderate   |

http://bugzilla.novell.com/show_bug.cgi?id=717209

Swamp Workflow Management <swamp@suse.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Whiteboard|obs:running:553:moderate    |