View Issue Details

ID: 0018395
Project: CentOS-8
Category: kernel
View Status: public
Last Update: 2022-02-04 01:22
Reporter: wmealing
Assigned To:
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: no change required
Summary: 0018395: CVE- sysctl parameter read causes kernel panic (rpcrdma module)
Description

A flaw was found in the Linux kernel's implementation of reading SVC RDMA counters. Reading the counter sysctl panics the system. This allows a local attacker with local access to be able to create a denial of service while the system reboots.

The original source code uses memcpy; the fix uses copy_to_user since the target address is userspace (i.e. not kernel space), but for all I know this could be triggered into a more advanced exploit. I do not have the time to follow through with that.

The new kernel version causes a kernel panic. The panic log is pasted below. The bug affects various systems shown in the beaker job filter [0]. Core dumps can be found in the link [2]. Full console logs are in the beaker or the link [1]. The first occurrence of the problem was in kernel-4.18.0-356.el8.


[ 1339.261908] BUG: unable to handle kernel paging request at 000055dc312274b0
[ 1339.268868] PGD 8000000da0ce0067 P4D 8000000da0ce0067 PUD ce34ef067 PMD d23238067 PTE 8000000e02dcc867
[ 1339.278168] Oops: 0003 [#1] SMP PTI
[ 1339.281661] CPU: 43 PID: 9983 Comm: sysctl Kdump: loaded Not tainted 4.18.0-356.el8.x86_64 #1
[ 1339.290180] Hardware name: Supermicro Super Server/X11DDW-L, BIOS 2.0b 03/07/2018
[ 1339.297660] RIP: 0010:memcpy_erms+0x6/0x10
[ 1339.301769] Code: 90 90 90 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 1339.320514] RSP: 0018:ffff961088a9fe28 EFLAGS: 00010297
[ 1339.325739] RAX: 000055dc312274b0 RBX: 0000000000000002 RCX: 0000000000000002
[ 1339.332873] RDX: 0000000000000002 RSI: ffff961088a9fe37 RDI: 000055dc312274b0
[ 1339.340004] RBP: ffff961088a9ff08 R08: 0000000000000000 R09: 0000000000000000
[ 1339.347139] R10: ffff961088a9fe80 R11: ffff961088a9fe38 R12: ffff961088a9fe80
[ 1339.354270] R13: 000055dc312274b0 R14: 0000000000000002 R15: ffffffffc0fb4e00
[ 1339.361405] FS: 00007f41084b0940(0000) GS:ffff8ad00fcc0000(0000) knlGS:0000000000000000
[ 1339.369490] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1339.375236] CR2: 000055dc312274b0 CR3: 0000000ce0c98005 CR4: 00000000007726e0
[ 1339.382368] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1339.389503] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1339.396635] PKRU: 55555554
[ 1339.399345] Call Trace:
[ 1339.401803] svcrdma_counter_handler+0xc1/0x110 [rpcrdma]
[ 1339.407218] proc_sys_call_handler+0x1a5/0x1c0
[ 1339.411663] vfs_read+0x91/0x140
[ 1339.414894] ksys_read+0x4f/0xb0
[ 1339.418126] do_syscall_64+0x5b/0x1a0
[ 1339.421794] entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 1339.426846] RIP: 0033:0x7f410784c5a5
[ 1339.430425] Code: fe ff ff 50 48 8d 3d 92 f7 09 00 e8 85 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 f5 6f 2d 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89
[ 1339.449171] RSP: 002b:00007ffd4e265d98 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 1339.456739] RAX: ffffffffffffffda RBX: 000055dc31226f00 RCX: 00007f410784c5a5
[ 1339.463872] RDX: 0000000000002000 RSI: 000055dc312274b0 RDI: 0000000000000006
[ 1339.471004] RBP: 0000000000000d68 R08: 000055dc3121a7c0 R09: 0000000000000003
[ 1339.478134] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000002000
[ 1339.485269] R13: 000055dc3121a7d0 R14: 0000000000000000 R15: 0000000000000000
[ 1339.492404] Modules linked in: binfmt_misc dm_mod vhost_net vhost vhost_iotlb tap xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_tables nfnetlink tun bridge rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache rpcrdma rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm openvswitch 8021q garp mrp nf_conncount stp nf_nat llc nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 intel_rapl_msr intel_rapl_common isst_if_common sunrpc i40iw ib_uverbs skx_edac nfit ib_core libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iTCO_wdt iTCO_vendor_support kvm ipmi_ssif irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate acpi_ipmi mei_me intel_uncore ioatdma ipmi_si i2c_i801 pcspkr mei joydev lpc_ich dca wmi ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sd_mod t10_pi sg ast i2c_algo_bit drm_vram_helper

I believe that this is fixed by upstream commit 32927393dc1c ("sysctl: pass kernel pointers to ->proc_handler") and it may already be fixed in your repositories; I have not investigated.

It is awaiting a CVE and I will update you when it becomes available. The sibling Red Hat bug is RHBZ#2048359.

Steps To Reproduce

1. Boot the system with kernel-4.18.0-356.el8 on RDMA-enabled hardware; it might be possible to do this with software RDMA too.
2. Wait a few minutes.
3. cat /proc/sys/sunrpc/svc_rdma/rdma_stat_read

*Panic*
Additional Information

Looks like this is already fixed; maybe you lovely peeps have it fixed too.
This issue is not considered to be embargoed at this time.

Thank you, have a good day.

Tags: panic, security
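As an added triage aid (not part of this bug report or of the kernel), the script below parses the oops quoted above and checks for the signature the reporter describes: a kernel-mode write fault at a user-space address, with RIP inside a memcpy variant reached from proc_sys_call_handler, which is what a sysctl handler that copies with memcpy instead of copy_to_user looks like in a crash log. The sample lines are copied from this report's panic output; the field names in the result dictionary are this script's own.

```python
import re

# Constructed sample input: a subset of the oops lines quoted in this report.
SAMPLE_OOPS = """\
[ 1339.261908] BUG: unable to handle kernel paging request at 000055dc312274b0
[ 1339.278168] Oops: 0003 [#1] SMP PTI
[ 1339.297660] RIP: 0010:memcpy_erms+0x6/0x10
[ 1339.332873] RDX: 0000000000000002 RSI: ffff961088a9fe37 RDI: 000055dc312274b0
[ 1339.399345] Call Trace:
[ 1339.401803] svcrdma_counter_handler+0xc1/0x110 [rpcrdma]
[ 1339.407218] proc_sys_call_handler+0x1a5/0x1c0
[ 1339.421794] entry_SYSCALL_64_after_hwframe+0x65/0xca
[ 1339.426846] RIP: 0033:0x7f410784c5a5
"""

USER_TOP = 0x00007fffffffffff  # top of the canonical user half on x86-64
COPY_HELPERS = ("memcpy", "memmove", "memset", "strcpy", "strncpy")
FRAME = re.compile(r"^([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+(?:\s+\[(\w+)\])?")

def triage_oops(text):
    """Parse an x86-64 oops; flag a kernel-mode write into a user address from a proc handler."""
    r = {"fault_addr": None, "err": 0, "rip_symbol": None, "frames": [], "modules": []}
    in_trace = False
    for raw in text.splitlines():
        line = re.sub(r"^\[\s*[\d.]+\]\s*", "", raw).strip()  # drop printk timestamp
        if line.startswith("BUG: unable to handle kernel paging request at "):
            r["fault_addr"] = int(line.rsplit(" ", 1)[1], 16)
        elif line.startswith("Oops: "):
            r["err"] = int(line.split()[1], 16)
        elif line.startswith("RIP: 0010:") and r["rip_symbol"] is None:  # 0x10 = __KERNEL_CS
            r["rip_symbol"] = line[10:].split("+", 1)[0]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            if line.startswith("RIP: 0033:"):  # 0x33 = __USER_CS: trace is back in user space
                break
            m = FRAME.match(line)
            if m:
                r["frames"].append(m.group(1))
                if m.group(2) and m.group(2) not in r["modules"]:
                    r["modules"].append(m.group(2))
    # x86 page-fault error code bits: 0 = page present (protection fault), 1 = write, 2 = user mode
    r["write_fault"] = bool(r["err"] & 2)
    r["kernel_mode"] = not (r["err"] & 4)
    r["fault_in_userspace"] = r["fault_addr"] is not None and r["fault_addr"] <= USER_TOP
    r["likely_missing_copy_to_user"] = (
        r["fault_in_userspace"] and r["write_fault"] and r["kernel_mode"]
        and bool(r["rip_symbol"]) and r["rip_symbol"].startswith(COPY_HELPERS)
        and "proc_sys_call_handler" in r["frames"])
    return r
```

On this report's log the result flags the pattern: RDI (the destination) equals the faulting address 0x55dc312274b0, which lies in the user half, while RSI (the source) is a kernel stack address, so the kernel was writing user memory directly.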

Activities

wmealing
2022-02-01 05:43
reporter

wasted.gif (1,564,151 bytes)
toracat
2022-02-03 22:26
manager   ~0038844

Stream-related bugs need to be reported to Red Hat. For details, please see:

https://wiki.centos.org/ReportBugs
wmealing
2022-02-04 00:47
reporter   ~0038845

Sure, that sounds like a perfectly logical thing to do. I don't imagine CentOS Stream users will ever know they are affected by a CVE that never gets an RHSA, but that's a different problem.

I'd close this bug, but I can't see a close button.

Issue History

Date Modified Username Field Change
2022-02-01 05:43 wmealing New Issue
2022-02-01 05:43 wmealing Tag Attached: panic
2022-02-01 05:43 wmealing Tag Attached: security
2022-02-01 05:43 wmealing File Added: wasted.gif
2022-02-03 22:26 toracat Note Added: 0038844
2022-02-04 00:47 wmealing Note Added: 0038845
2022-02-04 01:22 toracat Status new => closed
2022-02-04 01:22 toracat Resolution open => no change required