kernel NULL pointer dereference at ping_init_sock

Postby ncopa » Wed Jun 18, 2014 5:37 am

When calling socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP) I get this:

[  275.687872] BUG: unable to handle kernel NULL pointer dereference at            (nil)
[  275.687909] IP: [<ffffffff813096b4>] ping_init_sock+0xc0/0xdb
[  275.687935] PGD 0
[  275.687945] Oops: 0002 [#1] SMP
[  275.687961] Modules linked in: hid_apple hidp veth i915 drm_kms_helper drm intel_gtt agpgart cfbfillrect cfbimgblt i2c_algo_bit cfbcopyarea bridge stp llc ipv6 bnep 8021q mrp tun kvm_intel kvm af_packet shpchp snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_codec_generic uvcvideo snd_hda_intel videobuf2_core ppdev btusb parport_pc parport bluetooth 6lowpan_iphc rfkill iTCO_wdt snd_usb_audio tpm_tis snd_usbmidi_lib snd_hda_codec snd_rawmidi snd_seq_device iTCO_vendor_support psmouse snd_pcm snd_hwdep e1000e tpm mei_me snd_timer videodev snd media videobuf2_vmalloc videobuf2_memops soundcore e1000 mousedev evdev serio_raw firmware_class ptp mei processor lpc_ich mfd_core pps_core usbkbd hid_generic usbmouse usbhid hid dm_mod raid1 fbcon font bitblit fbcon_rotate fbcon_ccw fbcon_ud fbcon_cw softcursor
[  275.688310]  tileblit fb fbdev ehci_pci ehci_hcd i2c_i801 i2c_core sr_mod cdrom ahci libahci libata video backlight button loop ext4 jbd2 crc16 ext3 mbcache jbd usb_storage usbcore usb_common sd_mod scsi_mod crc_t10dif crct10dif_common
[  275.688415] CPU: 7 PID: 4254 Comm: fping Not tainted 3.14.6-1-grsec #2-Alpine
[  275.688441] Hardware name: Dell Inc. OptiPlex 790/0HY9JP, BIOS A07 09/10/2011
[  275.688466] task: ffff8800bd0f6180 ti: ffff8800bd0f67b8 task.ti: ffff8800bd0f67b8
[  275.688494] RIP: 0010:[<ffffffff813096b4>]  [<ffffffff813096b4>] ping_init_sock+0xc0/0xdb
[  275.688525] RSP: 0018:ffffc9001a77be60  EFLAGS: 00010287
[  275.688544] RAX: ffffffff815b8040 RBX: 0000000000000000 RCX: 00000000000003e9
[  275.688569] RDX: 0000000000000000 RSI: 0000000000000002 RDI: 0000000000000064
[  275.688595] RBP: ffffc9001a77be68 R08: 000000000000c350 R09: ffff88020eb90218
[  275.688619] R10: 0000000000000008 R11: 0000000000000000 R12: ffff8800c342d400
[  275.688644] R13: ffffffff815b8040 R14: 0000000000000000 R15: ffff88020eb90000
[  275.688670] FS:  0000092f7ddf4328(0000) GS:ffff88022dce0000(0000) knlGS:0000000000000000
[  275.688698] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  275.688719] CR2: 0000000000000000 CR3: 000000020eba6000 CR4: 00000000000607b0
[  275.688744] Stack:
[  275.688752]  0000000000000001 ffffc9001a77beb0 ffffffff812ff00b 0000000000000002
[  275.688783]  ffffffff815bdb50 0000000000000002 ffff8800c342d400 ffffffff813b5fd0
[  275.688813]  0000000000000001 0000000000000000 ffffc9001a77bef8 ffffffff8128c67c
[  275.688844] Call Trace:
[  275.688856]  [<ffffffff812ff00b>] inet_create+0x227/0x2ab
[  275.688877]  [<ffffffff8128c67c>] __sock_create+0x145/0x1b6
[  275.688897]  [<ffffffff8128c718>] sock_create+0x2b/0x2d
[  275.688917]  [<ffffffff8128cadc>] SyS_socket+0x22/0x91
[  275.688937]  [<ffffffff81338f35>] system_call_fastpath+0x16/0x1b
[  275.688959] Code: 8b 94 c2 90 00 00 00 45 8b 14 b2 44 39 d7 77 05 45 39 c2 76 14 48 ff c6 eb e0 44 29 c9 48 ff c0 eb c4 bb f3 ff ff ff eb 02 31 db <f0> ff 0a 71 05 f0 ff 02 cd 04 74 02 eb 08 48 89 d7 e8 a5 50 d5
[  275.689104] RIP  [<ffffffff813096b4>] ping_init_sock+0xc0/0xdb
[  275.689127]  RSP <ffffc9001a77be60>
[  275.689139] CR2: 0000000000000000
[  275.699250] ---[ end trace 2ae210604d8ea4d6 ]---

This is with x86_64 3.14.6 kernel + grsecurity-3.0-3.14.6-201406101411.patch
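As an added example (not part of ncopa's post, and not grsecurity or Alpine code): a small userspace reproducer for the socket() call above. Besides issuing the call, it reads /proc/sys/net/ipv4/ping_group_range and mirrors the kernel's group-range test, so you can tell in advance which path ping_init_sock() takes for the calling user: effective gid inside the range, a supplementary group inside the range, or no match. The path name, the sample group list and the helper names are assumptions made for this example; the sysctl file and its "low high" format are real.

```c
/* Added example, not code from the thread. Assumes Linux with
 * /proc/sys/net/ipv4/ping_group_range holding "low high"; a range with
 * low > high (the default "1 0") allows nobody. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <unistd.h>

/* Constructed sample supplementary groups, used by the usage checks. */
const gid_t example_groups[] = {100, 2000};
const int example_ngroups = 2;

/* Parse the sysctl text "low high". Returns 0 on success, -1 if malformed. */
int parse_ping_group_range(const char *text, gid_t *low, gid_t *high)
{
    unsigned long lo, hi;
    if (sscanf(text, "%lu %lu", &lo, &hi) != 2)
        return -1;
    *low = (gid_t)lo;
    *high = (gid_t)hi;
    return 0;
}

/* Same test the kernel applies with gid_lte(): low <= gid <= high. */
int gid_in_range(gid_t gid, gid_t low, gid_t high)
{
    return low <= gid && gid <= high;
}

/* 1 if the sysctl text admits gid, 0 if not, -1 if the text is malformed. */
int ping_group_range_allows(const char *text, gid_t gid)
{
    gid_t low, high;
    if (parse_ping_group_range(text, &low, &high) < 0)
        return -1;
    return gid_in_range(gid, low, high);
}

/* Which path ping_init_sock() takes: 1 = egid matches (the early exit that
 * the grsecurity patch in the reply below rewrote), 2 = a supplementary
 * group matches (the loop), 0 = no match (-EACCES). */
int ping_branch_for(gid_t egid, const gid_t *groups, int ngroups,
                    gid_t low, gid_t high)
{
    if (gid_in_range(egid, low, high))
        return 1;
    for (int i = 0; i < ngroups; i++)
        if (gid_in_range(groups[i], low, high))
            return 2;
    return 0;
}

static int read_ping_group_range(gid_t *low, gid_t *high)
{
    char buf[64];
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f)
        return -1;
    int ok = fgets(buf, sizeof buf, f) != NULL;
    fclose(f);
    return ok ? parse_ping_group_range(buf, low, high) : -1;
}

int main(void)
{
    gid_t low, high, groups[256];
    if (read_ping_group_range(&low, &high) < 0) {
        perror("ping_group_range");
        return 1;
    }
    int ngroups = getgroups(256, groups);
    if (ngroups < 0) {
        perror("getgroups");
        return 1;
    }
    printf("ping_group_range = %u %u, egid = %u, path = %d\n",
           (unsigned)low, (unsigned)high, (unsigned)getegid(),
           ping_branch_for(getegid(), groups, ngroups, low, high));

    /* The call from the report. */
    int fd = socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP);
    if (fd < 0) {
        printf("socket(PF_INET, SOCK_DGRAM, IPPROTO_ICMP): %s\n",
               strerror(errno));
        return 1;
    }
    printf("got unprivileged ICMP socket, fd %d\n", fd);
    close(fd);
    return 0;
}
```

Build with `cc -o ping_repro ping_repro.c` and run it as the same user fping runs as. With the default range "1 0" the kernel refuses everyone and socket() fails with EACCES before any of the code in question is reached; `sysctl -w net.ipv4.ping_group_range="0 65535"` (or a range covering your gid) is what makes path 1 reachable.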

Re: kernel NULL pointer dereference at ping_init_sock

Postby minipli » Wed Jun 18, 2014 5:46 am

That's a bug in grsec, best seen by looking at the change the patch does to ping_init_sock():

 int ping_init_sock(struct sock *sk)
 {
        struct net *net = sock_net(sk);
        kgid_t group = current_egid();
        struct group_info *group_info;
        int i, j, count;
        kgid_t low, high;
        int ret = 0;
 
        inet_get_ping_group_range_net(net, &low, &high);
        if (gid_lte(low, group) && gid_lte(group, high))
-               return 0;
+               goto out_release_group;
 
        group_info = get_current_groups();
        count = group_info->ngroups;
        for (i = 0; i < group_info->nblocks; i++) {
                int cp_count = min_t(int, NGROUPS_PER_BLOCK, count);
                for (j = 0; j < cp_count; j++) {
                        kgid_t gid = group_info->blocks[i][j];
                        if (gid_lte(low, gid) && gid_lte(gid, high))
                                goto out_release_group;
                }
 
                count -= cp_count;
        }
 
        ret = -EACCES;
 
 out_release_group:
        put_group_info(group_info);
        return ret;
 }
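Review bot: the `goto out_release_group` that replaces `return 0` on the egid check jumps past `group_info = get_current_groups();`, so `put_group_info(group_info)` at the label operates on a local that was never assigned (stack garbage in general, NULL in the reported oops, hence CR2 = 0 and the fault at `ping_init_sock+0xc0`). Either keep `return 0;` on that branch, since no reference is held there, or move `group_info = get_current_groups();` above the egid check so the label always has a live reference to drop.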


So if the calling user is not in the allowed group range it'll call put_group_info(group_info) with group_info being an uninitialized pointer. In your case, a NULL pointer, though.
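To make the control-flow problem minipli points at runnable, here is an added example (not code from the thread, the kernel or the grsecurity patch): a userspace model of ping_init_sock() with a reference-counted stand-in for struct group_info. The same function body is run once with the grsecurity version of the egid check (goto the release label) and once with the upstream 3.14 version (return 0), and a mock put_group_info() counts calls made with a pointer that get_current_groups() never handed out instead of dereferencing it. All names ending in _model, the fixture group list and NULL as the stand-in for the uninitialized local are assumptions of this example.

```c
/* Added example, not code from the thread or from grsecurity. */
#include <errno.h>
#include <stdio.h>

#define NGROUPS_PER_BLOCK 32

typedef unsigned int kgid_model_t;

struct group_info_model {
    int usage;                      /* refcount, like group_info->usage */
    int ngroups;
    int nblocks;
    kgid_model_t blocks[1][NGROUPS_PER_BLOCK];
};

/* Constructed fixture: the calling task's supplementary groups. */
static struct group_info_model current_groups_model = {
    .usage = 1, .ngroups = 2, .nblocks = 1, .blocks = {{100, 2000}},
};

/* put calls made with a pointer get_current_groups() never returned: the
 * kernel would dereference it (the oops); the model only counts it. */
static int bad_puts_model;

static struct group_info_model *get_current_groups_model(void)
{
    current_groups_model.usage++;
    return &current_groups_model;
}

static void put_group_info_model(struct group_info_model *gi)
{
    if (gi != &current_groups_model) {
        bad_puts_model++;
        return;
    }
    gi->usage--;
}

static int gid_lte_model(kgid_model_t a, kgid_model_t b) { return a <= b; }

/* early_goto = 1: the grsecurity-3.0-3.14.6 change (goto from the egid check).
 * early_goto = 0: upstream 3.14 and ncopa's revert (return 0 there). */
static int ping_init_sock_model(kgid_model_t egid, kgid_model_t low,
                                kgid_model_t high, int early_goto)
{
    /* Uninitialized in the kernel; NULL models ncopa's stack (CR2 = 0). */
    struct group_info_model *group_info = NULL;
    int i, j, count;
    int ret = 0;

    if (gid_lte_model(low, egid) && gid_lte_model(egid, high)) {
        if (early_goto)
            goto out_release_group;   /* nothing acquired yet: bogus put */
        return 0;                     /* no reference held, nothing to drop */
    }

    group_info = get_current_groups_model();
    count = group_info->ngroups;
    for (i = 0; i < group_info->nblocks; i++) {
        int cp_count = count < NGROUPS_PER_BLOCK ? count : NGROUPS_PER_BLOCK;
        for (j = 0; j < cp_count; j++) {
            kgid_model_t gid = group_info->blocks[i][j];
            if (gid_lte_model(low, gid) && gid_lte_model(gid, high))
                goto out_release_group;   /* fine: a reference is held */
        }
        count -= cp_count;
    }
    ret = -EACCES;

out_release_group:
    put_group_info_model(group_info);
    return ret;
}

int ping_init_sock_grsec_model(kgid_model_t egid, kgid_model_t low, kgid_model_t high)
{
    return ping_init_sock_model(egid, low, high, 1);
}

int ping_init_sock_fixed_model(kgid_model_t egid, kgid_model_t low, kgid_model_t high)
{
    return ping_init_sock_model(egid, low, high, 0);
}

void reset_model(void) { bad_puts_model = 0; current_groups_model.usage = 1; }
int bad_puts(void) { return bad_puts_model; }
int group_usage(void) { return current_groups_model.usage; }

int main(void)
{
    int ret;
    reset_model();
    ret = ping_init_sock_grsec_model(1000, 1000, 1000);
    printf("grsec, egid in range: ret=%d bad_puts=%d\n", ret, bad_puts());
    reset_model();
    ret = ping_init_sock_fixed_model(1000, 1000, 1000);
    printf("fixed, egid in range: ret=%d bad_puts=%d usage=%d\n", ret, bad_puts(), group_usage());
    ret = ping_init_sock_fixed_model(1000, 2000, 2000);
    printf("fixed, supplementary: ret=%d usage=%d\n", ret, group_usage());
    ret = ping_init_sock_fixed_model(1000, 1, 0);
    printf("fixed, no match:      ret=%d usage=%d\n", ret, group_usage());
    return 0;
}
```

The refcount returning to its starting value after every fixed-version call is the property the real function must keep: each `goto out_release_group` from inside the loop pairs with the `get_current_groups()` above it, while the egid branch never took a reference and must not drop one.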

Re: kernel NULL pointer dereference at ping_init_sock

Postby ncopa » Wed Jun 18, 2014 5:53 am

From IRC:
<minipli> ncopa: it's a bug in grsec
<minipli> ncopa: revert the change to net/ipv4/ping.c:262
<minipli> ncopa: make it a return 0, again
<minipli> ncopa: it's trying to dereference an uninitialized pointer by the put_group_info() call, though NULL in your case


So my guess is that this is the fix:
--- ./net/ipv4/ping.c.orig
+++ ./net/ipv4/ping.c
@@ -259,7 +259,7 @@
 
        inet_get_ping_group_range_net(net, &low, &high);
        if (gid_lte(low, group) && gid_lte(group, high))
-               goto out_release_group;
+               return 0;
 
        group_info = get_current_groups();
        count = group_info->ngroups;
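Review bot: restoring `return 0;` on the egid branch is the right exit as far as the crash goes: `get_current_groups()` has not run at that point, so there is no reference to drop, and after this change `out_release_group` is reached only from inside the loop, where `group_info` is always the pointer that call returned. Worth stating in the patch description that this restores the upstream 3.14 control flow, since the hunk on its own does not say why the grsecurity version diverged from it.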