Description
A flaw was found in the Linux kernel (UEK6) implementation of reading the SVC RDMA counters through sysctl. Reading one of these counter sysctls panics the system, so a local attacker can cause a denial of service: the machine is unavailable until it reboots. The trace below shows the panic inside svcrdma_counter_handler (in the rpcrdma module): memcpy_erms is running in kernel mode with a 2-byte copy (RCX/RDX = 2) whose destination, 0x00005633bd69cd50, is the same address user space passed as the read() buffer (RSI in the 0033 register dump). In other words, the handler writes the counter text straight into the caller's buffer instead of going through copy_to_user(), and the kernel-mode write to a user page is rejected with a supervisor-mode permissions-violation page fault (SMAP is enabled in the CR4 value shown).
The panic log is pasted below:
[ 54.696004] BUG: unable to handle page fault for address: 00005633bd69cd50
[ 54.696166] #PF: supervisor write access in kernel mode
[ 54.696321] #PF: error_code(0x0003) - permissions violation
[ 54.696481] PGD 438f0d067 P4D 438f0d067 PUD 41656a067 PMD 437e7c067 PTE 80000003ea5e9867
[ 54.696665] Oops: 0003 [#1] SMP NOPTI
[ 54.696844] CPU: 13 PID: 3918 Comm: sysctl Kdump: loaded Tainted: P OE 5.4.17-2102.203.6.el8uek.x86_64 #2
[ 54.697047] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1.fc35 04/01/2014
[ 54.697278] RIP: 0010:memcpy_erms+0x6/0x9
[ 54.697486] Code: ff ff ff 90 eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 54.697964] RSP: 0018:ffffc1bacb323dd0 EFLAGS: 00010297
[ 54.698208] RAX: 00005633bd69cd50 RBX: 0000000000000002 RCX: 0000000000000002
[ 54.698462] RDX: 0000000000000002 RSI: ffffc1bacb323ddf RDI: 00005633bd69cd50
[ 54.698731] RBP: ffffc1bacb323e18 R08: ffffc1bacb323ee8 R09: 0000000000000000
[ 54.698992] R10: 0000000000000000 R11: ffffc1bacb323de0 R12: ffffc1bacb323ee8
[ 54.699257] R13: ffffc1bacb323e38 R14: 00005633bd69cd50 R15: 0000000000000002
[ 54.699529] FS: 00007f7c04190940(0000) GS:ffff9d122f940000(0000) knlGS:0000000000000000
[ 54.699817] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 54.700102] CR2: 00005633bd69cd50 CR3: 0000000437e76003 CR4: 0000000000360ee0
[ 54.700401] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 54.700712] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 54.701015] Call Trace:
[ 54.701330] ? svcrdma_counter_handler+0xbe/0x10c [rpcrdma]
[ 54.701667] proc_sys_call_handler+0x1a0/0x1ad
[ 54.702057] proc_sys_read+0x11/0x13
[ 54.702428] __vfs_read+0x1b/0x34
[ 54.702778] vfs_read+0x99/0x152
[ 54.703109] ksys_read+0x61/0xd2
[ 54.703445] __x64_sys_read+0x1a/0x1c
[ 54.703803] do_syscall_64+0x60/0x1cb
[ 54.704155] entry_SYSCALL_64_after_hwframe+0x170/0x0
[ 54.704498] RIP: 0033:0x7f7c035305b5
[ 54.704857] Code: fe ff ff 50 48 8d 3d 82 f7 09 00 e8 85 fe 01 00 0f 1f 44 00 00 f3 0f 1e fa 48 8d 05 e5 6f 2d 00 8b 00 85 c0 75 0f 31 c0 0f 05 <48> 3d 00 f0 ff ff 77 53 c3 66 90 41 54 49 89 d4 55 48 89 f5 53 89
[ 54.705593] RSP: 002b:00007ffd1cdbfc38 EFLAGS: 00000246 ORIG_RAX: 0000000000000000
[ 54.705984] RAX: ffffffffffffffda RBX: 00005633bd6b33a0 RCX: 00007f7c035305b5
[ 54.706373] RDX: 0000000000002000 RSI: 00005633bd69cd50 RDI: 0000000000000006
[ 54.706774] RBP: 0000000000000d68 R08: 00005633bd69ed50 R09: 0000000000000003
[ 54.707166] R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000002000
[ 54.707560] R13: 00005633bd69ed60 R14: 0000000000000000 R15: 0000000000000000
[ 54.707966] Modules linked in: binfmt_misc dm_mod vhost_net vhost vhost_iotlb tap xt_CHECKSUM ipt_MASQUERADE xt_conntrack ipt_REJECT nf_reject_ipv4 nft_compat nft_counter nft_chain_nat nf_tables nfnetlink tun bridge rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache rpcrdma rdma_ucm ib_srpt ib_isert iscsi_target_mod target_core_mod ib_iser libiscsi scsi_transport_iscsi rdma_cm iw_cm ib_cm openvswitch 8021q garp mrp nf_conncount stp nf_nat llc nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 intel_rapl_msr intel_rapl_common isst_if_common sunrpc i40iw ib_uverbs skx_edac nfit ib_core libnvdimm x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel iTCO_wdt iTCO_vendor_support kvm ipmi_ssif irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel rapl intel_cstate acpi_ipmi mei_me intel_uncore ioatdma ipmi_si i2c_i801 pcspkr mei joydev lpc_ich dca wmi ipmi_devintf ipmi_msghandler acpi_power_meter acpi_pad xfs libcrc32c sd_mod t10_pi sg ast i2c_algo_bit drm_vram_helper
This is fixed by upstream commit 3292739 ("sysctl: pass kernel pointers to ->proc_handler"), which changes the ->proc_handler contract so that handlers receive a kernel buffer and the sysctl core performs the copy to and from user space itself.
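The following is an added user-space model of the mismatch described above; it is not kernel code, not the UEK6 source and not part of the original report. It pairs a counter handler written for the post-3292739 contract (it memcpy()s its text into whatever buffer it is given, the pattern the trace shows with a 2-byte copy of "0\n") with two stand-ins for the sysctl core: one that passes the user buffer straight through, as the old contract did, and one that stages the result in a kernel buffer and calls copy_to_user() once. SMAP is modelled by keeping the "user" page PROT_NONE except inside the copy_to_user() stand-in, so a direct write from "kernel" code raises SIGSEGV, the model's equivalent of the Oops. All names here (proc_sys_call_handler_old/new, counter_handler_kernel_abi, model_read, stat_counter) are illustrative assumptions, and the handler body is a simplified stand-in, not the real svcrdma_counter_handler.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

/* Hypothetical, simplified ->proc_handler shape: write flag, buffer, in/out
 * length. ctl_table and ppos are omitted because they play no role here. */
typedef int (*proc_handler_t)(int write, void *buffer, size_t *lenp);

/* ---- the caller's page and a SMAP stand-in ----------------------------- */
static char *user_page;            /* models the read() buffer in user space */
static size_t page_sz;
static sigjmp_buf oops_jmp;

/* stac()/clac() stand-ins: "kernel" code cannot touch the user page unless a
 * copy_to_user()-style accessor has opened it. Any other write raises
 * SIGSEGV, which plays the role of the supervisor-mode #PF in the trace. */
static void stac(void) { (void)mprotect(user_page, page_sz, PROT_READ | PROT_WRITE); }
static void clac(void) { (void)mprotect(user_page, page_sz, PROT_NONE); }

static void copy_to_user(void *to, const void *from, size_t n)
{
    stac();
    memcpy(to, from, n);
    clac();
}

/* Handler written against the post-3292739 contract (buffer is a kernel
 * pointer): format the counter and memcpy() the text into the buffer.
 * A counter reading 0 yields "0\n", the 2-byte copy seen in the trace. */
static long long stat_counter;     /* constructed counter value: 0 */

static int counter_handler_kernel_abi(int write, void *buffer, size_t *lenp)
{
    char tmp[24];
    size_t len;

    if (write) {                   /* writing the sysctl resets the counter */
        stat_counter = 0;
        *lenp = 0;
        return 0;
    }
    len = (size_t)snprintf(tmp, sizeof tmp, "%lld\n", stat_counter);
    if (len > *lenp)
        len = *lenp;
    memcpy(buffer, tmp, len);      /* faults if buffer is really a user pointer */
    *lenp = len;
    return 0;
}

/* Old core: hands the user buffer straight to the handler, which is expected
 * to do its own copy_to_user(). A kernel-contract handler does not. */
static int proc_sys_call_handler_old(proc_handler_t h, void *ubuf, size_t *lenp)
{
    return h(0, ubuf, lenp);
}

/* New core: stages the result in a kernel buffer and copies it out once, so
 * the handler never sees a user pointer. */
static int proc_sys_call_handler_new(proc_handler_t h, void *ubuf, size_t *lenp)
{
    char *kbuf = calloc(1, *lenp);
    int ret;

    if (!kbuf)
        return -1;
    ret = h(0, kbuf, lenp);
    if (ret == 0)
        copy_to_user(ubuf, kbuf, *lenp);
    free(kbuf);
    return ret;
}

static void on_segv(int sig)
{
    (void)sig;
    siglongjmp(oops_jmp, 1);
}

/* Reads the counter through the chosen core. Returns 1 if the model "oopsed"
 * (handler wrote user memory directly), 0 on success, -1 on setup failure;
 * on success *lenp and out hold what user space would read. */
int model_read(int use_new_core, char *out, size_t *lenp)
{
    struct sigaction sa, saved;
    volatile int oopsed;

    page_sz = (size_t)sysconf(_SC_PAGESIZE);
    user_page = mmap(NULL, page_sz, PROT_NONE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (user_page == MAP_FAILED)
        return -1;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &saved);

    if (sigsetjmp(oops_jmp, 1) == 0) {
        if (use_new_core)
            proc_sys_call_handler_new(counter_handler_kernel_abi, user_page, lenp);
        else
            proc_sys_call_handler_old(counter_handler_kernel_abi, user_page, lenp);
        oopsed = 0;
    } else {
        oopsed = 1;
    }
    sigaction(SIGSEGV, &saved, NULL);

    if (!oopsed) {                 /* user space reading back its own buffer */
        stac();
        memcpy(out, user_page, *lenp);
    }
    munmap(user_page, page_sz);
    return oopsed;
}

int main(void)
{
    char out[16];
    size_t len = sizeof out;

    printf("old core + kernel-contract handler: %s\n",
           model_read(0, out, &len) == 1 ? "oops (direct write to user page)" : "ok");
    len = sizeof out;
    if (model_read(1, out, &len) == 0)
        printf("new core + kernel-contract handler: ok, %zu bytes: %.*s", len, (int)len, out);
    return 0;
}
```

The first pairing is the situation in the trace: a handler that assumes a kernel buffer, running under a sysctl core that still passes the user pointer through. The second is what the referenced commit establishes, and it is the only configuration in which a memcpy()-style handler is correct. When backporting a handler written for newer kernels, check which contract the target kernel's proc_sys_call_handler implements before trusting the handler's pointer handling.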