Kernel panic via the Chromium browser
Submitted by akayn
Assigned to Nouveau Project
Link to original bug (#103689)
Description
Created attachment 135404
reproduction
There is an exploitable page fault that can be reliably triggered from the Chromium sandbox; it can possibly lead to remote attackers causing a denial of service condition or possibly running system code.
This was found while fuzzing the Chromium browser.
In order to reproduce, you should run the given HTML page:
https://drive.google.com/open?id=15NzlWcu0vUPLPpEDuOMCpCWjWM4QrAx3
with the default installation of Ubuntu Desktop (details of the product versions are given below) with the Nouveau driver installed; this can be remotely exploitable.
This issue is referenced here: https://bugs.chromium.org/p/chromium/issues/detail?id=784062
Details:
This should affect Chrome OS too: https://chromium.googlesource.com/chromiumos/third_party/drm/+/292da616fe1f936ca78a3fa8e1b1b19883e343b6/nouveau/nouveau.h
This is the kernel stack:
comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:13 nitro kernel: [ 53.352636] audit: type=1400 audit(1510305733.908:25): apparmor="DENIED" operation="connect" profile="webbrowser-app" pid=1903 comm="webbrowser-app" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-3hDyoEr1" peer="unconfined"
Nov 10 11:22:14 nitro kernel: [ 53.450239] audit: type=1400 audit(1510305734.007:26): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=1903 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:14 nitro kernel: [ 53.460449] audit: type=1400 audit(1510305734.015:27): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=1903 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:14 nitro kernel: [ 53.460451] audit: type=1400 audit(1510305734.015:28): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/dev/dri/" pid=1903 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:14 nitro kernel: [ 53.517029] audit: type=1400 audit(1510305734.071:29): apparmor="DENIED" operation="connect" profile="webbrowser-app" pid=1903 comm="pool" family="unix" sock_type="stream" protocol=0 requested_mask="send receive connect" denied_mask="send connect" addr=none peer_addr="@/tmp/ibus/dbus-3hDyoEr1" peer="unconfined"
Nov 10 11:22:14 nitro kernel: [ 54.279158] audit: type=1400 audit(1510305734.830:30): apparmor="DENIED" operation="mkdir" profile="webbrowser-app" name="/home/yn/.config/ubuntu-ui-toolkit/" pid=1903 comm="webbrowser-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 10 11:22:14 nitro kernel: [ 54.279160] audit: type=1400 audit(1510305734.830:31): apparmor="DENIED" operation="mkdir" profile="webbrowser-app" name="/home/yn/.config/ubuntu-ui-toolkit/" pid=1903 comm="webbrowser-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 10 11:22:16 nitro kernel: [ 55.680138] audit: type=1400 audit(1510305736.218:32): apparmor="DENIED" operation="mkdir" profile="webbrowser-app" name="/home/yn/.config/ubuntu-ui-toolkit/" pid=1903 comm="webbrowser-app" requested_mask="c" denied_mask="c" fsuid=1000 ouid=1000
Nov 10 11:22:16 nitro kernel: [ 55.680140] audit: type=1400 audit(1510305736.222:33): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/sys/bus/" pid=1903 comm="webbrowser-app" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:18 nitro kernel: [ 58.301903] kauditd_printk_skb: 4 callbacks suppressed
Nov 10 11:22:18 nitro kernel: [ 58.301905] audit: type=1400 audit(1510305738.835:38): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/proc/1943/task/1943/status" pid=1903 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:18 nitro kernel: [ 58.329002] audit: type=1400 audit(1510305738.863:39): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/proc/1943/task/1943/status" pid=1903 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:18 nitro kernel: [ 58.329004] audit: type=1400 audit(1510305738.863:40): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/proc/1943/task/1943/status" pid=1903 comm="Chrome_FileUser" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
Nov 10 11:22:19 nitro kernel: [ 58.544021] audit: type=1400 audit(1510305739.075:41): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:24 nitro kernel: [ 63.790188] audit: type=1400 audit(1510305744.310:42): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:25 nitro kernel: [ 64.498110] audit: type=1400 audit(1510305745.013:43): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:25 nitro kernel: [ 65.002020] audit: type=1400 audit(1510305745.516:44): apparmor="DENIED" operation="open" profile="webbrowser-app" name="/home/yn/sus/foo.html" pid=1903 comm="Chrome_FileThre" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
Nov 10 11:22:34 nitro NetworkManager[803]: <warn>  [1510305754.6049] dhcp6 (eno1): request timed out
Nov 10 11:22:34 nitro NetworkManager[803]: <info>  [1510305754.6049] dhcp6 (eno1): state changed unknown -> timeout
Nov 10 11:22:34 nitro NetworkManager[803]: <info>  [1510305754.6057] dhcp6 (eno1): canceled DHCP transaction, DHCP client pid 1617
Nov 10 11:22:34 nitro NetworkManager[803]: <info>  [1510305754.6057] dhcp6 (eno1): state changed timeout -> done
Nov 10 11:24:37 nitro kernel: [ 196.887267] nouveau 0000:01:00.0: fifo: read fault at 002b8c0000 engine 00 [PGRAPH] client 10 [] reason 02 [PAGE_NOT_PRESENT] on channel 8 [003f986000 chromium-browse[2658]]
Nov 10 11:24:37 nitro kernel: [ 196.887274] nouveau 0000:01:00.0: fifo: gr engine fault on channel 8, recovering...
Nov 10 11:24:57 nitro kernel: [ 216.884429] ------------[ cut here ]------------
Nov 10 11:24:57 nitro kernel: [ 216.884467] WARNING: CPU: 2 PID: 1032 at /build/linux-hwe-lyR8gz/linux-hwe-4.10.0/drivers/gpu/drm/nouveau/nouveau_bo.c:1212 nouveau_bo_move_ntfy+0xa3/0xb0 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884467] Modules linked in: nls_utf8 udf crc_itu_t nls_iso8859_1 hid_multitouch intel_rapl x86_pkg_temp_thermal intel_powerclamp joydev coretemp kvm uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core irqbypass videodev media crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc snd_hda_codec_idt snd_hda_codec_generic aesni_intel snd_hda_intel aes_x86_64 snd_hda_codec crypto_simd glue_helper snd_hda_core cryptd snd_hwdep intel_cstate intel_rapl_perf snd_pcm arc4 input_leds rt2800pci serio_raw snd_seq_midi snd_seq_midi_event rt2800mmio rt2800lib rt2x00pci rt2x00mmio rt2x00lib mac80211 cfg80211 rtsx_pci_ms lpc_ich memstick eeprom_93cx6 snd_rawmidi snd_seq snd_seq_device snd_timer mac_hid snd shpchp mei_me ie31200_edac mei soundcore edac_core parport_pc ppdev lp parport autofs4
Nov 10 11:24:57 nitro kernel: [ 216.884494] uas usb_storage hid_generic usbhid hid nouveau rtsx_pci_sdmmc mxm_wmi i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect ahci sysimgblt fb_sys_fops libahci r8169 drm mii rtsx_pci video fjes wmi
Nov 10 11:24:57 nitro kernel: [ 216.884504] CPU: 2 PID: 1032 Comm: Xorg Not tainted 4.10.0-38-generic #42~16.04.1-Ubuntu
Nov 10 11:24:57 nitro kernel: [ 216.884505] Hardware name: Hewlett-Packard 23-d160ej/2ADC, BIOS 8.10 09/25/2012
Nov 10 11:24:57 nitro kernel: [ 216.884514] Call Trace:
Nov 10 11:24:57 nitro kernel: [ 216.884518] dump_stack+0x63/0x90
Nov 10 11:24:57 nitro kernel: [ 216.884520] __warn+0xcb/0xf0
Nov 10 11:24:57 nitro kernel: [ 216.884521] warn_slowpath_null+0x1d/0x20
Nov 10 11:24:57 nitro kernel: [ 216.884541] nouveau_bo_move_ntfy+0xa3/0xb0 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884545] ttm_bo_handle_move_mem+0x26c/0x610 [ttm]
Nov 10 11:24:57 nitro kernel: [ 216.884547] ttm_bo_evict+0x13b/0x2e0 [ttm]
Nov 10 11:24:57 nitro kernel: [ 216.884567] ? nvc0_fence_sync32+0x169/0x1a0 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884570] ttm_mem_evict_first+0x171/0x1f0 [ttm]
Nov 10 11:24:57 nitro kernel: [ 216.884572] ttm_bo_mem_space+0x34a/0x4d0 [ttm]
Nov 10 11:24:57 nitro kernel: [ 216.884575] ttm_bo_validate+0xd5/0x150 [ttm]
Nov 10 11:24:57 nitro kernel: [ 216.884577] ttm_bo_init+0x2da/0x420 [ttm]
Nov 10 11:24:57 nitro kernel: [ 216.884596] nouveau_bo_new+0x1fb/0x310 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884613] ? nv10_bo_put_tile_region+0x80/0x80 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884631] nouveau_gem_new+0x83/0x150 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884649] nouveau_gem_ioctl_new+0x88/0x140 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884658] drm_ioctl+0x21b/0x4d0 [drm]
Nov 10 11:24:57 nitro kernel: [ 216.884676] ? nouveau_gem_new+0x150/0x150 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884678] ? ep_ptable_queue_proc+0xa0/0xa0
Nov 10 11:24:57 nitro kernel: [ 216.884696] nouveau_drm_ioctl+0x68/0xc0 [nouveau]
Nov 10 11:24:57 nitro kernel: [ 216.884698] do_vfs_ioctl+0xa1/0x5f0
Nov 10 11:24:57 nitro kernel: [ 216.884700] ? __sys_recvmsg+0x80/0x90
Nov 10 11:24:57 nitro kernel: [ 216.884701] SyS_ioctl+0x79/0x90
Nov 10 11:24:57 nitro kernel: [ 216.884703] entry_SYSCALL_64_fastpath+0x1e/0xad
Nov 10 11:24:57 nitro kernel: [ 216.884704] RIP: 0033:0x7fe5c4682f07
Nov 10 11:24:57 nitro kernel: [ 216.884705] RSP: 002b:00007fffb32b1638 EFLAGS: 00003246 ORIG_RAX: 0000000000000010
Nov 10 11:24:57 nitro kernel: [ 216.884706] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007fe5c4682f07
Nov 10 11:24:57 nitro kernel: [ 216.884706] RDX: 00007fffb32b1690 RSI: 00000000c0306480 RDI: 000000000000000e
Nov 10 11:24:57 nitro kernel: [ 216.884707] RBP: 0000558245e6bec0 R08: 00005582457911c0 R09: 00005582457912c0
Nov 10 11:24:57 nitro kernel: [ 216.884707] R10: 0000000000000020 R11: 0000000000003246 R12: 0000000000000001
Nov 10 11:24:57 nitro kernel: [ 216.884708] R13: 00007fffb32af1c0 R14: 0000000000000080 R15: 0000558245e6bec0
Nov 10 11:24:57 nitro kernel: [ 216.884731] ---[ end trace 50dc9d1f84044e6c ]---
Chrome Version : 62.0.3202.75 (Official Build) Built on Ubuntu
URLs (if applicable) :
OS: Ubuntu 16.04, kernel 4.10.0-38-generic
Other browsers tested:
Add OK or FAIL, along with the version, after other browsers where you have tested this issue:
Safari: ok
Firefox: ok
Edge: only linux
What steps will reproduce the problem?
(1) sudo apt install chromium-browser
(2) Open Chrome at the given HTML file.
(3)
What is the expected result?
Error while parsing.
What happens instead?
Kernel panic (pool overflow).
Please provide any additional information below. Attach a screenshot if
possible.
Because the kernel will panic, I cannot get an ASan log from
asan-linux-release-514498.
I will note that this is a Linux-only problem.
Additionally, you may need to run this against a machine with 3rd-party
audio and graphics drivers (not on an AWS box).
Regards.
Attachment 135404, "reproduction":
panic.html
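Added here as a worked triage example, not code from the report, from the reporter, or from the Nouveau project: a small Python script that parses the kind of kernel lines quoted above and decodes the ioctl request number held in RSI. The sample input is a constructed copy of the fifo fault line, the WARNING line, the Comm line and two register-dump lines from this report with the syslog prefix and bracketed timestamp dropped. The ioctl decoding follows the standard Linux _IOC field layout (nr:8, type:8, size:14, dir:2) and the DRM convention of type 'd' with driver-private commands starting at DRM_COMMAND_BASE (0x40); the nouveau command-number table is a GEM-only subset of include/uapi/drm/nouveau_drm.h. The regexes, the field names in the returned dictionaries and the `triage` and `decode_ioctl` helpers are my own and are assumptions about how one would want the data structured.

```python
import json
import re

# Constructed copies of lines from the kernel log quoted in this report, trimmed to the
# kernel message text (syslog host/date prefix and "[ seconds]" timestamp dropped).
SAMPLE_LOG = """\
nouveau 0000:01:00.0: fifo: read fault at 002b8c0000 engine 00 [PGRAPH] client 10 [] reason 02 [PAGE_NOT_PRESENT] on channel 8 [003f986000 chromium-browse[2658]]
nouveau 0000:01:00.0: fifo: gr engine fault on channel 8, recovering...
WARNING: CPU: 2 PID: 1032 at /build/linux-hwe-lyR8gz/linux-hwe-4.10.0/drivers/gpu/drm/nouveau/nouveau_bo.c:1212 nouveau_bo_move_ntfy+0xa3/0xb0 [nouveau]
CPU: 2 PID: 1032 Comm: Xorg Not tainted 4.10.0-38-generic #42~16.04.1-Ubuntu
RSP: 002b:00007fffb32b1638 EFLAGS: 00003246 ORIG_RAX: 0000000000000010
RDX: 00007fffb32b1690 RSI: 00000000c0306480 RDI: 000000000000000e
"""

# ioctl request layout from asm-generic/ioctl.h: nr:8 | type:8 | size:14 | dir:2.
_IOC_TYPESHIFT, _IOC_SIZESHIFT, _IOC_DIRSHIFT = 8, 16, 30
_IOC_DIR_NAMES = {0: "_IO", 1: "_IOW", 2: "_IOR", 3: "_IOWR"}

# DRM ioctls use type 'd'; driver-private commands start at DRM_COMMAND_BASE.
DRM_IOCTL_TYPE = ord("d")
DRM_COMMAND_BASE = 0x40
# GEM subset of the nouveau command numbers from include/uapi/drm/nouveau_drm.h.
NOUVEAU_COMMANDS = {
    0x40: "DRM_NOUVEAU_GEM_NEW",
    0x41: "DRM_NOUVEAU_GEM_PUSHBUF",
    0x42: "DRM_NOUVEAU_GEM_CPU_PREP",
    0x43: "DRM_NOUVEAU_GEM_CPU_FINI",
    0x44: "DRM_NOUVEAU_GEM_INFO",
}
# x86-64 syscall numbers relevant here (ORIG_RAX in the register dump).
X86_64_SYSCALLS = {16: "ioctl"}

# Hypothetical regexes written for this example against the nouveau/ttm log format.
FIFO_FAULT_RE = re.compile(
    r"fifo: (?P<access>\w+) fault at (?P<addr>[0-9a-f]+) engine (?P<engine>\d+) "
    r"\[(?P<engine_name>\w*)\] client (?P<client>\d+) \[(?P<client_name>\w*)\] "
    r"reason (?P<reason>\d+) \[(?P<reason_name>\w+)\] on channel (?P<chan>\d+) "
    r"\[(?P<chan_addr>[0-9a-f]+) (?P<owner>.+)\[(?P<owner_pid>\d+)\]\]"
)
WARNING_RE = re.compile(
    r"WARNING: CPU: (?P<cpu>\d+) PID: (?P<pid>\d+) at (?P<file>\S+):(?P<line>\d+) (?P<func>\S+)"
)
COMM_RE = re.compile(r"PID: (?P<pid>\d+) Comm: (?P<comm>\S+)")
ORIG_RAX_RE = re.compile(r"ORIG_RAX: (?P<nr>[0-9a-f]{16})")
RSI_RE = re.compile(r"RSI: (?P<rsi>[0-9a-f]{16})")


def decode_ioctl(request):
    """Split a raw ioctl request number into its _IOC fields; name nouveau commands."""
    nr = request & 0xFF
    typ = (request >> _IOC_TYPESHIFT) & 0xFF
    size = (request >> _IOC_SIZESHIFT) & 0x3FFF
    direction = (request >> _IOC_DIRSHIFT) & 0x3
    name = None
    if typ == DRM_IOCTL_TYPE and nr >= DRM_COMMAND_BASE:
        name = NOUVEAU_COMMANDS.get(nr - DRM_COMMAND_BASE)
    return {"dir": _IOC_DIR_NAMES[direction], "type": chr(typ),
            "nr": nr, "size": size, "name": name}


def triage(log_text):
    """Pull the GPU fault, the WARN site and the user-space syscall out of a log excerpt."""
    report = {"fault": None, "warning": None, "comm": None, "syscall": None, "ioctl": None}
    for line in log_text.splitlines():
        if (m := FIFO_FAULT_RE.search(line)) and report["fault"] is None:
            d = m.groupdict()
            report["fault"] = {
                "access": d["access"], "addr": int(d["addr"], 16),
                "engine": d["engine_name"], "reason": d["reason_name"],
                "channel": int(d["chan"]), "owner": d["owner"],
                "owner_pid": int(d["owner_pid"]),
            }
        elif (m := WARNING_RE.search(line)) and report["warning"] is None:
            d = m.groupdict()
            report["warning"] = {
                "pid": int(d["pid"]), "file": d["file"].rsplit("/", 1)[-1],
                "line": int(d["line"]), "func": d["func"].split("+", 1)[0],
            }
        elif (m := COMM_RE.search(line)) and report["comm"] is None:
            report["comm"] = m.group("comm")
        elif (m := ORIG_RAX_RE.search(line)) and report["syscall"] is None:
            nr = int(m.group("nr"), 16)
            report["syscall"] = X86_64_SYSCALLS.get(nr, f"nr {nr}")
        elif (m := RSI_RE.search(line)) and report["ioctl"] is None:
            # On x86-64 the ioctl request number is the second syscall argument (RSI).
            report["ioctl"] = decode_ioctl(int(m.group("rsi"), 16))
    # The process whose GPU channel faulted and the process inside the WARN need not
    # be the same; record that, because it decides whose ioctl path to read next.
    f, w = report["fault"], report["warning"]
    report["same_process"] = bool(f and w and f["owner_pid"] == w["pid"])
    return report


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG), indent=2))
```

Run on the constructed sample it reports a PGRAPH read fault with reason PAGE_NOT_PRESENT on channel 8 owned by chromium-browse (PID 2658), and a WARN at nouveau_bo.c:1212 in nouveau_bo_move_ntfy reached from PID 1032 (Comm: Xorg) during syscall 16 (ioctl) with request 0xc0306480, which decodes to _IOWR('d', 0x80, 48), i.e. DRM_NOUVEAU_GEM_NEW. The two PIDs differ, so the WARN in the trace is Xorg's GEM allocation hitting TTM eviction after the GPU fault, not a trap taken in the chromium process itself.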