"bug description: kernel warn in p9_trans_create_unix" in Linux Kernel Version 2.6.26

From: cheung wall
Date: Sun Dec 01 2024 - 23:31:00 EST


Hello,

I am writing to report a potential vulnerability identified in the
Linux Kernel version 2.6.26.
This issue was discovered using our custom vulnerability discovery
tool.

Affected File:

File: net/9p/trans_fd.c
Function: p9_trans_create_unix

Detailed call trace:

[ 1126.740669] RIP: 0010:[<ffffffffa0219318>] [<ffffffffa0219318>] :9pnet:p9_trans_create_unix+0x64/0x180
[ 1126.740669] RSP: 0018:ffff81018ec3fb68 EFLAGS: 00000246
[ 1126.740669] RAX: 0000000000000000 RBX: 0000000000000003 RCX: ffffffffffffffff
[ 1126.740669] RDX: ffff81023bcee000 RSI: ffff81022e5bcfc0 RDI: 0000000000000000
[ 1126.740669] RBP: 0000000000000000 R08: ffff81022b98a000 R09: ffff8102318e5ef6
[ 1126.740669] R10: 0000000000000000 R11: ffffffff802f20a6 R12: ffff81022e5bcfc0
[ 1126.740669] R13: ffff81022e5bcfc0 R14: 0000000000002000 R15: 0000000000000001
[ 1126.740669] FS: 00007f20dd7116e0(0000) GS:ffff81023bce97c0(0000) knlGS:0000000000000000
[ 1126.740669] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
[ 1126.740669] CR2: 0000000000000000 CR3: 000000019d47d000 CR4: 00000000000006e0
[ 1126.740669] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1126.740669] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1126.740669] Process a.out (pid: 15058, threadinfo ffff81018ec3e000, task ffff8101f6502750)
[ 1126.740669] Stack: ffff81023b9c0550 0000000000000000 ffffffffa0116aa0 ffffffffa00f6899
[ 1126.740669] 0000000000000000 ffff810223007c60 ffff81022c95b7b0 ffff81022996dd70
[ 1126.740669] 00000000000b1943 ffff810238190c00 0000000000001000 ffffffff803208fb
[ 1126.740669] Call Trace:
[ 1126.740669] [<ffffffffa00f6899>] :jbd:do_get_write_access+0x378/0x3be
[ 1126.740933] [<ffffffff803208fb>] match_token+0x6d/0x1d2
[ 1126.740933] [<ffffffffa0215610>] :9pnet:p9_client_create+0x181/0x2b3
[ 1126.740933] [<ffffffff80276423>] get_page_from_freelist+0x45a/0x603
[ 1126.740933] [<ffffffff80320a44>] match_token+0x1b6/0x1d2
[ 1126.740933] [<ffffffffa022475a>] :9p:v9fs_session_init+0x289/0x32f
[ 1126.740933] [<ffffffffa02230ec>] :9p:v9fs_get_sb+0x6d/0x1d9
[ 1126.740933] [<ffffffff8029cbbc>] vfs_kern_mount+0x93/0x11b
[ 1126.740933] [<ffffffff8029cc97>] do_kern_mount+0x43/0xdc
[ 1126.740933] [<ffffffff802b16a9>] do_new_mount+0x5b/0x95
[ 1126.740933] [<ffffffff802b18a0>] do_mount+0x1bd/0x1e7
[ 1126.740933] [<ffffffff8027684e>] __alloc_pages_internal+0xd6/0x3bf
[ 1126.740933] [<ffffffff802b1954>] sys_mount+0x8a/0xce
[ 1126.740933] [<ffffffff8020beca>] system_call_after_swapgs+0x8a/0x8f
[ 1126.740933]
[ 1126.740933]
[ 1126.740933] Code: 07 e0 48 85 c0 49 89 c5 0f 84 24 01 00 00 fc 48 c7 40 20 20 8d 21 a0 48 c7 40 18 30 81 21 a0 48 83 c9 ff 49 89 c4 48 89 ef 31 c0 <f2> ae 48 f7 d1 48 ff c9 48 83 f9 6c 76 31 65 48 8b 04 25 00 00
[ 1126.740933] RIP [<ffffffffa0219318>] :9pnet:p9_trans_create_unix+0x64/0x180
[ 1126.740933] RSP <ffff81018ec3fb68>
[ 1126.740933] CR2: 0000000000000000
[ 1126.745832] ---[ end trace 9deab910d1f789fc ]---

Repro C Source Code: https://pastebin.com/jirvRhYm

Root Cause:

The root cause of this bug lies in the insufficient validation of
mount options passed to the p9_trans_create_unix function in the 9P
filesystem's Unix transport mechanism. Specifically, malformed or
incomplete options, such as
"trans=unix,access=client,nodevmap,aname=vboxnet1:em0+cpuset", lead to
unhandled edge cases during option parsing and socket initialization.
This causes the kernel to dereference an invalid or null pointer,
triggering a general protection fault. The lack of proper input checks
and error handling in the function results in memory corruption and
kernel instability when processing user-controlled mount requests.

Thank you for your time and attention.

Best regards

Wall
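The report above attributes the fault to missing validation in p9_trans_create_unix. As an added example that is not part of the report or of the kernel's own code, here is a user-space C model of the transport address check at the head of that function, the unchecked form beside a hardened one. It assumes, from RDI=0 at the `repne scasb` in the oops (the compiler's inlined strlen), that the NULL dereference is strlen() on a missing address string; the function names, the stricter length bound and the sample path are the example's own.

```c
/* Added example, not kernel code: a user-space model of the transport address
 * check at the head of p9_trans_create_unix, before and after hardening.
 * Assumption: the oops' RDI=0 at "repne scasb" (inlined strlen) means the
 * NULL dereference is strlen() on a missing address string. */
#include <errno.h>
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* sizeof sockaddr_un.sun_path: 108 on Linux, the kernel's UNIX_PATH_MAX. */
#define UNIX_PATH_MAX (sizeof(((struct sockaddr_un *)0)->sun_path))

/* Before: the length test runs first, so a NULL addr is handed straight to
 * strlen(). Kept only for comparison; never call it with NULL. */
int unix_addr_check_before(const char *addr)
{
	if (strlen(addr) > UNIX_PATH_MAX)
		return -ENAMETOOLONG;
	return 0;
}

/* After: reject a missing or empty address first, then bound the length
 * (no NUL within sun_path-sized prefix means the terminator cannot fit). */
int unix_addr_check(const char *addr)
{
	if (addr == NULL || addr[0] == '\0')
		return -EINVAL;
	if (memchr(addr, '\0', UNIX_PATH_MAX) == NULL)
		return -ENAMETOOLONG;
	return 0;
}

/* Validate addr, fill *sa for connect(), and return the addrlen to pass to
 * connect(), or a negative errno. The memcpy is safe: the length was bounded. */
int fill_unix_sockaddr(struct sockaddr_un *sa, const char *addr)
{
	int err = unix_addr_check(addr);
	if (err)
		return err;
	memset(sa, 0, sizeof(*sa));
	sa->sun_family = AF_UNIX;
	memcpy(sa->sun_path, addr, strlen(addr) + 1);
	return (int)(offsetof(struct sockaddr_un, sun_path) + strlen(addr) + 1);
}
```

The hardened check rejects the NULL and empty cases with -EINVAL before any string function touches the pointer, and bounds the path so the copy into sun_path can never run past it.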