Open Sound System

[o01eg]

Get kernel panic when jabber client play multiple sounds about new messages:

Code: Select all

[46165.423882] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
[46165.423900] IP: [<ffffffffa0e8cb05>] vmix_detach_audiodev+0x1f5/0x2e0 [osscore]
[46165.423915] PGD 3c9a7067 PUD 3c95b067 PMD 0
[46165.423925] Oops: 0000 [#1] PREEMPT SMP
[46165.423933] last sysfs file: /sys/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/model
[46165.423939] CPU 3


Full log: http://paste.pocoo.org/show/341196/

[cesium]

A) Can you paste the output of 'ossinfo -v3'?
B) Is this reproducible? (i.e. always happens with jabber, etc., or just this once).

[igorzwx]

Get kernel panic when jabber client play multiple sounds about new messages:

Code: Select all

[46165.423882] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030


Do you have PulseAudio (or libpulse) installed, or a kind of SELinux?

Clever attack exploits fully-patched Linux kernel
'NULL pointer' bug plagues even super max versions
http://www.theregister.co.uk/2009/07/17 ... l_exploit/

[o01eg]

A) Can you paste the output of 'ossinfo -v3'?

http://paste.pocoo.org/show/341229/

B) Is this reproducible? (i.e. always happens with jabber, etc., or just this once).

Yes, I have got it already four times, but only now try to get logs.

Do you have PulseAudio (or libpulse) installed, or a kind of SELinux?

I have PulseAudio installed, but I don't use it. I also don't use SELinux.

[igorzwx]

A) Can you paste the output of 'ossinfo -v3'?

http://paste.pocoo.org/show/341229/

B) Is this reproducible? (i.e. always happens with jabber, etc., or just this once).

Yes, I have got it already four times, but only now try to get logs.

Do you have PulseAudio (or libpulse) installed, or a kind of SELinux?

I have PulseAudio installed, but I don't use it. I also don't use SELinux.

If you have PulseAudio installed, it may explain the phenomenon.
Have you tried to remove it?

[o01eg]

PulseAudio don't work in kernel-mode, it cann't crash kernel. As I see in logs, crash caused in "play" process from sox-14.3.0.
It look as conncurency bug.

[igorzwx]

PulseAudio don't work in kernel-mode

It seems that it does:

Clever attack exploits fully-patched Linux kernel
'NULL pointer' bug plagues even super max versions
...The exploit works only when a security extension knows as SELinux, or Security-Enhanced Linux, is enabled. Conversely, it also works when audio software known as PulseAudio is installed.
http://www.theregister.co.uk/2009/07/17 ... l_exploit/

[cesium]

Yea, I'm sure Pulse has nothing to do with it.

o01eg: Can you try a small experiment?
A) Add "vmix_no_autoattach=1" line to /usr/lib/oss/conf/osscore.conf
B) Add "vmixctl attach -c8 /dev/oss/oss_hdaudio0/pcm0 /dev/oss/oss_hdaudio0/pcmin0" line (before the "exit 0", of course) to /usr/lib/oss/soundon.user
C) Do "sudo chmod +x /usr/lib/oss/soundon.user"
D) Restart OSS, with "sudo soundoff" and "sudo soundon" commands.
E) Test again if it crashes.

[o01eg]

Do I need to get kernel crash?

[cesium]

Nope. Just want to know if it crashes.

[igorzwx]

Yea, I'm sure Pulse has nothing to do with it.

If it has nothing to do with PulseAudio, it might be a security problem of OSS4, which might be exploited by botnets
http://www.google.com/search?q=linux%20 ... 8&oe=UTF-8
http://www.theregister.co.uk/2009/07/17 ... l_exploit/

If I am not mistaken, you have already told something about innovations in vmix, which make it similar to PulseAudio. Right?

See also: http://www.theregister.co.uk/2011/02/09 ... _problems/
Watch the video clip: http://www.youtube.com/watch?v=ovfYBa1EHm4
read the discussion on the forum: http://forums.theregister.co.uk/forum/1 ... _problems/
and a blog post here: http://blogs.iss.net/archive/Shmoocon2011.html

[cesium]

There is a difference between "crash/panic" to "exploitable hole". I don't think there's a way a userland program can get its own code executed here.

[igorzwx]

There is a difference between "crash/panic" to "exploitable hole". I don't think there's a way a userland program can get its own code executed here.

Imagine a scenario: "provoke a kernel crash and utilize it to compromise the system".
You may ask the IMB security experts, e.g. Jon Larimer, of IBM's X-Force security division http://www.theregister.co.uk/2011/02/09 ... _problems/

[o01eg]

Can I or you get more detailed information about crash with this backtrace? I have kernel and modules binary and .map files.

[cesium]

Perhaps, but I am no expert (or dev - the OSS devs are at the oss-devel mailing list). Right now, I'm curious to find out whether it's a sync issue or an overflow issue (very likely the first, but I want to make sure). We could add calls to print out output to dmesg around the last function in the trace, but I don't know if you could recover the dmesg after the panic (I guess serial console would work, but requires some hw? And you'll have to rebuild OSS to allow this):

Code: Select all

diff -r 09a210f84f55 kernel/framework/vmix_core/vmix_core.c
--- a/kernel/framework/vmix_core/vmix_core.c   Thu Jan 06 07:55:36 2011 +0200
+++ b/kernel/framework/vmix_core/vmix_core.c   Sat Feb 19 14:59:17 2011 +0200
@@ -2246,6 +2246,7 @@
   vmix_portc_t *portc;
   vmix_mixer_t *mixer = mixer_;

+cmn_err (CE_CONT, "%d | %p %d\n", __LINE__, mixer_, num_clientdevs);
   if (mixer->disabled) /* Vmix is disabled for the time being */
      return OSS_ENXIO;

@@ -2266,6 +2267,7 @@
     break;
   }
   MUTEX_EXIT_IRQRESTORE (mixer->mutex, flags);
+cmn_err (CE_CONT, "%d | %p %d\n", __LINE__, portc, engine_num);
 
/*
  * Create a new engine and use it
@@ -2284,6 +2286,7 @@
      }

   portc = audio_engines[engine_num]->portc;
+cmn_err (CE_CONT, "%d | %p %d\n", __LINE__, portc, engine_num);

   /* portc->open_pending = 1; // This was done already by create_vmix_engine() */
   return engine_num;