
Interrupting a process leads to kernel panic on kernels greater than 5.1.8

Low
leodido published GHSA-x4hx-7mm8-8w9j Apr 29, 2021

Package

falcosecurity/libs (Falco)

Affected versions

<94ca286

Patched versions

94ca286

Description

Impact

What kind of vulnerability is it? Who is impacted?

A bug in the driver (i.e., the kernel module) shipped with Falco could lead to a kernel panic (NULL pointer dereference) on some newer kernels when the user kills or interrupts a process. However, the bug should be seen more as a usability issue than a security problem.

PoC:

sleep 10 & (killall -9 sleep)

Backtrace:

[ 70.681021] BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
[...]
[ 70.681355] Call Trace:
[ 70.681370] ? record_event_consumer.part.4+0x300/0xb00 [sysdig_probe]
[ 70.681388] record_event_all_consumers+0x76/0xb0 [sysdig_probe]
[ 70.681406] signal_deliver_probe+0x48/0x70 [sysdig_probe]
[ 70.681424] get_signal+0x352/0x760
[ 70.681450] do_signal+0x36/0x640
[ 70.681466] ? record_event_all_consumers+0x8b/0xb0 [sysdig_probe]
[ 70.681484] ? syscall_exit_probe+0x11a/0x130 [sysdig_probe]
[ 70.681500] exit_to_usermode_loop+0xbf/0xe0
[ 70.681513] do_syscall_64+0x157/0x180
[ 70.681530] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Only users running Falco versions before 0.18.0 with the kernel module on kernels greater than 5.1.8 are impacted.

Patches

Has the problem been patched? What versions should users upgrade to?

The problem has been addressed by commit 94ca286 on Jul 29, 2019.

Users should upgrade to Falco 0.18.0 or later.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

No workaround is available; a version upgrade to 0.18.0 (which uses a Falco kernel module containing the above-mentioned commit) or later is needed.

References

Are there any links users can visit to find out more?

For Linux kernels greater than 5.1.8, get_signal passes a NULL pointer to the tracer function when the process is terminated (see https://elixir.bootlin.com/linux/v5.1.8/source/kernel/signal.c#L2444). The patch always verifies whether the pointer passed by get_signal is NULL before accessing any of its struct elements, to avoid invalid memory access in record_event_consumer.
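The check the advisory describes, modelled in user-space C as an added example (this is not the driver's own code; the struct layouts, field names and function names are assumptions, and the "unchecked" variant is the pre-fix behaviour kept only for comparison):

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's siginfo with only the field read here (a model). */
struct siginfo_model {
    int64_t si_pid;     /* pid of the sender */
};

/* Model of what the signal_deliver tracepoint hands the driver. On kernels
 * newer than 5.1.8 get_signal() passes info == NULL while the task is being
 * terminated, which is the case the PoC above triggers. */
struct signal_deliver_args {
    int                         sig;
    const struct siginfo_model *info;        /* may be NULL */
    int64_t                     current_pid; /* task receiving the signal */
};

/* Event the driver would emit (field names are assumptions). */
struct sigdeliver_event {
    int32_t sig;
    int64_t spid;   /* sender pid, 0 when unknown */
    int64_t dpid;   /* destination pid */
};

/* Before the fix: args->info is dereferenced unconditionally; with info == NULL
 * this is the dereference in the backtrace above. Kept for comparison only. */
int fill_sigdeliver_unchecked(const struct signal_deliver_args *args, struct sigdeliver_event *ev)
{
    ev->sig  = (int32_t)args->sig;
    ev->spid = args->info->si_pid;   /* faults when info == NULL */
    ev->dpid = args->current_pid;
    return 0;
}

/* After the fix: the pointer is tested before any member is read, so a
 * termination-time NULL yields a sender-unknown event instead of a panic.
 * Returns 0 on success, -1 when args or ev is missing. */
int fill_sigdeliver_checked(const struct signal_deliver_args *args, struct sigdeliver_event *ev)
{
    if (args == NULL || ev == NULL)
        return -1;
    memset(ev, 0, sizeof(*ev));      /* spid defaults to 0: sender unknown */
    ev->sig  = (int32_t)args->sig;
    ev->dpid = args->current_pid;
    if (args->info != NULL)
        ev->spid = args->info->si_pid;   /* read only behind the NULL check */
    return 0;
}
```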

For more information

If you have any questions or comments about this advisory:

Severity

Low

CVE ID

No known CVE

Weaknesses

No CWEs

Credits