I hit a kernel NULL pointer dereference caused by the following call chain:
do_coredump()
file_start_write(cprm.file) # cprm.file is NULL
file_inode(file) # NULL ptr deref
The `ispipe` path is followed in do_coredump(), and:
# cat /proc/sys/kernel/core_pattern
|/usr/lib/systemd/systemd-coredump %P %u %g %s %t %c %h
It seems that cprm.file can be NULL after the call to the usermode
helper, especially when setting CONFIG_STATIC_USERMODEHELPER=y and
CONFIG_STATIC_USERMODEHELPER_PATH="", which is the case for me.
One may say it's a strange combination of configuration options but I
think it should not crash the kernel anyway. As I don't know much about
coredumps in general and this code, I don't know what's the best way to
fix this issue in a clean and comprehensive way.
I attached the patch I used to temporarily work around this issue, if
that can clarify anything.
Thanks,
--
Thibaut Sautereau
CLIP OS developer
>From 613dfc60429c1fc5fc19e1c8662648620dc103af Mon Sep 17 00:00:00 2001
From: Thibaut Sautereau <thibaut.sautereau@xxxxxxxxxxx>
Date: Fri, 27 Mar 2020 16:34:59 +0100
Subject: [PATCH] coredump: FIXUP
---
fs/coredump.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/coredump.c b/fs/coredump.c
index b1ea7dfbd149..d0177b81345f 100644
--- a/fs/coredump.c
+++ b/fs/coredump.c
@@ -686,7 +686,7 @@ void do_coredump(const kernel_siginfo_t *siginfo)
UMH_WAIT_EXEC);
kfree(helper_argv);
- if (retval) {
+ if (retval || !cprm.file) {
printk(KERN_INFO "Core dump to |%s pipe failed\n",
cn.corename);
goto close_fail;
--
2.26.0
