vmalloc failure leads to null ptr dereference in aa_dfa_next

Colin,

do you want a deb to test or just a patch?

Punt me a patch, I can quickly build and test it

Colin, I've got 3 patches for the dfa unpack, sorry should have dumped them to an mbox

These don't build against Xenial for me:

  CC security/apparmor/apparmorfs.o
/home/cking/vmalloc/ubuntu-xenial/security/apparmor/apparmorfs.c: In function 'aa_mk_null_file':
/home/cking/vmalloc/ubuntu-xenial/security/apparmor/apparmorfs.c:1215:2: error: implicit declaration of function 'inode_lock' [-Werror=implicit-function-declaration]
  inode_lock(d_inode(parent));
  ^
/home/cking/vmalloc/ubuntu-xenial/security/apparmor/apparmorfs.c:1241:2: error: implicit declaration of function 'inode_unlock' [-Werror=implicit-function-declaration]
  inode_unlock(d_inode(parent));
  ^

oops sorry picked them from my 4.7 rebase

Colin,

only the 2nd patch needed to be fixed. Attached

Getting a null ptr deref in a different place now

[ 17.514600] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[ 17.514745] IP: [<ffffffff8137a956>] aa_dfa_next+0x6/0x70
[ 17.514851] PGD 3bee2067 PUD 3bee3067 PMD 0
[ 17.514950] Oops: 0000 [#1] SMP
[ 17.515046] Modules linked in: snd_hda_codec_generic ppdev snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_pcm snd_timer snd input_leds joydev serio_raw soundcore i2c_piix4 parport_pc 8250_fintek parport mac_hid ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul 8139too qxl aesni_intel aes_x86_64 lrw gf128mul ttm drm_kms_helper glue_helper ablk_helper cryptd syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse 8139cp mii drm pata_acpi floppy
[ 17.515885] CPU: 0 PID: 1102 Comm: stress-ng-appar Not tainted 4.4.0-24-generic #43
[ 17.516021] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 17.516166] task: ffff8800351f6040 ti: ffff88003bef4000 task.ti: ffff88003bef4000
[ 17.516324] RIP: 0010:[<ffffffff8137a956>] [<ffffffff8137a956>] aa_dfa_next+0x6/0x70
[ 17.516482] RSP: 0018:ffff88003bef7ca8 EFLAGS: 00010282
[ 17.516627] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000004a46
[ 17.516776] RDX: 0000000000000002 RSI: 0000000000000000 RDI: 0000000000000000
[ 17.516929] RBP: ffff88003bef7d28 R08: ffff88003fc19f40 R09: ffff88003e001d00
[ 17.517085] R10: ffff88003c233050 R11: 000000000001a6e0 R12: ffff88003bef7d48
[ 17.517242] R13: ffff880037a54000 R14: ffff880037a54094 R15: 0000000000000029
[ 17.517404] FS: 00007f138f3d1700(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 17.517572] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 17.517738] CR2: 0000000000000020 CR3: 000000003bee1000 CR4: 00000000001406f0
[ 17.517916] Stack:
[ 17.518084] ffff88003bef7d28 ffffffff8138363a 0000000000000000 0000000000000000
[ 17.518271] 000000003bef7d00 0000000000000000 ffffc90001355400 0000000000000000
[ 17.518460] ffff88003bef7d40 0000000000000000 00000000bd06c533 ffff88003bef7e28
[ 17.518675] Call Trace:
[ 17.518902] [<ffffffff8138363a>] ? unpack_profile+0x5ca/0x970
[ 17.519119] [<ffffffff81383b89>] aa_unpack+0xe9/0x450
[ 17.519345] [<ffffffff81381f47>] aa_replace_profiles+0x77/0xb70
[ 17.519601] [<ffffffff811cf81b>] ? vmalloc+0x6b/0x70
[ 17.519852] [<ffffffff813771af>] policy_update+0x9f/0x1f0
[ 17.520618] [<ffffffff81377313>] profile_replace+0x13/0x20
[ 17.521767] [<ffffffff8120c5f8>] __vfs_write+0x18/0x40
[ 17.522195] [<ffffffff8120cf89>] vfs_write+0xa9/0x1a0
[ 17.522441] [<ffffffff8120bf1f>] ? do_sys_open+0x1bf/0x2a0
[ 17.522672] [<ffffffff8120dc45>] SyS_write+0x55/0xc0
[ 17.522915] [<ffffffff81825d72>] entry_SYSCALL_64_fastpath+0x16/0x71
[ 17.523162] Code: 0c 42 39 ce 74 d9 0f b6 02 41 0f b7 34 7b 84 c0 75 d9 eb c3 41 0f b7 34 44 eb 89 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 <48> 8b 47 20 4c 8b 5f...

Hey Colin thanks, it looks like I bungled patch 3. Here is a new version of it

Thanks, that works perfectly, I can't trip the bug at all.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1592547

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Pounded this for a while, cannot reproduce with the fix, marking it as verified

This bug was fixed in the package linux - 4.4.0-38.57

---------------
linux (4.4.0-38.57) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1620658

  * CIFS client: access problems after updating to kernel 4.4.0-29-generic
    (LP: #1612135)
    - Revert "UBUNTU: SAUCE: (namespace) Bypass sget() capability check for nfs"
    - fs: Call d_automount with the filesystems creds

  * apt-key add fails in overlayfs (LP: #1618572)
    - SAUCE: overlayfs: fix regression in whiteout detection

linux (4.4.0-37.56) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1618040

  * [Feature] Instruction decoder support for new SKX instructions- AVX512
    (LP: #1591655)
    - x86/insn: perf tools: Fix vcvtph2ps instruction decoding
    - x86/insn: Add AVX-512 support to the instruction decoder
    - perf tools: Add AVX-512 support to the instruction decoder used by Intel PT
    - perf tools: Add AVX-512 instructions to the new instructions test

  * [Ubuntu 16.04] FCoE Lun not visible in OS with inbox driver - Issue with
    ioremap() call on 32bit kernel (LP: #1608652)
    - lpfc: Correct issue with ioremap() call on 32bit kernel

  * [Feature] turbostat support for Skylake-SP server (LP: #1591802)
    - tools/power turbostat: decode more CPUID fields
    - tools/power turbostat: CPUID(0x16) leaf shows base, max, and bus frequency
    - tools/power turbostat: decode HWP registers
    - tools/power turbostat: Decode MSR_MISC_PWR_MGMT
    - tools/power turbostat: allow sub-sec intervals
    - tools/power turbostat: Intel Xeon x200: fix erroneous bclk value
    - tools/power turbostat: Intel Xeon x200: fix turbo-ratio decoding
    - tools/power turbostat: re-name "%Busy" field to "Busy%"
    - tools/power turbostat: add --out option for saving output in a file
    - tools/power turbostat: fix compiler warnings
    - tools/power turbostat: make fewer systems calls
    - tools/power turbostat: show IRQs per CPU
    - tools/power turbostat: show GFXMHz
    - tools/power turbostat: show GFX%rc6
    - tools/power turbostat: detect and work around syscall jitter
    - tools/power turbostat: indicate SMX and SGX support
    - tools/power turbostat: call __cpuid() instead of __get_cpuid()
    - tools/power turbostat: correct output for MSR_NHM_SNB_PKG_CST_CFG_CTL dump
    - tools/power turbostat: bugfix: TDP MSRs print bits fixing
    - tools/power turbostat: SGX state should print only if --debug
    - tools/power turbostat: print IRTL MSRs
    - tools/power turbostat: initial BXT support
    - tools/power turbostat: decode BXT TSC frequency via CPUID
    - tools/power turbostat: initial SKX support

  * [BYT] display hotplug doesn't work on console (LP: #1616894)
    - drm/i915/vlv: Make intel_crt_reset() per-encoder
    - drm/i915/vlv: Reset the ADPA in vlv_display_power_well_init()
    - drm/i915/vlv: Disable HPD in valleyview_crt_detect_hotplug()
    - drm/i915: Enable polling when we don't have hpd

  * [Feature]intel_idle enabling on Broxton-P (LP: #1520446)
    - intel_idle: add BXT support

  * [Feature] EDAC: Update driver for SKX-SP (LP: #1591815)
    - [Config] CONFIG_EDAC_SKX=m
    - EDAC, skx_edac: Ad...

This bug was fixed in the package linux - 4.8.0-11.12

---------------
linux (4.8.0-11.12) yakkety; urgency=low

  * change_hat is logging failures during expected hat probing (LP: #1615893)
    - SAUCE: apparmor: Fix auditing behavior for change_hat probing

  * deleted files outside of the namespace are not being treated as
    disconnected
    (LP: #1615892)
    - SAUCE: apparmor: deleted dentries can be disconnected

  * stacking to unconfined in a child namespace confuses mediation
    (LP: #1615890)
    - SAUCE: apparmor: special case unconfined when determining the mode

  * apparmor module parameters can be changed after the policy is locked
    (LP: #1615895)
    - SAUCE: apparmor: fix: parameters can be changed after policy is locked

  * AppArmor profile reloading causes an intermittent kernel BUG (LP:
    #1579135)
    - SAUCE: apparmor: fix vec_unique for vectors larger than 8

  * label vec reductions can result in reference labels instead of direct
    access
    to labels (LP: #1615889)
    - SAUCE: apparmor: reduction of vec to single entry is just that entry

  * profiles from different namespaces can block other namespaces from being
    able to load a profile (LP: #1615887)
    - SAUCE: apparmor: profiles in one ns can affect mediation in another ns

  * The label build for onexec when stacking is wrong (LP: #1615881)
    - SAUCE: apparmor: Fix label build for onexec stacking.

  * The inherit check for new to old label comparison for domain transitions
    is
    wrong (LP: #1615880)
    - SAUCE: apparmor: Fix new to old label comparison for domain transitions

  * warning stack trace while playing with apparmor namespaces (LP: #1593874)
    - SAUCE: apparmor: fix stack trace when removing namespace with profiles

  * __label_update proxy comparison test is wrong (LP: #1615878)
    - SAUCE: apparmor: Fix __label_update proxy comparison test

  * reading /sys/kernel/security/apparmor/profiles requires CAP_MAC_ADMIN
    (LP: #1560583)
    - SAUCE: apparmor: Allow ns_root processes to open profiles file
    - SAUCE: apparmor: Consult sysctl when reading profiles in a user ns

  * policy namespace stacking (LP: #1379535)
    - SAUCE: (no-up) apparmor: rebase of apparmor3.5-beta1 snapshot for 4.8
    - SAUCE: add a sysctl to enable unprivileged user ns AppArmor policy loading

  * Miscellaneous Ubuntu changes
    - [Debian] Dynamically determine linux udebs package name
    - [Debian] d-i -- fix dtb handling in new kernel-wedge form
    - SAUCE: apparmor: Fix FTBFS due to bad include path
    - SAUCE: apparmor: add data query support
    - [Config] Set CONFIG_SECURITY_APPARMOR_UNCONFINED_INIT=y

  * Miscellaneous upstream changes
    - fixup backout policy view capable for forward port
    - apparmor: fix: Rework the iter loop for label_update
    - apparmor: add more assertions for updates/merges to help catch errors
    - apparmor: Make pivot root transitions work with stacking
    - apparmor: convert delegating deleted files to mediate deleted files
    - apparmor: add missing parens. not a bug fix but highly recommended
    - apparmor: add a stack_version file to allow detection of bug fixes
    - apparmor: push path looku...