AppArmor onexec transition causes WARN kernel stack trace
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Incomplete | Undecided | Unassigned |
Xenial | Fix Released | Undecided | John Johansen |
Bug Description
microk8s has reported an issue with the Xenial kernel where AppArmor causes the following kernel stack trace due to an AppArmor AA_BUG condition being triggered.
[ 225.236085] ------------[ cut here ]------------
[ 225.236104] WARNING: CPU: 1 PID: 13726 at /build/
[ 225.236109] AppArmor WARN aa_audit_file: ((!(&sa)
[ 225.236113] Modules linked in:
[ 225.236118] btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs veth xt_nat xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs libcrc32c ctr ccm ipt_MASQUERADE nf_nat_
[ 225.236305] snd_seq_midi aesni_intel snd_pcm snd_seq_midi_event aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_rawmidi snd_seq iwlmvm snd_seq_device serio_raw snd_timer mac80211 snd soundcore iwlwifi cfg80211 mei_me mei shpchp 8250_fintek wmi acpi_pad mac_hid ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_recent xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_
[ 225.236420] pps_core drm_kms_helper nvme syscopyarea sysfillrect sysimgblt fb_sys_fops ahci drm libahci video fjes
[ 225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P W OE 4.4.0-154-generic #181-Ubuntu
[ 225.236451] Hardware name: System manufacturer System Product Name/PRIME H270-PRO, BIOS 0323 01/04/2017
[ 225.236456] 0000000000000286 fa217f3573a84520 ffff88033ade39d0 ffffffff8140b481
[ 225.236464] ffff88033ade3a18 ffffffff81d03018 ffff88033ade3a08 ffffffff81085432
[ 225.236477] ffff88035cb2f000 ffff88033ade3b6c ffff88033bcb8b88 ffff88033ade3d88
[ 225.236484] Call Trace:
[ 225.236498] [<ffffffff8140b
[ 225.236509] [<ffffffff81085
[ 225.236518] [<ffffffff81085
[ 225.236527] [<ffffffff81397
[ 225.236536] [<ffffffff813a6
[ 225.236544] [<ffffffff81398
[ 225.236554] [<ffffffff8139a
[ 225.236562] [<ffffffff81242
[ 225.236571] [<ffffffff81355
[ 225.236581] [<ffffffff81359
[ 225.236589] [<ffffffff8139b
[ 225.236596] [<ffffffff81242
[ 225.236608] [<ffffffffc1439
[ 225.236617] [<ffffffff81356
[ 225.236624] [<ffffffff81356
[ 225.236633] [<ffffffff81358
[ 225.236642] [<ffffffff81222
[ 225.236651] [<ffffffff81224
[ 225.236661] [<ffffffff81224
[ 225.236671] [<ffffffff81863
[ 225.236678] [<ffffffff81863
[ 225.236684] ---[ end trace 6b2beaa85ae31c29 ]---
This is caused when the change_onexec API is used and permitted by the profile, but the task has the NO_NEW_PRIVS flag set, causing the domain transition specified in the change_onexec request to fail.
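A triage helper for the trace above, added here as an example and not part of the original report or of the kernel fix: it scans dmesg text for `cut here` blocks raised by an `AppArmor WARN` line and extracts the function, PID, command name and kernel build. The sample input is a shortened copy of the quoted trace plus two constructed lines; the function and field names are assumptions of this example.

```python
import re

# Constructed sample: shortened copy of the trace quoted in this report,
# wrapped in two unrelated lines invented for the example.
SAMPLE_DMESG = """\
[  224.900000] example: unrelated line (constructed)
[  225.236085] ------------[ cut here ]------------
[  225.236104] WARNING: CPU: 1 PID: 13726 at /build/
[  225.236109] AppArmor WARN aa_audit_file: ((!(&sa)
[  225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P W OE 4.4.0-154-generic #181-Ubuntu
[  225.236484] Call Trace:
[  225.236684] ---[ end trace 6b2beaa85ae31c29 ]---
[  226.000000] example: unrelated line (constructed)
"""

LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s?(?P<msg>.*)$")
CUT = re.compile(r"^-+\[ cut here \]-+$")
END = re.compile(r"^---\[ end trace (?P<id>[0-9a-f]+) \]---$")
AA_WARN = re.compile(r"^AppArmor WARN (?P<func>\w+):")
CPU = re.compile(r"^CPU: \d+ PID: (?P<pid>\d+) Comm: (?P<comm>.+?) "
                 r"(?:Tainted: .+?|Not tainted)\s+(?P<kernel>\S+) #(?P<build>\S+)$")


def find_apparmor_warns(dmesg_text):
    """Return one dict per 'cut here' block that carries an AppArmor WARN line."""
    hits, block = [], None
    for raw in dmesg_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        msg = m["msg"].strip()
        if CUT.match(msg):
            block = {"start": float(m["ts"]), "trace_id": None}
        elif block is not None:
            if w := AA_WARN.match(msg):
                block["func"] = w["func"]
            elif c := CPU.match(msg):
                block.update(pid=int(c["pid"]), comm=c["comm"],
                             kernel=c["kernel"], build=c["build"])
            elif e := END.match(msg):
                block["trace_id"] = e["id"]
                if "func" in block:  # drop WARN blocks not raised by AppArmor
                    hits.append(block)
                block = None
    # A block cut off before its 'end trace' line (ring buffer wrapped) still counts.
    if block is not None and "func" in block:
        hits.append(block)
    return hits
```

Feed it the output of `dmesg` or a saved kernel log; each returned dict identifies one affected task and the kernel build it ran on.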
tags: added: patch
Changed in linux (Ubuntu Xenial): status: Confirmed → In Progress
Changed in linux (Ubuntu Xenial): status: In Progress → Fix Committed
tags: added: verification-done-xenial; removed: verification-needed-xenial
Fix selected and backported from a larger patch that originally landed in Zesty and subsequently landed in upstream.