apparmor kernel null dereference when profile is removed after set to complain
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
apparmor (Ubuntu) | Fix Released | High | John Johansen |
Karmic | Won't Fix | High | John Johansen |
Bug Description
SRU Justification: this bug can cause a null pointer dereference kernel oops. This will occur any time child profiles are attached to running processes. This can occur when change_hat, child profiles or profile learning are used.
Binary package hint: apparmor
Description: Ubuntu 9.10
Release: 9.10
Package: apparmor
System: Linux tehcomputer 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:05:01 UTC 2009 x86_64 GNU/Linux
The following will cause a null dereference and a "kernel oops".
Steps:
1. Generate an apparmor profile for empathy (I can send my apparmor profile via email)
2. Make sure empathy can load and no messages are reported in audit.
(Make sure gnome-help isn't allowed to execute by keeping it absent from the apparmor profile)
3. Enforce the empathy apparmor profile
4. Load empathy until empathy UI opens
5. Set empathy profile to complain
6. In empathy, click Help->Contents
7. Verify that audit is emitting complain messages as gnome-help opens the empathy help contents
8. Run apparmor_parser -R /etc/init.
Result:
1. Nov 4 16:47:21 tehcomputer kern: [76781.229046] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068
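The reproduction above as a script, added here and not part of the bug report or of the AppArmor project's code. It assumes the empathy profile is at /etc/apparmor.d/usr.bin.empathy (the reporter's profile is not on the page) and that aa-enforce and aa-complain from apparmor-utils are installed; the log-check functions use the oops line quoted in the report as sample input. The steps need root and are expected to oops an affected kernel, so run them only in a disposable VM.

```shell
#!/bin/sh
# Added example (not from the bug report): scripts the reporter's steps 3-8
# and checks the kernel log for the oops line the report quotes.
# Assumptions: the empathy profile lives at /etc/apparmor.d/usr.bin.empathy
# (the reporter's profile is not on the page) and aa-enforce / aa-complain
# from apparmor-utils are available. repro_steps needs root and is expected
# to oops an affected kernel, so run it only in a disposable VM.

PROFILE="${PROFILE:-/etc/apparmor.d/usr.bin.empathy}"   # assumed path
APP="${APP:-empathy}"

# The oops line quoted in the report, used as sample input for the log checks.
SAMPLE_OOPS_LINE='Nov 4 16:47:21 tehcomputer kern: [76781.229046] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068'

# Exit 0 if the kernel log text on stdin contains a NULL-dereference oops.
oops_in_log() {
    grep -q 'BUG: unable to handle kernel NULL pointer dereference'
}

# Print the faulting address of the first oops line on stdin (empty if none).
oops_address() {
    sed -n 's/.*NULL pointer dereference at \([0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# Steps 3-8 of the report. Step 6 (Help->Contents) is a GUI action, so the
# script pauses until you have done it and seen the complain-mode audit messages.
repro_steps() {
    aa-enforce "$PROFILE"                    # step 3: enforce the profile
    "$APP" &                                 # step 4: start the application
    app_pid=$!
    sleep 15                                 # give the UI time to appear
    aa-complain "$PROFILE"                   # step 5: switch the profile to complain
    echo "In $APP choose Help->Contents, confirm complain messages in the audit log, then press Enter."
    read -r _                                # steps 6-7
    apparmor_parser -R "$PROFILE"            # step 8: remove the profile
    sleep 2
    if dmesg | oops_in_log; then
        echo "affected: NULL dereference at $(dmesg | oops_address)"
    else
        echo "no oops logged"
    fi
    kill "$app_pid" 2>/dev/null || true
}

# Stand-alone run exercises only the log checks; set RUN_REPRO=1 to run the steps.
if printf '%s\n' "$SAMPLE_OOPS_LINE" | oops_in_log; then
    echo "sample line matches; faulting address: $(printf '%s\n' "$SAMPLE_OOPS_LINE" | oops_address)"
fi
if [ "${RUN_REPRO:-0}" = "1" ]; then
    repro_steps
fi
```

The developer's comment further down reproduces with a slightly different order (remove the profile first, then launch the subprocess); to follow that variant, swap the manual Help->Contents step and the apparmor_parser -R call.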
Field | Change
---|---
description | updated
security vulnerability | yes → no
visibility | private → public

Changed in apparmor (Ubuntu):

Field | Change
---|---
assignee | nobody → John Johansen (jjohansen)
status | New → Fix Committed
importance | Undecided → High

Changed in apparmor (Ubuntu Karmic):

Field | Change
---|---
status | New → Fix Committed
importance | Undecided → High
assignee | nobody → John Johansen (jjohansen)

Changed in apparmor (Ubuntu):

Field | Change
---|---
status | Fix Committed → Fix Released

Changed in apparmor (Ubuntu Karmic):

Field | Change
---|---
status | Fix Committed → Won't Fix
Thanks! I've reproduced here. Looks like the steps are as you describe: set enforce, run application, set complain, remove, launch subprocess. I haven't managed to trigger it without the complain transition step. We'll investigate more and work on a fix for this.