apparmor kernel null dereference when profile is removed after set to complain

Bug #475619 reported by Richard Lee
14
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
High
John Johansen
Karmic
Won't Fix
High
John Johansen

Bug Description

SRU Justicication: this bug can cause a null pointer dereference kernel oops. This will occur any time children profiles are attached to running processes. This can occur when change_hat, children profiles or profile learning is used.

Binary package hint: apparmor

Description: Ubuntu 9.10
Release: 9.10
Package: apparmor
System: Linux tehcomputer 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16 14:05:01 UTC 2009 x86_64 GNU/Linux

The following will cause a null dereference and a "kernel oops".

Steps:
1. Generate an apparmor profile for empathy (I can send my apparmor profile via email)
2. Make sure empathy can load and no messages are reported in audit.
  (Make sure gnome-help isn't allowed to execute by keeping it absent from the apparmor profile)
3. Enforce the empathy apparmor profile
4. Load empathy until empathy UI opens
5. Set empathy profile to complain
6. In empathy, click Help->Contents
7. Verify that audit is sending out complain messages as gnome-help opens with empathy help contents
8. Run apparmor_parser -R /etc/init.d/usr.bin.empathy

Result:
1. Nov 4 16:47:21 tehcomputer kern: [76781.229046] BUG: unable to handle kernel NULL pointer dereference at 0000000000000068

Revision history for this message
Richard Lee (rawk) wrote :
Revision history for this message
Kees Cook (kees) wrote :

Thanks! I've reproduced here. Looks like the steps are as you describe: set enforce, run application, set complain, remove, launch subprocess. I haven't managed to trigger it without the complain transition step. We'll investigate more and work on a fix for this.

Revision history for this message
John Johansen (jjohansen) wrote :

Yep, complain step isn't necessary any profile that has been replaced and then removed can trigger this.

Revision history for this message
John Johansen (jjohansen) wrote :

What is happen is removal of children profiles results in a ERR_PTR replacing the profile in the cred field. This used to be the way AppArmor indicated profile removal, but is no longer valid, the ERR_PTR gets filtered to a null pointer but the cred code now expects a profile and oops.

test kernel
http://kernel.ubuntu.com/~jj/linux-image-2.6.31-15-generic_2.6.31-15.50~jj_amd64.deb

Revision history for this message
Kees Cook (kees) wrote :

I can confirm that this fixes it for me. Thanks! My test was:

bug.c:
#include <stdio.h>
#include <unistd.h>

int main()
{
 printf("Started\n");
 system("./child");
 printf("Finished\n");
 return 0;
}

child.c:
#include <stdio.h>
#include <unistd.h>

int main()
{
 printf("Started child\n");
 sleep(10);
 system("cat /etc/motd");
 printf("Finished child\n");
 return 0;
}

/etc/apparmor.d/home.kees.bug:
#include <tunables/global>
/home/kees/bug flags=(complain) {
  #include <abstractions/base>
}

$ sudo aa-complain bug
$ ./bug & sleep 2; sudo /sbin/apparmor_parser -R /etc/apparmor.d/*bug

Revision history for this message
Richard Lee (rawk) wrote : Re: [Bug 475619] Re: apparmor kernel null dereference when profile is removed after set to complain

Thanks! I am setting up amd64 machine to test the immediate fix and will
update. I will test with empathy setup and update bug by afternoon today.

On Fri, Nov 6, 2009 at 10:22 AM, Kees Cook <email address hidden> wrote:

> I can confirm that this fixes it for me. Thanks! My test was:
>
> bug.c:
> #include <stdio.h>
> #include <unistd.h>
>
> int main()
> {
> printf("Started\n");
> system("./child");
> printf("Finished\n");
> return 0;
> }
>
> child.c:
> #include <stdio.h>
> #include <unistd.h>
>
> int main()
> {
> printf("Started child\n");
> sleep(10);
> system("cat /etc/motd");
> printf("Finished child\n");
> return 0;
> }
>
> /etc/apparmor.d/home.kees.bug:
> #include <tunables/global>
> /home/kees/bug flags=(complain) {
> #include <abstractions/base>
> }
>
> $ sudo aa-complain bug
> $ ./bug & sleep 2; sudo /sbin/apparmor_parser -R /etc/apparmor.d/*bug
>
> --
> apparmor kernel null dereference when profile is removed after set to
> complain
> https://bugs.launchpad.net/bugs/475619
> You received this bug notification because you are a direct subscriber
> of the bug.
>
> Status in “apparmor” package in Ubuntu: New
>
> Bug description:
> Binary package hint: apparmor
>
> Description: Ubuntu 9.10
> Release: 9.10
> Package: apparmor
> System: Linux tehcomputer 2.6.31-14-generic #48-Ubuntu SMP Fri Oct 16
> 14:05:01 UTC 2009 x86_64 GNU/Linux
>
> The following will cause a null dereference and a "kernel oops".
>
> Steps:
> 1. Generate an apparmor profile for empathy (I can send my apparmor profile
> via email)
> 2. Make sure empathy can load and no messages are reported in audit.
> (Make sure gnome-help isn't allowed to execute by keeping it absent from
> the apparmor profile)
> 3. Enforce the empathy apparmor profile
> 4. Load empathy until empathy UI opens
> 5. Set empathy profile to complain
> 6. In empathy, click Help->Contents
> 7. Verify that audit is sending out complain messages as gnome-help opens
> with empathy help contents
> 8. Run apparmor_parser -R /etc/init.d/usr.bin.empathy
>
> Result:
> 1. Nov 4 16:47:21 tehcomputer kern: [76781.229046] BUG: unable to handle
> kernel NULL pointer dereference at 0000000000000068
>

Revision history for this message
Richard Lee (rawk) wrote :

I verified it is fixed here repeating the same steps and test application.

description: updated
security vulnerability: yes → no
visibility: private → public
Stefan Bader (smb)
Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
status: New → Fix Committed
importance: Undecided → High
Andy Whitcroft (apw)
Changed in apparmor (Ubuntu Karmic):
status: New → Fix Committed
importance: Undecided → High
assignee: nobody → John Johansen (jjohansen)
Revision history for this message
Martin Pitt (pitti) wrote : Please test proposed package

Accepted linux into karmic-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Kees Cook (kees)
Changed in apparmor (Ubuntu):
status: Fix Committed → Fix Released
Changed in apparmor (Ubuntu Karmic):
status: Fix Committed → Won't Fix
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lucid' to 'verification-done-lucid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-lucid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Bug attachments