vmalloc failure leads to null ptr dereference in aa_dfa_next
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
AppArmor | Invalid | Undecided | Unassigned |
linux (Ubuntu) | Fix Released | Medium | Unassigned |
Xenial | Fix Released | Medium | Unassigned |
Bug Description
Running the stress-ng apparmor stressor with a vmalloc NULL return trips a NULL pointer dereference in aa_dfa_next:
$ uname -a
Linux ubuntu 4.4.0-24-generic #43
[ 46.271517] BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
[ 46.271641] IP: [<ffffffff8137a
[ 46.271743] PGD 39ebd067 PUD 39ebe067 PMD 0
[ 46.271833] Oops: 0000 [#1] SMP
[ 46.271926] Modules linked in: jitterentropy_rng algif_rng salsa20_generic salsa20_x86_64 camellia_generic camellia_
[ 46.273290] libcrc32c raid1 raid0 multipath linear 8139too crct10dif_pclmul crc32_pclmul qxl aesni_intel aes_x86_64 lrw gf128mul ttm drm_kms_helper glue_helper ablk_helper cryptd syscopyarea sysfillrect sysimgblt fb_sys_fops psmouse drm floppy 8139cp mii pata_acpi
[ 46.274250] CPU: 0 PID: 1349 Comm: stress-ng-appar Not tainted 4.4.0-24-generic #43
[ 46.274436] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-
[ 46.274632] task: ffff8800374be040 ti: ffff88003746c000 task.ti: ffff88003746c000
[ 46.274854] RIP: 0010:[<
[ 46.275072] RSP: 0018:ffff880037
[ 46.275450] RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000004a46
[ 46.275934] RDX: 0000000000000002 RSI: 0000000000000001 RDI: 0000000000000000
[ 46.276348] RBP: ffff88003746fd28 R08: ffff88003fc19f40 R09: ffff88003e001d00
[ 46.276757] R10: ffff88003da8e600 R11: ffff88003e001500 R12: ffff88003746fd48
[ 46.276979] R13: ffff88003acc4800 R14: ffff88003acc4894 R15: 0000000000000029
[ 46.277202] FS: 00007f7198a0f70
[ 46.277500] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 46.278006] CR2: 0000000000000020 CR3: 0000000039ebc000 CR4: 00000000001406f0
[ 46.278592] Stack:
[ 46.278846] ffff88003746fd28 ffffffff81383585 0000000000000000 0000000000000000
[ 46.279271] 000000003746fd00 0000000000000000 ffffc9000268e400 0000000000000000
[ 46.279860] ffff88003746fd40 0000000000000000 000000005833b243 ffff88003746fe28
[ 46.280311] Call Trace:
[ 46.280606] [<ffffffff81383
[ 46.280854] [<ffffffff81383
[ 46.281091] [<ffffffff81381
[ 46.281341] [<ffffffff811cf
[ 46.281610] [<ffffffff81377
[ 46.281887] [<ffffffff81377
[ 46.282169] [<ffffffff8120c
[ 46.282444] [<ffffffff8120c
[ 46.282728] [<ffffffff8120b
[ 46.283418] [<ffffffff8120d
[ 46.284188] [<ffffffff81825
[ 46.284753] Code: 0c 42 39 ce 74 d9 0f b6 02 41 0f b7 34 7b 84 c0 75 d9 eb c3 41 0f b7 34 44 eb 89 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 <48> 8b 47 20 4c 8b 5f 28 4c 8b 57 40 48 89 e5 4c 8b 4f 18 48 8d
[ 46.285401] RIP [<ffffffff8137a
information type: Private Security → Public
Changed in linux (Ubuntu Xenial):
  status: New → Fix Committed
  tags: added: patch
Changed in linux (Ubuntu):
  status: Incomplete → Fix Committed
  importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
  importance: Undecided → Medium
  tags: added: aa-kernel
Changed in apparmor:
  status: New → Invalid
Colin,
do you want a deb to test or just a patch?