kernel BUG at /build/linux-lts-xenial-_hWfOZ/linux-lts-xenial-4.4.0/security/apparmor/include/context.h:69!

Bug #1626984 reported by Neil on 2016-09-23
This bug affects 2 people

Affects           Status   Importance   Assigned to   Milestone
linux (Ubuntu)             Undecided    Unassigned
  Xenial                   Undecided    Unassigned
  Zesty                    Undecided    Unassigned

Bug Description

I am running sosreport on Ubuntu 14.04.4 LTS, which has upgraded the kernel to 4.4.0-38-generic; it gets an oops while copying /sys/module/apparmor/parameters/audit. It can also be triggered with
cat /sys/module/apparmor/parameters/audit

[ 213.174092] ------------[ cut here ]------------
[ 213.174130] kernel BUG at /build/linux-lts-xenial-_hWfOZ/linux-lts-xenial-4.4.0/security/apparmor/include/context.h:69!
[ 213.174187] invalid opcode: 0000 [#1] SMP
[ 213.174215] Modules linked in: ppdev lp joydev serio_raw parport_pc parport psmouse virtio_scsi floppy
[ 213.174283] CPU: 0 PID: 2246 Comm: cat Not tainted 4.4.0-38-generic #57~14.04.1-Ubuntu
[ 213.174324] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
[ 213.174380] task: ffff880037b15780 ti: ffff8800399c4000 task.ti: ffff8800399c4000
[ 213.174419] RIP: 0010:[<ffffffff813888a1>] [<ffffffff813888a1>] aa_current_raw_label.part.6+0x4/0x6
[ 213.174478] RSP: 0018:ffff8800399c7d60 EFLAGS: 00010246
[ 213.174506] RAX: 0000000000000000 RBX: ffff88003a426000 RCX: ffff88003e3802a0
[ 213.174542] RDX: ffff88003a426000 RSI: ffffffff81ddc0d8 RDI: ffff88003a426000
[ 213.174578] RBP: ffff8800399c7d60 R08: ffff88003e3802a0 R09: 0000000000000000
[ 213.174614] R10: 0000000000001000 R11: 0000000000000246 R12: ffffffff81e44ae0
[ 213.174658] R13: ffff88003e3802a0 R14: ffffffff81e4c220 R15: ffff88003c2b2e40
[ 213.174702] FS: 00007f7bea106740(0000) GS:ffff88003fc00000(0000) knlGS:0000000000000000
[ 213.174743] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 213.174781] CR2: 0000000000a40038 CR3: 000000003cdfa000 CR4: 00000000000006f0
[ 213.174819] Stack:
[ 213.174832] ffff8800399c7d88 ffffffff8136d58a ffff88003a426000 ffff88003a426000
[ 213.174885] ffff88003e3802a0 ffff8800399c7da0 ffffffff8136fda2 ffff88003e39c5f0
[ 213.174928] ffff8800399c7dd0 ffffffff8109a7e4 ffff88003c2b2e40 ffffffff81a170c0
[ 213.174971] Call Trace:
[ 213.174996] [<ffffffff8136d58a>] policy_view_capable+0x1ba/0x220
[ 213.175030] [<ffffffff8136fda2>] param_get_audit+0x12/0x50
[ 213.175062] [<ffffffff8109a7e4>] param_attr_show+0x54/0xa0
[ 213.175092] [<ffffffff8109a20d>] module_attr_show+0x1d/0x30
[ 213.175130] [<ffffffff8127a6e2>] sysfs_kf_seq_show+0xc2/0x1a0
[ 213.175162] [<ffffffff81278f73>] kernfs_seq_show+0x23/0x30
[ 213.175199] [<ffffffff81220d55>] seq_read+0xe5/0x350
[ 213.175227] [<ffffffff8127970d>] kernfs_fop_read+0x10d/0x170
[ 213.176170] [<ffffffff811fda18>] __vfs_read+0x18/0x40
[ 213.177101] [<ffffffff811fdfcf>] vfs_read+0x7f/0x130
[ 213.178016] [<ffffffff811feda6>] SyS_read+0x46/0xa0
[ 213.178932] [<ffffffff817fa336>] entry_SYSCALL_64_fastpath+0x16/0x75
[ 213.179814] Code: 80 3d 1a 7f b8 00 00 75 1d 55 be 2e 00 00 00 48 c7 c7 f0 2f cb 81 48 89 e5 e8 7c 50 cf ff 5d c6 05 fb 7e b8 00 01 c3 55 48 89 e5 <0f> 0b b8 01 00 00 00 3e 0f c1 07 ff c0 ff c8 7f 26 80 3d df 7e
[ 213.182634] RIP [<ffffffff813888a1>] aa_current_raw_label.part.6+0x4/0x6
[ 213.183528] RSP <ffff8800399c7d60>

Neil (loyou) wrote :
description: updated
Changed in linux (Ubuntu):
status: New → Confirmed
Neil (loyou) wrote :

More information:
1. On Ubuntu 14.04.4, after this panic is reproduced, all 4.4.x kernels panic when running cat /sys/module/apparmor/parameters/audit.
2. On Ubuntu 14.04.5, it is fine with all 4.4.x kernels.

John Johansen (jjohansen) wrote :

In testing I have not been able to reproduce.

But from the oops it looks like either memory corruption or corruption of the cred. The oops reports
  invalid opcode: 0000 [#1] SMP

however, the piece of code triggering this is used all the time, so the more likely scenario is that the cred does not have the correct security labeling, which would trigger an oops. The oops would not normally be an invalid opcode, but it's possible the handling within the oops is triggering the invalid opcode.

The line of code triggering this oops is
 BUG_ON(!ctx || !ctx->label);

which, going with the bad cred hypothesis, means the actual problem is elsewhere. Tracing down the conditions that cause the bad cred may be difficult.

With this being reported as fine in 14.04.5 with all 4.4.x kernels, and without further input to help trace down the conditions that cause this, I am inclined to close this bug as fixed.

Neil (loyou) wrote :

Sorry, I forgot to mention that I have disabled apparmor through a kernel boot parameter:

GRUB_CMDLINE_LINUX="apparmor=0"

You can try with it.
I will try to get a kdump for further checking.

Neil (loyou) wrote :

Correction: Ubuntu 14.04.5 can also reproduce it.

Eric Desrochers (slashd) wrote :

At first glance, it seems the problem was introduced by commit[1].

I noticed the problem while running the sosreport kernel plugin[2] on a system with apparmor disabled (apparmor=0).

[1] - commit
commit a3c6147c6f4132e943db2cff4e1a85887277fc2a
Author: John Johansen <email address hidden>
Date: Fri Mar 18 06:09:27 2016 -0700

    UBUNTU: SAUCE: (no-up) apparmor: sync of apparmor3.5-beta1 snapshot

[2] - sos/plugins/kernel.py
..
        clocksource_path = "/sys/devices/system/clocksource/clocksource0/"
        self.add_copy_spec([
            "/proc/modules",
            "/proc/sys/kernel/random/boot_id",
==>         "/sys/module/*/parameters",
            "/sys/module/*/initstate",
            "/sys/module/*/refcnt",
            "/sys/module/*/taint",
            "/sys/firmware/acpi/*",
..

- Eric

Eric Desrochers (slashd) wrote :

I was also able to reproduce using the above reproducer[1]

[1] - cat /sys/module/apparmor/parameters/audit

I think the problem here is that files in apparmor shouldn't be writable while apparmor is disabled.
(-rw-------)

If I do :

# chmod 400 /sys/module/apparmor/parameters/audit (-r--------)

then

# cat /sys/module/apparmor/parameters/audit

doesn't crash and displays "Invalid argument", just like the upstream kernel does.

- Eric
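A userspace model of the failure John describes above (BUG_ON(!ctx || !ctx->label) hit through policy_view_capable() from param_get_audit) and of the ordering that makes the disabled case return "Invalid argument", as Eric observes; this is an added example, not the kernel's or Ubuntu's code. The struct layouts, the BUG_ON() modelled as a counter, the simplified policy_view_capable() and the before/after ordering of the checks are assumptions reconstructed from the trace and the comments, not the real apparmor source.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
struct aa_label { const char *name; };
struct aa_task_ctx { struct aa_label *label; };
struct cred { struct aa_task_ctx *security; };  /* NULL if the LSM never labelled the task */
static bool apparmor_enabled;   /* false models booting with apparmor=0 */
static bool audit_mode = true;  /* value /sys/module/apparmor/parameters/audit shows */
static int oops_count;          /* times the modelled BUG_ON() fired */
/* context.h:69 in the report is BUG_ON(!ctx || !ctx->label); modelled here as
 * counting the oops and returning NULL instead of killing the task. */
static struct aa_label *aa_current_raw_label(const struct cred *cred)
{
    struct aa_task_ctx *ctx = cred->security;
    if (!ctx || !ctx->label) { oops_count++; return NULL; }
    return ctx->label;
}
/* policy_view_capable(), the frame under param_get_audit in the trace (assumed shape). */
static bool policy_view_capable(const struct cred *cred)
{
    return aa_current_raw_label(cred) != NULL;  /* real one also checks caps */
}
/* Ordering assumed from the trace: permission test runs before the enabled test. */
static int param_get_audit_buggy(const struct cred *cred, char *buf, size_t n)
{
    if (!policy_view_capable(cred)) return -EPERM;
    if (!apparmor_enabled) return -EINVAL;
    return snprintf(buf, n, "%d", audit_mode) < 0 ? -EIO : 0;
}
/* Fixed ordering: -EINVAL ("Invalid argument", as seen on 4.4.0-97) before
 * anything dereferences the cred's label. */
static int param_get_audit_fixed(const struct cred *cred, char *buf, size_t n)
{
    if (!apparmor_enabled) return -EINVAL;
    if (!policy_view_capable(cred)) return -EPERM;
    return snprintf(buf, n, "%d", audit_mode) < 0 ? -EIO : 0;
}
/* One read in a given configuration: returns the getter's rc and reports
 * through *oopsed whether the modelled BUG_ON() fired during it. */
static int read_audit_param(bool use_fixed, bool enabled, bool labelled, int *oopsed)
{
    struct aa_label label = { .name = "unconfined" };
    struct aa_task_ctx ctx = { .label = &label };
    struct cred cred = { .security = labelled ? &ctx : NULL };
    char buf[16];
    int before = oops_count, rc;
    apparmor_enabled = enabled;
    rc = (use_fixed ? param_get_audit_fixed : param_get_audit_buggy)(&cred, buf, sizeof buf);
    *oopsed = (oops_count != before);
    return rc;
}
```

With apparmor=0 the task is never labelled, so the buggy ordering reaches the BUG_ON() before the enabled test can refuse the read; the fixed ordering never touches the cred in that case.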

Eric Desrochers (slashd) wrote :

A patch[1] has been submitted to the kernel team ML; it is now waiting for the kernel folks' ACK and will then fall under the next kernel cycle.

[1] - Email subject :
[PATCH][Xenial][Zesty] UBUNTU: SAUCE: fix oops when disabled and module parameters, are accessed

Stefan Bader (smb) wrote :

For Zesty the change was already applied as "UBUNTU: SAUCE: apparmor: fix parameters so that the permission test is bypassed at boot" (see bug #1678048) in 4.10.0-17.19 (pre-release).

Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux (Ubuntu Zesty):
status: New → Fix Released

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Eric Desrochers (slashd) wrote :

I have tested with 4.4.0-97 and I can't reproduce the above behavior now.

# uname -r
4.4.0-97-generic

# cat /sys/module/apparmor/parameters/audit
cat: /sys/module/apparmor/parameters/audit: Invalid argument

- Eric

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-97.120

---------------
linux (4.4.0-97.120) xenial; urgency=low

  * linux: 4.4.0-97.120 -proposed tracker (LP: #1718149)

  * blk-mq: possible deadlock on CPU hot(un)plug (LP: #1670634)
    - [Config] s390x -- disable CONFIG_{DM, SCSI}_MQ_DEFAULT

  * Xenial update to 4.4.87 stable release (LP: #1715678)
    - irqchip: mips-gic: SYNC after enabling GIC region
    - i2c: ismt: Don't duplicate the receive length for block reads
    - i2c: ismt: Return EMSGSIZE for block reads with bogus length
    - ceph: fix readpage from fscache
    - cpumask: fix spurious cpumask_of_node() on non-NUMA multi-node configs
    - cpuset: Fix incorrect memory_pressure control file mapping
    - alpha: uapi: Add support for __SANE_USERSPACE_TYPES__
    - CIFS: remove endian related sparse warning
    - wl1251: add a missing spin_lock_init()
    - xfrm: policy: check policy direction value
    - drm/ttm: Fix accounting error when fail to get pages for pool
    - kvm: arm/arm64: Fix race in resetting stage2 PGD
    - kvm: arm/arm64: Force reading uncached stage2 PGD
    - epoll: fix race between ep_poll_callback(POLLFREE) and ep_free()/ep_remove()
    - crypto: algif_skcipher - only call put_page on referenced and used pages
    - Linux 4.4.87

  * Xenial update to 4.4.86 stable release (LP: #1715430)
    - scsi: isci: avoid array subscript warning
    - ALSA: au88x0: Fix zero clear of stream->resources
    - btrfs: remove duplicate const specifier
    - i2c: jz4780: drop superfluous init
    - gcov: add support for gcc version >= 6
    - gcov: support GCC 7.1
    - lightnvm: initialize ppa_addr in dev_to_generic_addr()
    - p54: memset(0) whole array
    - lpfc: Fix Device discovery failures during switch reboot test.
    - arm64: mm: abort uaccess retries upon fatal signal
    - x86/io: Add "memory" clobber to insb/insw/insl/outsb/outsw/outsl
    - arm64: fpsimd: Prevent registers leaking across exec
    - scsi: sg: protect accesses to 'reserved' page array
    - scsi: sg: reset 'res_in_use' after unlinking reserved array
    - drm/i915: fix compiler warning in drivers/gpu/drm/i915/intel_uncore.c
    - Linux 4.4.86

  * Xenial update to 4.4.85 stable release (LP: #1714298)
    - af_key: do not use GFP_KERNEL in atomic contexts
    - dccp: purge write queue in dccp_destroy_sock()
    - dccp: defer ccid_hc_tx_delete() at dismantle time
    - ipv4: fix NULL dereference in free_fib_info_rcu()
    - net_sched/sfq: update hierarchical backlog when drop packet
    - ipv4: better IP_MAX_MTU enforcement
    - sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
    - tipc: fix use-after-free
    - ipv6: reset fn->rr_ptr when replacing route
    - ipv6: repair fib6 tree in failure case
    - tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
    - irda: do not leak initialized list.dev to userspace
    - net: sched: fix NULL pointer dereference when action calls some targets
    - net_sched: fix order of queue length updates in qdisc_replace()
    - mei: me: add broxton pci device ids
    - mei: me: add lewisburg device ids
    - Input: trackpoint - add new trackpoint firmware ID
    - Input: elan_i2c...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released