Possible regression on 3.13.0-102.149~precise1 x86_64 (gce)

Bug #1644302 reported by Po-Hsu Lin on 2016-11-23
12
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Critical
John Johansen
Trusty
Undecided
Unassigned

CVE References

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1644302

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: precise
Tyler Hicks (tyhicks) wrote :

Considering that https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/trusty/commit/?h=master-next&id=74a2b3a087989058f29a195c706e2740fbfed258 between Ubuntu-3.13.0-101.148 and Ubuntu-3.13.0-102.149, I think this is a potentially serious regression.

That patch was to fix a bug (bug 1634753) in the mount mediation code and the AppArmor mount regression test is what's failing:

1469. running mount
1470. /tmp/testlibL70YBl/source/precise/apparmor-2.7.102/tests/regression/apparmor/prologue.inc: line 146: 23372 Killed $testexec "$@" > $outfile 2>&1
1471. Error: mount failed. Test 'MOUNT (confined)' was expected to 'fail'. Reason for failure 'killed by signal 9'
1472. /tmp/testlibL70YBl/source/precise/apparmor-2.7.102/tests/regression/apparmor/prologue.inc: line 146: 23401 Killed $testexec "$@" > $outfile 2>&1
1473. Error: mount failed. Test 'MOUNT (confined)' was expected to 'fail'. Reason for failure 'killed by signal 9'
1474. umount: /tmp/sdtest.23329-22431-D4qkot/mountpoint: not mounted

Assigning to John so that he can take a look.

Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
importance: Undecided → Critical
status: Incomplete → New
tags: added: bot-stop-nagging
Steve Beattie (sbeattie) wrote :
Download full text (6.7 KiB)

I'm able to reproduce this on an amd64 guest with the lts-backport-trusty kernel installed, though I get a different signal:

ubuntu@sec-precise-amd64:~/tmp/apparmor-2.7.102/tests/regression/apparmor$ sudo sh -c 'VERBOSE=1 bash mount.sh'
ok: MOUNT (unconfined)
ok: UMOUNT (unconfined)
/home/ubuntu/tmp/apparmor-2.7.102/tests/regression/apparmor/prologue.inc: line 130: 1955 Segmentation fault $testexec "$@" > $outfile 2>&1
Error: mount failed. Test 'MOUNT (confined)' was expected to 'fail'. Reason for failure 'killed by signal 11'
/home/ubuntu/tmp/apparmor-2.7.102/tests/regression/apparmor/prologue.inc: line 130: 1983 Segmentation fault $testexec "$@" > $outfile 2>&1
Error: mount failed. Test 'MOUNT (confined)' was expected to 'fail'. Reason for failure 'killed by signal 11'
umount: /tmp/sdtest.1910-26089-jAP0bK/mountpoint: not mounted

Oddly, it does *not* reproduce on trusty with the trusty kernel. Checking dmesg, there are oops related to the failing tests:

[ 149.340700] type=1400 audit(1479925322.639:66): apparmor="STATUS" operation="profile_load" profile="unconfined" name="/home/ubuntu/tmp/apparmor-2.7.102/tests/regression/apparmor/mount" pid=1951 comm="apparmor_parser"
[ 149.347436] general protection fault: 0000 [#3] SMP
[ 149.347443] Modules linked in: snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_seq_device psmouse kvm_amd snd_timer serio_raw kvm snd soundcore snd_page_alloc vmwgfx ttm bnep drm mac_hid i2c_piix4 parport_pc ppdev rfcomm lp parport bluetooth floppy pata_acpi
[ 149.347461] CPU: 0 PID: 1955 Comm: mount Tainted: G D 3.13.0-102-generic #149~precise1-Ubuntu
[ 149.347464] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014
[ 149.347480] task: ffff88002b7be000 ti: ffff88002bdda000 task.ti: ffff88002bdda000
[ 149.347482] RIP: 0010:[<ffffffff8133815c>] [<ffffffff8133815c>] aa_new_mount+0x1ec/0x3f0
[ 149.347488] RSP: 0018:ffff88002bddbda8 EFLAGS: 00010246
[ 149.347490] RAX: 70656c65742f6269 RBX: ffff88002c2cc830 RCX: ffff88002bddbe48
[ 149.347491] RDX: ffff88002d038000 RSI: 0000000000000000 RDI: ffff88002bddbe20
[ 149.347492] RBP: ffff88002bddbe88 R08: ffff88002bddbe50 R09: ffff88002bddbe50
[ 149.347494] R10: ffff88002d03a000 R11: 0000000000000005 R12: ffff88002d038000
[ 149.347495] R13: ffff88002eec0dd0 R14: ffff88002bddbed8 R15: 0000000000000001
[ 149.347509] FS: 00007fe19e83f700(0000) GS:ffff88002fc00000(0000) knlGS:0000000000000000
[ 149.347511] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 149.347512] CR2: 00007fe19e2a8e80 CR3: 000000002ab22000 CR4: 00000000000007f0
[ 149.347515] Stack:
[ 149.347517] ffff88002bddbed8 ffff880029944020 0000000000000000 ffff880029dbf120
[ 149.347519] ffff88002bddbdf8 ffffffff811de862 ffff880029944020 0000000000000000
[ 149.347522] 0000000000000000 0000000000000000 ffff88002bddbeb8 ffffffff811dea00
[ 149.347524] Call Trace:
[ 149.347529] [<ffffffff811de862>] ? do_path_lookup+0x32/0x40
[ 149.347532] [<ffffffff811dea00>] ? vfs_path_lookup+0x20/0x70
[ 149.347534] [<ffffffff8132ed8d>] apparmor_sb_mount+0x9d/0x110
[ 149.347538] [<ffffffff812f0...

Read more...

Brad Figg (brad-figg) wrote :

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1644302

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie) wrote :

One difference between the userspaces in precise and trusty is that the trusty version supports mount rules.

Also, Luis noticed that in aa_new_mount(), "struct path dev_path" is redefined, and thus shadowed. He's doing a test kernel with the following patch applied:

diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c
index 076200ece0f5..f59937529ba4 100644
--- a/security/apparmor/mount.c
+++ b/security/apparmor/mount.c
@@ -517,8 +517,6 @@ int aa_new_mount(struct aa_label *label, const char *orig_dev_name,
                put_filesystem(fstype);

                if (requires_dev) {
- struct path dev_path;
-
                        if (!dev_name || !*dev_name) {
                                error = -ENOENT;
                                goto out;

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Steve Beattie (sbeattie) wrote :

Okay, I can confirm that Luis' patch fixes the oops and test failures that I am seeing.

Also, the mount.sh test in the apparmor userspace package is a bit broken, even when things are working correctly, it aborts early (but does an exit 0, so it doesn't get noticed), skipping 3 of the tests. Attached is a patch to be applied via QRT to at least run all the existing tests, for review before applying.

Seth Arnold (seth-arnold) wrote :

Steve, this patch looks good to me.

Thanks

Luis Henriques (henrix) on 2016-11-24
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed

The verification of the Stable Release Update for linux-lts-trusty has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-103.150

---------------
linux (3.13.0-103.150) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1644489

  * Possible regression on 3.13.0-102.149~precise1 x86_64 (gce) (LP: #1644302)
    - SAUCE: apparmor: delete extra variable dev_path

linux (3.13.0-102.149) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640581

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: ptrace: being capable wrt a process requires mapped
      uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
      checks

  * Syntax error extra parenthesis linux-headers-3.13.0-100/Makefile
    (LP: #1636625)
    - Makefile: fix extra parenthesis typo when CC_STACKPROTECTOR_REGULAR is
      enabled

  * Add a driver for Amazon Elastic Network Adapters (ENA) (LP: #1635721)
    - lib/bitmap.c: conversion routines to/from u32 array
    - kernel.h: define u8, s8, u32, etc. limits
    - net: ethtool: add new ETHTOOL_xLINKSETTINGS API
    - PCI/MSI: Add pci_msix_vec_count()
    - etherdevice: Use ether_addr_copy to copy an Ethernet address
    - net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)
    - [config] enable CONFIG_ENA_ETHERNET=m (Amazon ENA driver)

  * CVE-2016-8658
    - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

  * srcname from mount rule corrupted under load (LP: #1634753)
    - SAUCE: apparmor: fix sleep in critical section

  * ghash-clmulni-intel module fails to load (LP: #1633058)
    - crypto: ghash-clmulni - Fix load failure
    - crypto: cryptd - Assign statesize properly

 -- Luis Henriques <email address hidden> Thu, 24 Nov 2016 09:56:54 +0000

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Dimitrenko (paviliong6) on 2017-07-04
Changed in linux (Ubuntu):
status: Confirmed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers