kernel BUG at fs/attr.c:287 when using shiftfs

Bug #1824717 reported by Seth Forshee on 2019-04-14
Affects: linux (Ubuntu)
Importance: High
Assigned to: Seth Forshee

Bug Description

SRU Justification

Impact: It is possible to hit a BUG statement in notify_change() with shiftfs (below). This occurs when one of ATTR_KILL_SUID or ATTR_KILL_SGID is set in the attrs and notify_change() sets ATTR_MODE before calling shiftfs_setattr(). shiftfs_setattr() passes the attrs to notify_change(), and the BUG statement is hit due to ATTR_MODE being set with one of ATTR_KILL_SUID or ATTR_KILL_SGID set.

Fix: Copy the logic used by ecryptfs and overlayfs to clear ATTR_MODE if one of these bits is set, allowing the lower fs to interpret the kill bits in its own way. Also fix a bug where changes to the attrs from setattr_prepare() are not propagated to the attrs used for the lower fs.

Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below).

Test Case: Tested in the lxd CI environment where the bug was originally discovered. No regressions were seen, and the BUG statement was not hit.
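The call path described in the Impact and Fix paragraphs, as a userspace model added here (not the kernel's code nor the shiftfs patch): the ATTR_* values follow include/linux/fs.h, while the struct types and the function names nc_prepare, stacked_setattr and chown_through_stack are constructed stand-ins. It models only the ATTR_MODE/kill-bit part of the fix, not the propagation of setattr_prepare() changes to the lower attrs.

```c
#include <stdbool.h>
#include <sys/stat.h>
/* Flag values follow include/linux/fs.h; the rest is a userspace model. */
#define ATTR_MODE      (1 << 0)
#define ATTR_UID       (1 << 1)
#define ATTR_KILL_SUID (1 << 11)
#define ATTR_KILL_SGID (1 << 12)
struct inode { unsigned int i_mode; };
struct iattr { unsigned int ia_valid; unsigned int ia_mode; };

/* notify_change() prologue: the check that BUG()s in the report (false here),
 * then translation of the kill bits into an explicit ATTR_MODE for this inode. */
static bool nc_prepare(const struct inode *inode, struct iattr *attr)
{
    unsigned int v = attr->ia_valid;
    if ((v & (ATTR_KILL_SUID | ATTR_KILL_SGID)) && (v & ATTR_MODE))
        return false;                                /* fs/attr.c:287 */
    if ((v & ATTR_KILL_SUID) && (inode->i_mode & S_ISUID))
        attr->ia_valid |= ATTR_MODE, attr->ia_mode = inode->i_mode & ~S_ISUID;
    if ((v & ATTR_KILL_SGID) &&
        (inode->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
        if (!(attr->ia_valid & ATTR_MODE))
            attr->ia_valid |= ATTR_MODE, attr->ia_mode = inode->i_mode;
        attr->ia_mode &= ~S_ISGID;
    }
    return true;
}

/* Stacked-fs setattr forwarding to notify_change() on the lower inode. Fixed: drop
 * ATTR_MODE when a kill bit is set (as overlayfs/ecryptfs do) so the lower
 * notify_change() re-derives the mode instead of BUG()ing on both bits. */
static bool stacked_setattr(struct inode *lower, const struct iattr *attr, bool fixed)
{
    struct iattr la = *attr;
    if (fixed && (la.ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)))
        la.ia_valid &= ~ATTR_MODE;
    if (!nc_prepare(lower, &la))
        return false;
    if (la.ia_valid & ATTR_MODE)
        lower->i_mode = la.ia_mode;                  /* lower fs applies it */
    return true;
}

/* chown() on a regular file of the given mode, through the stack: returns the
 * resulting lower mode, or 0 where the unfixed kernel would hit BUG(). */
unsigned int chown_through_stack(unsigned int mode, bool fixed)
{
    struct inode upper = { mode }, lower = { mode };
    struct iattr attr = { ATTR_UID | ATTR_KILL_SUID | ATTR_KILL_SGID, 0 }; /* chown_common() */
    if (!nc_prepare(&upper, &attr) || !stacked_setattr(&lower, &attr, fixed))
        return 0;
    return lower.i_mode;
}
```

Only files with a set-uid bit, or set-gid plus group-execute, reach the BUG(), which is why a package install (dpkg chowning setuid binaries) triggered it while ordinary files pass through either path unchanged.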

---

[18558.819079] ------------[ cut here ]------------
[18558.819082] kernel BUG at fs/attr.c:287!
[18558.823490] invalid opcode: 0000 [#1] SMP PTI
[18558.828038] CPU: 2 PID: 26728 Comm: dpkg Tainted: P O 5.0.0-10-generic #11+shiftfsv201904110736
[18558.838152] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[18558.872092] RIP: 0010:notify_change+0x412/0x460
[18558.876843] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18558.896179] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
[18558.901984] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18558.909241] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18558.916491] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18558.923741] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18558.931350] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18558.938616] FS: 00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
[18558.946928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18558.952826] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18558.960078] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18558.967395] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[18558.975018] Call Trace:
[18558.977810] ? setattr_prepare+0x178/0x200
[18558.982160] shiftfs_setattr+0xec/0x140
[18558.986149] notify_change+0x2d9/0x460
[18558.990014] chown_common+0x1c8/0x1e0
[18558.993917] do_fchownat+0x93/0xf0
[18558.997551] __x64_sys_chown+0x22/0x30
[18559.001522] do_syscall_64+0x5a/0x110
[18559.005481] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[18559.010652] RIP: 0033:0x7fe41e9193e7
[18559.014343] Code: 39 84 24 98 00 00 00 75 a1 48 89 df e8 d2 c5 f8 ff eb a0 e8 ab 38 02 00 66 2e 0f 1f 84 00 00 00 00 00 90 b8 5c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 71 9a 2d 00 f7 d8 64 89 01 48
[18559.033294] RSP: 002b:00007fff73c89d48 EFLAGS: 00000297 ORIG_RAX: 000000000000005c
[18559.041365] RAX: ffffffffffffffda RBX: 00005614237e0190 RCX: 00007fe41e9193e7
[18559.048820] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00005614237e0190
[18559.056290] RBP: 00005614237df110 R08: 000000000000001b R09: 000000000000002e
[18559.063681] R10: fffffffffffff32f R11: 0000000000000297 R12: 00007fff73c8a210
[18559.071386] R13: 0000561424166360 R14: 00005614237e0190 R15: 00000000ffffffff
[18559.078773] Modules linked in: binfmt_misc veth ebtable_filter ebtables ip6t_MASQUERADE ip6table_nat nf_nat_ipv6 ipt_MASQUERADE xt_CHECKSUM xt_comment xt_tcpudp iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle bridge stp llc unix_diag ip6table_filter ip6_tables iptable_filter bpfilter zfs(PO) zunicode(PO) zavl(PO) icp(PO) zcommon(PO) nls_iso8859_1 znvpair(PO) spl(O) input_leds serio_raw sb_edac pvpanic mac_hid intel_rapl_perf sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net aes_x86_64 nvme crypto_simd cryptd glue_helper net_failover psmouse nvme_core failover virtio_scsi i2c_piix4
[18559.161878] ---[ end trace a06dfd01d379d33b ]---
[18559.166628] RIP: 0010:notify_change+0x412/0x460
[18559.171302] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18559.190333] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
[18559.195716] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18559.204362] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18559.211720] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18559.220358] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18559.227648] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18559.236285] FS: 00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
[18559.244522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18559.251941] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18559.259242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18559.266702] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

Seth Forshee (sforshee) on 2019-04-14
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-13.14

---------------
linux (5.0.0-13.14) disco; urgency=medium

  * linux: 5.0.0-13.14 -proposed tracker (LP: #1824819)

  * Display only has 640x480 (LP: #1824677)
    - Revert "UBUNTU: SAUCE: drm/nouveau: Disable nouveau driver by default"

  * shiftfs: use after free when checking mount options (LP: #1824735)
    - SAUCE: shiftfs: prevent use-after-free when verifying mount options

linux (5.0.0-12.13) disco; urgency=medium

  * linux: 5.0.0-12.13 -proposed tracker (LP: #1824726)

  * Linux 5.0 black screen on boot, display flickers (i915 regression with
    certain laptop panels) (LP: #1824216)
    - drm/i915/dp: revert back to max link rate and lane count on eDP

  * kernel BUG at fs/attr.c:287 when using shiftfs (LP: #1824717)
    - SAUCE: shiftfs: fix passing of attrs to underaly for setattr

 -- Seth Forshee <email address hidden> Mon, 15 Apr 2019 09:11:23 -0500

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) on 2019-07-24
tags: added: cscc