kernel BUG at fs/attr.c:287 when using shiftfs
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | High | Seth Forshee | 
Bug Description
SRU Justification
Impact: It is possible to hit a BUG statement in notify_change() with shiftfs (below). This occurs when one of ATTR_KILL_SUID or ATTR_KILL_SGID is set in the attrs and notify_change() sets ATTR_MODE before calling shiftfs_setattr(). shiftfs_setattr() passes the attrs to notify_change(), and the BUG statement is hit due to ATTR_MODE being set with one of ATTR_KILL_SUID or ATTR_KILL_SGID set.
Fix: Copy the logic used by ecryptfs and overlayfs to clear ATTR_MODE if one of these bits is set, allowing the lower fs to interpret the kill bits in its own way. Also fix a bug where changes made to the attrs by setattr_prepare() are not propagated to the attrs passed to the lower fs.
Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below).
Test Case: Tested in the lxd CI environment where the bug was originally discovered. No regressions were seen, and the BUG statement was not hit.
---
[18558.819079] ------------[ cut here ]------------
[18558.819082] kernel BUG at fs/attr.c:287!
[18558.823490] invalid opcode: 0000 [#1] SMP PTI
[18558.828038] CPU: 2 PID: 26728 Comm: dpkg Tainted: P O 5.0.0-10-generic #11+shiftfsv201
[18558.838152] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[18558.872092] RIP: 0010:notify_
[18558.876843] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18558.896179] RSP: 0018:ffffb706db
[18558.901984] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18558.909241] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18558.916491] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18558.923741] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18558.931350] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18558.938616] FS: 00007fe41f03904
[18558.946928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18558.952826] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18558.960078] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18558.967395] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[18558.975018] Call Trace:
[18558.977810] ? setattr_
[18558.982160] shiftfs_
[18558.986149] notify_
[18558.990014] chown_common+
[18558.993917] do_fchownat+
[18558.997551] __x64_sys_
[18559.001522] do_syscall_
[18559.005481] entry_SYSCALL_
[18559.010652] RIP: 0033:0x7fe41e9193e7
[18559.014343] Code: 39 84 24 98 00 00 00 75 a1 48 89 df e8 d2 c5 f8 ff eb a0 e8 ab 38 02 00 66 2e 0f 1f 84 00 00 00 00 00 90 b8 5c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 71 9a 2d 00 f7 d8 64 89 01 48
[18559.033294] RSP: 002b:00007fff73
[18559.041365] RAX: ffffffffffffffda RBX: 00005614237e0190 RCX: 00007fe41e9193e7
[18559.048820] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00005614237e0190
[18559.056290] RBP: 00005614237df110 R08: 000000000000001b R09: 000000000000002e
[18559.063681] R10: fffffffffffff32f R11: 0000000000000297 R12: 00007fff73c8a210
[18559.071386] R13: 0000561424166360 R14: 00005614237e0190 R15: 00000000ffffffff
[18559.078773] Modules linked in: binfmt_misc veth ebtable_filter ebtables ip6t_MASQUERADE ip6table_nat nf_nat_ipv6 ipt_MASQUERADE xt_CHECKSUM xt_comment xt_tcpudp iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle bridge stp llc unix_diag ip6table_filter ip6_tables iptable_filter bpfilter zfs(PO) zunicode(PO) zavl(PO) icp(PO) zcommon(PO) nls_iso8859_1 znvpair(PO) spl(O) input_leds serio_raw sb_edac pvpanic mac_hid intel_rapl_perf sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_
[18559.161878] ---[ end trace a06dfd01d379d33b ]---
[18559.166628] RIP: 0010:notify_
[18559.171302] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18559.190333] RSP: 0018:ffffb706db
[18559.195716] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18559.204362] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18559.211720] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18559.220358] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18559.227648] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18559.236285] FS: 00007fe41f03904
[18559.244522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18559.251941] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18559.259242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18559.266702] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
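As an added illustration, not shiftfs or kernel code and not part of this bug report, here is a user-space C model of the flag handling described in the SRU justification: the first notify_change() turns ATTR_KILL_SUID into an ATTR_MODE change without clearing the kill bit, so forwarding the same attrs to the lower filesystem trips the check at fs/attr.c:287, while copying the attrs and dropping ATTR_MODE, as the fix does, lets the lower fs handle the kill bits itself. The flag values, struct layouts and the reduction to the SUID path are assumptions that simplify fs/attr.c; the second part of the fix (propagating setattr_prepare() changes) is not modelled.

```c
#define S_IFREG 0100000                      /* Linux mode bits, constructed */
#define S_ISUID 04000

#define ATTR_MODE      (1 << 0)
#define ATTR_KILL_SUID (1 << 11)
#define ATTR_KILL_SGID (1 << 12)

struct inode { unsigned i_mode; };
struct iattr { unsigned ia_valid; unsigned ia_mode; };
/* Model of notify_change() (fs/attr.c) reduced to the ATTR_KILL_SUID path:
 * the check that BUG()s, then the in-place rewrite of the kill bit into an
 * ATTR_MODE change (the kill bit itself stays set).  Returns 1 on BUG(). */
static int notify_change_model(struct inode *inode, struct iattr *attr)
{
    unsigned v = attr->ia_valid;
    if ((v & (ATTR_KILL_SUID | ATTR_KILL_SGID)) && (v & ATTR_MODE))
        return 1;                            /* fs/attr.c:287 */
    if ((v & ATTR_KILL_SUID) && (inode->i_mode & S_ISUID)) {
        attr->ia_valid |= ATTR_MODE;
        attr->ia_mode = inode->i_mode & ~S_ISUID;
    }
    if (attr->ia_valid & ATTR_MODE)
        inode->i_mode = attr->ia_mode;
    return 0;
}

/* Model of the stacked ->setattr forwarding attrs to the lower inode.
 * fixed == 0: pass the already-rewritten attrs through (the bug above).
 * fixed == 1: copy them and drop ATTR_MODE when a kill bit is set, so the
 *             lower fs derives the mode change itself, as ecryptfs/overlayfs do. */
static int stacked_setattr_model(struct inode *lower, struct iattr *attr, int fixed)
{
    struct iattr la = *attr;
    if (fixed && (la.ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)))
        la.ia_valid &= ~ATTR_MODE;
    return notify_change_model(lower, &la);
}

/* chown(2) on a setuid regular file through the stack: chown_common() sets
 * both kill bits, the VFS runs notify_change() on the upper inode, and the
 * upper's ->setattr forwards to the lower.  Returns -1 where BUG() would
 * fire, otherwise the lower inode's resulting mode. */
static int chown_through_stack(int fixed)
{
    struct inode upper = { S_IFREG | S_ISUID | 0755 }, lower = upper; /* constructed */
    struct iattr attr = { ATTR_KILL_SUID | ATTR_KILL_SGID, 0 };
    if (notify_change_model(&upper, &attr)) return -1;
    if (stacked_setattr_model(&lower, &attr, fixed)) return -1;
    return (int)lower.i_mode;
}
```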
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
tags: added: cscc
This bug was fixed in the package linux - 5.0.0-13.14
---------------
linux (5.0.0-13.14) disco; urgency=medium
* linux: 5.0.0-13.14 -proposed tracker (LP: #1824819)
* Display only has 640x480 (LP: #1824677)
- Revert "UBUNTU: SAUCE: drm/nouveau: Disable nouveau driver by default"
* shiftfs: use after free when checking mount options (LP: #1824735)
- SAUCE: shiftfs: prevent use-after-free when verifying mount options
linux (5.0.0-12.13) disco; urgency=medium
* linux: 5.0.0-12.13 -proposed tracker (LP: #1824726)
* Linux 5.0 black screen on boot, display flickers (i915 regression with
certain laptop panels) (LP: #1824216)
- drm/i915/dp: revert back to max link rate and lane count on eDP
* kernel BUG at fs/attr.c:287 when using shiftfs (LP: #1824717)
- SAUCE: shiftfs: fix passing of attrs to underlay for setattr
-- Seth Forshee <email address hidden> Mon, 15 Apr 2019 09:11:23 -0500