kernel BUG at fs/attr.c:287 when using shiftfs

Bug #1824717 reported by Seth Forshee
Affects: linux (Ubuntu), Status: Fix Released, Importance: High, Assigned to: Seth Forshee, Milestone: none

Bug Description

SRU Justification

Impact: It is possible to hit a BUG statement in notify_change() with shiftfs (below). This occurs when one of ATTR_KILL_SUID or ATTR_KILL_SGID is set in the attrs and notify_change() sets ATTR_MODE before calling shiftfs_setattr(). shiftfs_setattr() passes the attrs to notify_change(), and the BUG statement is hit due to ATTR_MODE being set with one of ATTR_KILL_SUID or ATTR_KILL_SGID set.

Fix: Copy the logic used by ecryptfs and overlayfs to clear ATTR_MODE if one of these bits is set, allowing the lower fs to interpret the kill bits in its own way. Also fix a bug where changes to the attrs from setattr_prepare() are not propagated to the attrs used for the lower fs.

Regression Potential: Limited to shiftfs, matches the behavior of other stacked filesystems, and has been tested (see below).

Test Case: Tested in the lxd CI environment where the bug was originally discovered. No regressions were seen, and the BUG statement was not hit.

---

[18558.819079] ------------[ cut here ]------------
[18558.819082] kernel BUG at fs/attr.c:287!
[18558.823490] invalid opcode: 0000 [#1] SMP PTI
[18558.828038] CPU: 2 PID: 26728 Comm: dpkg Tainted: P O 5.0.0-10-generic #11+shiftfsv201904110736
[18558.838152] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[18558.872092] RIP: 0010:notify_change+0x412/0x460
[18558.876843] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18558.896179] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
[18558.901984] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18558.909241] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18558.916491] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18558.923741] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18558.931350] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18558.938616] FS: 00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
[18558.946928] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18558.952826] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18558.960078] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18558.967395] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[18558.975018] Call Trace:
[18558.977810] ? setattr_prepare+0x178/0x200
[18558.982160] shiftfs_setattr+0xec/0x140
[18558.986149] notify_change+0x2d9/0x460
[18558.990014] chown_common+0x1c8/0x1e0
[18558.993917] do_fchownat+0x93/0xf0
[18558.997551] __x64_sys_chown+0x22/0x30
[18559.001522] do_syscall_64+0x5a/0x110
[18559.005481] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[18559.010652] RIP: 0033:0x7fe41e9193e7
[18559.014343] Code: 39 84 24 98 00 00 00 75 a1 48 89 df e8 d2 c5 f8 ff eb a0 e8 ab 38 02 00 66 2e 0f 1f 84 00 00 00 00 00 90 b8 5c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 71 9a 2d 00 f7 d8 64 89 01 48
[18559.033294] RSP: 002b:00007fff73c89d48 EFLAGS: 00000297 ORIG_RAX: 000000000000005c
[18559.041365] RAX: ffffffffffffffda RBX: 00005614237e0190 RCX: 00007fe41e9193e7
[18559.048820] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00005614237e0190
[18559.056290] RBP: 00005614237df110 R08: 000000000000001b R09: 000000000000002e
[18559.063681] R10: fffffffffffff32f R11: 0000000000000297 R12: 00007fff73c8a210
[18559.071386] R13: 0000561424166360 R14: 00005614237e0190 R15: 00000000ffffffff
[18559.078773] Modules linked in: binfmt_misc veth ebtable_filter ebtables ip6t_MASQUERADE ip6table_nat nf_nat_ipv6 ipt_MASQUERADE xt_CHECKSUM xt_comment xt_tcpudp iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle bridge stp llc unix_diag ip6table_filter ip6_tables iptable_filter bpfilter zfs(PO) zunicode(PO) zavl(PO) icp(PO) zcommon(PO) nls_iso8859_1 znvpair(PO) spl(O) input_leds serio_raw sb_edac pvpanic mac_hid intel_rapl_perf sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net aes_x86_64 nvme crypto_simd cryptd glue_helper net_failover psmouse nvme_core failover virtio_scsi i2c_piix4
[18559.161878] ---[ end trace a06dfd01d379d33b ]---
[18559.166628] RIP: 0010:notify_change+0x412/0x460
[18559.171302] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18559.190333] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
[18559.195716] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18559.204362] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18559.211720] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18559.220358] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18559.227648] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18559.236285] FS: 00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
[18559.244522] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18559.251941] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18559.259242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18559.266702] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
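A user-space model of the interaction described in the SRU justification above, added here as an illustration; it is not kernel code and not the shiftfs patch. The flag and struct names follow the kernel's, but their values, the cut-down inode and iattr structs, and the behaviour given to setattr_prepare() (dropping S_ISGID when the caller is not in the file's group) are this example's own assumptions. The kill-bit handling in model_notify_change() approximates the VFS logic, with BUG() replaced by a -1 return so the model can run. run_stack() pushes one chown-style or chmod-style change through a stacked inode and its lower inode, once along the path the bug describes and once along the fixed one.

```c
#include <stdbool.h>
#include <stdio.h>

/* Mode bits and iattr flags, named as in the kernel; values are this model's own. */
#define S_ISUID 04000u
#define S_ISGID 02000u
#define S_IXGRP 00010u

#define ATTR_MODE      (1u << 0)
#define ATTR_KILL_SUID (1u << 11)
#define ATTR_KILL_SGID (1u << 12)

struct inode {
    unsigned int i_mode;
    bool caller_in_group;   /* stands in for in_group_p()/CAP_FSETID in setattr_prepare() */
    struct inode *lower;    /* non-NULL for the stacked (shiftfs-like) inode */
};

struct iattr {
    unsigned int ia_valid;
    unsigned int ia_mode;
};

typedef int (*setattr_fn)(struct inode *, struct iattr *);

/* Model of setattr_prepare() (assumption for this example): a mode change by a
 * caller who is not in the file's group loses the setgid bit. */
static int model_setattr_prepare(struct inode *inode, struct iattr *attr)
{
    if ((attr->ia_valid & ATTR_MODE) && !inode->caller_in_group)
        attr->ia_mode &= ~S_ISGID;
    return 0;
}

/* Model of notify_change(): the first check is the one the trace attributes to
 * fs/attr.c:287. The kernel calls BUG() there; this model returns -1 instead. */
static int model_notify_change(struct inode *inode, struct iattr *attr, setattr_fn setattr)
{
    unsigned int ia_valid = attr->ia_valid;
    unsigned int mode = inode->i_mode;

    if ((ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) && (ia_valid & ATTR_MODE))
        return -1;  /* BUG() in the real kernel */

    /* Turn the kill bits into an explicit mode change, as the VFS does. */
    if ((ia_valid & ATTR_KILL_SUID) && (mode & S_ISUID)) {
        if (!(attr->ia_valid & ATTR_MODE)) {
            attr->ia_valid |= ATTR_MODE;
            attr->ia_mode = inode->i_mode;
        }
        attr->ia_mode &= ~S_ISUID;
    }
    if ((ia_valid & ATTR_KILL_SGID) && (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
        if (!(attr->ia_valid & ATTR_MODE)) {
            attr->ia_valid |= ATTR_MODE;
            attr->ia_mode = inode->i_mode;
        }
        attr->ia_mode &= ~S_ISGID;
    }
    return setattr(inode, attr);
}

/* Bottom of the stack: a plain filesystem applying the mode, like setattr_copy(). */
static int lower_setattr(struct inode *inode, struct iattr *attr)
{
    if (attr->ia_valid & ATTR_MODE)
        inode->i_mode = attr->ia_mode;
    return 0;
}

/* Stacked setattr as the bug describes it: the copy for the lower fs is taken
 * before setattr_prepare() runs, and ATTR_MODE plus the kill bits go down as-is. */
static int stacked_setattr_buggy(struct inode *inode, struct iattr *attr)
{
    struct iattr newattr = *attr;
    int err = model_setattr_prepare(inode, attr);
    if (err)
        return err;
    return model_notify_change(inode->lower, &newattr, lower_setattr);
}

/* Stacked setattr following the fix: copy after setattr_prepare(), and clear
 * ATTR_MODE when a kill bit is set so the lower fs computes the mode itself. */
static int stacked_setattr_fixed(struct inode *inode, struct iattr *attr)
{
    struct iattr newattr;
    int err = model_setattr_prepare(inode, attr);
    if (err)
        return err;
    newattr = *attr;
    if (newattr.ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
        newattr.ia_valid &= ~ATTR_MODE;
    return model_notify_change(inode->lower, &newattr, lower_setattr);
}

/* Push one attribute change through upper -> lower. Both inodes start as a
 * setuid+setgid executable (06755). Returns -1 where the kernel would have hit
 * BUG(), otherwise the lower inode's resulting mode. */
int run_stack(bool fixed, unsigned int ia_valid, unsigned int ia_mode, bool caller_in_group)
{
    struct inode lower = { .i_mode = 06755, .caller_in_group = caller_in_group, .lower = NULL };
    struct inode upper = { .i_mode = 06755, .caller_in_group = caller_in_group, .lower = &lower };
    struct iattr attr = { .ia_valid = ia_valid, .ia_mode = ia_mode };
    int err = model_notify_change(&upper, &attr,
                                  fixed ? stacked_setattr_fixed : stacked_setattr_buggy);
    return err ? err : (int)lower.i_mode;
}

int main(void)
{
    unsigned int chown_flags = ATTR_KILL_SUID | ATTR_KILL_SGID;  /* what chown_common() requests */
    printf("chown, buggy: %d (-1 = BUG)\n", run_stack(false, chown_flags, 0, true));
    printf("chown, fixed: %#o\n", (unsigned int)run_stack(true, chown_flags, 0, true));
    printf("chmod 2775 by non-member, buggy: %#o\n", (unsigned int)run_stack(false, ATTR_MODE, 02775, false));
    printf("chmod 2775 by non-member, fixed: %#o\n", (unsigned int)run_stack(true, ATTR_MODE, 02775, false));
    return 0;
}
```

Compiled and run, the buggy path returns -1 for the chown case (the check reached from chown_common() in the trace above) while the fixed path lets the lower inode clear both bits itself. The chmod case shows the second fix from the justification: with the copy taken before setattr_prepare(), the setgid bit that setattr_prepare() removed survives on the lower inode; copying afterwards carries that change down.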

Tags: cscc
Seth Forshee (sforshee)
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 5.0.0-13.14

---------------
linux (5.0.0-13.14) disco; urgency=medium

  * linux: 5.0.0-13.14 -proposed tracker (LP: #1824819)

  * Display only has 640x480 (LP: #1824677)
    - Revert "UBUNTU: SAUCE: drm/nouveau: Disable nouveau driver by default"

  * shiftfs: use after free when checking mount options (LP: #1824735)
    - SAUCE: shiftfs: prevent use-after-free when verifying mount options

linux (5.0.0-12.13) disco; urgency=medium

  * linux: 5.0.0-12.13 -proposed tracker (LP: #1824726)

  * Linux 5.0 black screen on boot, display flickers (i915 regression with
    certain laptop panels) (LP: #1824216)
    - drm/i915/dp: revert back to max link rate and lane count on eDP

  * kernel BUG at fs/attr.c:287 when using shiftfs (LP: #1824717)
    - SAUCE: shiftfs: fix passing of attrs to underlay for setattr

 -- Seth Forshee <email address hidden> Mon, 15 Apr 2019 09:11:23 -0500

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Brad Figg (brad-figg)
tags: added: cscc