AppArmor onexec transition causes WARN kernel stack trace

Bug #1838627 reported by John Johansen on 2019-08-01
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
John Johansen

Bug Description

microk8s has reported on issue with the Xenial kernel where apparmor causes the following kernel stack trace due to an apparmor AA_BUG condition being triggered.

[ 225.236085] ------------[ cut here ]------------
[ 225.236104] WARNING: CPU: 1 PID: 13726 at /build/linux-aUWTNP/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
[ 225.236109] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
[ 225.236113] Modules linked in:
[ 225.236118] btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs veth xt_nat xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs libcrc32c ctr ccm ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 br_netfilter bridge stp llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep aufs overlay binfmt_misc drbg ansi_cprng dm_crypt snd_hda_codec_hdmi arc4 eeepc_wmi asus_wmi sparse_keymap nvidia_uvm(POE) mxm_wmi joydev input_leds btusb btrtl btbcm btintel bluetooth snd_usb_audio snd_usbmidi_lib snd_hda_intel snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hda_core intel_powerclamp snd_hwdep coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport ac97_bus
[ 225.236305] snd_seq_midi aesni_intel snd_pcm snd_seq_midi_event aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_rawmidi snd_seq iwlmvm snd_seq_device serio_raw snd_timer mac80211 snd soundcore iwlwifi cfg80211 mei_me mei shpchp 8250_fintek wmi acpi_pad mac_hid ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_recent xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc iptable_filter ip_tables ppdev x_tables lp parport autofs4 hid_generic usbhid hid nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) i915_bpo psmouse e1000e intel_ips ptp i2c_algo_bit
[ 225.236420] pps_core drm_kms_helper nvme syscopyarea sysfillrect sysimgblt fb_sys_fops ahci drm libahci video fjes
[ 225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P W OE 4.4.0-154-generic #181-Ubuntu
[ 225.236451] Hardware name: System manufacturer System Product Name/PRIME H270-PRO, BIOS 0323 01/04/2017
[ 225.236456] 0000000000000286 fa217f3573a84520 ffff88033ade39d0 ffffffff8140b481
[ 225.236464] ffff88033ade3a18 ffffffff81d03018 ffff88033ade3a08 ffffffff81085432
[ 225.236477] ffff88035cb2f000 ffff88033ade3b6c ffff88033bcb8b88 ffff88033ade3d88
[ 225.236484] Call Trace:
[ 225.236498] [<ffffffff8140b481>] dump_stack+0x63/0x82
[ 225.236509] [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
[ 225.236518] [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
[ 225.236527] [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
[ 225.236536] [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
[ 225.236544] [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
[ 225.236554] [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
[ 225.236562] [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
[ 225.236571] [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
[ 225.236581] [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
[ 225.236589] [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
[ 225.236596] [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
[ 225.236608] [<ffffffffc1439712>] ? ovl_getxattr+0x52/0xb0 [overlay]
[ 225.236617] [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
[ 225.236624] [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
[ 225.236633] [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
[ 225.236642] [<ffffffff812229d5>] prepare_binprm+0x85/0x190
[ 225.236651] [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
[ 225.236661] [<ffffffff8122460a>] SyS_execve+0x3a/0x50
[ 225.236671] [<ffffffff81863f15>] stub_execve+0x5/0x5
[ 225.236678] [<ffffffff81863b9b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
[ 225.236684] ---[ end trace 6b2beaa85ae31c29 ]---

This is caused when the change_onexec api is used and permitted by the profile but the task has the NO_NEW_PRIVS flag set causing the domain transition specified in the change_onexec request to fail.

John Johansen (jjohansen) wrote :

Fix selected and backported from a larger patch that originally landed in Zesty and subsequently landed in upstream.

Changed in linux (Ubuntu Xenial):
assignee: nobody → John Johansen (jjohansen)
status: New → Confirmed
John Johansen (jjohansen) wrote :

The patch has been tested against a reproducer and fixes the issue.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1838627

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: xenial
tags: added: patch
Changed in linux (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :
Download full text (5.5 KiB)

This bug was fixed in the package linux - 4.4.0-161.189

---------------
linux (4.4.0-161.189) xenial; urgency=medium

  * xenial/linux: 4.4.0-161.189 -proposed tracker (LP: #1841544)

  * flock not mediated by 'k' (LP: 1658219)
    - Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being, enforced on
      cache check"

  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis

linux (4.4.0-160.188) xenial; urgency=medium

  * xenial/linux: 4.4.0-160.188 -proposed tracker (LP: #1840021)

  * Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

  * EeePC 1005px laptop backlight is off after system boot up (LP: #1837117)
    - platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from
      asus_nb_wmi

  * CVE-2019-10638
    - [Config] CONFIG_TEST_HASH=n
    - siphash: add cryptographically secure PRF
    - inet: switch IP ID generator to siphash

  * Stacked onexec transitions fail when under NO NEW PRIVS restrictions
    (LP: #1839037)
    - SAUCE: apparmor: fix nnp subset check failure, when stacking

  * AppArmor onexec transition causes WARN kernel stack trace (LP: #1838627)
    - SAUCE: apparmor: fix audit failures when performing profile transitions

  * flock not mediated by 'k' (LP: 1658219) // Ubuntu 16.04: read access
    incorrectly implies 'm' rule (LP: 1838090)
    - SAUCE: apparmor: flock mediation is not being, enforced on cache check

  * bcache: bch_allocator_thread(): hung task timeout (LP: #1784665) // Tight
    timeout for bcache removal causes spurious failures (LP: #1796292)
    - SAUCE: bcache: fix deadlock in bcache_allocator

  * bcache: bch_allocator_thread(): hung task timeout (LP: #1784665)
    - bcache: improve bcache_reboot()
    - bcache: add journal statistic
    - bcache: fix high CPU occupancy during journal
    - bcache: fix incorrect sysfs output value of strip size
    - bcache: fix error return value in memory shrink
    - bcache: fix using of loop variable in memory shrink
    - bcache: Fix indentation
    - bcache: Add __printf annotation to __bch_check_keys()
    - bcache: Annotate switch fall-through
    - bcache: Fix kernel-doc warnings
    - bcache: Remove an unused variable
    - bcache: Suppress more warnings about set-but-not-used variables
    - bcache: Reduce the number of sparse complaints about lock imbalances
    - bcache: Move couple of functions to sysfs.c

  * CVE-2019-3900
    - vhost: introduce vhost_vq_avail_empty()
    - vhost_net: tx batching
    - vhost_net: do not stall on zerocopy depletion
    - vhost-net: set packet weight of tx polling to 2 * vq size
    - vhost_net: use packet weight for rx handler, too
    - vhost_net: introduce vhost_exceeds_weight()
    - vhost: introduce vhost_exceeds_weight()
    - vhost_net: fix possible infinite loop
    - vhost: scsi: add weight support

  * Xenial: ZFS deadlock in shrinker path with xattrs (LP: #1839521)
    - SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu28

  * CVE-2019-13648
    - powerpc/tm: Fix oops on sigreturn on systems without TM

  * CVE-2018-20856
    - block: blk_init_allocated_queue() set q->fq as NULL in the fail case

  * CVE-2019-14283
    - floppy: fix out-of-bound...

Read more...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers