aufs: kernel bug with apparmor and fuseblk
[Impact]
* AppArmor-enabled applications on the aufs filesystem
might hit a kernel bug when getting file attributes.
* The aufs filesystem explicitly assigns a NULL pointer
to `struct path.mnt` for `vfs_getattr()`, which calls
into AppArmor that checks `struct path.mnt->mnt_flags`,
triggering a kernel NULL pointer dereference.
* This is almost 10 years old [1,2], reproducible w/ the
Linux v3.2 kernel, but it's rare as apparently it needs
a fuseblk mount as an aufs branch, and file creation/
open (O_CREAT), with a filename that exists only in a
lower aufs branch. On Linux v5.15-rc* it doesn't need
AppArmor anymore.
[Fix]
* The patch fixing this issue sets `struct path.mnt`
properly by taking a `struct path` as parameter instead
of just a `struct dentry` (rather than building an
incomplete `struct path` from that `dentry` w/ `mnt = NULL`.)
* Since it changes the signature of a key leaf function
with several callers, the patch is a bit long and amounts
to a refactor, but it has been tested by the upstream aufs
maintainer with a private test-suite.
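The interface change described in [Fix], reduced to a user-space C model. This is added here for illustration and is not the aufs patch or kernel code: the struct layouts, the flag value and the `demo_*`/`run_*` names are constructed for the demo, and only the shape of the problem (a `struct path` handed to the getattr path with `mnt == NULL`) mirrors the kernel.

```c
#include <stddef.h>
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel structs; only the fields the demo
 * touches are present. Layouts are not the kernel's. */
struct vfsmount { unsigned int mnt_flags; };
struct dentry   { const char *d_name; };
struct path     { struct vfsmount *mnt; struct dentry *dentry; };

#define DEMO_MNT_NOEXEC 0x1u   /* constructed flag, not the kernel's MNT_NOEXEC */

/* Stand-in for the AppArmor getattr hook. The kernel hook reads
 * path->mnt->mnt_flags unconditionally, so a NULL mnt is the oops; the
 * model returns -EFAULT at that point instead of dereferencing NULL. */
static int apparmor_inode_getattr(const struct path *path)
{
    if (path->mnt == NULL)
        return -EFAULT;                      /* where the real hook crashes */
    return (path->mnt->mnt_flags & DEMO_MNT_NOEXEC) ? -EACCES : 0;
}

/* Stand-in for vfs_getattr() -> security_inode_getattr() -> LSM hook. */
static int vfs_getattr(const struct path *path)
{
    return apparmor_inode_getattr(path);
}

/* Before the fix: the leaf helper only received the branch dentry and
 * fabricated an incomplete struct path with mnt = NULL. */
static int vfsub_update_h_iattr_old(struct dentry *h_dentry)
{
    struct path h_path = { .mnt = NULL, .dentry = h_dentry };
    return vfs_getattr(&h_path);
}

/* After the fix: the helper takes the struct path the caller already holds,
 * so mnt is populated and the hook has a real vfsmount to inspect. */
static int vfsub_update_h_iattr_new(const struct path *h_path)
{
    return vfs_getattr(h_path);
}

/* Constructed branch mount and dentry standing in for the fuseblk branch
 * and the file that exists only in a lower aufs branch. */
static struct vfsmount demo_branch_mnt = { .mnt_flags = 0 };
static struct dentry   demo_branch_dentry = { .d_name = "lower-only-file" };

/* Old API: mnt is never supplied, so the hook sees NULL. */
int run_old_api(void)
{
    return vfsub_update_h_iattr_old(&demo_branch_dentry);
}

/* New API: the full path, mount included, reaches the hook. */
int run_new_api(void)
{
    struct path h_path = { .mnt = &demo_branch_mnt, .dentry = &demo_branch_dentry };
    return vfsub_update_h_iattr_new(&h_path);
}

int main(void)
{
    printf("dentry-only helper: %d (-EFAULT models the NULL deref)\n", run_old_api());
    printf("struct path helper: %d\n", run_new_api());
    return 0;
}
```

The `-EFAULT` return exists only in the model; the kernel hook has no such check and dereferences the NULL `mnt` directly. The faulting address `0000000000000010` in the trace below is consistent with `mnt_flags` sitting at offset 0x10 of `struct vfsmount` on x86_64, after the `mnt_root` and `mnt_sb` pointers.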
[Test Plan]
* Synthetic reproducer available in [1] and comment #1.
[Regression Potential]
* Regressions would probably manifest as kernel errors
mostly in the lookup and open paths, but more subtle
manifestations would be possible as well.
* The patch modifies a fair number of functions, even if
doing so in simple ways. The synthetic reproducer only
covers one of those functions.
* The other code paths have been tested by the maintainer
w/ the mainline kernel, and should be equivalent to our
kernel as none of them changed in the cherry-pick/backport.
* The upstream aufs maintainer runs a private test suite
that covers several features and use cases of aufs, so
hopefully that provides some relief to take this patch.
[Other Info]
* Impish no longer ships aufs; no fix needed.
* Hirsute/Focal/Bionic do ship aufs and need the fix.
* Hirsute/Focal are clean cherry-picks.
* Bionic is a trivial backport.
[1] https://sourceforge.net/p/aufs/mailman/message/37363599/
[2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic
[Kernel Traces]
BUG: kernel NULL pointer dereference, address: 0000000000000010
...
CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
RIP: 0010:aa_path_name+0x55/0x370
...
Call Trace:
? request_wait_answer+0xc4/0x200
path_name+0x60/0xe0
profile_path_perm.part.9+0x57/0xa0
aa_path_perm+0xe2/0x130
common_perm+0x59/0x130
common_perm_cond+0x4c/0x70
apparmor_inode_getattr+0x1d/0x20
security_inode_getattr+0x35/0x50
vfs_getattr+0x21/0x40
vfsub_update_h_iattr+0x95/0xb0 [aufs]
? lookup_dcache+0x44/0x70
? lookup_one_len+0x66/0x90
vfsub_lookup_one_len+0x50/0x70 [aufs]
au_sio_lkup_one+0x8e/0xa0 [aufs]
au_lkup_dentry+0x3fa/0x660 [aufs]
aufs_lookup.part.35+0x11c/0x210 [aufs]
aufs_atomic_open+0xec/0x3c0 [aufs]
path_openat+0xe30/0x16a0
? aufs_lookup+0x30/0x30 [aufs]
? path_openat+0xe30/0x16a0
? unlock_page_memcg+0x12/0x20
? filemap_map_pages+0x17d/0x3b0
do_filp_open+0x9b/0x110
? __check_object_size+0xdb/0x1b0
? __alloc_fd+0xb2/0x170
do_sys_open+0x1ba/0x2e0
? do_sys_open+0x1ba/0x2e0
__x64_sys_openat+0x20/0x30
do_syscall_64+0x5e/0x200
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4a06fa