prevent kernel panic with overlayfs + shiftfs

Bug #1973620 reported by Andrea Righi
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Status tracked in Kinetic
Impish
Fix Released
Medium
Unassigned
Jammy
Fix Released
Medium
Unassigned
Kinetic
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

The patch that we have recently re-introduced to properly support overlayfs on top of shiftfs can introduce potential kernel panics, for example:

    BUG: kernel NULL pointer dereference, address: 0000000000000008
    [ 447.039738] #PF: supervisor read access in kernel mode
    [ 447.040369] #PF: error_code(0x0000) - not-present page
    [ 447.041002] PGD 0 P4D 0
    [ 447.041325] Oops: 0000 [#1] SMP NOPTI
    [ 447.041798] CPU: 0 PID: 73766 Comm: sudo Not tainted 5.15.0-28-generic #29~20.04.1-Ubuntu
    [ 447.042800] Hardware name: OpenStack Foundation OpenStack Nova, BIOS Ubuntu-1.8.2-1ubuntu1+esm1 04/01/2014
    [ 447.043979] RIP: 0010:aa_file_perm+0x3a/0x470
    [ 447.044565] Code: 54 53 48 83 ec 68 48 89 7d 80 89 4d 8c 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 63 05 01 0a 19 01 48 03 82 c0 00 00 00 <4c> 8b 68 08 f6 46 40 02 0f 85 d0 00 00 00 41 f6 45 40 02 0f 85 c5
    [ 447.046837] RSP: 0018:ffffaefe80a4bca8 EFLAGS: 00010246
    [ 447.047481] RAX: 0000000000000000 RBX: ffff96e4038abd01 RCX: 0000000000000004
    [ 447.048351] RDX: ffff96e4038abd00 RSI: ffff96e401215eb8 RDI: ffffffff9c22a2ac
    [ 447.049241] RBP: ffffaefe80a4bd38 R08: 0000000000000000 R09: 0000000000000000
    [ 447.050121] R10: 0000000000000000 R11: 0000000000000000 R12: ffff96e401215eb8
    [ 447.051040] R13: ffff96e4038abd00 R14: ffffffff9c22a2ac R15: 0000000000000004
    [ 447.051942] FS: 00007eff3c0f8c80(0000) GS:ffff96e45e400000(0000) knlGS:0000000000000000
    [ 447.052981] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    [ 447.053696] CR2: 0000000000000008 CR3: 0000000002be2000 CR4: 00000000003506f0
    [ 447.054571] Call Trace:
    [ 447.054883] <TASK>
    [ 447.055154] ? unlock_page_memcg+0x2f/0x40
    [ 447.055668] ? page_remove_rmap+0x4b/0x320
    [ 447.056180] common_file_perm+0x72/0x170
    [ 447.056669] apparmor_file_permission+0x1c/0x20
    [ 447.057237] security_file_permission+0x30/0x1a0
    [ 447.057898] rw_verify_area+0x35/0x60
    [ 447.058392] vfs_read+0x6d/0x1a0
    [ 447.058842] ksys_read+0xb1/0xe0
    [ 447.059276] __x64_sys_read+0x1a/0x20
    [ 447.059732] do_syscall_64+0x5c/0xc0
    [ 447.060183] ? __set_current_blocked+0x3b/0x60
    [ 447.060738] ? exit_to_user_mode_prepare+0x3d/0x1c0
    [ 447.061434] ? syscall_exit_to_user_mode+0x27/0x50
    [ 447.062099] ? do_syscall_64+0x69/0xc0
    [ 447.062603] ? irqentry_exit_to_user_mode+0x9/0x20
    [ 447.063210] ? irqentry_exit+0x19/0x30
    [ 447.063678] ? exc_page_fault+0x89/0x160
    [ 447.064165] ? asm_exc_page_fault+0x8/0x30
    [ 447.064675] entry_SYSCALL_64_after_hwframe+0x44/0xae
    [ 447.065298] RIP: 0033:0x7eff3c2cb002

[Test case]

It is really easy to trigger this specific kernel panic running the lxc autopackage test.

[Fix]

This bug happens because we don't need to decrement anymore the refcount for the previous vm_file value in ovl_vm_prfile_set(). So the fix simply consists of removing the unnecessary fput().

[Regression potential]

This patch affects only overlayfs (only when AUFS is enabled), so we may see regressions in overlayfs in kernels that have AUFS enabled (focal hwe and cloud kernels).

CVE References

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1973620

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Impish):
status: New → Incomplete
Changed in linux (Ubuntu Jammy):
status: New → Incomplete
Stefan Bader (smb)
Changed in linux (Ubuntu Jammy):
importance: Undecided → Medium
Changed in linux (Ubuntu Impish):
importance: Undecided → Medium
Changed in linux (Ubuntu Jammy):
status: Incomplete → In Progress
Changed in linux (Ubuntu Impish):
status: Incomplete → In Progress
Changed in linux (Ubuntu Impish):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Jammy):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux-hwe-5.13/5.13.0-46.51~20.04.1 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.15.0-36.37 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-jammy' to 'verification-done-jammy'. If the problem still exists, change the tag 'verification-needed-jammy' to 'verification-failed-jammy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-jammy
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the linux/5.13.0-52.59 kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-impish' to 'verification-done-impish'. If the problem still exists, change the tag 'verification-needed-impish' to 'verification-failed-impish'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-impish
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.13.0-52.59

---------------
linux (5.13.0-52.59) impish; urgency=medium

  * impish/linux: 5.13.0-52.59 -proposed tracker (LP: #1978628)

  * CVE-2022-28388
    - can: usb_8dev: usb_8dev_start_xmit(): fix double dev_kfree_skb() in error
      path

  * test_vxlan_under_vrf.sh in net from ubuntu_kernel_selftests failed (Check VM
    connectivity through VXLAN (underlay in the default VRF) [FAIL])
    (LP: #1871015)
    - selftests: net: test_vxlan_under_vrf: fix HV connectivity test
    - selftests: test_vxlan_under_vrf: Fix broken test case

  * [UBUNTU 20.04] CPU-MF: add extended counter set definitions for new IBM z16
    (LP: #1974433)
    - s390/cpumf: add new extended counter set for IBM z16

  * [UBUNTU 20.04] KVM nesting support leaks too much memory, might result in
    stalls during cleanup (LP: #1974017)
    - KVM: s390: vsie/gmap: reduce gmap_rmap overhead

  * [UBUNTU 20.04] Null Pointer issue in nfs code running Ubuntu on IBM Z
    (LP: #1968096)
    - NFS: Fix up nfs_ctx_key_to_expire()

  * prevent kernel panic with overlayfs + shiftfs (LP: #1973620)
    - SAUCE: overlayfs: prevent dereferencing struct file in ovl_vm_prfile_set()

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2022.05.30)

 -- Luke Nowakowski-Krijger <email address hidden> Wed, 15 Jun 2022 12:56:23 -0700

Changed in linux (Ubuntu Impish):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (5.0 KiB)

This bug was fixed in the package linux - 5.15.0-40.43

---------------
linux (5.15.0-40.43) jammy; urgency=medium

  * jammy/linux: 5.15.0-40.43 -proposed tracker (LP: #1978610)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2022.05.30)

  * [SRU][OEM-5.14/OEM-5.17/J][PATCH 0/2] Fix system hangs after s2idle on AMD
    A+A GPU (LP: #1975804)
    - Revert "drm/amd/pm: keep the BACO feature enabled for suspend"
    - drm/amd: Don't reset dGPUs if the system is going to s2idle

  * [SRU][OEM-5.14/OEM-5.17/J][PATCH 0/1] Read the discovery registers for
    AMD_SFH (LP: #1975798)
    - HID: amd_sfh: Add support for sensor discovery

  * [UBUNTU 20.04] CPU-MF: add extended counter set definitions for new IBM z16
    (LP: #1974433)
    - s390/cpumf: add new extended counter set for IBM z16

  * [UBUNTU 20.04] KVM nesting support leaks too much memory, might result in
    stalls during cleanup (LP: #1974017)
    - KVM: s390: vsie/gmap: reduce gmap_rmap overhead

  * [UBUNTU 20.04] Null Pointer issue in nfs code running Ubuntu on IBM Z
    (LP: #1968096)
    - NFS: Fix up nfs_ctx_key_to_expire()

  * Fix REG_WAIT timeout for Yellow Carp (LP: #1971417)
    - drm/amd/display: Clear encoder assignments when state cleared.
    - drm/amd/display: fix stale info in link encoder assignment
    - drm/amd/display: Query all entries in assignment table during updates.
    - drm/amd/display: Initialise encoder assignment when initialising dc_state

  * Enable hotspot feature for Realtek 8821CE (LP: #1969326)
    - rtw88: Add update beacon flow for AP mode
    - rtw88: 8821c: Enable TX report for management frames
    - rtw88: do PHY calibration while starting AP
    - rtw88: 8821c: fix debugfs rssi value
    - rtw88: add ieee80211:sta_rc_update ops

  * prevent kernel panic with overlayfs + shiftfs (LP: #1973620)
    - SAUCE: overlayfs: prevent dereferencing struct file in ovl_vm_prfile_set()

  * disable Intel DMA remapping by default (LP: #1971699)
    - Revert "UBUNTU: [Config] enable Intel DMA remapping options by default"

  * Mute/mic LEDs no function on Elitebook 630 (LP: #1974111)
    - ALSA: hda/realtek: fix right sounds and mute/micmute LEDs for HP machine

  * [Regression] Real-time Kernel Build Failure (LP: #1972899)
    - x86/mm: Include spinlock_t definition in pgtable.

  * build backport-iwlwifi-dkms as linux-modules-iwlwifi-ABI (LP: #1969434)
    - [Packaging] support standalone dkms module builds
    - [Packaging] drop do_<mod> arch specific configs

  * IPU6 camera has no function on Andrews MLK (LP: #1964983)
    - SAUCE: IPU6: 2022-03-11 alpha release for Andrews MLK
    - [Config] IPU6: enable OV02C10 sensor
    - SAUCE: IPU6: 2022-04-01 Andrews MLK PV release
    - SAUCE: spi: ljca: return when a sub-transaction first failed
    - SACUE: ljca: disable parallelly stub write
    - SAUCE: ljca: fix race condition issue in runtime PM
    - SAUCE: i2c-ljca: fix a null pointer access issue on tgl
    - SAUCE: ljca: fix a typo issue
    - SAUCE: ljca: assume stub enum failed as a warning
    - SAUCE: mei: cleanup header file including
    - SAUCE: intel_ulpss: Replaced by LJCA and remove
    ...

Read more...

Changed in linux (Ubuntu Jammy):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.19.0-15.15

---------------
linux (5.19.0-15.15) kinetic; urgency=medium

  * kinetic/linux: 5.19.0-15.15 -proposed tracker (LP: #1983335)

  * Miscellaneous Ubuntu changes
    - [Config] update annotations to support both gcc-11 and gcc-12

 -- Andrea Righi <email address hidden> Tue, 02 Aug 2022 09:23:01 +0200

Changed in linux (Ubuntu Kinetic):
status: Incomplete → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers