Date | Who | What | Old value | New value | Message
2021-10-22 14:58:09 | Mauricio Faria de Oliveira | bug | | | added bug
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | nominated for series | | Ubuntu Jammy |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | bug task added | | linux (Ubuntu Jammy) |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | nominated for series | | Ubuntu Focal |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | bug task added | | linux (Ubuntu Focal) |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | nominated for series | | Ubuntu Impish |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | bug task added | | linux (Ubuntu Impish) |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | nominated for series | | Ubuntu Bionic |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | bug task added | | linux (Ubuntu Bionic) |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | nominated for series | | Ubuntu Hirsute |
2021-10-22 14:58:23 | Mauricio Faria de Oliveira | bug task added | | linux (Ubuntu Hirsute) |
2021-10-22 14:58:35 | Mauricio Faria de Oliveira | linux (Ubuntu Jammy): status | New | Invalid |
2021-10-22 14:58:38 | Mauricio Faria de Oliveira | linux (Ubuntu Impish): status | New | Invalid |
2021-10-22 14:58:46 | Mauricio Faria de Oliveira | linux (Ubuntu Hirsute): status | New | In Progress |
2021-10-22 14:58:53 | Mauricio Faria de Oliveira | linux (Ubuntu Hirsute): importance | Undecided | Low |
2021-10-22 14:58:55 | Mauricio Faria de Oliveira | linux (Ubuntu Hirsute): assignee | | Mauricio Faria de Oliveira (mfo) |
2021-10-22 14:58:59 | Mauricio Faria de Oliveira | linux (Ubuntu Focal): status | New | In Progress |
2021-10-22 14:59:02 | Mauricio Faria de Oliveira | linux (Ubuntu Focal): importance | Undecided | Low |
2021-10-22 14:59:04 | Mauricio Faria de Oliveira | linux (Ubuntu Focal): assignee | | Mauricio Faria de Oliveira (mfo) |
2021-10-22 14:59:07 | Mauricio Faria de Oliveira | linux (Ubuntu Bionic): status | New | In Progress |
2021-10-22 14:59:09 | Mauricio Faria de Oliveira | linux (Ubuntu Bionic): importance | Undecided | Low |
2021-10-22 14:59:12 | Mauricio Faria de Oliveira | linux (Ubuntu Bionic): assignee | | Mauricio Faria de Oliveira (mfo) |
2021-10-22 15:01:11 | Mauricio Faria de Oliveira | description |
aufs: kernel bug with apparmor and fuseblk

[Impact]
* AppArmor-enabled applications on the aufs filesystem
might hit a kernel bug when getting file attributes.
* The aufs filesystem explicitly assigns a NULL pointer
to `struct path.mnt` for `vfs_getattr()`, which calls
into AppArmor that checks `struct path.mnt->mnt_flags`,
triggering a kernel NULL pointer dereference.
* This is almost 10 years old [1,2], reproducible w/ the
Linux v3.2 kernel, but it's rare as apparently it needs
a fuseblk mount as an aufs branch, and file creation/open
(O_CREAT), with a filename that exists only in a
lower aufs branch. On Linux v5.15-rc* it doesn't need
AppArmor anymore.

[Fix]
* The patch fixing this issue does set `struct path.mnt`
properly, by taking `struct path` as parameter instead
of just `struct dentry` (and making up an incomplete
`struct path` w/ that `dentry` and `mnt = NULL`.)
* Since it changes the signature of a key, leaf function
with several callers, the patch is a bit long/refactor,
but it has been tested by the upstream aufs maintainer
with a private test-suite.

[Test Plan]
* Synthetic reproducer available in [1] and comment #1.

[Regression Potential]
* Regressions would probably manifest as kernel errors
mostly in the lookup and open paths, but more subtle
manifestations would be possible as well.
* The patch modifies a fair number of functions, even if
doing so in simple ways. The synthetic reproducer only
covers one of those functions.
* The other code paths have been tested by the maintainer
w/ the mainline kernel, and should be equivalent to our
kernel as none of such changed for cherry-pick/backport.
* The upstream aufs maintainer runs a private test suite
that covers several features and use cases of aufs, so
hopefully that provides some relief to take this patch.

[Other Info]
* Impish no longer ships aufs; no fix needed.
* Hirsute/Focal/Bionic do/need it.
* Hirsute/Focal are clean cherry-picks.
* Bionic is a trivial backport.

[1] https://sourceforge.net/p/aufs/mailman/message/37363599/
[2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic

[Kernel Traces]
BUG: kernel NULL pointer dereference, address: 0000000000000010
...
CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
RIP: 0010:aa_path_name+0x55/0x370
...
Call Trace:
? request_wait_answer+0xc4/0x200
path_name+0x60/0xe0
profile_path_perm.part.9+0x57/0xa0
aa_path_perm+0xe2/0x130
common_perm+0x59/0x130
common_perm_cond+0x4c/0x70
apparmor_inode_getattr+0x1d/0x20
security_inode_getattr+0x35/0x50
vfs_getattr+0x21/0x40
vfsub_update_h_iattr+0x95/0xb0 [aufs]
? lookup_dcache+0x44/0x70
? lookup_one_len+0x66/0x90
vfsub_lookup_one_len+0x50/0x70 [aufs]
au_sio_lkup_one+0x8e/0xa0 [aufs]
au_lkup_dentry+0x3fa/0x660 [aufs]
aufs_lookup.part.35+0x11c/0x210 [aufs]
aufs_atomic_open+0xec/0x3c0 [aufs]
path_openat+0xe30/0x16a0
? aufs_lookup+0x30/0x30 [aufs]
? path_openat+0xe30/0x16a0
? unlock_page_memcg+0x12/0x20
? filemap_map_pages+0x17d/0x3b0
do_filp_open+0x9b/0x110
? __check_object_size+0xdb/0x1b0
? __alloc_fd+0xb2/0x170
do_sys_open+0x1ba/0x2e0
? do_sys_open+0x1ba/0x2e0
__x64_sys_openat+0x20/0x30
do_syscall_64+0x5e/0x200
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4a06fa |
2021-10-22 15:10:32 | Mauricio Faria de Oliveira | linux (Ubuntu Hirsute): status | In Progress | Invalid |
2021-10-22 15:10:41 | Mauricio Faria de Oliveira | linux (Ubuntu Hirsute): status | Invalid | In Progress |
2021-10-22 15:11:27 | Mauricio Faria de Oliveira | description |
[Impact]
* AppArmor-enabled applications on the aufs filesystem
might hit a kernel bug when getting file attributes.
* The aufs filesystem explicitly assigns a NULL pointer
to `struct path.mnt` for `vfs_getattr()`, which calls
into AppArmor that checks `struct path.mnt->mnt_flags`,
triggering a kernel NULL pointer dereference.
* This is almost 10 years old [1,2], reproducible w/ the
Linux v3.2 kernel, but it's rare as apparently it needs
a fuseblk mount as an aufs branch, and file creation/open
(O_CREAT), with a filename that exists only in a
lower aufs branch. On Linux v5.15-rc* it doesn't need
AppArmor anymore.

[Fix]
* The patch fixing this issue does set `struct path.mnt`
properly, by taking `struct path` as parameter instead
of just `struct dentry` (and making up an incomplete
`struct path` w/ that `dentry` and `mnt = NULL`.)
* Since it changes the signature of a key, leaf function
with several callers, the patch is a bit long/refactor,
but it has been tested by the upstream aufs maintainer
with a private test-suite.

[Test Plan]
* Synthetic reproducer available in [1] and comment #1.

[Regression Potential]
* Regressions would probably manifest as kernel errors
mostly in the lookup and open paths, but more subtle
manifestations would be possible as well.
* The patch modifies a fair number of functions, even if
doing so in simple ways. The synthetic reproducer only
covers one of those functions.
* The other code paths have been tested by the maintainer
w/ the mainline kernel, and should be equivalent to our
kernel as none of such changed for cherry-pick/backport.
* The upstream aufs maintainer runs a private test suite
that covers several features and use cases of aufs, so
hopefully that provides some relief to take this patch.

[Other Info]
* Impish no longer ships aufs; no fix needed.
* Hirsute/Focal/Bionic do/need it. (H only for backports)
* Hirsute/Focal are clean cherry-picks.
* Bionic is a trivial backport.

[1] https://sourceforge.net/p/aufs/mailman/message/37363599/
[2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic

[Kernel Traces]
BUG: kernel NULL pointer dereference, address: 0000000000000010
...
CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure #60~18.04.1-Ubuntu
Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 090008 12/07/2018
RIP: 0010:aa_path_name+0x55/0x370
...
Call Trace:
? request_wait_answer+0xc4/0x200
path_name+0x60/0xe0
profile_path_perm.part.9+0x57/0xa0
aa_path_perm+0xe2/0x130
common_perm+0x59/0x130
common_perm_cond+0x4c/0x70
apparmor_inode_getattr+0x1d/0x20
security_inode_getattr+0x35/0x50
vfs_getattr+0x21/0x40
vfsub_update_h_iattr+0x95/0xb0 [aufs]
? lookup_dcache+0x44/0x70
? lookup_one_len+0x66/0x90
vfsub_lookup_one_len+0x50/0x70 [aufs]
au_sio_lkup_one+0x8e/0xa0 [aufs]
au_lkup_dentry+0x3fa/0x660 [aufs]
aufs_lookup.part.35+0x11c/0x210 [aufs]
aufs_atomic_open+0xec/0x3c0 [aufs]
path_openat+0xe30/0x16a0
? aufs_lookup+0x30/0x30 [aufs]
? path_openat+0xe30/0x16a0
? unlock_page_memcg+0x12/0x20
? filemap_map_pages+0x17d/0x3b0
do_filp_open+0x9b/0x110
? __check_object_size+0xdb/0x1b0
? __alloc_fd+0xb2/0x170
do_sys_open+0x1ba/0x2e0
? do_sys_open+0x1ba/0x2e0
__x64_sys_openat+0x20/0x30
do_syscall_64+0x5e/0x200
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x4a06fa |
2021-10-22 15:41:12 | Mauricio Faria de Oliveira | tags | | sts |
2021-10-22 16:35:48 | Dexuan Cui | bug | | | added subscriber Dexuan Cui
2021-11-04 16:55:55 | Kleber Sacilotto de Souza | linux (Ubuntu Bionic): status | In Progress | Fix Committed |
2021-11-04 16:55:57 | Kleber Sacilotto de Souza | linux (Ubuntu Focal): status | In Progress | Fix Committed |
2021-11-04 16:55:59 | Kleber Sacilotto de Souza | linux (Ubuntu Hirsute): status | In Progress | Fix Committed |
2021-11-09 12:39:50 | Ubuntu Kernel Bot | tags | sts | sts verification-needed-hirsute |
2021-11-09 12:42:47 | Ubuntu Kernel Bot | tags | sts verification-needed-hirsute | sts verification-needed-focal verification-needed-hirsute |
2021-11-09 12:45:59 | Ubuntu Kernel Bot | tags | sts verification-needed-focal verification-needed-hirsute | sts verification-needed-bionic verification-needed-focal verification-needed-hirsute |
2021-11-12 13:04:59 | Mauricio Faria de Oliveira | tags | sts verification-needed-bionic verification-needed-focal verification-needed-hirsute | sts verification-done-bionic verification-done-focal verification-done-hirsute |
2021-11-29 14:48:38 | Launchpad Janitor | linux (Ubuntu Bionic): status | Fix Committed | Fix Released |
2021-11-29 14:52:06 | Launchpad Janitor | linux (Ubuntu Focal): status | Fix Committed | Fix Released |
2021-11-29 14:57:38 | Launchpad Janitor | linux (Ubuntu Hirsute): status | Fix Committed | Fix Released |
2021-11-29 14:57:38 | Launchpad Janitor | cve linked | | 2021-3744 |
2021-11-29 14:57:38 | Launchpad Janitor | cve linked | | 2021-3764 |
2021-11-29 19:32:31 | Dan Hill | bug | | | added subscriber Dan Hill