srcname from mount rule corrupted under load

Bug #1634753 reported by Jamie Strandboge on 2016-10-19
Affects              Importance   Assigned to
AppArmor             Critical     John Johansen
linux (Ubuntu)       Critical     Unassigned
  Precise            Undecided    Unassigned
  Trusty             High         Unassigned
  Xenial             Critical     Unassigned
  Yakkety            Critical     Unassigned

Bug Description

This came up in snapd spread tests but can be reproduced with:

In an up-to-date i386 16.04 VM:

1. in one terminal, run this:

$ cat reproducer.sh
#!/bin/sh
set -e
# Don't let the kernel rate-limit printk, so no DENIED message is dropped
sudo sysctl -w kernel.printk_ratelimit=0
sudo snap install hello-world || true

count=0
while /bin/true ; do
    count=$((count+1))
    if [ $((count % 100)) -eq 0 ]; then
        echo "$count runs"
    fi
    # Each run triggers the snap's mount rules; stop at the first denial
    hello-world > /dev/null || {
      tail -100 /var/log/syslog | grep DEN && exit
    }
    # Discard the cached mount namespace if it is missing, so the next
    # run has to set it up (and apply the mount rules) again
    sudo cat /run/snapd/ns/hello-world.mnt 2>/dev/null || sudo /usr/lib/snapd/snap-discard-ns hello-world
done

2. in another terminal, keep reloading all profiles:
$ while /bin/true; do sudo apparmor_parser -r /etc/apparmor.d/* >/dev/null 2>&1; done

3. In another terminal, watch for denials:
$ tail -f /var/log/syslog | grep DEN

This is not limited to i386.
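Step 3 above only greps for "DEN". A slightly sharper check, added here as an example and not part of the bug report, parses the AppArmor audit lines from syslog into key/value fields, keeps only denied mount operations, and flags srcname values that contain bytes no profile would have written. The sample log lines are constructed for the example (the key=value layout follows the AppArmor audit format; the hex-encoded form is how audit emits an untrusted string that contains non-printable bytes); the corruption heuristic is an assumption, since the report does not show what a corrupted srcname looked like.

```python
import re
from typing import Dict, Iterable, List, Optional

# key=value or key="quoted value" tokens as emitted in AppArmor audit lines
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# audit hex-encodes (unquoted) a string value that holds non-printable bytes
HEX_RE = re.compile(r'(?:[0-9A-Fa-f]{2})+')
# keys whose values are strings, so a bare hex run can safely be decoded
STRING_KEYS = ('srcname', 'name', 'comm', 'profile')


def parse_apparmor_line(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an AppArmor audit line, or None if it is not one."""
    if 'apparmor=' not in line:
        return None
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == raw[-1] == '"':
            fields[key] = raw[1:-1]
        elif key in STRING_KEYS and HEX_RE.fullmatch(raw):
            # decode the hex form; latin-1 keeps every byte as one character
            fields[key] = bytes.fromhex(raw).decode('latin-1')
        else:
            fields[key] = raw
    return fields


def looks_corrupted(value: str) -> bool:
    """Heuristic (assumption): a source path with bytes outside printable ASCII
    did not come from any mount rule in a loaded profile."""
    return any(not (0x20 <= ord(c) < 0x7F) for c in value)


def denied_mounts(lines: Iterable[str]) -> List[Dict[str, str]]:
    """All DENIED mount operations found in the given log lines."""
    out: List[Dict[str, str]] = []
    for line in lines:
        fields = parse_apparmor_line(line)
        if fields and fields.get('apparmor') == 'DENIED' and fields.get('operation') == 'mount':
            out.append(fields)
    return out


def suspicious_srcnames(lines: Iterable[str]) -> List[str]:
    """srcname values of denied mounts that fail the corruption heuristic."""
    return [f['srcname'] for f in denied_mounts(lines)
            if 'srcname' in f and looks_corrupted(f['srcname'])]


# Constructed sample syslog lines (not taken from the bug report)
SAMPLE_SYSLOG = [
    # 1: a mount denial with a plausible srcname
    'Oct 19 12:00:01 xenial kernel: [  123.456789] audit: type=1400 audit(1476878401.123:45): '
    'apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 '
    'profile="snap.hello-world.hello-world" name="/tmp/snap.rootfs_x1/" pid=1234 '
    'comm="snap-confine" srcname="/snap/hello-world/27/" flags="rw, bind"',
    # 2: a file-open denial, not a mount
    'Oct 19 12:00:02 xenial kernel: [  124.000000] audit: type=1400 audit(1476878402.000:46): '
    'apparmor="DENIED" operation="open" profile="snap.hello-world.hello-world" '
    'name="/etc/shadow" pid=1235 comm="cat" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0',
    # 3: a mount denial whose srcname carried a 0x01 byte, so audit hex-encoded it
    'Oct 19 12:00:03 xenial kernel: [  125.000000] audit: type=1400 audit(1476878403.000:47): '
    'apparmor="DENIED" operation="mount" info="failed srcname match" error=-13 '
    'profile="snap.hello-world.hello-world" name="/tmp/snap.rootfs_x1/" pid=1236 '
    'comm="snap-confine" srcname=2F736E61702F686501 flags="rw, bind"',
    # 4: an allowed (complain-mode) mount, ignored
    'Oct 19 12:00:04 xenial kernel: [  126.000000] audit: type=1400 audit(1476878404.000:48): '
    'apparmor="ALLOWED" operation="mount" profile="snap.hello-world.hello-world" '
    'name="/tmp/snap.rootfs_x1/" pid=1237 comm="snap-confine" srcname="/snap/hello-world/27/" flags="rw, bind"',
    # 5: an unrelated line
    'Oct 19 12:00:05 xenial systemd[1]: Started Snappy daemon.',
]

if __name__ == '__main__':
    for fields in denied_mounts(SAMPLE_SYSLOG):
        mark = 'SUSPICIOUS' if looks_corrupted(fields.get('srcname', '')) else 'ok'
        print(f"{mark}: pid={fields.get('pid')} srcname={fields.get('srcname')!r}")
```

Run against a live system with `tail -f /var/log/syslog | python3 -c '...'` or by passing `sys.stdin` to `suspicious_srcnames`; anything it flags while the reproducer and the parser reload loop are running is a candidate for the corruption described here, while a clean srcname in a denial is just an ordinary policy miss.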

Changed in linux (Ubuntu):
status: New → Triaged
Changed in linux (Ubuntu Xenial):
status: New → Triaged
Changed in linux (Ubuntu Yakkety):
status: New → Triaged
Changed in linux (Ubuntu):
importance: Undecided → Critical
Changed in linux (Ubuntu Xenial):
importance: Undecided → Critical
Changed in linux (Ubuntu Yakkety):
importance: Undecided → Critical
Seth Arnold (seth-arnold) wrote :

Is _only_ srcname being corrupted?

Back In The Day it was common for the kernel ring buffer for messages to overflow and overwrite messages, but of course it did not care what was being overwritten.

The kernel ring buffer is larger now, so it should be less common, but not impossible if the logging device is too slow to keep up with the rate of message generation.

If log messages must be kept intact, perhaps auditd makes more sense.

Or is something else going on?

Thanks

Changed in linux (Ubuntu Yakkety):
status: Triaged → Invalid
Changed in linux (Ubuntu Trusty):
status: New → Triaged
Changed in linux (Ubuntu Precise):
status: New → Invalid
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
tags: added: kernel-da-key
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-45.66

---------------
linux (4.4.0-45.66) xenial; urgency=low

  * CVE-2016-5195
    - SAUCE: mm: remove gup_flags FOLL_WRITE games from __get_user_pages()

  * srcname from mount rule corrupted under load (LP: #1634753)
    - SAUCE: apparmor: fix sleep in critical section

 -- Stefan Bader <email address hidden> Wed, 19 Oct 2016 11:24:20 +0200

Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Released
status: Triaged → Fix Released
Tim Gardner (timg-tpi) on 2016-10-26
Changed in linux (Ubuntu Trusty):
status: Triaged → Fix Committed
Luis Henriques (henrix) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Po-Hsu Lin (cypressyew) wrote :

To verify this bug on Trusty, we will need to verify this one first https://bugs.launchpad.net/ubuntu/trusty/+source/systemd/+bug/1616422

And since snapd is not officially available on Trusty (not even in proposed yet), I think it's ok to skip the verification task for Trusty.

Luis, can you confirm whether we need to verify this on Trusty?
Thanks!

Po-Hsu Lin (cypressyew) wrote :

Now I can run snap on Trusty from lp:1616422

I tried the steps described in the bug, but I don't know what the expected output is:

I got this from reproducer.sh:
1300 runs
cannot change apparmor hat of the support process for mount namespace capture. errmsg: No child processes
support process for mount namespace capture exited abnormally

Nothing from steps 2 and 3.

description: updated
John Johansen (jjohansen) wrote :

I have done some light testing on this, trying to develop a non-snap-based test to verify it. The test is nowhere near as reliable as the snappy test. I haven't been able to trigger the bug on the new kernel yet, with the caveat that it could just be the test. I am inclined to declare this verified.

tags: added: verification-done-trusty
removed: verification-needed-trusty

The verification of the Stable Release Update for linux-lts-trusty has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-103.150

---------------
linux (3.13.0-103.150) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1644489

  * Possible regression on 3.13.0-102.149~precise1 x86_64 (gce) (LP: #1644302)
    - SAUCE: apparmor: delete extra variable dev_path

linux (3.13.0-102.149) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1640581

  * lxc-attach to malicious container allows access to host (LP: #1639345)
    - Revert "UBUNTU: ptrace: being capable wrt a process requires mapped
      uids/gids"
    - (upstream) mm: Add a user_ns owner to mm_struct and fix ptrace permission
      checks

  * Syntax error extra parenthesis linux-headers-3.13.0-100/Makefile
    (LP: #1636625)
    - Makefile: fix extra parenthesis typo when CC_STACKPROTECTOR_REGULAR is
      enabled

  * Add a driver for Amazon Elastic Network Adapters (ENA) (LP: #1635721)
    - lib/bitmap.c: conversion routines to/from u32 array
    - kernel.h: define u8, s8, u32, etc. limits
    - net: ethtool: add new ETHTOOL_xLINKSETTINGS API
    - PCI/MSI: Add pci_msix_vec_count()
    - etherdevice: Use ether_addr_copy to copy an Ethernet address
    - net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)
    - [config] enable CONFIG_ENA_ETHERNET=m (Amazon ENA driver)

  * CVE-2016-8658
    - brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()

  * CVE-2016-7425
    - scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()

  * srcname from mount rule corrupted under load (LP: #1634753)
    - SAUCE: apparmor: fix sleep in critical section

  * ghash-clmulni-intel module fails to load (LP: #1633058)
    - crypto: ghash-clmulni - Fix load failure
    - crypto: cryptd - Assign statesize properly

 -- Luis Henriques <email address hidden> Thu, 24 Nov 2016 09:56:54 +0000

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Changed in apparmor:
status: In Progress → Invalid
Changed in linux (Ubuntu):
status: Triaged → Fix Released