| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 27 Nov 2017 10:08:55 -0800
From: John Johansen <john.johansen@...onical.com>
To: Shuah Khan <shuahkh@....samsung.com>
Cc: torvalds@...ux-foundation.org, linux-kernel@...r.kernel.org
Subject: Re: Linux 4.14 - BUG: unable to handle kernel paging request at
ffffffff3bbbe160 IP: audit_signal_cb+0x75/0xf0
On 11/21/2017 04:28 PM, Shuah Khan wrote:
> On 11/21/2017 04:53 PM, John Johansen wrote:
>> On 11/21/2017 10:02 AM, Shuah Khan wrote:
>>> On 11/21/2017 10:44 AM, John Johansen wrote:
>>>> On 11/21/2017 08:58 AM, Shuah Khan wrote:
>>>>> Hi John,
>>>>>
>>>>> I am seeing the following on my laptop. Unfortunately this is my primary
>>>>> system and my ability to bisect might be a bit limited. The system is
>>>>> running
>>>>>
>>>>> 4.14.0+ #4 SMP Tue Nov 14 19:25:58 MST 2017 x86_64 x86_64 x86_64 GNU/Linux
>>>>>
>>>>> on Ubuntu 17.10 base.
>>>>>
>>>>> Is this a known issue? Please see the dmesg excerpts below:
>>>>>
>>>> Its not. I'll start looking into it today
>>>>
>>>> Do you have any other information that you can send to me?
>>>>
>>>> Any particular task/work load that triggers this?
>>>> Can you tar up your /etc/apparmor.d/ and send that to me?
>>>>
>>>>
>>>
>>> Yeah. I forgot mention that detail :)
>>>
>> So my first attempts to replicate have failed.
>>
>> Can you confirm the sha of your kernel build? If its has some none upstream patches can you provide the sha your kernel is based on.
>>
>> My testing so far were based on bebc6082da0a9f5d47a1ea2edc099bf671058bd4
>>
>>
>> Can you also send me your kernel config so I can better replicate your build
>>
>
> commit bebc6082da0a9f5d47a1ea2edc099bf671058bd4 (tag: v4.14)
> Author: Linus Torvalds <torvalds@...ux-foundation.org>
> Date: Sun Nov 12 10:46:13 2017 -0800
>
> Linux 4.14
>
> The above is the top commit in my tree. Config attached.
>
thanks Shuah,
find below the latest revision of the patch. Nothing has changed code
wise but I have added Tested-by: entries for the 3 people of have
tested it and reported it working for them, and also added Cc: stable
entry.
---
>From d198240cace036c7d1e502fd20fe416df4fd8c24 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@...onical.com>
Date: Wed, 22 Nov 2017 07:33:38 -0800
Subject: [PATCH] apparmor: fix oops in audit_signal_cb hook
The apparmor_audit_data struct ordering got messed up during a merge
conflict, resulting in the signal integer and peer pointer being in
a union instead of a struct together.
For most of the 4.13 and 4.14 life cycle, this was hidden by commit
651e28c5537abb39076d3949fb7618536f1d242e which fixed the
apparmor_audit_data struct when its data was added. When that commit
was reverted in -rc7 the signal audit bug was exposed, and
unfortunately it never showed up in any of the testing until after
4.14 was released, and Shaun Khan, Zephaniah E. Loss-Cutler-Hull filed
nearly simultaneous bug reports (with different oopes, the smaller of
which is included below).
Full credit goes to Tetsuo Handa for jumping on this as well and
noticing the audit data struct problem and reporting it.
Alright, trying again, this time with my mail settings to actually send
as plain text, and with some more detail.
I am running Ubuntu 16.04, with a mainline 4.14 kernel.
[ 76.178568] BUG: unable to handle kernel paging request at
ffffffff0eee3bc0
[ 76.178579] IP: audit_signal_cb+0x6c/0xe0
[ 76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0
[ 76.178586] Oops: 0000 [#1] PREEMPT SMP
[ 76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb
btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables
xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack
iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw
iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher
nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel
[ 76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted
4.14.0-f1-dirty #135
[ 76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio
9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015
[ 76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000
[ 76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0
[ 76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292
[ 76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX:
0000000000000000
[ 76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI:
ffff9c7a9493d800
[ 76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09:
ffffa09b02a4fc46
[ 76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12:
ffffa09b02a4fd40
[ 76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15:
0000000000000001
[ 76.178646] FS: 00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000)
knlGS:0000000000000000
[ 76.178648] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4:
00000000001606f0
[ 76.178652] Call Trace:
[ 76.178660] common_lsm_audit+0x1da/0x780
[ 76.178665] ? d_absolute_path+0x60/0x90
[ 76.178669] ? aa_check_perms+0xcd/0xe0
[ 76.178672] aa_check_perms+0xcd/0xe0
[ 76.178675] profile_signal_perm.part.0+0x90/0xa0
[ 76.178679] aa_may_signal+0x16e/0x1b0
[ 76.178686] apparmor_task_kill+0x51/0x120
[ 76.178690] security_task_kill+0x44/0x60
[ 76.178695] group_send_sig_info+0x25/0x60
[ 76.178699] kill_pid_info+0x36/0x60
[ 76.178703] SYSC_kill+0xdb/0x180
[ 76.178707] ? preempt_count_sub+0x92/0xd0
[ 76.178712] ? _raw_write_unlock_irq+0x13/0x30
[ 76.178716] ? task_work_run+0x6a/0x90
[ 76.178720] ? exit_to_usermode_loop+0x80/0xa0
[ 76.178723] entry_SYSCALL_64_fastpath+0x13/0x94
[ 76.178727] RIP: 0033:0x7f8b0e58b767
[ 76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX:
000000000000003e
[ 76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX:
00007f8b0e58b767
[ 76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
000000000000263b
[ 76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09:
0000000000000001
[ 76.178739] R10: 000000000000022d R11: 0000000000000206 R12:
0000000000000000
[ 76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15:
0000000000000000
[ 76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b
42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd
00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35
[ 76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08
[ 76.178796] CR2: ffffffff0eee3bc0
[ 76.178799] ---[ end trace 514af9529297f1a3 ]---
Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals")
Reported-by: Zephaniah E. Loss-Cutler-Hull <warp-spam_kernel@...allh.com>
Reported-by: Shuah Khan <shuahkh@....samsung.com>
Suggested-by: Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>
Tested-by: Ivan Kozik <ivan@...ios.org>
Tested-by: Zephaniah E. Loss-Cutler-Hull <warp-spam_kernel@...allh.com>
Tested-by: Christian Boltz <apparmor@...ltz.de>
Cc: stable@...r.kernel.org
Signed-off-by: John Johansen <john.johansen@...onical.com>
---
security/apparmor/include/audit.h | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 620e81169659..4ac095118717 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -121,17 +121,19 @@ struct apparmor_audit_data {
/* these entries require a custom callback fn */
struct {
struct aa_label *peer;
- struct {
- const char *target;
- kuid_t ouid;
- } fs;
+ union {
+ struct {
+ const char *target;
+ kuid_t ouid;
+ } fs;
+ int signal;
+ };
};
struct {
struct aa_profile *profile;
const char *ns;
long pos;
} iface;
- int signal;
struct {
int rlim;
unsigned long max;
--
2.11.0
Powered by blists - more mailing lists