[apparmor] [Bug 789409] Re: /proc/[PID]/attr/current overwrite Null pointer dereference
John Johansen
john.johansen at canonical.com
Wed Jun 15 22:03:19 UTC 2011
** Description changed:
+ SRU Justification:
+
+ Impact: Crashes application attempting improperly formatted write to
+ /proc/<pid>/attr/current
+
+ Fix: Upstream commit a5b2c5b2ad5853591a6cac6134cd0f599a720865
+
+ Test Case: echo 'AAA AAA' > /proc/$$/attr/current
+ The terminal/shell/tab the command is run in will crash and a kernel Bug will be logged
+
+ ===
+
test case (from gnome-terminal+bash):
- emanuel at emanuel-desktop:~$ echo 'AAA AAA' > /proc/$$/attr/current # the tab crashed
+ emanuel at emanuel-desktop:~$ echo 'AAA AAA' > /proc/$$/attr/current # the tab crashed
emanuel at emanuel-desktop:~$ dmesg | tail -n 28 # on other tab in gnome-terminal
[107353.169116] ------------[ cut here ]------------
[107353.169142] kernel BUG at /build/buildd/linux-2.6.38/security/apparmor/audit.c:183!
- [107353.169159] invalid opcode: 0000 [#7] SMP
+ [107353.169159] invalid opcode: 0000 [#7] SMP
[107353.169176] last sysfs file: /sys/devices/pci0000:00/0000:00:0d.0/host2/target2:0:0/2:0:0:0/block/sda/sda1/uevent
[107353.169193] Modules linked in: nls_utf8 isofs vesafb binfmt_misc vboxsf snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq ppdev snd_timer snd_seq_device snd joydev psmouse parport_pc serio_raw vboxguest soundcore i2c_piix4 snd_page_alloc lp parport usbhid ahci hid e1000 libahci
- [107353.169251]
+ [107353.169251]
[107353.169268] Pid: 8851, comm: bash Tainted: G D 2.6.38-8-generic #42-Ubuntu innotek GmbH VirtualBox
[107353.169289] EIP: 0060:[<c1244939>] EFLAGS: 00210246 CPU: 0
[107353.169313] EIP is at aa_audit+0x129/0x160
[107353.169329] EAX: 00000002 EBX: f2c35eb4 ECX: 000000d0 EDX: 00000000
[107353.169344] ESI: 00000008 EDI: f2c35f1c EBP: f2c35e90 ESP: f2c35e84
[107353.169360] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[107353.169376] Process bash (pid: 8851, ti=f2c34000 task=c6c01940 task.ti=f2c34000)
[107353.169389] Stack:
[107353.169402] 00000004 00000008 f2c35f1c f2c35f2c c1249a95 f2c35eb4 00000000 d0e4e000
[107353.169424] 00000000 d0e4e004 d0dd0aa4 d0e4e004 00000007 00000000 00000000 00000000
[107353.169784] 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[107353.169808] Call Trace:
[107353.169832] [<c1249a95>] apparmor_setprocattr+0x205/0x210
[107353.169856] [<c121c40e>] security_setprocattr+0x1e/0x30
[107353.169877] [<c1171c26>] proc_pid_attr_write+0xe6/0x100
[107353.169896] [<c11271a2>] vfs_write+0xa2/0x170
[107353.169915] [<c1171b40>] ? proc_pid_attr_write+0x0/0x100
[107353.169932] [<c1127482>] sys_write+0x42/0x70
[107353.169955] [<c1509bf4>] syscall_call+0x7/0xb
- [107353.169969] Code: 00 00 8b 4b 04 85 c9 74 19 31 d2 b8 09 00 00 00 e8 2d cb e1 ff 8b 43 40 e9 62 ff ff ff 90 8d 74 26 00 64 8b 0d ec 54 83 c1 eb de <0f> 0b 83 3d 18 a2 90 c1 01 74 16 83 7a 3c 01 74 10 8b 0d 1c a2
+ [107353.169969] Code: 00 00 8b 4b 04 85 c9 74 19 31 d2 b8 09 00 00 00 e8 2d cb e1 ff 8b 43 40 e9 62 ff ff ff 90 8d 74 26 00 64 8b 0d ec 54 83 c1 eb de <0f> 0b 83 3d 18 a2 90 c1 01 74 16 83 7a 3c 01 74 10 8b 0d 1c a2
[107353.170048] EIP: [<c1244939>] aa_audit+0x129/0x160 SS:ESP 0068:f2c35e84
[107353.170073] ---[ end trace 824fc722cb1d8e19 ]---
tested on : Ubuntu 11.04 32 bit inside VirtualBox .
https://bugs.launchpad.net/bugs/789409
Title:
/proc/[PID]/attr/current overwrite Null pointer dereference
Status in AppArmor Linux application security framework:
Triaged
Status in “linux” package in Ubuntu:
New
Bug description:
SRU Justification:

Impact: Crashes application attempting improperly formatted write to /proc/<pid>/attr/current

Fix: Upstream commit a5b2c5b2ad5853591a6cac6134cd0f599a720865

Test Case: echo 'AAA AAA' > /proc/$$/attr/current
The terminal/shell/tab the command is run in will crash and a kernel Bug will be logged

===

test case (from gnome-terminal+bash):
emanuel@emanuel-desktop:~$ echo 'AAA AAA' > /proc/$$/attr/current # the tab crashed
emanuel@emanuel-desktop:~$ dmesg | tail -n 28 # on other tab in gnome-terminal
[107353.169116] ------------[ cut here ]------------
[107353.169142] kernel BUG at /build/buildd/linux-2.6.38/security/apparmor/audit.c:183!
[107353.169159] invalid opcode: 0000 [#7] SMP
[107353.169176] last sysfs file: /sys/devices/pci0000:00/0000:00:0d.0/host2/target2:0:0/2:0:0:0/block/sda/sda1/uevent
[107353.169193] Modules linked in: nls_utf8 isofs vesafb binfmt_misc vboxsf snd_intel8x0 snd_ac97_codec ac97_bus snd_pcm snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq ppdev snd_timer snd_seq_device snd joydev psmouse parport_pc serio_raw vboxguest soundcore i2c_piix4 snd_page_alloc lp parport usbhid ahci hid e1000 libahci
[107353.169251]
[107353.169268] Pid: 8851, comm: bash Tainted: G D 2.6.38-8-generic #42-Ubuntu innotek GmbH VirtualBox
[107353.169289] EIP: 0060:[<c1244939>] EFLAGS: 00210246 CPU: 0
[107353.169313] EIP is at aa_audit+0x129/0x160
[107353.169329] EAX: 00000002 EBX: f2c35eb4 ECX: 000000d0 EDX: 00000000
[107353.169344] ESI: 00000008 EDI: f2c35f1c EBP: f2c35e90 ESP: f2c35e84
[107353.169360] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
[107353.169376] Process bash (pid: 8851, ti=f2c34000 task=c6c01940 task.ti=f2c34000)
[107353.169389] Stack:
[107353.169402] 00000004 00000008 f2c35f1c f2c35f2c c1249a95 f2c35eb4 00000000 d0e4e000
[107353.169424] 00000000 d0e4e004 d0dd0aa4 d0e4e004 00000007 00000000 00000000 00000000
[107353.169784] 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
[107353.169808] Call Trace:
[107353.169832] [<c1249a95>] apparmor_setprocattr+0x205/0x210
[107353.169856] [<c121c40e>] security_setprocattr+0x1e/0x30
[107353.169877] [<c1171c26>] proc_pid_attr_write+0xe6/0x100
[107353.169896] [<c11271a2>] vfs_write+0xa2/0x170
[107353.169915] [<c1171b40>] ? proc_pid_attr_write+0x0/0x100
[107353.169932] [<c1127482>] sys_write+0x42/0x70
[107353.169955] [<c1509bf4>] syscall_call+0x7/0xb
[107353.169969] Code: 00 00 8b 4b 04 85 c9 74 19 31 d2 b8 09 00 00 00 e8 2d cb e1 ff 8b 43 40 e9 62 ff ff ff 90 8d 74 26 00 64 8b 0d ec 54 83 c1 eb de <0f> 0b 83 3d 18 a2 90 c1 01 74 16 83 7a 3c 01 74 10 8b 0d 1c a2
[107353.170048] EIP: [<c1244939>] aa_audit+0x129/0x160 SS:ESP 0068:f2c35e84
[107353.170073] ---[ end trace 824fc722cb1d8e19 ]---
Tested on: Ubuntu 11.04 32 bit inside VirtualBox.
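
Added example (not part of the bug report or of AppArmor's code): a Python triage helper that picks this oops signature out of dmesg text, namely a kernel BUG in security/apparmor/audit.c reached through the /proc attr write path. The embedded sample is abridged from the trace above; the function names and the reliance on the 32-bit "EIP is at" line format are assumptions of this example.

```python
import re

# Constructed sample: lines abridged from the oops quoted in this report.
SAMPLE_DMESG = """\
[107353.169142] kernel BUG at /build/buildd/linux-2.6.38/security/apparmor/audit.c:183!
[107353.169268] Pid: 8851, comm: bash Tainted: G D 2.6.38-8-generic #42-Ubuntu
[107353.169313] EIP is at aa_audit+0x129/0x160
[107353.169832] [<c1249a95>] apparmor_setprocattr+0x205/0x210
[107353.169856] [<c121c40e>] security_setprocattr+0x1e/0x30
[107353.169877] [<c1171c26>] proc_pid_attr_write+0xe6/0x100
[107353.169915] [<c1171b40>] ? proc_pid_attr_write+0x0/0x100
[107353.169932] [<c1127482>] sys_write+0x42/0x70
[107353.170073] ---[ end trace 824fc722cb1d8e19 ]---
"""

TS = r"^\[\s*\d+\.\d+\]\s+"  # dmesg timestamp prefix
BUG_RE = re.compile(TS + r"kernel BUG at (\S+):(\d+)!")
PID_RE = re.compile(TS + r"Pid: (\d+), comm: (\S+)")
IP_RE = re.compile(TS + r"EIP is at (\w+)\+")
FRAME_RE = re.compile(TS + r"\[<[0-9a-f]+>\] (\? )?([\w.]+)\+0x")
END_RE = re.compile(TS + r"---\[ end trace")
# Write path into the AppArmor hook, innermost frame first, as in the report.
SETPROCATTR_PATH = ("apparmor_setprocattr", "security_setprocattr", "proc_pid_attr_write")

def parse_oopses(text):
    """Return one dict per 'kernel BUG at' report found in dmesg text."""
    oopses, cur = [], None
    for line in text.splitlines():
        if m := BUG_RE.match(line):
            cur = {"file": m[1], "line": int(m[2]), "pid": None,
                   "comm": None, "ip": None, "trace": []}
            oopses.append(cur)
        elif cur is None:
            continue  # ignore everything outside an oops
        elif m := PID_RE.match(line):
            cur["pid"], cur["comm"] = int(m[1]), m[2]
        elif m := IP_RE.match(line):
            cur["ip"] = m[1]
        elif (m := FRAME_RE.match(line)) and not m[1]:
            cur["trace"].append(m[2])  # '?' frames are unreliable and skipped
        elif END_RE.match(line):
            cur = None
    return oopses

def is_setprocattr_bug(oops):
    """True when the BUG fired in AppArmor audit code via a procattr write."""
    frames = iter(oops["trace"])
    on_path = all(sym in frames for sym in SETPROCATTR_PATH)  # ordered match
    return oops["file"].endswith("security/apparmor/audit.c") and on_path
```

Feeding it the output of `dmesg` on a fleet host gives a quick way to tell whether a logged BUG matches this report before scheduling the kernel update that carries the fix.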