[apparmor] Possible Bug

John Johansen john.johansen at canonical.com
Thu Mar 31 16:30:01 UTC 2016


On 03/31/2016 07:37 AM, Valdis.Kletnieks at vt.edu wrote:
> On Thu, 31 Mar 2016 10:04:47 -0230, Roger H Newell said:
> 
>> I think I may have stumbled upon a USB bug. Before I send it off to
> 
> Looks like an apparmor bug, not USB. Quite likely the same problem as these
> guys hit, as the traceback is the same:
> 
> http://askubuntu.com/questions/748119/ubuntu-15-10-hangs-after-suspend-resume-inspiron-7559
> https://github.com/IRATI/stack/issues/470
> (And other hits)
> 
> Seems to be a long-standing issue, that second link is from Feb 2015. On
> the other hand, all the hits appear to be in mailing lists *other* than
> ones where apparmor guys were likely to see it.
> 
> I'm adding a cc: to the apparmor guys.
> 
hrmm, the only thing apparmor is doing in this kernel here is a kzalloc and
assigning it to f_security. Expanding out the aa_alloc_file_context
abstraction (which should probably just be dropped), we get:

	/* body of apparmor_file_alloc_security() with aa_alloc_file_context() inlined */
	file->f_security = kzalloc(sizeof(struct aa_file_cxt), GFP_KERNEL);
	if (!file->f_security)
		return -ENOMEM;
	return 0;

So unless we are getting a NULL for the file, I don't see how apparmor can be
causing the NULL pointer dereference.

The kzalloc() called from apparmor could certainly be tripping this, but that
would indicate some already-existing memory corruption in the slab/slub.


>> I was having a problem mounting up a USB drive, so I had a look at
>> dmesg. The output is as follows. I'm running 4.5.0+ from gregs
>> staging-testing tree.
>>
>> [952620.256859] usb 1-6: new high-speed USB device number 4 using ehci-pci
>> [952620.389797] usb 1-6: New USB device found, idVendor=0781, idProduct=5530
>> [952620.389807] usb 1-6: New USB device strings: Mfr=1, Product=2, SerialNumber=3
>> [952620.389813] usb 1-6: Product: Cruzer
>> [952620.389818] usb 1-6: Manufacturer: SanDisk
>> [952620.389823] usb 1-6: SerialNumber: 20060876510A09733592
>> [952620.397158] BUG: unable to handle kernel NULL pointer dereference at 0000000000000805
>> [952620.397309] IP: [<ffffffff811e636b>] kmem_cache_alloc_trace+0x7b/0x1e0
>> [952620.397427] PGD 3db56067 PUD cb6cd067 PMD 0
>> [952620.397511] Oops: 0000 [#1] SMP
>> [952620.397573] Modules linked in: binfmt_misc snd_hda_codec_realtek
>> snd_hda_codec_generic snd_hda_codec_hdmi snd_hda_intel snd_hda_codec
>> snd_hda_core snd_hwdep snd_pcm snd_seq_midi snd_seq_midi_event
>> snd_rawmidi snd_seq snd_seq_device snd_timer edac_mce_amd snd joydev
>> kvm_amd input_leds edac_core kvm soundcore serio_raw k10temp i2c_piix4
>> 8250_fintek asus_atk0110 mac_hid irqbypass parport_pc ppdev lp parport
>> autofs4 pata_acpi hid_generic usbhid hid amdkfd amd_iommu_v2 radeon
>> i2c_algo_bit ttm drm_kms_helper syscopyarea sysfillrect sysimgblt
>> fb_sys_fops drm psmouse ahci pata_atiixp libahci r8169 mii wmi
>> [952620.398620] CPU: 1 PID: 18445 Comm: mtp-probe Not tainted 4.5.0+ #28
>> [952620.398726] Hardware name: System manufacturer System Product Name/M5A78L-M LX PLUS, BIOS 0402    09/20/2011
>> [952620.398884] task: ffff88009bf68d00 ti: ffff8800499f0000 task.ti: ffff8800499f0000
>> [952620.399006] RIP: 0010:[<ffffffff811e636b>]  [<ffffffff811e636b>] kmem_cache_alloc_trace+0x7b/0x1e0
>> [952620.399158] RSP: 0018:ffff8800499f3c70  EFLAGS: 00010206
>> [952620.399246] RAX: 0000000000000000 RBX: 00000000024080c0 RCX: 000000000ae98088
>> [952620.399362] RDX: 000000000ae98087 RSI: 00000000024080c0 RDI: 0000000000019b20
>> [952620.399477] RBP: ffff8800499f3cb0 R08: ffff88012fc59b20 R09: ffff88012b003cc0
>> [952620.399593] R10: 0000000000000805 R11: fefefefefefefeff R12: 00000000024080c0
>> [952620.399709] R13: ffffffff813736d3 R14: 00007f9bfa435040 R15: ffff88012b003cc0
>> [952620.399826] FS:  00007f550c9a48c0(0000) GS:ffff88012fc40000(0000) knlGS:0000000000000000
>> [952620.399956] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
>> [952620.400050] CR2: 0000000000000805 CR3: 00000000ce839000 CR4: 00000000000006e0
>> [952620.400165] Stack:
>> [952620.400201]  00000000024080c0 ffffffff8120bb2c 0000000000000002 ffff88000227d500
>> [952620.400335]  ffff88000227d500 ffff8800499f3ef4 00007f9bfa435040 ffff8800499f3de0
>> [952620.400467]  ffff8800499f3cc8 ffffffff813736d3 ffffffff81c9fe80 ffff8800499f3ce8
>> [952620.400599] Call Trace:
>> [952620.400649]  [<ffffffff8120bb2c>] ? get_empty_filp+0x5c/0x1c0
>> [952620.400748]  [<ffffffff813736d3>] apparmor_file_alloc_security+0x23/0x40
>> [952620.400861]  [<ffffffff81335b53>] security_file_alloc+0x33/0x50
>> [952620.400961]  [<ffffffff8120bb6a>] get_empty_filp+0x9a/0x1c0
>> [952620.401057]  [<ffffffff812176ce>] path_openat+0x2e/0x1400
>> [952620.401149]  [<ffffffff8121661a>] ? walk_component+0x3a/0x470
>> [952620.401246]  [<ffffffff812146c9>] ? path_init+0x1d9/0x330
>> [952620.401339]  [<ffffffff811a6e85>] ? __inc_zone_page_state+0x35/0x40
>> [952620.401444]  [<ffffffff81219454>] ? putname+0x54/0x60
>> [952620.401530]  [<ffffffff8121a38e>] do_filp_open+0x7e/0xe0
>> [952620.401620]  [<ffffffff811e64b5>] ? kmem_cache_alloc_trace+0x1c5/0x1e0
>> [952620.401728]  [<ffffffff811e629a>] ? kmem_cache_alloc+0x17a/0x1d0
>> [952620.401829]  [<ffffffff812194b6>] ? getname_flags+0x56/0x1f0
>> [952620.401924]  [<ffffffff81227606>] ? __alloc_fd+0x46/0x190
>> [952620.402016]  [<ffffffff81208984>] do_sys_open+0x124/0x210
>> [952620.402107]  [<ffffffff81207d48>] ? SyS_access+0x1e8/0x230
>> [952620.402200]  [<ffffffff81208a8e>] SyS_open+0x1e/0x20
>> [952620.402286]  [<ffffffff817ec736>] entry_SYSCALL_64_fastpath+0x1e/0xa8
>> [952620.402391] Code: 08 65 4c 03 05 3f 3e e2 7e 49 83 78 10 00 4d 8b 10 0f 84 14 01 00 00 4d 85 d2 0f 84 0b 01 00 00 49 63 41 20 48 8d 4a 01 49 8b 39 <49> 8b 1c 02 4c 89 d0 65 48 0f c7 0f 0f 94 c0 84 c0 74 bb 49 63
>> [952620.402934] RIP  [<ffffffff811e636b>] kmem_cache_alloc_trace+0x7b/0x1e0
>> [952620.403047]  RSP <ffff8800499f3c70>
>> [952620.403106] CR2: 0000000000000805
>> [952620.445606] ---[ end trace e7adb7015192b3a3 ]---
> 
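As an added illustration of the triage in the reply above (this script is not part of the thread and was written for this page): a small Python parser that pulls out of the quoted oops the pieces the reasoning relies on, namely the fault address (a small offset from NULL, i.e. a NULL base pointer plus a struct field offset), the function the RIP was in when it faulted, and the reliable frames of the call trace (frames marked `?` are stale stack values the unwinder could not verify). The sample input is an excerpt of the oops quoted in the thread; the function names and the `triage()` summary fields are my own and are not from any kernel tool.

```python
import re
from dataclasses import dataclass, field

PAGE_SIZE = 4096  # x86-64; "NULL pointer dereference" is reported for faults inside the zero page

# Excerpt of the oops quoted in the thread (constructed sample input, addresses as posted).
OOPS = """\
[952620.397158] BUG: unable to handle kernel NULL pointer dereference at 0000000000000805
[952620.397309] IP: [<ffffffff811e636b>] kmem_cache_alloc_trace+0x7b/0x1e0
[952620.397427] PGD 3db56067 PUD cb6cd067 PMD 0
[952620.397511] Oops: 0000 [#1] SMP
[952620.398620] CPU: 1 PID: 18445 Comm: mtp-probe Not tainted 4.5.0+ #28
[952620.400165] Stack:
[952620.400201]  00000000024080c0 ffffffff8120bb2c 0000000000000002 ffff88000227d500
[952620.400599] Call Trace:
[952620.400649]  [<ffffffff8120bb2c>] ? get_empty_filp+0x5c/0x1c0
[952620.400748]  [<ffffffff813736d3>] apparmor_file_alloc_security+0x23/0x40
[952620.400861]  [<ffffffff81335b53>] security_file_alloc+0x33/0x50
[952620.400961]  [<ffffffff8120bb6a>] get_empty_filp+0x9a/0x1c0
[952620.401057]  [<ffffffff812176ce>] path_openat+0x2e/0x1400
[952620.401149]  [<ffffffff8121661a>] ? walk_component+0x3a/0x470
[952620.401530]  [<ffffffff8121a38e>] do_filp_open+0x7e/0xe0
[952620.402016]  [<ffffffff81208984>] do_sys_open+0x124/0x210
[952620.402200]  [<ffffffff81208a8e>] SyS_open+0x1e/0x20
[952620.402286]  [<ffffffff817ec736>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[952620.402934] RIP  [<ffffffff811e636b>] kmem_cache_alloc_trace+0x7b/0x1e0
[952620.403106] CR2: 0000000000000805
[952620.445606] ---[ end trace e7adb7015192b3a3 ]---
"""

BUG_RE = re.compile(r"NULL pointer dereference at ([0-9a-f]+)")
IP_RE = re.compile(r"\bIP: \[<[0-9a-f]+>\] ([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+")
COMM_RE = re.compile(r"CPU: \d+ PID: (\d+) Comm: (\S+)")
# One call-trace frame: timestamp, [<addr>], optional "? " (unreliable), symbol+off/size.
FRAME_RE = re.compile(
    r"^\[\s*[\d.]+\]\s+\[<[0-9a-f]+>\]\s+(\? )?([\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+$")


@dataclass
class OopsReport:
    fault_addr: int = None
    faulting_symbol: str = None
    faulting_offset: int = None
    comm: str = None
    pid: int = None
    frames: list = field(default_factory=list)  # (symbol, reliable)


def parse_oops(text):
    """Extract fault address, RIP symbol, task and call trace from an x86-64 oops."""
    rep = OopsReport()
    in_trace = False
    for line in text.splitlines():
        if (m := BUG_RE.search(line)):
            rep.fault_addr = int(m.group(1), 16)
        elif (m := IP_RE.search(line)):
            rep.faulting_symbol = m.group(1)
            rep.faulting_offset = int(m.group(2), 16)
        elif (m := COMM_RE.search(line)):
            rep.pid, rep.comm = int(m.group(1)), m.group(2)
        elif line.endswith("Call Trace:"):
            in_trace = True
        elif in_trace:
            m = FRAME_RE.match(line)
            if m:
                rep.frames.append((m.group(2), m.group(1) is None))
            else:
                in_trace = False  # first non-frame line (RIP/Code) ends the trace
    return rep


def classify_fault(addr):
    """A fault inside the zero page means a NULL base pointer plus a field offset."""
    if addr == 0:
        return "NULL pointer dereferenced directly"
    if addr < PAGE_SIZE:
        return f"NULL base pointer + field offset {addr:#x}"
    return "wild pointer (outside the zero page)"


def reliable_chain(rep):
    """Call chain with the '?' (unverified) frames dropped, innermost first."""
    return [sym for sym, ok in rep.frames if ok]


def triage(rep):
    """Where the CPU faulted versus who called into it."""
    chain = reliable_chain(rep)
    return {
        "faulting_function": rep.faulting_symbol,
        "fault_kind": classify_fault(rep.fault_addr),
        "innermost_reliable_caller": chain[0] if chain else None,
        "lsm_hook_in_chain": next((s for s in chain if s.startswith("apparmor_")), None),
        "allocator_faulted": rep.faulting_symbol.startswith(("kmem_cache_", "kmalloc", "__kmalloc")),
    }


if __name__ == "__main__":
    for k, v in triage(parse_oops(OOPS)).items():
        print(f"{k:28} {v}")
```

Run on the quoted oops this reports the fault as a NULL base pointer plus offset 0x805, the faulting function as `kmem_cache_alloc_trace` and the innermost reliable caller as `apparmor_file_alloc_security`. That split is the point of the reply: the LSM hook only hands the allocator a constant size and GFP flags, so a fault while the allocator walks its own per-cpu freelist is evidence about slab state rather than about the hook, which is why the reply points at pre-existing slab corruption instead of an AppArmor bug.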