[apparmor] Pidgin, 4.14, and App Armor Oops.

Zephaniah E. Loss-Cutler-Hull warp-spam_kernel at aehallh.com
Thu Nov 23 01:50:00 UTC 2017


On 11/22/2017 07:57 AM, John Johansen wrote:
> 
> Can you verify the following patch fixes the problem for you

Confirmed, this does the trick nicely.

Tested-by: Zephaniah E. Loss-Cutler-Hull.
> 
> ---
> 
> From 6ba06322267ea931be5f1f559965120d1e09b030 Mon Sep 17 00:00:00 2001
> From: John Johansen <john.johansen at canonical.com>
> Date: Wed, 22 Nov 2017 07:33:38 -0800
> Subject: [PATCH] apparmor: fix oops in audit_signal_cb hook
> 
> The apparmor_audit_data struct ordering got messed up during a merge
> conflict, resulting in the signal integer and peer pointer being in
> a union instead of a struct together.
> 
> For most of the 4.13 and 4.14 life cycle, this was hidden by commit
> 651e28c5537abb39076d3949fb7618536f1d242e which fixed the
> apparmor_audit_data struct when its data was added. When that commit
> was reverted in -rc7 the signal audit bug was exposed, and
> unfortunately it never showed up in any of the testing until after
> 4.14 was released, and Shuah Khan and Zephaniah E. Loss-Cutler-Hull filed
> nearly simultaneous bug reports (with different oopses, the smaller of
> which is included below).
> 
> Full credit goes to Tetsuo Handa for jumping on this as well and
> noticing the audit data struct problem and reporting it.
> 
> Alright, trying again, this time with my mail settings to actually send
> as plain text, and with some more detail.
> 
> I am running Ubuntu 16.04, with a mainline 4.14 kernel.
> 
> [   76.178568] BUG: unable to handle kernel paging request at ffffffff0eee3bc0
> [   76.178579] IP: audit_signal_cb+0x6c/0xe0
> [   76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0
> [   76.178586] Oops: 0000 [#1] PREEMPT SMP
> [   76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel
> [   76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted 4.14.0-f1-dirty #135
> [   76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio 9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015
> [   76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000
> [   76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0
> [   76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292
> [   76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX: 0000000000000000
> [   76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI: ffff9c7a9493d800
> [   76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09: ffffa09b02a4fc46
> [   76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12: ffffa09b02a4fd40
> [   76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15: 0000000000000001
> [   76.178646] FS:  00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000) knlGS:0000000000000000
> [   76.178648] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [   76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4: 00000000001606f0
> [   76.178652] Call Trace:
> [   76.178660]  common_lsm_audit+0x1da/0x780
> [   76.178665]  ? d_absolute_path+0x60/0x90
> [   76.178669]  ? aa_check_perms+0xcd/0xe0
> [   76.178672]  aa_check_perms+0xcd/0xe0
> [   76.178675]  profile_signal_perm.part.0+0x90/0xa0
> [   76.178679]  aa_may_signal+0x16e/0x1b0
> [   76.178686]  apparmor_task_kill+0x51/0x120
> [   76.178690]  security_task_kill+0x44/0x60
> [   76.178695]  group_send_sig_info+0x25/0x60
> [   76.178699]  kill_pid_info+0x36/0x60
> [   76.178703]  SYSC_kill+0xdb/0x180
> [   76.178707]  ? preempt_count_sub+0x92/0xd0
> [   76.178712]  ? _raw_write_unlock_irq+0x13/0x30
> [   76.178716]  ? task_work_run+0x6a/0x90
> [   76.178720]  ? exit_to_usermode_loop+0x80/0xa0
> [   76.178723]  entry_SYSCALL_64_fastpath+0x13/0x94
> [   76.178727] RIP: 0033:0x7f8b0e58b767
> [   76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX: 000000000000003e
> [   76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX: 00007f8b0e58b767
> [   76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000263b
> [   76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09: 0000000000000001
> [   76.178739] R10: 000000000000022d R11: 0000000000000206 R12: 0000000000000000
> [   76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15: 0000000000000000
> [   76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b 42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd 00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35
> [   76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08
> [   76.178796] CR2: ffffffff0eee3bc0
> [   76.178799] ---[ end trace 514af9529297f1a3 ]---
> 
> Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals")
> Reported-by: Zephaniah E. Loss-Cutler-Hull <warp-spam_kernel at aehallh.com>
> Reported-by: Shuah Khan <shuahkh at osg.samsung.com>
> Reported-by: Tetsuo Handa <penguin-kernel at i-love.sakura.ne.jp>
> Signed-off-by: John Johansen <john.johansen at canonical.com>
> ---
>  security/apparmor/include/audit.h | 12 +++++++-----
>  1 file changed, 7 insertions(+), 5 deletions(-)
> 
> diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
> index 620e81169659..4ac095118717 100644
> --- a/security/apparmor/include/audit.h
> +++ b/security/apparmor/include/audit.h
> @@ -121,17 +121,19 @@ struct apparmor_audit_data {
>  		/* these entries require a custom callback fn */
>  		struct {
>  			struct aa_label *peer;
> -			struct {
> -				const char *target;
> -				kuid_t ouid;
> -			} fs;
> +			union {
> +				struct {
> +					const char *target;
> +					kuid_t ouid;
> +				} fs;
> +				int signal;
> +			};
>  		};
>  		struct {
>  			struct aa_profile *profile;
>  			const char *ns;
>  			long pos;
>  		} iface;
> -		int signal;
>  		struct {
>  			int rlim;
>  			unsigned long max;
> 
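Review bot: the hunk restores the right layout but leaves no comment recording why `struct aa_label *peer;` has to stay outside the union, which is exactly the invariant the merge conflict broke. Since audit_signal_cb needs both `signal` and `peer` (the oops above is that callback running with the two sharing storage), a one-line comment above the peer field, for example `/* peer is read by the fs and signal callbacks; keep it out of the union below */`, would make the layout self-documenting and give the next merge a fighting chance of getting it right.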

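How the union layout described in the commit message turns into the fault address in the dump, as an added illustration that is not kernel code and not part of the original thread. The struct names, the order in which a caller writes `signal` and `peer`, and the full 64-bit value of the peer pointer (only its low dword, 0xee012290, is visible in RDX) are assumptions chosen to match the register dump; the table lookup reproduces my reading of the faulting instruction in the Code: line, `mov rdx,[rdx*8+disp32]` with disp32 0x9ee52740, and the "low 32 bits of the pointer alias the int" step is little-endian x86-64 behaviour.

```c
/* Added illustration of the apparmor_audit_data layout bug; not kernel code.
 * Assumed: struct names, write order in the caller, full peer pointer value.
 * Assumes little-endian x86-64 (the int overlays the pointer's low dword). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct aa_label;	/* opaque, as in the kernel */

/* Layout before the patch: `signal` is a sibling of the struct holding
 * `peer` inside a union, so it shares storage with peer's low 32 bits. */
struct broken_aad {
	union {
		struct {
			struct aa_label *peer;
			struct { const char *target; } fs;
		};
		int signal;
	};
};

/* Layout after the patch: `peer` sits outside the union, and `signal`
 * only shares storage with `fs`, which the signal callback never reads. */
struct fixed_aad {
	struct {
		struct aa_label *peer;
		union {
			struct { const char *target; } fs;
			int signal;
		};
	};
};

/* Assumed label pointer: low dword matches RDX in the dump, high dword
 * matches the other kernel pointers shown there. */
#define SAMPLE_PEER ((struct aa_label *)(uintptr_t)0xffff9c7aee012290ULL)
#define SAMPLE_SIG  6	/* RSI in the dump */

/* A caller that records the signal number, then the peer label. */
static int broken_signal_after_fill(void)
{
	struct broken_aad aad;

	memset(&aad, 0, sizeof(aad));
	aad.signal = SAMPLE_SIG;
	aad.peer = SAMPLE_PEER;		/* overwrites signal's 4 bytes */
	return aad.signal;
}

static int fixed_signal_after_fill(void)
{
	struct fixed_aad aad;

	memset(&aad, 0, sizeof(aad));
	aad.signal = SAMPLE_SIG;
	aad.peer = SAMPLE_PEER;		/* disjoint storage: signal survives */
	return aad.signal;
}

/* Address the callback's name-table lookup touches for a given signal
 * value: rdx holds the int sign-extended to 64 bits (cf. RDX in the
 * dump), scaled by 8 and added to the sign-extended disp32 0x9ee52740. */
static uint64_t table_address(int signal)
{
	uint64_t index = (uint64_t)(int64_t)signal;
	uint64_t disp = (uint64_t)(int64_t)(int32_t)0x9ee52740u;

	return disp + index * 8;	/* wraps mod 2^64 like the CPU */
}

int main(void)
{
	int bad = broken_signal_after_fill();

	printf("broken layout reads signal as 0x%08x (rdx = 0x%016llx)\n",
	       (unsigned int)bad, (unsigned long long)(int64_t)bad);
	printf("fixed  layout reads signal as %d\n", fixed_signal_after_fill());
	printf("name-table lookup then faults at 0x%016llx\n",
	       (unsigned long long)table_address(bad));
	return 0;
}
```

With the broken layout the signal number read back is the pointer's low dword, 0xee012290, which sign-extends to the RDX value in the dump, and the table arithmetic lands exactly on the CR2 address ffffffff0eee3bc0; with the patched layout the read returns 6. The same check works on any such oops: if a register holds a sign-extended fragment of a nearby pointer, suspect overlapping storage before suspecting a bad index.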
