[apparmor] [PATCH] Fix oops in audit_cb caused by overwriting ->peer
Goldwyn Rodrigues
rgoldwyn at suse.de
Tue Mar 13 20:52:09 UTC 2018
From: Goldwyn Rodrigues <rgoldwyn at suse.com>
*peer and rlim structs share the same space because of being declared
in a union. However, in audit_resource(), peer ends up overwriting
rlim information due to which we get the following oops while setting
a limit.
IP: audit_cb+0x63/0xf0
[ 299.416498] PGD 12600e067 P4D 12600e067 PUD 126010067 PMD 0
[ 299.416838] Oops: 0000 [#1] PREEMPT SMP PTI
[ 299.419942] CPU: 2 PID: 2506 Comm: libvirtd Tainted: G I 4.15.4-appy+ #19
[ 299.420523] Hardware name: Dell Inc. Precision WorkStation T3500 /09KPNV, BIOS A15 03/28/2012
[ 299.421123] RIP: 0010:audit_cb+0x63/0xf0
[ 299.421723] RSP: 0018:ffffb43d487b7c58 EFLAGS: 00010292
[ 299.422335] RAX: 0000000007da3798 RBX: ffffb43d487b7d18 RCX: 0000000000000006
[ 299.422957] RDX: 0000000140000000 RSI: 0000000000000092 RDI: ffffffff9fe896c5
[ 299.423592] RBP: ffff8e6726331480 R08: 0000000000000000 R09: 0000000000002c4e
[ 299.424224] R10: ffffb43d487b7d08 R11: ffffffffa06f6aed R12: ffff8e6726331480
[ 299.424865] R13: ffffffff9f399c60 R14: ffff8e68829c0000 R15: 0000000000000001
[ 299.425516] FS: 00007f71a96ae700(0000) GS:ffff8e6894880000(0000) knlGS:0000000000000000
[ 299.426180] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 299.426840] CR2: ffffffffde971340 CR3: 00000003ede86000 CR4: 00000000000026e0
[ 299.427518] Call Trace:
[ 299.428200] common_lsm_audit+0x1dd/0x760
[ 299.428879] ? printk+0x43/0x4b
[ 299.429565] ? aa_audit+0x55/0x110
[ 299.430254] aa_audit+0x55/0x110
[ 299.430949] audit_resource+0xa7/0xc0
[ 299.431649] aa_task_setrlimit+0x176/0x200
[ 299.432348] apparmor_task_setrlimit+0xe2/0x160
[ 299.433057] ? apparmor_capable+0x94/0x120
[ 299.433766] security_task_setrlimit+0x44/0x60
[ 299.434477] do_prlimit.part.11+0x14c/0x290
[ 299.435187] SyS_prlimit64+0x195/0x210
[ 299.435891] do_syscall_64+0x79/0x140
[ 299.436591] entry_SYSCALL_64_after_hwframe+0x26/0x9b
[ 299.437291] RIP: 0033:0x7f71b2994c9a
[ 299.438000] RSP: 002b:00007f71a96ad8a8 EFLAGS: 00000246 ORIG_RAX: 000000000000012e
[ 299.438716] RAX: ffffffffffffffda RBX: 0000000140000000 RCX: 00007f71b2994c9a
[ 299.439441] RDX: 00007f71a96ad8b0 RSI: 0000000000000008 RDI: 0000000000004b4c
[ 299.440169] RBP: 0000000000004b4c R08: 0000000000000000 R09: 0000000000000000
[ 299.440897] R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
[ 299.441622] R13: 00007f7140183990 R14: 00007f7190e8eac0 R15: 00007f714000f3b0
[ 299.442344] Code: 2e 8c d4 ff 48 8b 43 18 48 c7 c7 b5 96 e8 9f 48 8b 70 38 e8 1a 8c d4 ff 48 8b 43 18 48 c7 c7 c5 96 e8 9f 48 8b 50 38 48 63 40 30 <48> 8b 34 c5 80 56 c5 9f e8 fa 8b d4 ff 48 8b 43 18 48 c7 c6 dd
[ 299.443112] RIP: audit_cb+0x63/0xf0 RSP: ffffb43d487b7c58
[ 299.443879] CR2: ffffffffde971340
Signed-off-by: Goldwyn Rodrigues <rgoldwyn at suse.com>
---
security/apparmor/include/audit.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 4ac095118717..773aea850209 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -117,10 +117,10 @@ struct apparmor_audit_data {
const char *info;
u32 request;
u32 denied;
+ struct aa_label *peer;
union {
/* these entries require a custom callback fn */
struct {
- struct aa_label *peer;
union {
struct {
const char *target;
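Review bot: hoisting `peer` above the union removes the overlap with `rlim`, but it also makes `peer` a field of every audit record, so the fix only holds if each initialiser of `struct apparmor_audit_data` leaves `peer` zeroed for audit types that never set it (the common `audit_cb` that faulted in the trace reads it, and a stale non-NULL value would reproduce the oops for a different caller); please state that in the commit message. The comment `/* these entries require a custom callback fn */` still heads the inner struct that `peer` was moved out of, so consider amending it, and a short note that each record grows by one pointer would help reviewers judge the trade-off against checking the audit type in the callback instead.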
--
2.16.2
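As an added example, not code from this patch or the AppArmor tree, the following C model reproduces the aliasing the commit message describes: with `peer` inside the union, filling in the rlim arm changes the bytes that a generic callback reads as `peer`; with `peer` hoisted above the union, it does not. The names `peer`, `target` and `rlim` follow the patch; the payload shape of `rlim` and the sample values are assumptions made for illustration.

```c
/* Added example, not code from the AppArmor patch: a reduced model of
 * struct apparmor_audit_data before and after the fix. The shape of the
 * rlim payload (an int and an unsigned long) is assumed for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct aa_label;                                   /* opaque, as in AppArmor */
struct rlim_info { int rlim; unsigned long max; }; /* assumed payload shape */

/* Before the patch: peer is the first member of one union arm, so it
 * occupies the same bytes that a resource-limit audit stores rlim in. */
struct audit_before {
    const char *info;
    uint32_t request, denied;
    union {
        struct { struct aa_label *peer; const char *target; } fs;
        struct rlim_info rlim;
    } u;
};

/* After the patch: peer sits above the union, so no per-type payload
 * can overwrite it (at the cost of one pointer per audit record). */
struct audit_after {
    const char *info;
    uint32_t request, denied;
    struct aa_label *peer;
    union {
        struct { const char *target; } fs;
        struct rlim_info rlim;
    } u;
};

/* Models audit_resource() filling in the rlim arm, then a generic callback
 * reading peer the way audit_cb does. A non-NULL result is a garbage
 * pointer assembled from the rlim bytes, the kind the oops faulted on. */
static struct aa_label *peer_seen_before(int resource, unsigned long max) {
    struct audit_before ad;
    memset(&ad, 0, sizeof ad);       /* peer starts out NULL */
    ad.u.rlim.rlim = resource;
    ad.u.rlim.max = max;
    return ad.u.fs.peer;             /* aliases rlim: no longer NULL */
}

static struct aa_label *peer_seen_after(int resource, unsigned long max) {
    struct audit_after ad;
    memset(&ad, 0, sizeof ad);
    ad.u.rlim.rlim = resource;
    ad.u.rlim.max = max;
    return ad.peer;                  /* separate field: still NULL */
}
```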