ACK/Cmnt: [H/F/B][PATCH 0/1] aufs: fix kernel bug with apparmor and fuseblk

Stefan Bader stefan.bader at canonical.com
Tue Oct 26 08:52:44 UTC 2021


On 22.10.21 17:47, Mauricio Faria de Oliveira wrote:
> BugLink: https://bugs.launchpad.net/bugs/1948470
> 
> [Impact]
> 
>   * AppArmor-enabled applications on the aufs filesystem
>     might hit a kernel bug when getting file attributes.
> 
>   * The aufs filesystem explicitly assigns a NULL pointer
>     to `struct path.mnt` for `vfs_getattr()`, which calls
>     into AppArmor that checks `struct path.mnt->mnt_flags`,
>     triggering a kernel NULL pointer dereference.
> 
>   * This is almost 10 years old [1,2], reproducible w/ the
>     Linux v3.2 kernel, but it's rare as apparently it needs
>     a fuseblk mount as an aufs branch, and file creation/
>     open (O_CREAT), with a filename that exists only in a
>     lower aufs branch. On Linux v5.15-rc* it doesn't need
>     AppArmor anymore.
> 
> [Fix]
> 
>   * The patch fixing this issue does set `struct path.mnt`
>     properly, by taking `struct path` as parameter instead
>     of just `struct dentry` (and making up an incomplete
>     `struct path` w/ that `dentry` and `mnt = NULL`.)
> 
>   * Since it changes the signature of a key, leaf function
>     with several callers, the patch is a bit long/refactor,
>     but it has been tested by the upstream aufs maintainer
>     with a private test-suite.
> 
> [Test Plan]
> 
>   * Synthetic reproducer available in [1] and comment #1.
> 
> [Regression Potential]
> 
>   * Regressions would probably manifest as kernel errors
>     mostly in the lookup and open paths, but more subtle
>     manifestations would be possible as well.
> 
>   * The patch modifies a fair number of functions, even if
>     doing so in simple ways. The synthetic reproducer only
>     covers one of those functions.
> 
>   * The other code paths have been tested by the maintainer
>     w/ the mainline kernel, and should be equivalent to our
>     kernel as none of such changed for cherry-pick/backport.
> 
>   * The upstream aufs maintainer runs a private test suite
>     that covers several features and use cases of aufs, so
>     hopefully that provides some relief to take this patch.
> 
> [Other Info]
> 
>   * Impish no longer ships aufs; no fix needed.
>   * Hirsute/Focal/Bionic do/need it. (H only for backports)
>   * Hirsute/Focal are clean cherry-picks.
>   * Bionic is a trivial backport.
> 
> [1] https://sourceforge.net/p/aufs/mailman/message/37363599/
> [2] https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic
> 
> [Kernel Traces]
> 
>      BUG: kernel NULL pointer dereference, address: 0000000000000010
>      ...
>      CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure
>      #60~18.04.1-Ubuntu
>      Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine,
>      BIOS 090008 12/07/2018
>      RIP: 0010:aa_path_name+0x55/0x370
>      ...
>      Call Trace:
>      ? request_wait_answer+0xc4/0x200
>      path_name+0x60/0xe0
>      profile_path_perm.part.9+0x57/0xa0
>      aa_path_perm+0xe2/0x130
>      common_perm+0x59/0x130
>      common_perm_cond+0x4c/0x70
>      apparmor_inode_getattr+0x1d/0x20
>      security_inode_getattr+0x35/0x50
>      vfs_getattr+0x21/0x40
>      vfsub_update_h_iattr+0x95/0xb0 [aufs]
>      ? lookup_dcache+0x44/0x70
>      ? lookup_one_len+0x66/0x90
>      vfsub_lookup_one_len+0x50/0x70 [aufs]
>      au_sio_lkup_one+0x8e/0xa0 [aufs]
>      au_lkup_dentry+0x3fa/0x660 [aufs]
>      aufs_lookup.part.35+0x11c/0x210 [aufs]
>      aufs_atomic_open+0xec/0x3c0 [aufs]
>      path_openat+0xe30/0x16a0
>      ? aufs_lookup+0x30/0x30 [aufs]
>      ? path_openat+0xe30/0x16a0
>      ? unlock_page_memcg+0x12/0x20
>      ? filemap_map_pages+0x17d/0x3b0
>      do_filp_open+0x9b/0x110
>      ? __check_object_size+0xdb/0x1b0
>      ? __alloc_fd+0xb2/0x170
>      do_sys_open+0x1ba/0x2e0
>      ? do_sys_open+0x1ba/0x2e0
>      __x64_sys_openat+0x20/0x30
>      do_syscall_64+0x5e/0x200
>      entry_SYSCALL_64_after_hwframe+0x44/0xa9
>      RIP: 0033:0x4a06fa
> 
> J. R. Okajima (1):
>    aufs: bugfix, stop omitting path->mnt
> 
>   fs/aufs/cpup.c     |  6 ++--
>   fs/aufs/dentry.c   | 35 ++++++++++++--------
>   fs/aufs/dentry.h   |  2 +-
>   fs/aufs/dirren.c   |  9 +++--
>   fs/aufs/export.c   |  2 +-
>   fs/aufs/i_op_del.c | 11 +++++--
>   fs/aufs/i_op_ren.c | 14 +++++---
>   fs/aufs/plink.c    | 62 +++++++++++++++++------------------
>   fs/aufs/vfsub.c    | 33 +++++++++++--------
>   fs/aufs/vfsub.h    | 10 +++---
>   fs/aufs/whout.c    | 82 ++++++++++++++++++++++++----------------------
>   fs/aufs/whout.h    |  4 +--
>   fs/aufs/xino.c     | 11 ++++---
>   13 files changed, 156 insertions(+), 125 deletions(-)
> 
I would flag the patch as "UBUNTU: SAUCE" when applying as this is not (and 
cannot be since aufs is not) an upstream change.

Acked-by: Stefan Bader <stefan.bader at canonical.com>
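As an added illustration, not code from the aufs patch or from the quoted cover letter: a small user-space C model of the call chain described under [Impact] and [Fix]. The structure names mirror the kernel's (`struct path`, `struct vfsmount`, `struct dentry`) but are stand-ins defined here; the function names `update_iattr_by_dentry`, `update_iattr_by_path`, `toy_vfs_getattr`, `toy_security_inode_getattr` and `path_is_complete` are hypothetical. The "before" shape fabricates a `struct path` with `mnt = NULL` from a bare dentry; the "after" shape forwards a complete path, which is what the patch does by changing the parameter type. Where the kernel would dereference NULL, the toy hook returns `-EFAULT` so the model runs safely.

```c
/* Added illustration (not the aufs patch): a user-space model of how an
 * incomplete `struct path` (mnt == NULL) reaches an LSM hook that reads
 * path->mnt->mnt_flags. The kernel has no NULL check there and takes a
 * NULL pointer dereference; this toy returns -EFAULT instead. */
#include <stddef.h>
#include <stdio.h>

#define EFAULT 14
#define TOY_MNT_NOSUID 0x01  /* constructed flag value for the demo */

/* Minimal stand-ins for the kernel structures involved (hypothetical). */
struct vfsmount { int mnt_flags; };
struct dentry   { const char *d_name; int i_mode; };
struct path     { struct vfsmount *mnt; struct dentry *dentry; };
struct kstat    { int mode; int mnt_flags; };

/* Toy LSM hook: mirrors AppArmor's read of path->mnt->mnt_flags.
 * The NULL check is the only thing the real hook does not have. */
static int toy_security_inode_getattr(const struct path *path, int *flags_out)
{
    if (!path->mnt)
        return -EFAULT;          /* stand-in for the kernel NULL deref */
    *flags_out = path->mnt->mnt_flags;
    return 0;
}

/* Toy vfs_getattr(): security hook first, then fill in the stat data. */
static int toy_vfs_getattr(const struct path *path, struct kstat *st)
{
    int ret = toy_security_inode_getattr(path, &st->mnt_flags);
    if (ret)
        return ret;
    st->mode = path->dentry->i_mode;
    return 0;
}

/* BEFORE: the caller only has a dentry and makes up a path with mnt = NULL.
 * This is the shape of the code the patch removes. */
int update_iattr_by_dentry(struct dentry *h_dentry, struct kstat *st)
{
    struct path h_path = { .mnt = NULL, .dentry = h_dentry };
    return toy_vfs_getattr(&h_path, st);
}

/* AFTER: the caller is handed the complete path and forwards it unchanged. */
int update_iattr_by_path(const struct path *h_path, struct kstat *st)
{
    return toy_vfs_getattr(h_path, st);
}

/* Cheap sanity check for call sites that assemble a path by hand:
 * both halves must be present before the path goes down to the VFS. */
int path_is_complete(const struct path *p)
{
    return p && p->mnt && p->dentry;
}

int main(void)
{
    /* Constructed sample: one branch mount and one file that only exists
     * in a lower branch, as in the reproducer described in the cover letter. */
    struct vfsmount branch = { .mnt_flags = TOY_MNT_NOSUID };
    struct dentry file = { .d_name = "lower-only-file", .i_mode = 0644 };
    struct path full = { .mnt = &branch, .dentry = &file };
    struct kstat st = { 0 };

    printf("by dentry: %d\n", update_iattr_by_dentry(&file, &st));
    printf("by path:   %d (mnt_flags %#x)\n",
           update_iattr_by_path(&full, &st), st.mnt_flags);
    return 0;
}
```

The dentry-only variant fails at the hook because there is no mount to read flags from; the path variant succeeds and carries the branch's mount flags through. The `path_is_complete` check is the kind of guard a reviewer would want at any remaining call site that still builds a `struct path` by hand.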
