[Kernel-packages] [Bug 1948470] Re: aufs: kernel bug with apparmor and fuseblk

[Mauricio Faria de Oliveira]

Steps to Reproduce:

1) test app

        # cat openat.c
        #include <stdio.h>
        #include <fcntl.h>

        int main() {
                int rc;
                rc = openat(AT_FDCWD, "test", O_RDWR | O_CREAT | S_IRWXU);
                if (rc < 0) {
                        perror("openat");
                        return 1;
                }
                return 0;
        }

        # gcc -o openat openat.c

2) ntfs-3g mount (fuseblk)

        # truncate -s 1g ntfs.img
        # DEV=$(losetup -f --show ntfs.img)
        # mkfs.ntfs --fast $DEV

        # mkdir ntfs
        # mount -t ntfs-3g $DEV ntfs

        # mount | grep ntfs | grep fuseblk
        /dev/loop6 on /home/ubuntu/ntfs type fuseblk 
(rw,relatime,user_id=0,group_id=0,allow_other,blksize=4096)

3) aufs mount (with 'test' file in the read-only branch)

        # mkdir ro aufs
        # touch ro/test
        # mount -t aufs -o br=ntfs:ro none aufs

4) enable apparmor for the test app (even in complain mode with aa-
genprof)

        # aa-genprof ./openat &
        ...
        Please start the application to be profiled in
        another window and exercise its functionality now.
        ...
        <press enter>
        [1]+  Stopped                 aa-genprof ./openat

5) remove 'test' file from read-write branch (still exists in read-only
branch)

        # cd aufs
        # rm test

6) run the test app

        # ../openat
        Killed

7) check kernel logs

        # dmesg

** Description changed:

- aufs: kernel bug with apparmor and fuseblk
- 
  [Impact]
  
-  * AppArmor-enabled applications on the aufs filesystem
-    might hit a kernel bug when getting file attributes.
-  
-  * The aufs filesystem explicitly assigns a NULL pointer
-    to `struct path.mnt` for `vfs_getattr()`, which calls
-    into AppArmor that checks `struct path.mnt->mnt_flags`,
-    triggering a kernel NULL pointer dereference.
-    
-  * This is almost 10 years old [1,2], reproducible w/ the
-    Linux v3.2 kernel, but it's rare as apparently it needs
-    a fuseblk mount as an aufs branch, and file creation/
-    open (O_CREAT), with a filename that exists only in a
-    lower aufs branch. On Linux v5.15-rc* it doesn't need
-    AppArmor anymore.
+  * AppArmor-enabled applications on the aufs filesystem
+    might hit a kernel bug when getting file attributes.
+ 
+  * The aufs filesystem explicitly assigns a NULL pointer
+    to `struct path.mnt` for `vfs_getattr()`, which calls
+    into AppArmor that checks `struct path.mnt->mnt_flags`,
+    triggering a kernel NULL pointer dereference.
+ 
+  * This is almost 10 years old [1,2], reproducible w/ the
+    Linux v3.2 kernel, but it's rare as apparently it needs
+    a fuseblk mount as an aufs branch, and file creation/
+    open (O_CREAT), with a filename that exists only in a
+    lower aufs branch. On Linux v5.15-rc* it doesn't need
+    AppArmor anymore.
  
  [Fix]
  
-  * The patch fixing this issue does set `struct path.mnt`
-    properly, by taking `struct path` as parameter instead
-    of just `struct dentry` (and making up an incomplete
-    `struct path` w/ that `dentry` and `mnt = NULL`.)
-  
-  * Since it changes the signature of a key, leaf function
-    with several callers, the patch is a bit long/refactor,
-    but it has been tested by the upstream aufs maintainer
-    with a private test-suite.
-    
+  * The patch fixing this issue does set `struct path.mnt`
+    properly, by taking `struct path` as parameter instead
+    of just `struct dentry` (and making up an incomplete
+    `struct path` w/ that `dentry` and `mnt = NULL`.)
+ 
+  * Since it changes the signature of a key, leaf function
+    with several callers, the patch is a bit long/refactor,
+    but it has been tested by the upstream aufs maintainer
+    with a private test-suite.
+ 
  [Test Plan]
  
-  * Synthetic reproducer available in [1] and comment #1.
+  * Synthetic reproducer available in [1] and comment #1.
  
  [Regression Potential]
  
-  * Regressions would probably manifest as kernel errors
-    mostly in the lookup and open paths, but more subtle
-    manifestations would be possible as well.
-  
-  * The patch modifies a fair number of functions, even if
-    doing so in simple ways. The synthetic reproducer only
-    covers one of those functions. 
-   
-  * The other code paths have been tested by the maintainer
-    w/ the mainline kernel, and should be equivalent to our
-    kernel as none of such changed for cherry-pick/backport.
-    
-  * The upstream aufs maintainer runs a private test suite
-    that covers several features and use cases of aufs, so
-    hopefully that provides some relief to take this patch.
-    
+  * Regressions would probably manifest as kernel errors
+    mostly in the lookup and open paths, but more subtle
+    manifestations would be possible as well.
+ 
+  * The patch modifies a fair number of functions, even if
+    doing so in simple ways. The synthetic reproducer only
+    covers one of those functions.
+ 
+  * The other code paths have been tested by the maintainer
+    w/ the mainline kernel, and should be equivalent to our
+    kernel as none of such changed for cherry-pick/backport.
+ 
+  * The upstream aufs maintainer runs a private test suite
+    that covers several features and use cases of aufs, so
+    hopefully that provides some relief to take this patch.
+ 
  [Other Info]
  
-  * Impish no longer ships aufs; no fix needed.
-  * Hirsute/Focal/Bionic do/need it.
-  * Hirsute/Focal are clean cherry-picks.
-  * Bionic is a trivial backport.
-  
+  * Impish no longer ships aufs; no fix needed.
+  * Hirsute/Focal/Bionic do/need it.
+  * Hirsute/Focal are clean cherry-picks.
+  * Bionic is a trivial backport.
+ 
  [1] https://sourceforge.net/p/aufs/mailman/message/37363599/
  [2] 
https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic
  
  [Kernel Traces]
  
  BUG: kernel NULL pointer dereference, address: 0000000000000010
  ...
  CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure 
#60~18.04.1-Ubuntu
  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 
090008 12/07/2018
  RIP: 0010:aa_path_name+0x55/0x370
  ...
  Call Trace:
  ? request_wait_answer+0xc4/0x200
  path_name+0x60/0xe0
  profile_path_perm.part.9+0x57/0xa0
  aa_path_perm+0xe2/0x130
  common_perm+0x59/0x130
  common_perm_cond+0x4c/0x70
  apparmor_inode_getattr+0x1d/0x20
  security_inode_getattr+0x35/0x50
  vfs_getattr+0x21/0x40
  vfsub_update_h_iattr+0x95/0xb0 [aufs]
  ? lookup_dcache+0x44/0x70
  ? lookup_one_len+0x66/0x90
  vfsub_lookup_one_len+0x50/0x70 [aufs]
  au_sio_lkup_one+0x8e/0xa0 [aufs]
  au_lkup_dentry+0x3fa/0x660 [aufs]
  aufs_lookup.part.35+0x11c/0x210 [aufs]
  aufs_atomic_open+0xec/0x3c0 [aufs]
  path_openat+0xe30/0x16a0
  ? aufs_lookup+0x30/0x30 [aufs]
  ? path_openat+0xe30/0x16a0
  ? unlock_page_memcg+0x12/0x20
  ? filemap_map_pages+0x17d/0x3b0
  do_filp_open+0x9b/0x110
  ? __check_object_size+0xdb/0x1b0
  ? __alloc_fd+0xb2/0x170
  do_sys_open+0x1ba/0x2e0
  ? do_sys_open+0x1ba/0x2e0
  __x64_sys_openat+0x20/0x30
  do_syscall_64+0x5e/0x200
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x4a06fa

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1948470

Title:
  aufs: kernel bug with apparmor and fuseblk

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Hirsute:
  In Progress
Status in linux source package in Impish:
  Invalid
Status in linux source package in Jammy:
  Invalid

Bug description:
  [Impact]

   * AppArmor-enabled applications on the aufs filesystem
     might hit a kernel bug when getting file attributes.

   * The aufs filesystem explicitly assigns a NULL pointer
     to `struct path.mnt` for `vfs_getattr()`, which calls
     into AppArmor that checks `struct path.mnt->mnt_flags`,
     triggering a kernel NULL pointer dereference.

   * This is almost 10 years old [1,2], reproducible w/ the
     Linux v3.2 kernel, but it's rare as apparently it needs
     a fuseblk mount as an aufs branch, and file creation/
     open (O_CREAT), with a filename that exists only in a
     lower aufs branch. On Linux v5.15-rc* it doesn't need
     AppArmor anymore.

  [Fix]

   * The patch fixing this issue does set `struct path.mnt`
     properly, by taking `struct path` as parameter instead
     of just `struct dentry` (and making up an incomplete
     `struct path` w/ that `dentry` and `mnt = NULL`.)

   * Since it changes the signature of a key, leaf function
     with several callers, the patch is a bit long/refactor,
     but it has been tested by the upstream aufs maintainer
     with a private test-suite.

  [Test Plan]

   * Synthetic reproducer available in [1] and comment #1.

  [Regression Potential]

   * Regressions would probably manifest as kernel errors
     mostly in the lookup and open paths, but more subtle
     manifestations would be possible as well.

   * The patch modifies a fair number of functions, even if
     doing so in simple ways. The synthetic reproducer only
     covers one of those functions.

   * The other code paths have been tested by the maintainer
     w/ the mainline kernel, and should be equivalent to our
     kernel as none of such changed for cherry-pick/backport.

   * The upstream aufs maintainer runs a private test suite
     that covers several features and use cases of aufs, so
     hopefully that provides some relief to take this patch.

  [Other Info]

   * Impish no longer ships aufs; no fix needed.
   * Hirsute/Focal/Bionic do/need it.
   * Hirsute/Focal are clean cherry-picks.
   * Bionic is a trivial backport.

  [1] https://sourceforge.net/p/aufs/mailman/message/37363599/
  [2] 
https://unix.stackexchange.com/questions/324571/docker-run-causing-kernel-panic

  [Kernel Traces]

  BUG: kernel NULL pointer dereference, address: 0000000000000010
  ...
  CPU: 23 PID: 17623 Comm: drone-agent Not tainted 5.4.0-1058-azure 
#60~18.04.1-Ubuntu
  Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS 
090008 12/07/2018
  RIP: 0010:aa_path_name+0x55/0x370
  ...
  Call Trace:
  ? request_wait_answer+0xc4/0x200
  path_name+0x60/0xe0
  profile_path_perm.part.9+0x57/0xa0
  aa_path_perm+0xe2/0x130
  common_perm+0x59/0x130
  common_perm_cond+0x4c/0x70
  apparmor_inode_getattr+0x1d/0x20
  security_inode_getattr+0x35/0x50
  vfs_getattr+0x21/0x40
  vfsub_update_h_iattr+0x95/0xb0 [aufs]
  ? lookup_dcache+0x44/0x70
  ? lookup_one_len+0x66/0x90
  vfsub_lookup_one_len+0x50/0x70 [aufs]
  au_sio_lkup_one+0x8e/0xa0 [aufs]
  au_lkup_dentry+0x3fa/0x660 [aufs]
  aufs_lookup.part.35+0x11c/0x210 [aufs]
  aufs_atomic_open+0xec/0x3c0 [aufs]
  path_openat+0xe30/0x16a0
  ? aufs_lookup+0x30/0x30 [aufs]
  ? path_openat+0xe30/0x16a0
  ? unlock_page_memcg+0x12/0x20
  ? filemap_map_pages+0x17d/0x3b0
  do_filp_open+0x9b/0x110
  ? __check_object_size+0xdb/0x1b0
  ? __alloc_fd+0xb2/0x170
  do_sys_open+0x1ba/0x2e0
  ? do_sys_open+0x1ba/0x2e0
  __x64_sys_openat+0x20/0x30
  do_syscall_64+0x5e/0x200
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
  RIP: 0033:0x4a06fa

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1948470/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp