** Description changed:

+ SRU Justification (apparmor)
+
+ 1. impact of the bug is medium for stable releases. There are two parts
+ to this bug: the kernel side OOPSing when the parser generates invalid
+ tables, and the parser generating correct tables. The lucid kernel
+ should receive the fix sometime in the future, but the userspace should
+ also be fixed.
+
+ The kernel bug was a broken test in verifying the dfa next/check table
+ size (so the userspace bug was not caught when it should have been).
+ This means that it can at times reference beyond the dfa table (by at
+ most 255 entries).
+
+ The userspace bug is that the next/check table is not correctly padded
+ with 0 entries, so that it is impossible to reference beyond the end of
+ the table when in the states that use the end of the table for their
+ references.
+
+
+ 2. This has been addressed during the maverick development cycle.
+
+ 3. This is r1392 from the apparmor-2.5 branch. The commit mistakenly
+ references a different bug (599450), but the text is: "Changes the table
+ resizing so that there is always sufficient high entries in the table,
+ preventing bounds violations from occurring."
+
+ 4. TEST CASE: there are multiple possible test cases
+ 4.1 Load a profile against a patched kernel (the maverick kernel can be used for this or a patched Lucid Kernel). The kernel will reject the profile with the following message in the logs
+ AppArmor DFA next/check upper bounds error fixed, upgrade user space tools
+
+ 4.2 The dfa verifier can be run against a profile's dfa in user space,
+ but the checker is not part of the distro or easy to use atm as it
+ requires manually extracting the tables from the profile. The full
+ userspace profile verifier isn't available yet.
+
+ 4.3 A profile can be compiled using the parser pre and post patching, and compared using a hex editor.
+ The components of the profile that are changed are the size of the table and at the end of dfa table several 0 entries padding out the table. To do this choose a small profile eg. usr.sbin.tcpdump and run
+ ./apparmor_parser -S <profile> >out.file
+ ./apparmor_parser-patched -S <profile> >out.file2
+
+ The dfa table generated starts with the string aadfa\0 followed by a 4
+ byte (little endian blob size - this will differ), followed by the actual
+ table header with various table size (some of these will change) and
+ then the actual tables which almost fill the rest of the profile.
+ Towards the end of the profile there should be extra 0's. And then the
+ closing data of the profile which should not change. The data within
+ the profile should not change beyond the couple of size entries and the
+ 0 padding at the end.
+
+
+ 5. The regression potential is considered low as the patch just pads out the table to make sure there are no bounds violations. The patch was pushed in maverick during its development cycle and showed no regressions. This is an important reliability fix for people who are affected (this has affected at least one Canonical server).
+
  Hi,
  Since last week I am experiencing a problem which seems related to apparmor.
  Kernel is crashing at aa_dfa_match_len+0xd9/0xf0, and a trace like the following appears on my system logs:
-
- May 17 01:57:04 mplaptop kernel: [ 6430.314093] PGD 1002063 PUD 0
- May 17 01:57:04 mplaptop kernel: [ 6430.314101] CPU 1
+ May 17 01:57:04 mplaptop kernel: [ 6430.314093] PGD 1002063 PUD 0
+ May 17 01:57:04 mplaptop kernel: [ 6430.314101] CPU 1
  May 17 01:57:04 mplaptop kernel: [ 6430.314103] Modules linked in: xts gf128mul binfmt_misc ppdev vboxnetadp vboxnetflt vboxdrv sha256_generic cryptd aes_x86_64 aes_generic dm_crypt joydev snd_hda_codec_realtek ipt_REJECT ipt_LOG xt_limit xt_tcpudp ipt_addrtype xt_state dell_wmi arc4 snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm ip6table_filter ip6_tables snd_seq_dummy nf_nat_irc snd_seq_oss nf_conntrack_irc snd_seq_midi nf_nat_ftp snd_rawmidi nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 snd_seq_midi_event nf_conntrack_ftp snd_seq nf_conntrack iwlagn iptable_filter snd_timer snd_seq_device iwlcore ip_tables snd uvcvideo videodev v4l1_compat v4l2_compat_ioctl32 x_tables mac80211 sdhci_pci dell_laptop dcdbas sdhci led_class nvidia(P) soundcore snd_page_alloc cfg80211 psmouse serio_raw uinput lp parport usbhid hid fbcon tileblit font bitblit ohci1394 softcursor ieee1394 r8169 mii ahci vga16fb vgastate intel_agp video output
  May 17 01:57:04 mplaptop kernel: [ 6430.314159] Pid: 5065, comm: gnome-panel Tainted: P D 2.6.32-22-generic #33-Ubuntu Vostro1710
  May 17 01:57:04 mplaptop kernel: [ 6430.314161] RIP: 0010:[<ffffffff8127dc49>] [<ffffffff8127dc49>] aa_dfa_match_len+0xd9/0xf0
  May 17 01:57:04 mplaptop kernel: [ 6430.314170] RSP: 0018:ffff880116649d20 EFLAGS: 00010216
  May 17 01:57:04 mplaptop kernel: [ 6430.314172] RAX: 0000000000000039 RBX: ffff880051285a8c RCX: 0000000000000039
  May 17 01:57:04 mplaptop kernel: [ 6430.314174] RDX: ffff88011e65a4f1 RSI: 0000000053726599 RDI: ffff88011e65a4f1
  May 17 01:57:04 mplaptop kernel: [ 6430.314176] RBP: ffff880116649d38 R08: 0000000000000000 R09: ffff88012bbfc40c
  May 17 01:57:04 mplaptop kernel: [ 6430.314177] R10: ffff88009697606c R11: ffff88011e65a4ff R12: ffff88012bbfc20c
  May 17 01:57:04 mplaptop kernel: [ 6430.314179] R13: ffff88011e65a4de R14: ffff88011e65a4de R15: 0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314181] FS: 00007f689ffe17e0(0000) GS:ffff880028300000(0000) knlGS:0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314183] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  May 17 01:57:04 mplaptop kernel: [ 6430.314185] CR2: ffff8801d2a48f3e CR3: 0000000111c91000 CR4: 00000000000026e0
  May 17 01:57:04 mplaptop kernel: [ 6430.314187] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314189] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  May 17 01:57:04 mplaptop kernel: [ 6430.314191] Process gnome-panel (pid: 5065, threadinfo ffff880116648000, task ffff8801360a8000)
  May 17 01:57:04 mplaptop kernel: [ 6430.314194] ffff880096976ea0 0000000000000001 ffff88011e65a4de ffff880116649d68
  May 17 01:57:04 mplaptop kernel: [ 6430.314197] <0> ffffffff8127dc9a ffff880116649db8 ffff88012e58b800 0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314200] <0> ffff88013fc022a8 ffff880116649db8 ffffffff8127e7d3 ffff88012e58b818
  May 17 01:57:04 mplaptop kernel: [ 6430.314206] [<ffffffff8127dc9a>] aa_dfa_match+0x3a/0x50
  May 17 01:57:04 mplaptop kernel: [ 6430.314209] [<ffffffff8127e7d3>] aa_find_attach+0x93/0xf0
  May 17 01:57:04 mplaptop kernel: [ 6430.314211] [<ffffffff8127f80b>] apparmor_bprm_set_creds+0x36b/0x530
  May 17 01:57:04 mplaptop kernel: [ 6430.314215] [<ffffffff8108998e>] ? up_write+0xe/0x10
  May 17 01:57:04 mplaptop kernel: [ 6430.314219] [<ffffffff812507e3>] security_bprm_set_creds+0x13/0x20
  May 17 01:57:04 mplaptop kernel: [ 6430.314223] [<ffffffff81149431>] prepare_binprm+0xb1/0x110
  May 17 01:57:04 mplaptop kernel: [ 6430.314225] [<ffffffff8114a29c>] do_execve+0x1ac/0x300
  May 17 01:57:04 mplaptop kernel: [ 6430.314229] [<ffffffff812bbdda>] ? strncpy_from_user+0x4a/0x90
  May 17 01:57:04 mplaptop kernel: [ 6430.314233] [<ffffffff810115ba>] sys_execve+0x4a/0x80
  May 17 01:57:04 mplaptop kernel: [ 6430.314236] [<ffffffff8101360a>] stub_execve+0x6a/0xc0
  May 17 01:57:04 mplaptop kernel: [ 6430.314265] RSP <ffff880116649d20>
  May 17 01:57:04 mplaptop kernel: [ 6430.314268] ---[ end trace 2b51de9f06402b92 ]---

  Sometimes it does not seem to have visible effects, other times it renders the system unusable. When that happens, I often need to reboot several times, as the issue appears again on the next boot process.

  My system is an up-to-date lucid, installation mostly by default but with several dm_crypt partitions over LVM, and virtualbox-ose installed. I have also enabled the firefox apparmor profile and several other custom profiles.

  Note that I have sometimes experienced another strange apparmor behavior, as it attaches (randomly) a profile to a process that does not have a profile defined (let's say, for example, it attaches the firefox profile to gedit). I experienced that 2 or 3 times, I will try to give you more information next time I see it, maybe it is related to this.

  Finally, just note that this problem seems related to bug #529288.
-- 
Lucid: system becomes unstable randomly, seems related with apparmor
https://bugs.launchpad.net/bugs/581525
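
Added example, not AppArmor's or the parser's own code: a simplified model of the next/check lookup the SRU justification describes, showing why a load-time verifier must reject a table that is not padded and how many entries the padding has to supply. The struct layout, function names and the two-state sample DFA are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified comb-compressed DFA; field names are illustrative only. */
struct dfa {
    size_t nstates;        /* number of states */
    size_t ntrans;         /* entries in next[] and check[] */
    const uint16_t *base;  /* per-state offset into next/check */
    const uint16_t *def;   /* per-state default transition */
    const uint16_t *next;
    const uint16_t *check;
};

/* Load-time verifier: an input byte is 0..255, so every state must be
 * able to index base + 255 without leaving the table. */
int dfa_bounds_ok(const struct dfa *d)
{
    for (size_t s = 0; s < d->nstates; s++)
        if ((size_t)d->base[s] + 255 >= d->ntrans)
            return 0;   /* the "upper bounds error" case: refuse to load */
    return 1;
}

/* Table length the generator must emit (extra entries are 0 padding). */
size_t dfa_padded_len(const uint16_t *base, size_t nstates, size_t ntrans)
{
    for (size_t s = 0; s < nstates; s++)
        if ((size_t)base[s] + 256 > ntrans)
            ntrans = (size_t)base[s] + 256;
    return ntrans;
}

/* One transition; only safe once dfa_bounds_ok() has succeeded. */
uint16_t dfa_step(const struct dfa *d, uint16_t state, unsigned char c)
{
    size_t pos = (size_t)d->base[state] + c;
    return d->check[pos] == state ? d->next[pos] : d->def[state];
}

/* Constructed sample: state 0 is the dead state, state 1 loops on 'a'. */
static const uint16_t BASE[2] = {0, 4}, DEF[2] = {0, 0};

/* Returns -1 if the table is rejected, else the state after one byte.
 * len is the claimed table length and must be <= 260 in this demo. */
int demo(size_t len, unsigned char input)
{
    uint16_t next[260] = {0}, check[260] = {0};
    struct dfa d = {2, len, BASE, DEF, next, check};
    next[4 + 'a'] = 1;
    check[4 + 'a'] = 1;
    return dfa_bounds_ok(&d) ? (int)dfa_step(&d, 1, input) : -1;
}
```

In this model the unpadded table ends right after the last used entry (length 102), so byte 0xff in state 1 would index entry 259; the zero padding makes that lookup land on a check entry that does not match the state, and the default transition is taken.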