** Description changed:

+ [ Impact ]
+ 
+ fs/ceph,selinux: fix NULL pointer dereference on CephFS write with
+ SELinux in permissive mode
+ 
+ A NULL pointer dereference occurs in the Ceph kernel client (CephFS)
+ when a file is created on a mounted CephFS volume while SELinux is
+ enabled in permissive mode.
+ 
+ [   86.678570] BUG: kernel NULL pointer dereference, address: 000000000000001d
+ [   86.679238] #PF: supervisor read access in kernel mode
+ [   86.679859] #PF: error_code(0x0000) - not-present page
+ [   86.680445] PGD 0 P4D 0
+ [   86.681021] Oops: 0000 [#1] PREEMPT SMP PTI
+ [   86.681558] CPU: 0 PID: 2818 Comm: touch Not tainted 6.8.0-62-generic #65-Ubuntu
+ [   86.682095] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
+ [   86.682716] RIP: 0010:memcpy_orig+0x54/0x130
+ [   86.683267] Code: 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 <4c> 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
+ [   86.684464] RSP: 0018:ffffa79300b2f7e0 EFLAGS: 00010283
+ [   86.685060] RAX: ffff9aeb6123a008 RBX: 0000000000000ff8 RCX: 0000000000000000
+ [   86.685659] RDX: ffffffffffffffe5 RSI: 0000000000000025 RDI: ffff9aeb6123a02d
+ [   86.686265] RBP: ffffa79300b2f810 R08: 0000000000000025 R09: 0000000000000000
+ [   86.686843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000025
+ [   86.687366] R13: 0000000000000000 R14: ffff9aeb408d5960 R15: ffffa79300b2f8e4
+ [   86.687888] FS:  0000724d07b47740(0000) GS:ffff9aec77c00000(0000) knlGS:0000000000000000
+ [   86.688416] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ [   86.688947] CR2: 000000000000001d CR3: 000000012038a004 CR4: 00000000001706f0
+ [   86.689541] Call Trace:
+ [   86.690124]  <TASK>
+ [   86.690704]  ? show_regs+0x6d/0x80
+ [   86.691256]  ? __die+0x24/0x80
+ [   86.691807]  ? page_fault_oops+0x99/0x1b0
+ [   86.692426]  ? kernelmode_fixup_or_oops.isra.0+0x69/0x90
+ [   86.692991]  ? __bad_area_nosemaphore+0x19e/0x2c0
+ [   86.693563]  ? find_vma+0x34/0x60
+ [   86.694214]  ? bad_area_nosemaphore+0x16/0x30
+ [   86.694835]  ? do_user_addr_fault+0x29d/0x670
+ [   86.695439]  ? exc_page_fault+0x83/0x1b0
+ [   86.696024]  ? asm_exc_page_fault+0x27/0x30
+ [   86.696614]  ? memcpy_orig+0x54/0x130
+ [   86.697202]  ? ceph_pagelist_append+0x124/0x150 [libceph]
+ [   86.697995]  ceph_security_init_secctx+0xce/0x1f0 [ceph]
+ [   86.698733]  ceph_new_inode+0x80/0xe0 [ceph]
+ [   86.699484]  ceph_atomic_open+0x3b2/0x9d0 [ceph]
+ [   86.700239]  ? may_create+0x141/0x150
+ [   86.700903]  lookup_open.isra.0+0x3a9/0x570
+ [   86.701534]  open_last_lookups+0x14f/0x400
+ [   86.702196]  path_openat+0x99/0x2d0
+ [   86.702815]  do_filp_open+0xaf/0x170
+ [   86.703475]  do_sys_openat2+0xb3/0xe0
+ [   86.704098]  __x64_sys_openat+0x55/0xa0
+ [   86.704804]  x64_sys_call+0x1eb1/0x25a0
+ [   86.705437]  do_syscall_64+0x7f/0x180
+ [   86.706120]  ? filemap_map_pages+0x2fe/0x4c0
+ [   86.706792]  ? __lruvec_stat_mod_folio+0x70/0xc0
+ [   86.707444]  ? do_read_fault+0x112/0x200
+ [   86.708157]  ? do_fault+0xf0/0x260
+ [   86.708850]  ? handle_pte_fault+0x114/0x1d0
+ [   86.709519]  ? __handle_mm_fault+0x654/0x800
+ [   86.710216]  ? __count_memcg_events+0x6b/0x120
+ [   86.710884]  ? count_memcg_events.constprop.0+0x2a/0x50
+ [   86.711505]  ? handle_mm_fault+0xad/0x380
+ [   86.712136]  ? do_user_addr_fault+0x334/0x670
+ [   86.712778]  ? irqentry_exit_to_user_mode+0x7b/0x260
+ [   86.713433]  ? irqentry_exit+0x43/0x50
+ [   86.714111]  ? clear_bhb_loop+0x15/0x70
+ [   86.714777]  ? clear_bhb_loop+0x15/0x70
+ [   86.715330]  ? clear_bhb_loop+0x15/0x70
+ [   86.715844]  entry_SYSCALL_64_after_hwframe+0x78/0x80
+ [   86.716378] RIP: 0033:0x724d0791b175
+ [   86.716895] Code: 83 e2 40 75 50 89 f0 f7 d0 a9 00 00 41 00 74 45 80 3d de fe 0e 00 00 74 60 89 da 4c 89 e6 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 7f 00 00 00 48 8b 55 b8 64 48 2b 14 25 28
+ [   86.718058] RSP: 002b:00007ffd9c151d40 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
+ [   86.718648] RAX: ffffffffffffffda RBX: 0000000000000941 RCX: 0000724d0791b175
+ [   86.719225] RDX: 0000000000000941 RSI: 00007ffd9c153635 RDI: 00000000ffffff9c
+ [   86.719833] RBP: 00007ffd9c151db0 R08: 0000000000000000 R09: 0000000000000000
+ [   86.720414] R10: 00000000000001b6 R11: 0000000000000202 R12: 00007ffd9c153635
+ [   86.720982] R13: 0000724d07a03248 R14: 0000000000000000 R15: 0000000000000001
+ [   86.721596]  </TASK>
+ 
+ [ Fix ]
+ 
+ The issue must be solved modifying kernel code as follows:
+ - In the SELinux hook selinux_dentry_init_security(), remove the faulty cast
+   when assigning the context pointer, allowing the LSM to populate
+   the context buffer correctly and avoiding the NULL pointer dereference
+ - In ceph_security_init_secctx(), add the missing encoding of the xattr name
+   and its length to the pagelist
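As an added illustration (not code from the kernel or from this bug's fix), this userspace model shows the two things the fix changes: the encoder refuses a NULL context instead of copying from it, and the name plus its length precede the value in the blob, so a receiver parsing the pre-fix layout runs off the end. Helper names (blob, put_u32, put_bytes, get_u32, encode_secctx, encode_secctx_missing_name, decode_first) are hypothetical; ceph_pagelist_encode_32 and ceph_pagelist_append are the libceph helpers the kernel uses to produce this layout.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed model of the xattr blob a CephFS client sends to the MDS when it
 * creates an inode: u32 count, then per xattr a u32-length-prefixed name and a
 * u32-length-prefixed value (little-endian, as ceph_pagelist_encode_32 and
 * ceph_pagelist_append emit). All names here are hypothetical, not kernel code. */
#define BLOB_MAX 256
struct blob { uint8_t buf[BLOB_MAX]; size_t len; };
static int put_u32(struct blob *b, uint32_t v) {
    if (b->len + 4 > BLOB_MAX) return -1;
    for (int i = 0; i < 4; i++) b->buf[b->len++] = (uint8_t)(v >> (8 * i));
    return 0;
}
static int put_bytes(struct blob *b, const void *p, size_t n) {
    if (!p || b->len + n > BLOB_MAX) return -1;  /* never memcpy from a NULL context */
    memcpy(b->buf + b->len, p, n); b->len += n;
    return 0;
}
/* Fixed layout: count, name length, name, value length, value. 0 on success. */
int encode_secctx(struct blob *b, const char *name, const void *ctx, size_t ctxlen) {
    b->len = 0;
    if (!name || !ctx || ctxlen == 0) return -1;  /* the LSM supplied no label */
    size_t nlen = strlen(name);
    if (put_u32(b, 1) || put_u32(b, (uint32_t)nlen) || put_bytes(b, name, nlen) ||
        put_u32(b, (uint32_t)ctxlen) || put_bytes(b, ctx, ctxlen)) return -1;
    return 0;
}
/* Pre-fix layout for comparison: the name and its length are not encoded. */
int encode_secctx_missing_name(struct blob *b, const void *ctx, size_t ctxlen) {
    b->len = 0;
    if (put_u32(b, 1) || put_u32(b, (uint32_t)ctxlen) || put_bytes(b, ctx, ctxlen)) return -1;
    return 0;
}
static int get_u32(const struct blob *b, size_t *off, uint32_t *v) {
    if (*off + 4 > b->len) return -1;
    *v = 0; for (int i = 0; i < 4; i++) *v |= (uint32_t)b->buf[(*off)++] << (8 * i);
    return 0;
}
/* Parse as the receiver would; 0 and the first entry as C strings, or -1 if truncated. */
int decode_first(const struct blob *b, char *name, size_t nsz, char *val, size_t vsz) {
    size_t off = 0; uint32_t cnt, nlen, vlen;
    if (get_u32(b, &off, &cnt) || cnt != 1 || get_u32(b, &off, &nlen)) return -1;
    if (nlen >= nsz || off + nlen > b->len) return -1;
    memcpy(name, b->buf + off, nlen); name[nlen] = '\0'; off += nlen;
    if (get_u32(b, &off, &vlen) || vlen >= vsz || off + vlen > b->len) return -1;
    memcpy(val, b->buf + off, vlen); val[vlen] = '\0';
    return 0;
}
```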
+ 
+ [ Test Plan ]
+ 
+ The issue can be reproduced (before) and the fix tested (after)
+ following the steps below:
+ 
+ $ sudo snap install microceph
+ $ sudo microceph cluster bootstrap
+ $ sudo microceph.ceph osd crush rule rm replicated_rule
+ $ sudo microceph.ceph osd crush rule create-replicated single default osd
+ $ sudo microceph disk add /dev/sdb --wipe
+ $ sudo microceph.ceph config set global osd_pool_default_size 1
+ $ sudo microceph.ceph osd pool create cephfs_metadata 8
+ $ sudo microceph.ceph osd pool create cephfs_data 8
+ $ sudo microceph.ceph fs new cephfs cephfs_metadata cephfs_data
+ $ sudo apt install selinux-basics selinux-policy-default -y && sudo selinux-activate
+ $ sudo reboot
+ 
+ $ sudo mkdir -p /mnt/cephfs
+ $ sudo microceph.ceph auth get-or-create client.admin mon 'allow *' mds 'allow *' osd 'allow *' mgr 'allow *'
+ $ sudo mount -t ceph $(hostname -I | awk '{print $1}'):6789:/ /mnt/cephfs -o name=admin,secret=
+ $ sudo touch /mnt/cephfs/test.txt
+ $ ll /mnt/cephfs/
+ 
+ [ Regression Potential ]
+ 
+ This fix modifies how SELinux provides security context data
+ to the CephFS client and how that data is encoded for transmission.
+ A regression could cause incorrect xattr encoding,
+ resulting in file creation failures (EPERM or EIO) or LSM labeling errors.
+ If the context pointer is mishandled, memory corruption or crashes may occur.
+ Additionally, malformed pagelist encoding could cause client-MDS
+ protocol mismatches.
+  
+ ---
+ 
  Upgraded ceph cluster running ceph to 24.04.2 from Ubuntu 22. Turning on
  selinux (permissive), hit a kernel null reference when mounting cephfs
  and trying to touch a file:
  
  1. Update cluster to 24.04
  
  2. Verify ceph is working as intended (able to mount cephFS, write out a
  file, unmount, etc.)
  
  3. Installed selinux packages
  
  4. Added following to grub on all 3 cluster members:
  "audit=1 audit_backlog_limit=8192 panic=10 security=selinux selinux=1 apparmor=0"
  
  5. Selinux policy is permissive:
  root@ceph0:~# sestatus
  SELinux status:                 enabled
  SELinuxfs mount:                /sys/fs/selinux
  SELinux root directory:         /etc/selinux
  Loaded policy name:             default
  Current mode:                   permissive
  Mode from config file:          permissive
  Policy MLS status:              enabled
  Policy deny_unknown status:     allowed
  Memory protection checking:     actual (secure)
  Max kernel policy version:      33
  root@ceph0:~#
  
  6. Mounted ceph fs:
  mount -t ceph admin@.cephfs=/ /var/lib/libvirt/images -o ms_mode=secure
  
  7. Attempted to write a file; it did not complete and a null reference was reported:
  [   86.678570] BUG: kernel NULL pointer dereference, address: 000000000000001d
  [   86.679238] #PF: supervisor read access in kernel mode
  [   86.679859] #PF: error_code(0x0000) - not-present page
  [   86.680445] PGD 0 P4D 0
  [   86.681021] Oops: 0000 [#1] PREEMPT SMP PTI
  [   86.681558] CPU: 0 PID: 2818 Comm: touch Not tainted 6.8.0-62-generic #65-Ubuntu
  [   86.682095] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
  [   86.682716] RIP: 0010:memcpy_orig+0x54/0x130
  [   86.683267] Code: 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 <4c> 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
  [   86.684464] RSP: 0018:ffffa79300b2f7e0 EFLAGS: 00010283
  [   86.685060] RAX: ffff9aeb6123a008 RBX: 0000000000000ff8 RCX: 0000000000000000
  [   86.685659] RDX: ffffffffffffffe5 RSI: 0000000000000025 RDI: ffff9aeb6123a02d
  [   86.686265] RBP: ffffa79300b2f810 R08: 0000000000000025 R09: 0000000000000000
  [   86.686843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000025
  [   86.687366] R13: 0000000000000000 R14: ffff9aeb408d5960 R15: ffffa79300b2f8e4
  [   86.687888] FS:  0000724d07b47740(0000) GS:ffff9aec77c00000(0000) knlGS:0000000000000000
  [   86.688416] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [   86.688947] CR2: 000000000000001d CR3: 000000012038a004 CR4: 00000000001706f0
  [   86.689541] Call Trace:
  [   86.690124]  <TASK>
  [   86.690704]  ? show_regs+0x6d/0x80
  [   86.691256]  ? __die+0x24/0x80
  [   86.691807]  ? page_fault_oops+0x99/0x1b0
  [   86.692426]  ? kernelmode_fixup_or_oops.isra.0+0x69/0x90
  [   86.692991]  ? __bad_area_nosemaphore+0x19e/0x2c0
  [   86.693563]  ? find_vma+0x34/0x60
  [   86.694214]  ? bad_area_nosemaphore+0x16/0x30
  [   86.694835]  ? do_user_addr_fault+0x29d/0x670
  [   86.695439]  ? exc_page_fault+0x83/0x1b0
  [   86.696024]  ? asm_exc_page_fault+0x27/0x30
  [   86.696614]  ? memcpy_orig+0x54/0x130
  [   86.697202]  ? ceph_pagelist_append+0x124/0x150 [libceph]
  [   86.697995]  ceph_security_init_secctx+0xce/0x1f0 [ceph]
  [   86.698733]  ceph_new_inode+0x80/0xe0 [ceph]
  [   86.699484]  ceph_atomic_open+0x3b2/0x9d0 [ceph]
  [   86.700239]  ? may_create+0x141/0x150
  [   86.700903]  lookup_open.isra.0+0x3a9/0x570
  [   86.701534]  open_last_lookups+0x14f/0x400
  [   86.702196]  path_openat+0x99/0x2d0
  [   86.702815]  do_filp_open+0xaf/0x170
  [   86.703475]  do_sys_openat2+0xb3/0xe0
  [   86.704098]  __x64_sys_openat+0x55/0xa0
  [   86.704804]  x64_sys_call+0x1eb1/0x25a0
  [   86.705437]  do_syscall_64+0x7f/0x180
  [   86.706120]  ? filemap_map_pages+0x2fe/0x4c0
  [   86.706792]  ? __lruvec_stat_mod_folio+0x70/0xc0
  [   86.707444]  ? do_read_fault+0x112/0x200
  [   86.708157]  ? do_fault+0xf0/0x260
  [   86.708850]  ? handle_pte_fault+0x114/0x1d0
  [   86.709519]  ? __handle_mm_fault+0x654/0x800
  [   86.710216]  ? __count_memcg_events+0x6b/0x120
  [   86.710884]  ? count_memcg_events.constprop.0+0x2a/0x50
  [   86.711505]  ? handle_mm_fault+0xad/0x380
  [   86.712136]  ? do_user_addr_fault+0x334/0x670
  [   86.712778]  ? irqentry_exit_to_user_mode+0x7b/0x260
  [   86.713433]  ? irqentry_exit+0x43/0x50
  [   86.714111]  ? clear_bhb_loop+0x15/0x70
  [   86.714777]  ? clear_bhb_loop+0x15/0x70
  [   86.715330]  ? clear_bhb_loop+0x15/0x70
  [   86.715844]  entry_SYSCALL_64_after_hwframe+0x78/0x80
  [   86.716378] RIP: 0033:0x724d0791b175
  [   86.716895] Code: 83 e2 40 75 50 89 f0 f7 d0 a9 00 00 41 00 74 45 80 3d de fe 0e 00 00 74 60 89 da 4c 89 e6 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 7f 00 00 00 48 8b 55 b8 64 48 2b 14 25 28
  [   86.718058] RSP: 002b:00007ffd9c151d40 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
  [   86.718648] RAX: ffffffffffffffda RBX: 0000000000000941 RCX: 0000724d0791b175
  [   86.719225] RDX: 0000000000000941 RSI: 00007ffd9c153635 RDI: 00000000ffffff9c
  [   86.719833] RBP: 00007ffd9c151db0 R08: 0000000000000000 R09: 0000000000000000
  [   86.720414] R10: 00000000000001b6 R11: 0000000000000202 R12: 00007ffd9c153635
  [   86.720982] R13: 0000724d07a03248 R14: 0000000000000000 R15: 0000000000000001
  [   86.721596]  </TASK>
  
  ProblemType: Bug
  DistroRelease: Ubuntu 24.04
  Package: linux-image-6.8.0-62-generic 6.8.0-62.65
  ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12
  Uname: Linux 6.8.0-62-generic x86_64
  AlsaDevices:
-  total 0
-  crw-rw----. 1 root audio 116,  1 Jun 26 19:53 seq
-  crw-rw----. 1 root audio 116, 33 Jun 26 19:53 timer
+  total 0
+  crw-rw----. 1 root audio 116,  1 Jun 26 19:53 seq
+  crw-rw----. 1 root audio 116, 33 Jun 26 19:53 timer
  AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
  ApportVersion: 2.28.1-0ubuntu3.7
  Architecture: amd64
  ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
  AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
- CRDA: N/A
+  CRDA: N/A
  CasperMD5CheckResult: pass
  CloudArchitecture: x86_64
  CloudID: none
  CloudName: none
  CloudPlatform: none
  CloudSubPlatform: config
  Date: Thu Jun 26 20:01:43 2025
  InstallationDate: Installed on 2024-03-19 (464 days ago)
  InstallationMedia: Ubuntu-Server 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240216.1)
  IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
  Lsusb: Error: command ['lsusb'] failed with exit code 1:
  Lsusb-t:
-  
+ 
  Lsusb-v: Error: command ['lsusb', '-v'] failed with exit code 1:
  MachineType: VMware, Inc. VMware Virtual Platform
  PciMultimedia:
-  
+ 
  ProcEnviron:
-  LANG=en_US.UTF-8
-  PATH=(custom, no user)
-  SHELL=/bin/bash
-  TERM=xterm-256color
-  XDG_RUNTIME_DIR=<set>
+  LANG=en_US.UTF-8
+  PATH=(custom, no user)
+  SHELL=/bin/bash
+  TERM=xterm-256color
+  XDG_RUNTIME_DIR=<set>
  ProcFB: 0 vmwgfxdrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-6.8.0-62-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ipv6.disable=1 ipv6.disable=1 audit=1 audit_backlog_limit=8192 panic=10 security=selinux selinux=1 apparmor=0
  RelatedPackageVersions:
-  linux-restricted-modules-6.8.0-62-generic N/A
-  linux-backports-modules-6.8.0-62-generic  N/A
-  linux-firmware                            20240318.git3b128b60-0ubuntu2.13
+  linux-restricted-modules-6.8.0-62-generic N/A
+  linux-backports-modules-6.8.0-62-generic  N/A
+  linux-firmware                            20240318.git3b128b60-0ubuntu2.13
  RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
  SourcePackage: linux
  UpgradeStatus: Upgraded to noble on 2025-06-26 (0 days ago)

https://bugs.launchpad.net/bugs/2115447

Title:
  Ubuntu 24.04.2: NULL pointer dereference with Ceph and selinux
