62261 – 3.11 regression: null pointer oops in aa_calc_profile_hash

Bug 62261 - 3.11 regression: null pointer oops in aa_calc_profile_hash

Summary: 3.11 regression: null pointer oops in aa_calc_profile_hash

Status:	NEW

Alias:	None

Product:	Other
Classification:	Unclassified
Component:	Loadable Security Modules (LSM) (show other bugs)
Hardware:	All Linux

Importance:	P1 normal
Assignee:	Other/LSM

URL:
Keywords:

Depends on:
Blocks:

Reported:	2013-09-27 22:56 UTC by Phillip Susi
Modified:	2013-09-30 03:03 UTC (History)
CC List:	1 user (show)

See Also:
Kernel Version:
Subsystem:
Regression:	Yes
Bisected commit-id:

Attachments
patch for BUG in aa_calc_profile_hash (3.41 KB, patch) 2013-09-29 14:01 UTC, John Johansen	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Description Phillip Susi 2013-09-27 22:56:58 UTC

BUG: unable to handle kernel NULL pointer dereference at           (null)
IP: [<ffffffff812dcbec>] aa_calc_profile_hash+0x11c/0x230
PGD 127388067 PUD 1267fe067 PMD 0 
Oops: 0000 [#1] SMP 
Modules linked in: bnep rfcomm btusb radeon joydev snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_pcm snd_page_alloc snd_seq_midi ttm ath3k snd_seq_midi_event snd_rawmidi drm_kms_helper bluetooth snd_seq psmouse drm eeepc_wmi asus_wmi snd_seq_device dm_multipath snd_timer sparse_keymap serio_raw scsi_dh snd video mxm_wmi lpc_ich soundcore i2c_algo_bit wmi binfmt_misc hid_generic hid_microsoft usbhid hid ahci e1000e libahci ptp pps_core
CPU: 2 PID: 1275 Comm: apparmor_parser Not tainted 3.11.0+ #27
Hardware name: System manufacturer System Product Name/P8P67 PRO REV 3.1, BIOS 1904 08/15/2011
task: ffff880126725dc0 ti: ffff880127f46000 task.ti: ffff880127f46000
RIP: 0010:[<ffffffff812dcbec>]  [<ffffffff812dcbec>] aa_calc_profile_hash+0x11c/0x230
RSP: 0018:ffff880127f47d20  EFLAGS: 00010246
RAX: 0000000410004d43 RBX: 0000000000001040 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000010 RDI: 0000000000000024
RBP: ffff880127f47d90 R08: ffff880127860000 R09: ffff880127f47d38
R10: 0000000000008000 R11: 0000000000000014 R12: ffff88012867b800
R13: 00000000000109fc R14: ffff88012867b800 R15: ffff88012867b800
FS:  00007fac4819a740(0000) GS:ffff88012f500000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000000 CR3: 00000001284fb000 CR4: 00000000000407e0
Stack:
 0000000500001f5c ffff8801269ab540 ffffffff00000000 ffff88012edf21c0
 0000000400000d24 0000000000000000 0000000000000000 0000000000000002
 0000000000000000 0000000000000000 0000000000000000 ffff880127f47ea8
Call Trace:
 [<ffffffff812d9ad5>] aa_unpack+0x2b5/0xc10
 [<ffffffff812d862d>] aa_replace_profiles+0x3d/0xa20
 [<ffffffff8115e555>] ? __vmalloc_node+0x35/0x40
 [<ffffffff812d4f90>] ? __aa_kvmalloc+0x80/0x90
 [<ffffffff812d2fc7>] profile_replace+0x37/0x50
 [<ffffffff8118d075>] vfs_write+0xc5/0x1e0
 [<ffffffff8118d562>] SyS_write+0x52/0xa0
 [<ffffffff8167cb46>] system_call_fastpath+0x1a/0x1f
Code: d8 48 89 da 48 c1 eb 22 48 8b 0c dd 40 f1 f1 81 48 c1 e8 0c 48 c1 ea 1b 48 85 c9 0f 84 fe 00 00 00 83 e2 7f 48 c1 e2 05 48 01 ca <48> 8b 12 48 c1 e0 06 89 75 d0 8b 3d 1c 7f c5 00 be d0 80 00 00 
RIP  [<ffffffff812dcbec>] aa_calc_profile_hash+0x11c/0x230
 RSP <ffff880127f47d20>
CR2: 0000000000000000
---[ end trace dd6bff1b01d8a270 ]---

Working on bisecting it now.

Comment 1 Phillip Susi 2013-09-28 00:03:47 UTC

Looks like this actually landed late in 3.11... I bisected it to this commit:

commit f8eb8a1324e81927b2c64823b2fc38386efd3fef
Author: John Johansen <john.johansen@canonical.com>
Date:   Wed Aug 14 11:27:36 2013 -0700

    apparmor: add the ability to report a sha1 hash of loaded policy
    
    Provide userspace the ability to introspect a sha1 hash value for each
    profile currently loaded.
    
    Signed-off-by: John Johansen <john.johansen@canonical.com>
    Acked-by: Seth Arnold <seth.arnold@canonical.com>

Comment 2 John Johansen 2013-09-29 13:59:17 UTC

No this isn't in 3.11 its part of the 3.12 pull request from the security tree. The original request went to the security tree around 3.11-rc5 to be queued for the 3.12 merge

This looks to be the vmalloc + hash interface with scatter gather lists problems that has been reported a couple times. We have a patch (attached) for this that has been in testing and I am sending out a pull request for.

Comment 3 John Johansen 2013-09-29 14:01:40 UTC

Created attachment 109921 [details]
patch for BUG in aa_calc_profile_hash

Comment 4 Phillip Susi 2013-09-30 01:09:40 UTC

Strange, I wonder why git describe describes it as following v3.11-rc2 instead of v3.11 final?

Comment 5 John Johansen 2013-09-30 03:03:21 UTC

Hrmmm, possibly the security tree that they went into was around v3.11-rc2? The apparmor request was pulled on Aug 15

https://lkml.org/lkml/2013/8/15/192

but the original pull request shows the security tree next branch (which I rebase against for a pull was at an earlier state (July 25)


The following changes since commit 9548906b2bb7ff09e12c013a55d669bef2c8e121:

  xattr: Constify ->name member of "struct xattr". (2013-07-25 19:30:03 +1000)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor for-security

for you to fetch changes up to f8eb8a1324e81927b2c64823b2fc38386efd3fef:

  apparmor: add the ability to report a sha1 hash of loaded policy (2013-08-14 11:42:08 -0700)

----------------------------------------------------------------
John Johansen (14):
      apparmor: enable users to query whether apparmor is enabled
      apparmor: add a features/policy dir to interface
      apparmor: provide base for multiple profiles to be replaced at once
      apparmor: convert profile lists to RCU based locking
      apparmor: change how profile replacement update is done
      apparmor: update how unconfined is handled
      apparmor: rework namespace free path
      apparmor: make free_profile available outside of policy.c
      apparmor: allow setting any profile into the unconfined state
      apparmor: add interface files for profiles and namespaces
      apparmor: add an optional profile attachment string for profiles
      apparmor: add the profile introspection file to interface
      apparmor: export set of capabilities supported by the apparmor module
      apparmor: add the ability to report a sha1 hash of loaded policy

Tetsuo Handa (1):
      apparmor: remove minimum size check for vmalloc()

 security/apparmor/Kconfig                 |  12 +
 security/apparmor/Makefile                |   7 +-
 security/apparmor/apparmorfs.c            | 636 +++++++++++++++++++++++++++++-
 security/apparmor/capability.c            |   5 +
 security/apparmor/context.c               |  16 +-
 security/apparmor/crypto.c                |  97 +++++
 security/apparmor/domain.c                |  24 +-
 security/apparmor/include/apparmor.h      |   6 +
 security/apparmor/include/apparmorfs.h    |  40 ++
 security/apparmor/include/audit.h         |   1 -
 security/apparmor/include/capability.h    |   4 +
 security/apparmor/include/context.h       |  15 +-
 security/apparmor/include/crypto.h        |  36 ++
 security/apparmor/include/policy.h        | 218 +++++++---
 security/apparmor/include/policy_unpack.h |  21 +-
 security/apparmor/lib.c                   |   5 -
 security/apparmor/lsm.c                   |  22 +-
 security/apparmor/policy.c                | 609 ++++++++++++++++------------
 security/apparmor/policy_unpack.c         | 135 +++++--
 security/apparmor/procattr.c              |   2 +-
 20 files changed, 1502 insertions(+), 409 deletions(-)
 create mode 100644 security/apparmor/crypto.c
 create mode 100644 security/apparmor/include/crypto.h

Note You need to log in before you can comment on or make changes to this bug.