kernel-packages team mailing list archive

Thread
Date
[Bug 581525] Re: Lucid: system becomes unstable randomly, seems related with apparmor

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Mathew Hodson <mathew.hodson@xxxxxxxxx>
Date: Thu, 12 Feb 2015 07:01:45 -0000
Reply-to: Bug 581525 <581525@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx
** CVE removed: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2010-4249

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/581525

Title:
  Lucid: system becomes unstable randomly, seems related with apparmor

Status in apparmor package in Ubuntu:
  Fix Released
Status in linux package in Ubuntu:
  Fix Released
Status in apparmor source package in Lucid:
  Fix Released
Status in linux source package in Lucid:
  Fix Released
Status in apparmor source package in Maverick:
  Fix Released
Status in linux source package in Maverick:
  Fix Released

Bug description:
  SRU Justification (apparmor)

  1. impact of the bug is medium for stable releases. There are two
  parts to this bug: the kernel side OOPSing when a the parser generates
  invalid tables, and the parser generating correct tables. The lucid
  kernel should receive the fix sometime in the future, but the
  userspace should also be fixed.

  The kernel bug was a broken test in verifying the dfa next/check table
  size (so the userspace bug was not caught when it should have been).
  This means that it can at times reference beyond the dfa table (by at
  most 255 entries).

  The userspace bug is that the next/check table is not correctly padded
  with 0 entries, so that it is impossible to reference beyond the end
  of the table when in the states that use the end of the table for
  their references.

  
  2. This has been addressed during the maverick development cycle.

  3. This is r1392 from the apparmor-2.5 branch. The commit mistakenly
  references a different bug (599450), but the text is: "Changes the
  table resizing so that there is always sufficient high entries in the
  table, preventing bounds violations from occurring."

  4. TEST CASE: there are multiple possible test cases
  4.1 Load a profile against a patched kernel (the maverick kernel can be used for this or a patched Lucid Kernel).  The kernel will reject the profile with the following message in the logs
      AppArmor DFA next/check upper bounds error fixed, upgrade user space tools

  4.2 The dfa verifier can be run against a profiles dfa in user space,
  but the checker is not part of the distro or easy to use atm as it
  requires manually extracting the tables from the profile.  The full
  userspace profile verifier isn't available yet.

  4.3 A profile can be compiled using the parser pre and post patching, and compared using a hex editor.  The components of the profile that are changed are the size of the table and at the end of dfa table several 0 entries padding out the table.  To do this choose a small profile eg. usr.sbin.tcpdump and run
  ./apparmor_parser -S <profile> >out.file
  ./apparmor_parser-patched -S <profile> >out.file2

  The dfa table generated starts with the string aadfa\0 followed by a 4
  byte (little endian blob size - this will differ), follow by the
  actual table header with various table size (some of these will
  change) and then the actual tables which almost fill the rest of the
  profile.  Towards the end of the profile there should be extra 0's.
  And then the closing data of the profile which should not change.  The
  data within the profile should not change beyond the couple of size
  entries and the 0 padding at the end.

  
  5. The regression potential is considered low as the patch just pads out the table to make sure there are no bounds violations. The patch was pushed in maverick during its development cycle and showed no regressions. This is an important reliability fix for people who are affected (this has affected at least one Canonical server).

  
  Hi,

  Since last week I am experiencing a problem which seems related to
  apparmor. Kernel is crashing at aa_dfa_match_len+0xd9/0xf0, and a
  trace like the the following appears on my system logs:

  May 17 01:57:04 mplaptop kernel: [ 6430.314093] PGD 1002063 PUD 0
  May 17 01:57:04 mplaptop kernel: [ 6430.314101] CPU 1
  May 17 01:57:04 mplaptop kernel: [ 6430.314103] Modules linked in: xts gf128mul binfmt_misc ppdev vboxnetadp vboxnetflt vboxdrv sha256_generic cryptd aes_x86_64 aes_generic dm_crypt joydev snd_hda_codec_realtek ipt_REJECT ipt_LOG xt_limit xt_tcpudp ipt_addrtype xt_state dell_wmi arc4 snd_hda_intel snd_hda_codec snd_hwdep snd_pcm_oss snd_mixer_oss snd_pcm ip6table_filter ip6_tables snd_seq_dummy nf_nat_irc snd_seq_oss nf_conntrack_irc snd_seq_midi nf_nat_ftp snd_rawmidi nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 snd_seq_midi_event nf_conntrack_ftp snd_seq nf_conntrack iwlagn iptable_filter snd_timer snd_seq_device iwlcore ip_tables snd uvcvideo videodev v4l1_compat v4l2_compat_ioctl32 x_tables mac80211 sdhci_pci dell_laptop dcdbas sdhci led_class nvidia(P) soundcore snd_page_alloc cfg80211 psmouse serio_raw uinput lp parport usbhid hid fbcon tileblit font bitblit ohci1394 softcursor ieee1394 r8169 mii ahci vga16fb vgastate intel_agp video output
  May 17 01:57:04 mplaptop kernel: [ 6430.314159] Pid: 5065, comm: gnome-panel Tainted: P      D    2.6.32-22-generic #33-Ubuntu Vostro1710
  May 17 01:57:04 mplaptop kernel: [ 6430.314161] RIP: 0010:[<ffffffff8127dc49>]  [<ffffffff8127dc49>] aa_dfa_match_len+0xd9/0xf0
  May 17 01:57:04 mplaptop kernel: [ 6430.314170] RSP: 0018:ffff880116649d20  EFLAGS: 00010216
  May 17 01:57:04 mplaptop kernel: [ 6430.314172] RAX: 0000000000000039 RBX: ffff880051285a8c RCX: 0000000000000039
  May 17 01:57:04 mplaptop kernel: [ 6430.314174] RDX: ffff88011e65a4f1 RSI: 0000000053726599 RDI: ffff88011e65a4f1
  May 17 01:57:04 mplaptop kernel: [ 6430.314176] RBP: ffff880116649d38 R08: 0000000000000000 R09: ffff88012bbfc40c
  May 17 01:57:04 mplaptop kernel: [ 6430.314177] R10: ffff88009697606c R11: ffff88011e65a4ff R12: ffff88012bbfc20c
  May 17 01:57:04 mplaptop kernel: [ 6430.314179] R13: ffff88011e65a4de R14: ffff88011e65a4de R15: 0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314181] FS:  00007f689ffe17e0(0000) GS:ffff880028300000(0000) knlGS:0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314183] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  May 17 01:57:04 mplaptop kernel: [ 6430.314185] CR2: ffff8801d2a48f3e CR3: 0000000111c91000 CR4: 00000000000026e0
  May 17 01:57:04 mplaptop kernel: [ 6430.314187] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314189] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
  May 17 01:57:04 mplaptop kernel: [ 6430.314191] Process gnome-panel (pid: 5065, threadinfo ffff880116648000, task ffff8801360a8000)
  May 17 01:57:04 mplaptop kernel: [ 6430.314194]  ffff880096976ea0 0000000000000001 ffff88011e65a4de ffff880116649d68
  May 17 01:57:04 mplaptop kernel: [ 6430.314197] <0> ffffffff8127dc9a ffff880116649db8 ffff88012e58b800 0000000000000000
  May 17 01:57:04 mplaptop kernel: [ 6430.314200] <0> ffff88013fc022a8 ffff880116649db8 ffffffff8127e7d3 ffff88012e58b818
  May 17 01:57:04 mplaptop kernel: [ 6430.314206]  [<ffffffff8127dc9a>] aa_dfa_match+0x3a/0x50
  May 17 01:57:04 mplaptop kernel: [ 6430.314209]  [<ffffffff8127e7d3>] aa_find_attach+0x93/0xf0
  May 17 01:57:04 mplaptop kernel: [ 6430.314211]  [<ffffffff8127f80b>] apparmor_bprm_set_creds+0x36b/0x530
  May 17 01:57:04 mplaptop kernel: [ 6430.314215]  [<ffffffff8108998e>] ? up_write+0xe/0x10
  May 17 01:57:04 mplaptop kernel: [ 6430.314219]  [<ffffffff812507e3>] security_bprm_set_creds+0x13/0x20
  May 17 01:57:04 mplaptop kernel: [ 6430.314223]  [<ffffffff81149431>] prepare_binprm+0xb1/0x110
  May 17 01:57:04 mplaptop kernel: [ 6430.314225]  [<ffffffff8114a29c>] do_execve+0x1ac/0x300
  May 17 01:57:04 mplaptop kernel: [ 6430.314229]  [<ffffffff812bbdda>] ? strncpy_from_user+0x4a/0x90
  May 17 01:57:04 mplaptop kernel: [ 6430.314233]  [<ffffffff810115ba>] sys_execve+0x4a/0x80
  May 17 01:57:04 mplaptop kernel: [ 6430.314236]  [<ffffffff8101360a>] stub_execve+0x6a/0xc0
  May 17 01:57:04 mplaptop kernel: [ 6430.314265]  RSP <ffff880116649d20>
  May 17 01:57:04 mplaptop kernel: [ 6430.314268] ---[ end trace 2b51de9f06402b92 ]---

  Sometimes it does not seem to have visible effects, other times it renders the system unusable. When that happens, I often need to reboot several times, as the issue appears again on the next boot process. My system is an up-to-date lucid, installation mostly by default but with several dm_crypt partitions over LVM, and virtualbox-ose installed. I have also enabled the firefox apparmor profile and several other custom profiles.
  Note that I am sometimes experienced another extrange apparmor behavior, as it attaches (randomly) a profile to a process that has not a profile defined (lets say, for example, it attaches the firefox profile to gedit). I experienced that 2 or 3 times, I will try to give you more information next time I see it, maybe it is related to this.
  Finally, just note that this problem seems related to bug #529288.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/apparmor/+bug/581525/+subscriptions