Ubuntu
linux package

AppArmor onexec transition causes WARN kernel stack trace

Bug #1838627 reported by John Johansen on 2019-08-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	linux (Ubuntu)	Incomplete	Undecided	Unassigned
	Xenial	Fix Released	Undecided	John Johansen

Bug Description

microk8s has reported on issue with the Xenial kernel where apparmor causes the following kernel stack trace due to an apparmor AA_BUG condition being triggered.

[ 225.236085] ------------[ cut here ]------------
[ 225.236104] WARNING: CPU: 1 PID: 13726 at /build/linux-aUWTNP/linux-4.4.0/security/apparmor/file.c:136 aa_audit_file+0x16e/0x180()
[ 225.236109] AppArmor WARN aa_audit_file: ((!(&sa)->apparmor_audit_data->request)):
[ 225.236113] Modules linked in:
[ 225.236118] btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs xfs veth xt_nat xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs libcrc32c ctr ccm ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 br_netfilter bridge stp llc pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep aufs overlay binfmt_misc drbg ansi_cprng dm_crypt snd_hda_codec_hdmi arc4 eeepc_wmi asus_wmi sparse_keymap nvidia_uvm(POE) mxm_wmi joydev input_leds btusb btrtl btbcm btintel bluetooth snd_usb_audio snd_usbmidi_lib snd_hda_intel snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hda_core intel_powerclamp snd_hwdep coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport ac97_bus
[ 225.236305] snd_seq_midi aesni_intel snd_pcm snd_seq_midi_event aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_rawmidi snd_seq iwlmvm snd_seq_device serio_raw snd_timer mac80211 snd soundcore iwlwifi cfg80211 mei_me mei shpchp 8250_fintek wmi acpi_pad mac_hid ip6t_REJECT nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6 ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_recent xt_limit xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc iptable_filter ip_tables ppdev x_tables lp parport autofs4 hid_generic usbhid hid nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) i915_bpo psmouse e1000e intel_ips ptp i2c_algo_bit
[ 225.236420] pps_core drm_kms_helper nvme syscopyarea sysfillrect sysimgblt fb_sys_fops ahci drm libahci video fjes
[ 225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P W OE 4.4.0-154-generic #181-Ubuntu
[ 225.236451] Hardware name: System manufacturer System Product Name/PRIME H270-PRO, BIOS 0323 01/04/2017
[ 225.236456] 0000000000000286 fa217f3573a84520 ffff88033ade39d0 ffffffff8140b481
[ 225.236464] ffff88033ade3a18 ffffffff81d03018 ffff88033ade3a08 ffffffff81085432
[ 225.236477] ffff88035cb2f000 ffff88033ade3b6c ffff88033bcb8b88 ffff88033ade3d88
[ 225.236484] Call Trace:
[ 225.236498] [<ffffffff8140b481>] dump_stack+0x63/0x82
[ 225.236509] [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
[ 225.236518] [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
[ 225.236527] [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
[ 225.236536] [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
[ 225.236544] [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
[ 225.236554] [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
[ 225.236562] [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
[ 225.236571] [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
[ 225.236581] [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
[ 225.236589] [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
[ 225.236596] [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
[ 225.236608] [<ffffffffc1439712>] ? ovl_getxattr+0x52/0xb0 [overlay]
[ 225.236617] [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
[ 225.236624] [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
[ 225.236633] [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
[ 225.236642] [<ffffffff812229d5>] prepare_binprm+0x85/0x190
[ 225.236651] [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
[ 225.236661] [<ffffffff8122460a>] SyS_execve+0x3a/0x50
[ 225.236671] [<ffffffff81863f15>] stub_execve+0x5/0x5
[ 225.236678] [<ffffffff81863b9b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
[ 225.236684] ---[ end trace 6b2beaa85ae31c29 ]---

This is caused when the change_onexec api is used and permitted by the profile but the task has the NO_NEW_PRIVS flag set causing the domain transition specified in the change_onexec request to fail.

Tags:

CVE References

Revision history for this message

John Johansen (jjohansen) wrote on 2019-08-01:

0001-UBUNTU-SAUCE-apparmor-fix-audit-failures-when-perfor.patch Edit (5.6 KiB, text/plain)

Fix selected and backported from a larger patch that originally landed in Zesty and subsequently landed in upstream.

Changed in linux (Ubuntu Xenial):
assignee:	nobody → John Johansen (jjohansen)
status:	New → Confirmed

Revision history for this message

John Johansen (jjohansen) wrote on 2019-08-01:

The patch has been tested against a reproducer and fixes the issue.

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2019-08-01: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1838627

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete
tags:	added: xenial

Ubuntu Foundations Team Bug Bot (crichton) on 2019-08-01

tags:

added: patch

Kleber Sacilotto de Souza (kleber-souza) on 2019-08-12

Changed in linux (Ubuntu Xenial):
status:	Confirmed → In Progress

Khaled El Mously (kmously) on 2019-08-13

Changed in linux (Ubuntu Xenial):
status:	In Progress → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2019-08-15:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

John Johansen (jjohansen) on 2019-08-26

tags:

added: verification-done-xenial
removed: verification-needed-xenial

Revision history for this message

Launchpad Janitor (janitor) wrote on 2019-09-02:

Download full text (5.5 KiB)

This bug was fixed in the package linux - 4.4.0-161.189

---------------
linux (4.4.0-161.189) xenial; urgency=medium

* xenial/linux: 4.4.0-161.189 -proposed tracker (LP: #1841544)

  * flock not mediated by 'k' (LP: 1658219)
    - Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being, enforced on
      cache check"

* Packaging resync (LP: #1786013)
- [Packaging] resync getabis

linux (4.4.0-160.188) xenial; urgency=medium

* xenial/linux: 4.4.0-160.188 -proposed tracker (LP: #1840021)

* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

  * EeePC 1005px laptop backlight is off after system boot up (LP: #1837117)
    - platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from
      asus_nb_wmi

  * CVE-2019-10638
    - [Config] CONFIG_TEST_HASH=n
    - siphash: add cryptographically secure PRF
    - inet: switch IP ID generator to siphash

  * Stacked onexec transitions fail when under NO NEW PRIVS restrictions
    (LP: #1839037)
    - SAUCE: apparmor: fix nnp subset check failure, when stacking

* AppArmor onexec transition causes WARN kernel stack trace (LP: #1838627)
- SAUCE: apparmor: fix audit failures when performing profile transitions

  * flock not mediated by 'k' (LP: 1658219) // Ubuntu 16.04: read access
    incorrectly implies 'm' rule (LP: 1838090)
    - SAUCE: apparmor: flock mediation is not being, enforced on cache check

  * bcache: bch_allocator_thread(): hung task timeout (LP: #1784665) // Tight
    timeout for bcache removal causes spurious failures (LP: #1796292)
    - SAUCE: bcache: fix deadlock in bcache_allocator

  * bcache: bch_allocator_thread(): hung task timeout (LP: #1784665)
    - bcache: improve bcache_reboot()
    - bcache: add journal statistic
    - bcache: fix high CPU occupancy during journal
    - bcache: fix incorrect sysfs output value of strip size
    - bcache: fix error return value in memory shrink
    - bcache: fix using of loop variable in memory shrink
    - bcache: Fix indentation
    - bcache: Add __printf annotation to __bch_check_keys()
    - bcache: Annotate switch fall-through
    - bcache: Fix kernel-doc warnings
    - bcache: Remove an unused variable
    - bcache: Suppress more warnings about set-but-not-used variables
    - bcache: Reduce the number of sparse complaints about lock imbalances
    - bcache: Move couple of functions to sysfs.c

  * CVE-2019-3900
    - vhost: introduce vhost_vq_avail_empty()
    - vhost_net: tx batching
    - vhost_net: do not stall on zerocopy depletion
    - vhost-net: set packet weight of tx polling to 2 * vq size
    - vhost_net: use packet weight for rx handler, too
    - vhost_net: introduce vhost_exceeds_weight()
    - vhost: introduce vhost_exceeds_weight()
    - vhost_net: fix possible infinite loop
    - vhost: scsi: add weight support

* Xenial: ZFS deadlock in shrinker path with xattrs (LP: #1839521)
- SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu28

* CVE-2019-13648
- powerpc/tm: Fix oops on sigreturn on systems without TM

* CVE-2018-20856
- block: blk_init_allocated_queue() set q->fq as NULL in the fail case

* CVE-2019-14283
- floppy: fix out-of-bound...

This bug was fixed in the package linux - 4.4.0-161.189

---------------
linux (4.4.0-161.189) xenial; urgency=medium

* xenial/linux: 4.4.0-161.189 -proposed tracker (LP: #1841544)

* flock not mediated by 'k' (LP: 1658219)
    - Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being, enforced on
      cache check"

* Packaging resync (LP: #1786013)
    - [Packaging] resync getabis

linux (4.4.0-160.188) xenial; urgency=medium

* xenial/linux: 4.4.0-160.188 -proposed tracker (LP: #1840021)

* Packaging resync (LP: #1786013)
    - [Packaging] update helper scripts

* EeePC 1005px laptop backlight is off after system boot up (LP: #1837117)
    - platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from
      asus_nb_wmi

* CVE-2019-10638
    - [Config] CONFIG_TEST_HASH=n
    - siphash: add cryptographically secure PRF
    - inet: switch IP ID generator to siphash

* Stacked onexec transitions fail when under NO NEW PRIVS restrictions
    (LP: #1839037)
    - SAUCE: apparmor: fix nnp subset check failure, when stacking

* AppArmor onexec transition causes WARN kernel stack trace (LP: #1838627)
    - SAUCE: apparmor: fix audit failures when performing profile transitions

* flock not mediated by 'k' (LP: 1658219) // Ubuntu 16.04: read access
    incorrectly implies 'm' rule (LP: 1838090)
    - SAUCE: apparmor: flock mediation is not being, enforced on cache check

* Xenial: ZFS deadlock in shrinker path with xattrs (LP: #1839521)
    - SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu28

* CVE-2019-13648
    - powerpc/tm: Fix oops on sigreturn on systems without TM

* CVE-2018-20856
    - block: blk_init_allocated_queue() set q->fq as NULL in the fail case

* CVE-2019-14283
    - floppy: fix out-of-bounds read in copy_buffer

* CVE-2019-14284
    - floppy: fix div-by-zero in setup_format_params

* Xenial update: 4.4.186 upstream stable release (LP: #1838467)
    - Input: elantech - enable middle button support on 2 ThinkPads
    - samples, bpf: fix to change the buffer size for read()
    - mac80211: mesh: fix RCU warning
    - dt-bindings: can: mcp251x: add mcp25625 support
    - can: mcp251x: add support for mcp25625
    - Input: imx_keypad - make sure keyboard can always wake up system
    - ARM: davinci: da850-evm: call regulator_has_full_constraints()
    - ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
    - md: fix for divide error in status_resync
    - bnx2x: Check if transceiver implements DDM before access
    - udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
    - x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
    - x86/tls: Fix possible spectre-v1 in do_get_thread_area()
    - mwifiex: Abort at too short BSS descriptor element
    - fscrypt: don't set policy for a dead directory
    - mwifiex: Don't abort on small, spec-compliant vendor IEs
    - USB: serial: ftdi_sio: add ID for isodebug v1
    - USB: serial: option: add support for GosunCn ME3630 RNDIS mode
    - usb: gadget: ether: Fix race between gether_disconnect and rx_submit
    - usb: renesas_usbhs: add a workaround for a race condition of workqueue
    - staging: comedi: dt282x: fix a null pointer deref on interrupt
    - staging: comedi: amplc_pci230: fix null pointer deref on interrupt
    - carl9170: fix misuse of device driver API
    - VMCI: Fix integer overflow in VMCI handle arrays
    - MIPS: Remove superfluous check for __linux__
    - e1000e: start network tx queue only when link is up
    - perf/core: Fix perf_sample_regs_user() mm check
    - ARM: omap2: remove incorrect __init annotation
    - be2net: fix link failure after ethtool offline test
    - ppp: mppe: Add softdep to arc4
    - sis900: fix TX completion
    - dm verity: use message limit for data block corruption message
    - kvm: x86: avoid warning on repeated KVM_SET_TSS_ADDR
    - ARC: hide unused function unw_hdr_alloc
    - s390: fix stfle zero padding
    - s390/qdio: (re-)initialize tiqdio list entries
    - s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
    - KVM: x86: protect KVM_CREATE_PIT/KVM_CREATE_PIT2 with kvm->lock
    - Linux 4.4.186

-- Stefan Bader <stefan.bader@canonical.com>  Tue, 27 Aug 2019 09:49:19 +0200

Changed in linux (Ubuntu Xenial):
status:	Fix Committed → Fix Released

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Patches

0001-UBUNTU-SAUCE-apparmor-fix-audit-failures-when-perfor.patch Edit

Add patch

Remote bug watches

Bug watches keep track of this bug in other bug trackers.

Ubuntulinux package

AppArmor onexec transition causes WARN kernel stack trace

Bug Description

CVE References

Other bug subscribers

Patches

Remote bug watches

Ubuntu
linux package