Thread: 49 messages, 10 authors, 2019-02-09

WARNING in apparmor_secid_to_secctx

From: syzbot <hidden>
Date: 2018-09-02 05:03:58
Also in: lkml

On Sun, Sep 2, 2018 at 6:52 AM, John Johansen [off-list ref] wrote:
On 09/01/2018 09:33 PM, Dmitry Vyukov wrote:
On Sat, Sep 1, 2018 at 11:18 AM, John Johansen [off-list ref] wrote:
On 08/29/2018 07:17 PM, syzbot wrote:
Hello,

syzbot found the following crash on:

HEAD commit:    817e60a7a2bb Merge branch 'nfp-add-NFP5000-support'
git tree:       net-next
console output: https://syzkaller.appspot.com/x/log.txt?x=1536d296400000
kernel config:  https://syzkaller.appspot.com/x/.config?x=531a917630d2a492
dashboard link: https://syzkaller.appspot.com/bug?extid=21016130b0580a9de3b5
compiler:       gcc (GCC) 8.0.1 20180413 (experimental)

Unfortunately, I don't have any reproducer for this crash yet.

IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+21016130b0580a9de3b5 at syzkaller.appspotmail.com

<< snip >>

Patch sent directly to syzbot for testing

Hi John,
What do you mean? syzbot has not received any test requests for this,
and it would reply within half an hour or so. Where is that patch?

Hrmmm, strange. I followed the web instruction and attached the patch to the
reply. The patch is below; it's also available at

git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor 4.18-syzbot-secid
Humm.. Maybe you did not send it to syzbot?  The command should be just:
#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
4.18-syzbot-secid

"git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor" does not look like a valid git repo address.

---

From 22dad84baabf4174f11f5e9b34a05529084fa29c Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Sat, 1 Sep 2018 01:57:52 -0700
Subject: [PATCH] apparmor: fix apparmor_secid_to_secctx incorrect debug triggering WARN_ON

apparmor_secid_to_secctx() has a bad debug statement tripping on a
condition handled by the code.  When kconfig SECURITY_APPARMOR_DEBUG is
enabled the debug WARN_ON will trip when **secdata is NULL resulting
in the following trace.

------------[ cut here ]------------
AppArmor WARN apparmor_secid_to_secctx: ((!secdata)):
WARNING: CPU: 0 PID: 14826 at security/apparmor/secid.c:82 apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
Kernel panic - not syncing: panic_on_warn set ...

CPU: 0 PID: 14826 Comm: syz-executor1 Not tainted 4.19.0-rc1+ #193
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113
  panic+0x238/0x4e7 kernel/panic.c:184
  __warn.cold.8+0x163/0x1ba kernel/panic.c:536
  report_bug+0x252/0x2d0 lib/bug.c:186
  fixup_bug arch/x86/kernel/traps.c:178 [inline]
  do_error_trap+0x1fc/0x4d0 arch/x86/kernel/traps.c:296
  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:316
  invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:993
RIP: 0010:apparmor_secid_to_secctx+0x2b5/0x2f0 security/apparmor/secid.c:82
Code: c7 c7 40 66 58 87 e8 6a 6d 0f fe 0f 0b e9 6c fe ff ff e8 3e aa 44  
fe 48 c7 c6 80 67 58 87 48 c7 c7 a0 65 58 87 e8 4b 6d 0f fe <0f> 0b e9  
3f fe ff ff 48 89 df e8 fc a7 83 fe e9 ed fe ff ff bb f4
RSP: 0018:ffff8801ba1bed10 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8801ba1beed0 RCX: ffffc9000227e000
RDX: 0000000000018482 RSI: ffffffff8163ac01 RDI: 0000000000000001
RBP: ffff8801ba1bed30 R08: ffff8801b80ec080 R09: ffffed003b603eca
R10: ffffed003b603eca R11: ffff8801db01f657 R12: 0000000000000001
R13: 0000000000000000 R14: 0000000000000000 R15: ffff8801ba1beed0
  security_secid_to_secctx+0x63/0xc0 security/security.c:1314
  ctnetlink_secctx_size net/netfilter/nf_conntrack_netlink.c:621 [inline]
  ctnetlink_nlmsg_size net/netfilter/nf_conntrack_netlink.c:659 [inline]
  ctnetlink_conntrack_event+0x303/0x1470 net/netfilter/nf_conntrack_netlink.c:706
  nf_conntrack_eventmask_report+0x55f/0x930 net/netfilter/nf_conntrack_ecache.c:151
  nf_conntrack_event_report include/net/netfilter/nf_conntrack_ecache.h:112 [inline]
  nf_ct_delete+0x33c/0x5d0 net/netfilter/nf_conntrack_core.c:601
  nf_ct_iterate_cleanup+0x48c/0x5e0 net/netfilter/nf_conntrack_core.c:1892
  nf_ct_iterate_cleanup_net+0x23c/0x2d0 net/netfilter/nf_conntrack_core.c:1974
  ctnetlink_flush_conntrack net/netfilter/nf_conntrack_netlink.c:1226 [inline]
  ctnetlink_del_conntrack+0x66c/0x850 net/netfilter/nf_conntrack_netlink.c:1258
  nfnetlink_rcv_msg+0xd88/0x1070 net/netfilter/nfnetlink.c:228
  netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2454
  nfnetlink_rcv+0x1c0/0x4d0 net/netfilter/nfnetlink.c:560
  netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
  netlink_unicast+0x5a0/0x760 net/netlink/af_netlink.c:1343
  netlink_sendmsg+0xa18/0xfc0 net/netlink/af_netlink.c:1908
  sock_sendmsg_nosec net/socket.c:621 [inline]
  sock_sendmsg+0xd5/0x120 net/socket.c:631
  ___sys_sendmsg+0x7fd/0x930 net/socket.c:2114
  __sys_sendmsg+0x11d/0x290 net/socket.c:2152
  __do_sys_sendmsg net/socket.c:2161 [inline]
  __se_sys_sendmsg net/socket.c:2159 [inline]
  __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2159
  do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
  entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457089
Code: fd b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89  
f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01  
f0 ff ff 0f 83 cb b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f7bc6e03c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f7bc6e046d4 RCX: 0000000000457089
RDX: 0000000000000000 RSI: 0000000020d65000 RDI: 0000000000000003
RBP: 00000000009300a0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000004d4588 R14: 00000000004c8d5c R15: 0000000000000000
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Fixes: c092921219d2 ("apparmor: add support for mapping secids and using secctxes")
Reported-by: syzbot+21016130b0580a9de3b5 at syzkaller.appspotmail.com
Signed-off-by: John Johansen <john.johansen@canonical.com>
---
  security/apparmor/secid.c | 1 -
  1 file changed, 1 deletion(-)
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
index f2f22d00db18..4ccec1bcf6f5 100644
--- a/security/apparmor/secid.c
+++ b/security/apparmor/secid.c
@@ -79,7 +79,6 @@ int apparmor_secid_to_secctx(u32 secid, char  
**secdata, u32 *seclen)
         struct aa_label *label = aa_secid_to_label(secid);
         int len;
-       AA_BUG(!secdata);
         AA_BUG(!seclen);
         if (!label)
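Review bot: dropping `AA_BUG(!secdata)` while keeping `AA_BUG(!seclen)` is the right split, since the trace shows ctnetlink_secctx_size reaching this hook with no output buffer in order to learn the length, but the hunk's context stops at `if (!label)`, before the code that actually branches on a NULL `secdata`, so the diff alone does not show that the "condition handled by the code" claim holds; consider widening the context or naming the length-only caller in the commit message. It is also worth recording there that this debug check, combined with panic_on_warn, turned a conntrack flush (ctnetlink_flush_conntrack in the trace) into a full panic, which is the argument for never putting AA_BUG() on an input the hook's callers are allowed to pass.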
--
2.17.1
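Added example, not the kernel's or the patch author's code: a user-space model of the contract the patch restores, where a NULL secdata asks only for the length of the context string, with the pre-patch debug assertion beside the post-patch one. The label table, the MODEL_ names and the counting MODEL_BUG() stand-in are constructed for the demo.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef uint32_t u32;
/* Constructed secid -> label table standing in for aa_secid_to_label(). */
static const char *const model_labels[] = { NULL, "unconfined", "/usr/sbin/sshd (enforce)" };
#define MODEL_NLABELS (sizeof(model_labels) / sizeof(model_labels[0]))

/* Stand-in for AA_BUG(): with SECURITY_APPARMOR_DEBUG the real macro is a WARN_ON,
 * and panic_on_warn turns that into the panic in the trace above.  This one only
 * counts trips so the effect is observable without crashing. */
static int model_warn_count;
#define MODEL_BUG(cond) do { if (cond) model_warn_count++; } while (0)

/* Shared body: secdata == NULL means "report the length only"; otherwise a
 * malloc'd copy is returned.  *seclen receives the length in both cases. */
static int model_secctx_body(u32 secid, char **secdata, u32 *seclen)
{
    const char *label = secid < MODEL_NLABELS ? model_labels[secid] : NULL;
    size_t len;
    if (!label)
        return -EINVAL;
    len = strlen(label);
    if (secdata) {
        *secdata = malloc(len + 1);
        if (!*secdata)
            return -ENOMEM;
        memcpy(*secdata, label, len + 1);
    }
    *seclen = (u32)len;
    return 0;
}

/* Before the patch: asserts on NULL secdata, which callers legitimately pass
 * for a length-only query (the ctnetlink_secctx_size call in the trace). */
int model_secid_to_secctx_buggy(u32 secid, char **secdata, u32 *seclen)
{
    MODEL_BUG(!secdata);
    MODEL_BUG(!seclen);
    return model_secctx_body(secid, secdata, seclen);
}

/* After the patch: only the mandatory out-length pointer is asserted. */
int model_secid_to_secctx_fixed(u32 secid, char **secdata, u32 *seclen)
{
    MODEL_BUG(!seclen);
    return model_secctx_body(secid, secdata, seclen);
}
```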