Discussion:
Pidgin, 4.14 and App Armor Oops.
Zephaniah E. Loss-Cutler-Hull
2017-11-21 05:17:16 UTC
Note: I am not subscribed to either list, please try and keep me on the
CC list.

Alright, I am running Ubuntu 16.04, with a 4.14 kernel.

When I start up pidgin, I get the following in dmesg:

[   73.598446] audit: type=1400 audit(1511239699.316:81):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/pidgin"
name="/home/warp/.purple/plugins/libfacebook.so" pid=10675 comm="pidgin"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[   73.598639] audit: type=1400 audit(1511239699.316:82):
apparmor="DENIED" operation="file_mmap" profile="/usr/bin/pidgin"
name="/home/warp/.purple/plugins/libfacebook.so" pid=10675 comm="pidgin"
requested_mask="m" denied_mask="m" fsuid=1000 ouid=1000
[   74.599770] audit: type=1400 audit(1511239700.318:83):
apparmor="DENIED" operation="open" profile="/usr/bin/pidgin"
name="/dev/" pid=10675 comm="pidgin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
[   74.608247] audit: type=1400 audit(1511239700.326:84):
apparmor="DENIED" operation="file_mmap" profile="gst_plugin_scanner"
name="/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-plugin-scanner"
pid=10815 comm="gst-plugin-scan" requested_mask="m" denied_mask="m"
fsuid=1000 ouid=0
[   74.628037] audit: type=1400 audit(1511239700.346:85):
apparmor="DENIED" operation="open" profile="/usr/bin/pidgin"
name="/dev/" pid=10675 comm="pidgin" requested_mask="r" denied_mask="r"
fsuid=1000 ouid=0
[   75.754067] audit: type=1400 audit(1511239701.472:86):
apparmor="DENIED" operation="open" profile="/usr/bin/pidgin"
name="/home/warp/.local/share/applications/javaws/" pid=10675
comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=1000
[   75.756574] audit: type=1400 audit(1511239701.475:87):
apparmor="DENIED" operation="open" profile="/usr/bin/pidgin"
name="/usr/local/share/applications/" pid=10675 comm="pidgin"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   75.756803] audit: type=1400 audit(1511239701.475:88):
apparmor="DENIED" operation="open" profile="/usr/bin/pidgin"
name="/usr/local/share/applications/mimeinfo.cache" pid=10675
comm="pidgin" requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   75.757292] audit: type=1400 audit(1511239701.475:89):
apparmor="DENIED" operation="open" profile="/usr/bin/pidgin"
name="/usr/share/applications/kde4/" pid=10675 comm="pidgin"
requested_mask="r" denied_mask="r" fsuid=1000 ouid=0
[   76.178568] BUG: unable to handle kernel paging request at
ffffffff0eee3bc0
[   76.178579] IP: audit_signal_cb+0x6c/0xe0
[   76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0
[   76.178586] Oops: 0000 [#1] PREEMPT SMP
[   76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb
btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables
xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack
iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw
iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher
nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel
[   76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted
4.14.0-f1-dirty #135
[   76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio
9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015
[   76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000
[   76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0
[   76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292
[   76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX:
0000000000000000
[   76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI:
ffff9c7a9493d800
[   76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09:
ffffa09b02a4fc46
[   76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12:
ffffa09b02a4fd40
[   76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15:
0000000000000001
[   76.178646] FS:  00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000)
knlGS:0000000000000000
[   76.178648] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4:
00000000001606f0
[   76.178652] Call Trace:
[   76.178660]  common_lsm_audit+0x1da/0x780
[   76.178665]  ? d_absolute_path+0x60/0x90
[   76.178669]  ? aa_check_perms+0xcd/0xe0
[   76.178672]  aa_check_perms+0xcd/0xe0
[   76.178675]  profile_signal_perm.part.0+0x90/0xa0
[   76.178679]  aa_may_signal+0x16e/0x1b0
[   76.178686]  apparmor_task_kill+0x51/0x120
[   76.178690]  security_task_kill+0x44/0x60
[   76.178695]  group_send_sig_info+0x25/0x60
[   76.178699]  kill_pid_info+0x36/0x60
[   76.178703]  SYSC_kill+0xdb/0x180
[   76.178707]  ? preempt_count_sub+0x92/0xd0
[   76.178712]  ? _raw_write_unlock_irq+0x13/0x30
[   76.178716]  ? task_work_run+0x6a/0x90
[   76.178720]  ? exit_to_usermode_loop+0x80/0xa0
[   76.178723]  entry_SYSCALL_64_fastpath+0x13/0x94
[   76.178727] RIP: 0033:0x7f8b0e58b767
[   76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX:
000000000000003e
[   76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX:
00007f8b0e58b767
[   76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
000000000000263b
[   76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09:
0000000000000001
[   76.178739] R10: 000000000000022d R11: 0000000000000206 R12:
0000000000000000
[   76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15:
0000000000000000
[   76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b
42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd
00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35
[   76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08
[   76.178796] CR2: ffffffff0eee3bc0
[   76.178799] ---[ end trace 514af9529297f1a3 ]---


And then pidgin ends up as an unkillable zombie.

This seems rather reproducible.


My kernel .config is attached, and I am happy to send along anything
else that might be needed to track this down.

Thank you,
Zephaniah E. Loss-Cutler-Hull.
Tetsuo Handa
2017-11-22 06:49:59 UTC
Post by Zephaniah E. Loss-Cutler-Hull
This seems rather reproducible.
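It seems to me that audit_signal_cb() is reading a pointer value rather than a
signal number, because aad(sa)->peer and aad(&sa)->signal share the same address
due to the use of "union" inside "struct apparmor_audit_data". The register dump
looks consistent with this: the faulting instruction appears to load from a table
indexed by RDX, and RDX (ffffffffee012290) is far outside the range of a signal
number. Thus, I think that this is an AppArmor-side problem.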

/*
 * AppArmor audit record as quoted from the 4.14 tree under discussion.
 *
 * The fixed fields are followed by an anonymous union of per-operation
 * payloads. Every union alternative starts at the same offset, so the
 * first member of the first anonymous struct (peer) and the bare
 * "int signal" alternative overlap: storing to one replaces the bytes
 * of the other.
 *
 * NOTE(review): on the x86_64 machine in the report a pointer is wider
 * than an int, so reading signal after peer has been stored would
 * yield part of a kernel pointer rather than a signal number. Any two
 * fields that must be live at the same time need to sit in the same
 * union alternative, not in different ones.
 */
struct apparmor_audit_data {
	int error;
	int type;
	const char *op;
	struct aa_label *label;
	const char *name;
	const char *info;
	u32 request;
	u32 denied;
	union {
		/* these entries require a custom callback fn */
		struct {
			struct aa_label *peer;	/* aliases "signal" below */
			struct {
				const char *target;
				kuid_t ouid;
			} fs;
		};
		struct {
			struct aa_profile *profile;
			const char *ns;
			long pos;
		} iface;
		int signal;	/* aliases "peer" above */
		struct {
			int rlim;
			unsigned long max;
		} rlim;
		struct {
			const char *src_name;
			const char *type;
			const char *trans;
			const char *data;
			unsigned long flags;
		} mnt;
	};
};

/*
 * Check one direction of a signal between @profile and @peer.
 *
 * Returns 0 without any check when @profile is unconfined or does not
 * mediate AA_CLASS_SIGNAL; otherwise returns whatever aa_check_perms()
 * returns for @request, with audit_signal_cb as the audit callback.
 *
 * The audit data in @sa is shared with the caller, which stored the
 * mapped signal number in aad(sa)->signal before calling in.
 */
static int profile_signal_perm(struct aa_profile *profile,
struct aa_profile *peer, u32 request,
struct common_audit_data *sa)
{
	struct aa_perms perms;

	if (profile_unconfined(profile) ||
	!PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))
		return 0;

	/*
	 * peer and signal live in different alternatives of the same
	 * union in struct apparmor_audit_data, so this store replaces
	 * the signal number written by aa_may_signal().
	 */
	aad(sa)->peer = &peer->label; // Overwrites aad(sa)->signal value.
	/*
	 * The signal is read back only after the store above, so the
	 * permission match itself runs on the clobbered value, not just
	 * the audit message.
	 */
	profile_match_signal(profile, peer->base.hname, aad(sa)->signal,
	&perms);
	aa_apply_modes_to_perms(profile, &perms);
	/*
	 * The reported call trace faults in audit_signal_cb, reached from
	 * here via aa_check_perms() and common_lsm_audit().
	 * NOTE(review): the callback body is not shown; presumably it
	 * uses aad(sa)->signal as a table index - confirm.
	 */
	return aa_check_perms(profile, &perms, request, sa, audit_signal_cb); // Oops
}

/*
 * Check a signal in both directions: @sender needs MAY_WRITE towards
 * @target and @target needs MAY_READ from @sender. The two results are
 * combined by xcheck().
 *
 * Both profile_signal_perm() calls receive the same @sa, so each one
 * stores its own peer pointer into the shared audit data.
 * NOTE(review): xcheck() is not shown here; how it combines or orders
 * the two checks should be confirmed against its definition.
 */
static int aa_signal_cross_perm(struct aa_profile *sender,
struct aa_profile *target,
struct common_audit_data *sa)
{
	return xcheck(profile_signal_perm(sender, target, MAY_WRITE, sa),
	profile_signal_perm(target, sender, MAY_READ, sa));
}

/*
 * Entry point for the signal permission check between two labels.
 *
 * Declares the audit data for OP_SIGNAL, records the mapped signal
 * number in it, and returns the result of running
 * aa_signal_cross_perm over @sender and @target through
 * xcheck_labels_profiles().
 */
int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
{
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);

	/*
	 * This is the only store to signal in the quoted code; it is
	 * later overwritten when profile_signal_perm() stores the peer
	 * pointer into the same union.
	 */
	aad(&sa)->signal = map_signal_num(sig); // Writes aad(sa)->signal value.
	return xcheck_labels_profiles(sender, target, aa_signal_cross_perm,
	&sa);
}
