FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Ubuntu > Ubuntu Kernel Team

 
 
LinkBack Thread Tools
 
Old 11-10-2009, 05:29 PM
John Johansen
 
Default UBUNTU: SAUCE: AppArmor: Fix Oops when in apparmor_bprm_set_creds

BugLink: http://bugs.launchpad.net/bugs/437258

SRU Justification: This can cause an oops at 000068. This will happen to
all processes confined or unconfined when name resolution fails at exec.
This can happen in a couple different cases, applications like psxe, and mugen
munge the process during their decrompress and set up links so that a valid
name does not exist. The other way that this can happen is executing code
from a path that has been lazily unmounted. This can occur with nfs and
automounters, or any mount point that gets unmounted with lazy unmount allowed.


If name resolution fails due on exec and a profile is not defined
then AppArmor will cause an oops due to a broken conditional leading to
dereferencing a profile pointer that is null.

Signed-off-by: John Johansen <john.johansen@canonical.com>
---
ubuntu/apparmor/domain.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/ubuntu/apparmor/domain.c b/ubuntu/apparmor/domain.c
index aa25be2..128e527 100644
--- a/ubuntu/apparmor/domain.c
+++ b/ubuntu/apparmor/domain.c
@@ -248,7 +248,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
sa.base.error = aa_get_name(&bprm->file->f_path, 0, &buffer,
(char **) &sa.name);
if (sa.base.error) {
- if (profile || profile->flags & PFLAG_IX_ON_NAME_ERROR)
+ if (!profile || profile->flags & PFLAG_IX_ON_NAME_ERROR)
sa.base.error = 0;
sa.base.info = "Exec failed name resolution";
sa.name = bprm->filename;
--
1.6.3.3


--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 11-12-2009, 10:14 AM
Andy Whitcroft
 
Default UBUNTU: SAUCE: AppArmor: Fix Oops when in apparmor_bprm_set_creds

On Tue, Nov 10, 2009 at 10:29:10AM -0800, John Johansen wrote:
> BugLink: http://bugs.launchpad.net/bugs/437258
>
> SRU Justification: This can cause an oops at 000068. This will happen to
> all processes confined or unconfined when name resolution fails at exec.
> This can happen in a couple different cases, applications like psxe, and mugen
> munge the process during their decrompress and set up links so that a valid
> name does not exist. The other way that this can happen is executing code
> from a path that has been lazily unmounted. This can occur with nfs and
> automounters, or any mount point that gets unmounted with lazy unmount allowed.
>
>
> If name resolution fails due on exec and a profile is not defined
> then AppArmor will cause an oops due to a broken conditional leading to
> dereferencing a profile pointer that is null.
>
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
> ubuntu/apparmor/domain.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/ubuntu/apparmor/domain.c b/ubuntu/apparmor/domain.c
> index aa25be2..128e527 100644
> --- a/ubuntu/apparmor/domain.c
> +++ b/ubuntu/apparmor/domain.c
> @@ -248,7 +248,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
> sa.base.error = aa_get_name(&bprm->file->f_path, 0, &buffer,
> (char **) &sa.name);
> if (sa.base.error) {
> - if (profile || profile->flags & PFLAG_IX_ON_NAME_ERROR)
> + if (!profile || profile->flags & PFLAG_IX_ON_NAME_ERROR)
> sa.base.error = 0;
> sa.base.info = "Exec failed name resolution";
> sa.name = bprm->filename;

If profile can be NULL then we would OOPS before. I am assuming we do
not care about the error here, in that case.

Acked-by: Andy Whitcroft <apw@canonical.com>

-apw

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 
Old 11-12-2009, 03:20 PM
John Johansen
 
Default UBUNTU: SAUCE: AppArmor: Fix Oops when in apparmor_bprm_set_creds

Andy Whitcroft wrote:
> On Tue, Nov 10, 2009 at 10:29:10AM -0800, John Johansen wrote:
>> BugLink: http://bugs.launchpad.net/bugs/437258
>>
>> SRU Justification: This can cause an oops at 000068. This will happen to
>> all processes confined or unconfined when name resolution fails at exec.
>> This can happen in a couple different cases, applications like psxe, and mugen
>> munge the process during their decrompress and set up links so that a valid
>> name does not exist. The other way that this can happen is executing code
>> from a path that has been lazily unmounted. This can occur with nfs and
>> automounters, or any mount point that gets unmounted with lazy unmount allowed.
>>
>>
>> If name resolution fails due on exec and a profile is not defined
>> then AppArmor will cause an oops due to a broken conditional leading to
>> dereferencing a profile pointer that is null.
>>
>> Signed-off-by: John Johansen <john.johansen@canonical.com>
>> ---
>> ubuntu/apparmor/domain.c | 2 +-
>> 1 files changed, 1 insertions(+), 1 deletions(-)
>>
>> diff --git a/ubuntu/apparmor/domain.c b/ubuntu/apparmor/domain.c
>> index aa25be2..128e527 100644
>> --- a/ubuntu/apparmor/domain.c
>> +++ b/ubuntu/apparmor/domain.c
>> @@ -248,7 +248,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
>> sa.base.error = aa_get_name(&bprm->file->f_path, 0, &buffer,
>> (char **) &sa.name);
>> if (sa.base.error) {
>> - if (profile || profile->flags & PFLAG_IX_ON_NAME_ERROR)
>> + if (!profile || profile->flags & PFLAG_IX_ON_NAME_ERROR)
>> sa.base.error = 0;
>> sa.base.info = "Exec failed name resolution";
>> sa.name = bprm->filename;
>
> If profile can be NULL then we would OOPS before. I am assuming we do
> not care about the error here, in that case.
>
Right profile could be NULL so we would OOPS before. We do care about the error it gets logged, and in the enforcing (profile) case the execution will be failed unless the special IX_ON_NAME_ERROR is set, which causes the execution to inherit the current confinement. In the unconfined case AppArmor doesn't fail the execution because it is supposed to have no effect beyond what DAC is enforcing.

jj

--
kernel-team mailing list
kernel-team@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/kernel-team
 

Thread Tools




All times are GMT. The time now is 06:33 PM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org