Source: linux
Version: 6.3.7-1
Severity: normal
X-Debbugs-Cc: appar...@packages.debian.org
Control: affects -1 + apparmor quake4
The AppArmor profile in quake4:i386 from src:game-data-packager (attached as "bad.txt") is loaded successfully by Debian 12 and older, albeit with some warnings about uses of sanitized_helper in the xdgopen child profile (which were probably always wrong). Since unstable was upgraded from Linux 6.1 to 6.3, I get a null pointer dereference when I load that profile, and the boot process hangs and will not complete.

The null pointer dereference is easily reproduced by logging in to a virtual machine recently generated by autopkgtest-build-qemu, as root, and loading the offending profile with `apparmor_parser -Tr bad.txt`:

Jun 23 14:19:01 host kernel: audit: type=1400 audit(1687529941.812:11): apparmor="STATUS" operation="profile_replace" profile="unconfined" name="quake4" pid=1098 comm="apparmor_parser"
Jun 23 14:19:01 host kernel: audit: type=1400 audit(1687529941.836:12): apparmor="STATUS" operation="profile_load" profile="unconfined" name="quake4//xdgopen" pid=1098 comm="apparmor_parser"
Jun 23 14:19:01 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000030
Jun 23 14:19:01 host kernel: #PF: supervisor read access in kernel mode
Jun 23 14:19:01 host kernel: #PF: error_code(0x0000) - not-present page
Jun 23 14:19:01 host kernel: PGD 0 P4D 0
Jun 23 14:19:01 host kernel: Oops: 0000 [#1] PREEMPT SMP PTI
Jun 23 14:19:01 host kernel: CPU: 0 PID: 1098 Comm: apparmor_parser Not tainted 6.3.0-1-amd64 #1  Debian 6.3.7-1
Jun 23 14:19:01 host kernel: Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Jun 23 14:19:01 host kernel: RIP: 0010:aafs_create.constprop.0+0x6a/0x110
Jun 23 14:19:01 host kernel: Code: 39 9e 48 89 0c 24 89 c3 e8 23 5c f0 ff 85 c0 74 19 48 63 e8 48 83 c4 10 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <4d> 8b 54 24 30 4d 8d ba a0 00 00 00 4c 89 54 24 08 4c 89 ff e8 1d
Jun 23 14:19:01 host kernel: RSP: 0018:ffffa809c0797c80 EFLAGS: 00010246
Jun 23 14:19:01 host kernel: RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
Jun 23 14:19:01 host kernel: RDX: 0000000000000001 RSI: ffffffff9e393768 RDI: 0000000000000000
Jun 23 14:19:01 host kernel: RBP: ffffffff9c632b8a R08: 0000000000000000 R09: 0000000000000000
Jun 23 14:19:01 host kernel: R10: ffff8e2941d22340 R11: 0000000000000000 R12: 0000000000000000
Jun 23 14:19:01 host kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 23 14:19:01 host kernel: FS:  00007f7d64f2c740(0000) GS:ffff8e2ab7c00000(0000) knlGS:0000000000000000
Jun 23 14:19:01 host kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 23 14:19:01 host kernel: CR2: 0000000000000030 CR3: 000000010d3e2003 CR4: 0000000000370ef0
Jun 23 14:19:01 host kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 23 14:19:01 host kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 23 14:19:01 host kernel: Call Trace:
Jun 23 14:19:01 host kernel:  <TASK>
Jun 23 14:19:01 host kernel:  ? __die+0x23/0x70
Jun 23 14:19:01 host kernel:  ? page_fault_oops+0x17d/0x4c0
Jun 23 14:19:01 host kernel:  ? exc_page_fault+0x74/0x170
Jun 23 14:19:01 host kernel:  ? asm_exc_page_fault+0x26/0x30
Jun 23 14:19:01 host kernel:  ? aafs_create.constprop.0+0x6a/0x110
Jun 23 14:19:01 host kernel:  __aafs_profile_mkdir+0x366/0x400
Jun 23 14:19:01 host kernel:  aa_replace_profiles+0x844/0x1270
Jun 23 14:19:01 host kernel:  policy_update+0xbf/0x150
Jun 23 14:19:01 host kernel:  profile_replace+0xa5/0x120
Jun 23 14:19:01 host kernel:  ? security_file_permission+0x33/0x60
Jun 23 14:19:01 host kernel:  vfs_write+0xc8/0x410
Jun 23 14:19:01 host kernel:  ? fpregs_assert_state_consistent+0x26/0x50
Jun 23 14:19:01 host kernel:  ? exit_to_user_mode_prepare+0x40/0x1d0
Jun 23 14:19:01 host kernel:  ksys_write+0x6f/0xf0
Jun 23 14:19:01 host kernel:  do_syscall_64+0x5c/0xc0
Jun 23 14:19:01 host kernel:  ? syscall_exit_to_user_mode+0x1b/0x40
Jun 23 14:19:01 host kernel:  ? do_syscall_64+0x6b/0xc0
Jun 23 14:19:01 host kernel:  ? exit_to_user_mode_prepare+0x40/0x1d0
Jun 23 14:19:01 host kernel:  ? syscall_exit_to_user_mode+0x1b/0x40
Jun 23 14:19:01 host kernel:  ? do_syscall_64+0x6b/0xc0
Jun 23 14:19:01 host kernel:  ? do_syscall_64+0x6b/0xc0
Jun 23 14:19:01 host kernel:  ? do_syscall_64+0x6b/0xc0
Jun 23 14:19:01 host kernel:  entry_SYSCALL_64_after_hwframe+0x72/0xdc
Jun 23 14:19:01 host kernel: RIP: 0033:0x7f7d650270e0
Jun 23 14:19:01 host kernel: Code: 40 00 48 8b 15 21 9d 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 80 3d 01 25 0e 00 00 74 17 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 58 c3 0f 1f 80 00 00 00 00 48 83 ec 28 48 89
Jun 23 14:19:01 host kernel: RSP: 002b:00007ffd587e0358 EFLAGS: 00000202 ORIG_RAX: 0000000000000001
Jun 23 14:19:01 host kernel: RAX: ffffffffffffffda RBX: 00005592d8b2ef10 RCX: 00007f7d650270e0
Jun 23 14:19:01 host kernel: RDX: 00000000000049c9 RSI: 00005592d9023330 RDI: 0000000000000004
Jun 23 14:19:01 host kernel: RBP: 00000000000049c9 R08: 00000000000049c9 R09: 0000000000000000
Jun 23 14:19:01 host kernel: R10: 0000000000000000 R11: 0000000000000202 R12: 00005592d9023330
Jun 23 14:19:01 host kernel: R13: 0000000000000004 R14: 0000000000000007 R15: 00005592d8b61b30
Jun 23 14:19:01 host kernel:  </TASK>
Jun 23 14:19:01 host kernel: Modules linked in: isofs binfmt_misc intel_rapl_msr intel_rapl_common intel_pmc_core kvm_intel kvm irqbypass ghash_clmulni_intel sha512_ssse3 sha512_generic snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core aesni_intel snd_hwdep crypto_simd cryptd snd_pcm qxl rapl drm_ttm_helper snd_timer ttm snd virtio_rng iTCO_wdt intel_pmc_bxt iTCO_vendor_support pcspkr drm_kms_helper watchdog rng_core soundcore virtio_balloon joydev button evdev serio_raw sg fuse loop drm efi_pstore dm_mod configfs qemu_fw_cfg ip_tables x_tables autofs4 ext4 crc16 mbcache jbd2 crc32c_generic hid_generic usbhid hid sr_mod cdrom sd_mod t10_pi crc64_rocksoft crc64 crc_t10dif ahci crct10dif_generic libahci xhci_pci virtio_net net_failover libata xhci_hcd sym53c8xx scsi_transport_spi crct10dif_pclmul crct10dif_common failover virtio_console crc32_pclmul i2c_i801 psmouse scsi_mod usbcore i2c_smbus crc32c_intel lpc_ich virtio_pci virtio_pci_legacy_dev virtio_pci_modern_dev virtio
Jun 23 14:19:01 host kernel:  scsi_common usb_common virtio_ring
Jun 23 14:19:01 host kernel: CR2: 0000000000000030
Jun 23 14:19:01 host kernel: ---[ end trace 0000000000000000 ]---
Jun 23 14:19:01 host kernel: RIP: 0010:aafs_create.constprop.0+0x6a/0x110
Jun 23 14:19:01 host kernel: Code: 39 9e 48 89 0c 24 89 c3 e8 23 5c f0 ff 85 c0 74 19 48 63 e8 48 83 c4 10 48 89 e8 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc <4d> 8b 54 24 30 4d 8d ba a0 00 00 00 4c 89 54 24 08 4c 89 ff e8 1d
Jun 23 14:19:01 host kernel: RSP: 0018:ffffa809c0797c80 EFLAGS: 00010246
Jun 23 14:19:01 host kernel: RAX: 0000000000000000 RBX: 00000000000041ed RCX: 0000000000000000
Jun 23 14:19:01 host kernel: RDX: 0000000000000001 RSI: ffffffff9e393768 RDI: 0000000000000000
Jun 23 14:19:01 host kernel: RBP: ffffffff9c632b8a R08: 0000000000000000 R09: 0000000000000000
Jun 23 14:19:01 host kernel: R10: ffff8e2941d22340 R11: 0000000000000000 R12: 0000000000000000
Jun 23 14:19:01 host kernel: R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
Jun 23 14:19:01 host kernel: FS:  00007f7d64f2c740(0000) GS:ffff8e2ab7c00000(0000) knlGS:0000000000000000
Jun 23 14:19:01 host kernel: CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
Jun 23 14:19:01 host kernel: CR2: 0000000000000030 CR3: 000000010d3e2003 CR4: 0000000000370ef0
Jun 23 14:19:01 host kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
Jun 23 14:19:01 host kernel: DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Jun 23 14:19:01 host kernel: note: apparmor_parser[1098] exited with irqs disabled

This doesn't seem like a security issue since you need CAP_MAC_ADMIN to trigger it.

The attached "good.txt" works fine, and is what I'm going to use to replace the profile in quake4:i386 to work around this. Please send any advice/complaints/patches for the profile itself to game-data-packager on the bug tracking system: making the profile better is out of scope for this particular bug report.

(I'm aware that my throwaway VM image is now unsupported and needs regenerating as merged-/usr, since it's non-merged-/usr and we are now in the trixie release cycle, but I don't think that has anything to do with the bug I'm reporting, which was originally reproduced on a merged-/usr laptop.)

    smcv

-- System Information:
Debian Release: trixie/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
merged-usr: no
Architecture: amd64 (x86_64)

Kernel: Linux 6.3.0-1-amd64 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_DIE
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8) (ignored: LC_ALL set to C.UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages linux-image-amd64 depends on:
ii  linux-image-6.3.0-1-amd64  6.3.7-1

linux-image-amd64 recommends no packages.

linux-image-amd64 suggests no packages.

-- no debconf information
Attachment: bad.txt

# Quake 4 client AppArmor profile
# Copyright © 2016-2020 Simon McVittie
# SPDX-License-Identifier: FSFAP

#include <tunables/global>

profile quake4 /usr/lib/quake4/quake4{,smp}.x86 flags=(complain) {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dri-common>
  #include <abstractions/dri-enumerate>
  #include <abstractions/mesa>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/private-files-strict>

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,

  /usr/lib/quake4/quake4.x86 mr,
  /usr/lib/quake4/quake4smp.x86 mr,
  /usr/lib/quake4/libSDL-1.2.id.so.0 mr,
  /usr/share/games/quake4/** r,
  owner @{HOME}/.quake4/** rwk,
  owner @{HOME}/.quake4/*/gamex86.so rwkm,

  # used by PulseAudio
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # the audio and X abstractions don't allow mmapping these
  /dev/dri/* m,
  owner /{run,dev}/shm/pulse-shm* m,

  # udev device enumeration, input devices, video
  /etc/udev/udev.conf r,
  /run/udev/data/** r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/input/ r,
  @{sys}/class/sound/ r,
  @{sys}/devices/**/drm/** r,
  @{sys}/devices/**/input/** r,
  @{sys}/devices/**/sound/**/input*/** r,
  @{sys}/devices/**/sound/**/uevent r,
  @{sys}/devices/pci*/**/config r,
  @{sys}/devices/pci*/**/revision r,

  /usr/bin/xdg-open Cxr -> xdgopen,
  /usr/share/games/game-data-packager-runtime/gdp-openurl Cxr -> xdgopen,

  profile xdgopen flags=(complain) {
    #include <abstractions/base>
    #include <abstractions/dbus-session-strict>
    #include <abstractions/ubuntu-browsers>
    #include <abstractions/ubuntu-helpers>

    /usr/bin/xdg-open rm,
    /{usr/,}bin/dash rmix,
    /usr/share/games/game-data-packager-runtime/gdp-openurl rm,
    /usr/bin/python3 rmix,

    dbus (send) bus=session peer=(name=org.freedesktop.portal.Desktop),
  }
}
Attachment: good.txt

# Quake 4 client AppArmor profile
# Copyright © 2016-2020 Simon McVittie
# SPDX-License-Identifier: FSFAP

#include <tunables/global>

profile quake4 /usr/lib/quake4/quake4{,smp}.x86 flags=(complain) {
  #include <abstractions/X>
  #include <abstractions/audio>
  #include <abstractions/base>
  #include <abstractions/dbus-session-strict>
  #include <abstractions/dri-common>
  #include <abstractions/dri-enumerate>
  #include <abstractions/mesa>
  #include <abstractions/nameservice>
  #include <abstractions/nvidia>
  #include <abstractions/private-files-strict>
  #include <abstractions/ubuntu-browsers>
  #include <abstractions/ubuntu-helpers>

  network inet dgram,
  network inet stream,
  network inet6 dgram,
  network inet6 stream,

  /usr/lib/quake4/quake4.x86 mr,
  /usr/lib/quake4/quake4smp.x86 mr,
  /usr/lib/quake4/libSDL-1.2.id.so.0 mr,
  /usr/share/games/quake4/** r,
  owner @{HOME}/.quake4/** rwk,
  owner @{HOME}/.quake4/*/gamex86.so rwkm,

  # used by PulseAudio
  /etc/machine-id r,
  /var/lib/dbus/machine-id r,

  # the audio and X abstractions don't allow mmapping these
  /dev/dri/* m,
  owner /{run,dev}/shm/pulse-shm* m,

  # udev device enumeration, input devices, video
  /etc/udev/udev.conf r,
  /run/udev/data/** r,
  @{sys}/bus/ r,
  @{sys}/class/ r,
  @{sys}/class/drm/ r,
  @{sys}/class/input/ r,
  @{sys}/class/sound/ r,
  @{sys}/devices/**/drm/** r,
  @{sys}/devices/**/input/** r,
  @{sys}/devices/**/sound/**/input*/** r,
  @{sys}/devices/**/sound/**/uevent r,
  @{sys}/devices/pci*/**/config r,
  @{sys}/devices/pci*/**/revision r,

  /usr/bin/python3 rmix,
  /usr/bin/xdg-open rmix,
  /usr/share/games/game-data-packager-runtime/gdp-openurl rmix,
  /{usr/,}bin/dash rmix,

  dbus (send) bus=session peer=(name=org.freedesktop.portal.Desktop),
}
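The two attachments differ only in whether xdgopen is a nested child profile (loaded as quake4//xdgopen immediately before the oops) or has its rules inlined into the parent. As an added check that is not part of the report, this script lists the child profiles and hats a policy file would load as parent//child entries, so an administrator can see which installed profiles use the construct before rebooting into 6.3. The sample policies are constructed from the shape of the attachments, and whether every child profile triggers the oops is not established by the report.

```python
# Constructed samples shaped like the two attachments (not the full profiles):
# "bad" nests a child profile reached via a Cx transition, "good" inlines it.
SAMPLE_BAD = """\
#include <tunables/global>
profile quake4 /usr/lib/quake4/quake4{,smp}.x86 flags=(complain) {
  #include <abstractions/base>
  owner @{HOME}/.quake4/** rwk,
  /usr/bin/xdg-open Cxr -> xdgopen,
  profile xdgopen flags=(complain) {
    /usr/bin/xdg-open rm,
  }
}
"""
SAMPLE_GOOD = """\
#include <tunables/global>
profile quake4 /usr/lib/quake4/quake4{,smp}.x86 flags=(complain) {
  #include <abstractions/base>
  /usr/bin/xdg-open rmix,
}
"""

def child_profiles(policy):
    """Map each top-level profile to the child profiles/hats nested in it.

    Depth is the running net brace count per line, so globs like {,smp}
    or @{HOME}, balanced on one line, leave it unchanged. A block header
    is a line ending in '{'; the name follows 'profile', or is the first
    token in the keyword-less forms '/path {' and '^hat {'.
    """
    result = {}
    depth, current = 0, None
    for raw in policy.splitlines():
        line = raw.split('#', 1)[0].strip()  # drops comments and #include
        if line.endswith('{'):
            tokens = line[:-1].split()
            if tokens and tokens[0] == 'profile':
                tokens = tokens[1:]
            name = tokens[0] if tokens else '<anonymous>'
            if depth == 0:
                current = name
                result.setdefault(current, [])
            elif current is not None:
                result[current].append(name)  # loaded as parent//name
        depth += line.count('{') - line.count('}')
    return result

def profiles_with_children(policy):
    """Top-level profiles that would load parent//child entries."""
    return [p for p, kids in child_profiles(policy).items() if kids]
```

Feed the contents of each file under /etc/apparmor.d to profiles_with_children() before the kernel upgrade; any hit is a profile worth test-loading in a disposable VM first, as the report does.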