Possible Bug

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Thu Mar 31 13:52:50 EDT 2016


On Thu, 31 Mar 2016 09:30:01 -0700, John Johansen said:

> hrmm, the only thing apparmor is doing in this kernel here is a kzalloc and
> assigning it to f_security, expanding out the aa_alloc_file_context
> abstraction (which should probably just be dropped) we get.
>
>   	file->f_security =  kzalloc(sizeof(struct aa_file_cxt), GFP_KERNEL);
> 	if (!file->f_security)
> 		return -ENOMEM;
> 	return 0;
>
> So unless we are getting a NULL for the file I don't see how apparmor can be
> causing the NULL pointer dereference

Now here's the odd part - just before that, we have:

        f->f_cred = get_cred(cred);
        error = security_file_alloc(f);

so if f-> was NULL, we should have exploded just *before* the security_file_alloc()
call.

>> [952620.397309] IP: [<ffffffff811e636b>] kmem_cache_alloc_trace+0x7b/0x1e0

Aha.  Smoking gun - I should have spotted this before.  f-> isn't the null
pointer - it's exploding trying to alloc a slab.  You're right, John - it looks
like somebody did the fandango all over the memory allocator.

Roger - can you find out if this kernel was using SLAB, SLOB, or SLUB as
the allocator?  And is KASAN enabled or not? (I see a kasan_kmalloc() lurking
in slab.h)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 848 bytes
Desc: not available
Url : http://lists.kernelnewbies.org/pipermail/kernelnewbies/attachments/20160331/6d61410e/attachment-0001.bin 


More information about the Kernelnewbies mailing list