Bug 652972

Summary: NULL pointer dereference in nameidata_to_filp after avc denial
Product: [Fedora] Fedora
Reporter: Enrico Scholz <rh-bugzilla>
Component: kernel
Assignee: Kernel Maintainer List <kernel-maint>
Status: CLOSED INSUFFICIENT_DATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: low
Version: 14
CC: dougsland, gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2011-10-11 19:47:26 UTC

Description Enrico Scholz 2010-11-13 22:01:04 UTC
Description of problem:

Trying to open a file on an NFS4 (krb5i) mounted partition and denying
this by SELinux policy causes a kernel oops:

[ 1841.233320] type=1400 audit(1289684788.194:30): avc:  denied  { open } for  pid=6211 comm="python" name=".bitbake.elito.conf" dev=0:16 ino=41932 scontext=unconfined_u:unconfined_r:build_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
[ 1841.234331] BUG: unable to handle kernel NULL pointer dereference at 000000000000000b
[ 1841.234339] IP: [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1841.234350] PGD 121de4067 PUD 135a1b067 PMD 0
[ 1841.234359] Oops: 0000 [#1] SMP
[ 1841.234365] last sysfs file: /sys/devices/system/cpu/cpu1/cache/index2/shared_cpu_map
[ 1841.234370] CPU 0
[ 1841.234372] Modules linked in: fuse ip6_tables ebtable_nat ebtables nfsd exportfs coretemp des_generic nfs fscache nfs_acl rpcsec_gss_krb5 auth_rpcgss lockd sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf bridge stp llc iptable_nat nf_nat xt_pkttype xt_physdev ipt_LOG xt_limit sha256_generic cryptd aes_x86_64 aes_generic cbc dm_crypt kvm_intel kvm uinput snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device ftdi_sio snd_pcm snd_timer snd e1000e soundcore usbserial tpm_infineon snd_page_alloc serio_raw iTCO_wdt iTCO_vendor_support microcode usb_storage ata_generic pata_acpi i915 drm_kms_helper drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan]
[ 1841.234498]
[ 1841.234501] Pid: 6211, comm: python Not tainted 2.6.35.6-48.fc14.x86_64 #1 D2314-A3/ESPRIMO P5916 iAMT
[ 1841.234505] RIP: 0010:[<ffffffff811163e7>]  [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1841.234510] RSP: 0018:ffff880121e49d48  EFLAGS: 00010286
[ 1841.234513] RAX: fffffffffffffff3 RBX: ffff880121e49e28 RCX: 0000000000000002
[ 1841.234516] RDX: 0000000000000000 RSI: 000000000000012f RDI: ffff880121e49e28
[ 1841.234519] RBP: ffff880121e49d58 R08: ffff8801093829c0 R09: 0000000000000000
[ 1841.234521] R10: 00000000000006ab R11: 0000000000000002 R12: 0000000000000000
[ 1841.234524] R13: 0000000000008000 R14: 0000000000000000 R15: ffff880114aba000
[ 1841.234528] FS:  00007feb797f1720(0000) GS:ffff880002000000(0000) knlGS:0000000000000000
[ 1841.234531] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1841.234534] CR2: 000000000000000b CR3: 0000000130f76000 CR4: 00000000000006f0
[ 1841.234537] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1841.234539] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[ 1841.234543] Process python (pid: 6211, threadinfo ffff880121e48000, task ffff880133315d00)
[ 1841.234545] Stack:
[ 1841.234547]  0000000000000000 0000000000008000 ffff880121e49da8 ffffffff81122048
[ 1841.234553] <0> ffff8801093829c0 0000002400000024 ffff880121e49d88 ffff880121e49e28
[ 1841.234560] <0> 0000000000008000 0000000000000024 0000000000000000 0000000000008001
[ 1841.234568] Call Trace:
[ 1841.234573]  [<ffffffff81122048>] do_last+0x457/0x5d4
[ 1841.234578]  [<ffffffff811223f5>] do_filp_open+0x230/0x5e1
[ 1841.234583]  [<ffffffff81467b5d>] ? _cond_resched+0xe/0x22
[ 1841.234589]  [<ffffffff81221660>] ? might_fault+0x21/0x23
[ 1841.234593]  [<ffffffff81221760>] ? __strncpy_from_user+0x1f/0x4e
[ 1841.234597]  [<ffffffff8112b619>] ? alloc_fd+0x74/0x11f
[ 1841.234601]  [<ffffffff81116477>] do_sys_open+0x64/0x110
[ 1841.234605]  [<ffffffff81116543>] sys_open+0x20/0x22
[ 1841.234610]  [<ffffffff81009cf2>] system_call_fastpath+0x16/0x1b
[ 1841.234612] Code: 49 63 c6 41 5e c9 c3 55 48 89 e5 48 83 ec 10 0f 1f 44 00 00 65 48 8b 04 25 00 cc 00 00 4c 8b 80 40 04 00 00 48 8b 87 90 00 00 00 <48> 83 78 18 00 75 16 4c 8b 4f 08 48 8b 37 31 c9 48 89 c2 4c 89
[ 1841.234683] RIP  [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1841.234688]  RSP <ffff880121e49d48>
[ 1841.234690] CR2: 000000000000000b
[ 1841.234694] ---[ end trace 281ed826b18e4c83 ]---

[ 1923.454549] type=1400 audit(1289684870.416:31): avc:  denied  { open } for  pid=6236 comm="python" name=".bitbake.elito.conf" dev=0:16 ino=41932 scontext=unconfined_u:unconfined_r:build_t:s0-s0:c0.c1023 tcontext=system_u:object_r:nfs_t:s0 tclass=file
[ 1923.455475] BUG: unable to handle kernel NULL pointer dereference at 000000000000000b
[ 1923.455481] IP: [<ffffffff811163e7>] nameidata_to_filp+0x24/0x50
[ 1923.455492] PGD 1149c7067 PUD 114b69067 PMD 0



Version-Release number of selected component (if applicable):

kernel-2.6.35.6-48.fc14.x86_64

Comment 1 Enrico Scholz 2010-11-17 12:40:50 UTC
oops is at

/usr/src/debug/kernel-2.6.35.fc14/linux-2.6.35.x86_64/fs/open.c:789
ffffffff811163e7:       48 83 78 18 00          cmpq   $0x0,0x18(%rax) <<<

with rax being 0xfffffffffffffff3 (-13 == -EACCES)
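
The arithmetic behind Comment 1, as an added example that is not part of the original report: a user-space restatement of the kernel's error-pointer convention (`IS_ERR_VALUE` / `MAX_ERRNO` in `include/linux/err.h`), showing why RAX = 0xfffffffffffffff3 with the operand `0x18(%rax)` faults at CR2 = 0xb, and how to recover the errno from CR2 during triage. The helper names are hypothetical; the register values are the ones in the oops above.

```c
#include <stdint.h>
#include <stdio.h>

/* Kernel convention: the top MAX_ERRNO addresses carry a negative errno
 * inside a pointer-sized value instead of a real address. */
#define MAX_ERRNO UINT64_C(4095)

/* Hypothetical helper: 1 if v lies in the error-pointer range. */
static int is_err_value(uint64_t v)
{
    return v >= (uint64_t)(0 - MAX_ERRNO);
}

/* Negative errno carried by an error pointer, or 0 if v is a real address. */
static int64_t ptr_err(uint64_t v)
{
    return is_err_value(v) ? (int64_t)v : 0;
}

/* Address touched by an operand such as 0x18(%rax); wraps modulo 2^64. */
static uint64_t fault_address(uint64_t base, uint64_t disp)
{
    return base + disp;
}

/* Triage direction: from CR2 and the displacement of the faulting
 * instruction, recover the errno if the base register held an error pointer. */
static int64_t errno_from_fault(uint64_t cr2, uint64_t disp)
{
    return ptr_err(cr2 - disp);
}

int main(void)
{
    uint64_t rax = UINT64_C(0xfffffffffffffff3); /* RAX from the oops */
    uint64_t cr2 = UINT64_C(0xb);                /* CR2 from the oops */
    uint64_t disp = 0x18;                        /* cmpq $0x0,0x18(%rax) */

    printf("rax is error pointer: %d, errno %lld\n",
           is_err_value(rax), (long long)ptr_err(rax));
    printf("rax + 0x18 = 0x%llx\n",
           (unsigned long long)fault_address(rax, disp));
    printf("errno recovered from cr2: %lld\n",
           (long long)errno_from_fault(cr2, disp));
    return 0;
}
```

A "NULL pointer dereference" oops whose fault address is small but nonzero is worth running through this check: subtracting the instruction's displacement from CR2 and landing in the range -4095..-1 points at an error pointer that was dereferenced without an error check.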

Comment 2 Josh Boyer 2011-08-31 16:40:11 UTC
Does this still happen on the latest f14 or f15 kernel?

Comment 3 Dave Jones 2011-10-11 19:47:26 UTC
unlikely to be fixed in f14, due to the limited time remaining in its lifecycle.