[lxc-users] lxc-start-ephemeral triggers kernel oops

Wed, 17 Jun 2015 06:38:45 -0700 

This report pertains to ubuntu 14.04 host and container, with the lxc-daily ppa
and a container which includes the x11-common package.

A patch for CVE-2015-1328, overlayfs privilege escalation,
has recently been applied to the kernel,
http://www.ubuntu.com/usn/usn-2643-1/

With this patch in place, running the following command,

   lxc-start-ephemeral -o trusty -d

triggers a kernel oops,

   kernel: [ 3993.329638] BUG: unable to handle kernel NULL pointer
dereference at 0000000000000030
   kernel: [ 3993.329691] IP: [<ffffffffa075cd80>]
ovl_dentry_root_may+0x30/0x60 [overlayfs]
   kernel: [ 3993.329735] PGD 8e7a2067 PUD 8b516067 PMD 0
   kernel: [ 3993.329766] Oops: 0000 [#1] SMP

with call trace,

   kernel: [ 3993.331138] Call Trace:
   kernel: [ 3993.331156]  [<ffffffffa075ef2e>]
ovl_check_empty_and_clear+0x4e/0x240 [overlayfs]
   kernel: [ 3993.331198]  [<ffffffff811d44c0>] ?
prepend.constprop.25+0x30/0x30
   kernel: [ 3993.331231]  [<ffffffffa075d963>] ovl_rmdir+0x23/0x40
[overlayfs]
   kernel: [ 3993.331262]  [<ffffffff811cc678>] vfs_rmdir+0xa8/0x100
   kernel: [ 3993.331291]  [<ffffffff811ce571>] do_rmdir+0x1c1/0x1e0
   kernel: [ 3993.331321]  [<ffffffff81021127>] ?
syscall_trace_enter+0x197/0x250
   kernel: [ 3993.331352]  [<ffffffff811cf655>] SyS_unlinkat+0x25/0x40
   kernel: [ 3993.331383]  [<ffffffff81733f6f>] tracesys+0xe1/0xe6
   kernel: [ 3993.331409] Code: 55 48 89 e5 41 55 49 89 f5 41 54 53 48
8b 47 68 89 d3 48 8b 80 f8 02 00 00 48 8b 78 28 e8 e9 3a 93 e0 49 89
c4 49 8b 45 08 89 de <48> 8b 78 30 e8 97 c4 a6 e0 83 f8 01 4c 89 e7 19
db f7 d3 83 e3
   kernel: [ 3993.331695] RIP  [<ffffffffa075cd80>]
ovl_dentry_root_may+0x30/0x60 [overlayfs]
   kernel: [ 3993.331737]  RSP <ffff88008bfbbda8>
   kernel: [ 3993.331755] CR2: 0000000000000030
   kernel: [ 3993.337695] ---[ end trace 166f37bc2c7b0f52 ]---

The oops occurs every time the command is run.

If the container's (upstart) init is replaced with,

    /sbin/init --no-startup-event

then the oops does not occur.

When the oops occurs, /etc/init.d/x11-common hangs at
the following line,

   mkdir -p -m 01777 /tmp/.X11-unix

and the container's /tmp is unreadable, both from within the container
and from the host.

Containers that do not include the x11-common package
do not exhibit the bug. Installing x11-common suffices to trigger the bug.
_______________________________________________
lxc-users mailing list
lxc-users@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-users

Reply via email to