Public bug reported:

SRU Justification

Impact: It is possible to hit a BUG statement in notify_change() with
shiftfs (below). This occurs when one of ATTR_KILL_SUID or
ATTR_KILL_SGID is set in the attrs and notify_change() sets ATTR_MODE
before calling shiftfs_setattr(). shiftfs_setattr() passes the attrs to
notify_change(), and the BUG statement is hit due to ATTR_MODE being set
with one of ATTR_KILL_SUID or ATTR_KILL_SGID set.

Fix: Copy the logic used by ecryptfs and overlayfs to clear ATTR_MODE if
one of these bits is set, allowing the lower fs to interpret the kill
bits in its own way. Also fix a bug where changes to the attrs from
setattr_prepare() are not propagated to the attrs used for the lower fs.

Regression Potential: Limited to shiftfs, matches the behavior of other
stacked filesystems, and has been tested (see below).

Test Case: Tested in the lxd CI environment where the bug was originally
discovered. No regressions were seen, and the BUG statement was not hit.
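The failing sequence described under Impact, and the ecryptfs/overlayfs-style fix described under Fix, as an added userspace model written for this page. It is not shiftfs or kernel source: model_notify_change() follows the kill-bit handling at the top of notify_change() in fs/attr.c (flag and mode values mirror include/linux/fs.h), while the struct layouts, the two stacked_setattr_* variants, run_chown() and the helper names are constructed for the example. The second fix (propagating setattr_prepare() changes to the lower attrs) is not modelled.

```c
#include <stdio.h>

/* Constructed userspace model, not kernel code: the kill-bit handling at the top of
 * notify_change() in fs/attr.c, and a stacked-fs setattr forwarding to a lower inode.
 * Flag and mode values mirror include/linux/fs.h and sys/stat.h. */
#define ATTR_MODE      (1 << 0)
#define ATTR_UID       (1 << 1)
#define ATTR_GID       (1 << 2)
#define ATTR_KILL_SUID (1 << 11)
#define ATTR_KILL_SGID (1 << 12)
#define S_IFREG 0100000
#define S_ISUID 0004000
#define S_ISGID 0002000
#define S_IXGRP 0000010

struct inode { unsigned int i_mode, i_uid, i_gid; struct inode *lower; };
struct iattr { unsigned int ia_valid, ia_mode, ia_uid, ia_gid; };
enum { OK = 0, ERR_BUG = -1 };   /* ERR_BUG stands in for the kernel's BUG() */
typedef int (*setattr_fn)(struct inode *inode, struct iattr *attr);

/* notify_change(): turn kill bits into a mode change, then dispatch to the fs. */
static int model_notify_change(struct inode *inode, struct iattr *attr, setattr_fn setattr)
{
	unsigned int ia_valid = attr->ia_valid, mode = inode->i_mode;

	/* fs/attr.c rejects ATTR_MODE together with a kill bit: this is the BUG() site. */
	if ((ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID)) && (ia_valid & ATTR_MODE))
		return ERR_BUG;
	if ((ia_valid & ATTR_KILL_SUID) && (mode & S_ISUID)) {
		ia_valid = attr->ia_valid |= ATTR_MODE;
		attr->ia_mode = mode & ~S_ISUID;
	}
	if ((ia_valid & ATTR_KILL_SGID) && (mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) {
		if (!(ia_valid & ATTR_MODE)) {
			ia_valid = attr->ia_valid |= ATTR_MODE;
			attr->ia_mode = mode;
		}
		attr->ia_mode &= ~S_ISGID;
	}
	if (!(attr->ia_valid & ~(ATTR_KILL_SUID | ATTR_KILL_SGID)))
		return OK;   /* only kill bits left and nothing to kill */
	return setattr(inode, attr);
}

/* The lower filesystem applies whatever is flagged. */
static int lower_setattr(struct inode *inode, struct iattr *attr)
{
	if (attr->ia_valid & ATTR_MODE) inode->i_mode = attr->ia_mode;
	if (attr->ia_valid & ATTR_UID)  inode->i_uid  = attr->ia_uid;
	if (attr->ia_valid & ATTR_GID)  inode->i_gid  = attr->ia_gid;
	return OK;
}

/* Buggy stacked setattr: forwards attrs untouched. The upper notify_change() has
 * already added ATTR_MODE beside the kill bits, so the lower call hits the BUG. */
static int stacked_setattr_buggy(struct inode *inode, struct iattr *attr)
{
	struct iattr lower_attr = *attr;
	return model_notify_change(inode->lower, &lower_attr, lower_setattr);
}

/* Fixed stacked setattr: drop ATTR_MODE when a kill bit is set (the ecryptfs and
 * overlayfs pattern) so the lower fs re-derives the mode change from its own inode. */
static int stacked_setattr_fixed(struct inode *inode, struct iattr *attr)
{
	struct iattr lower_attr = *attr;
	int err;

	if (lower_attr.ia_valid & (ATTR_KILL_SUID | ATTR_KILL_SGID))
		lower_attr.ia_valid &= ~ATTR_MODE;
	err = model_notify_change(inode->lower, &lower_attr, lower_setattr);
	if (err == OK)   /* mirror the lower inode's new attributes */
		*inode = (struct inode){ inode->lower->i_mode, inode->lower->i_uid, inode->lower->i_gid, inode->lower };
	return err;
}

/* The trace's scenario: chown() through the stacked fs. chown_common() requests
 * ATTR_UID|ATTR_GID and, on non-directories, ATTR_KILL_SUID|ATTR_KILL_SGID. */
static int run_chown(setattr_fn stacked, unsigned int initial_mode, struct inode *lower_out)
{
	struct inode lower = { initial_mode, 0, 0, NULL };
	struct inode upper = { initial_mode, 0, 0, &lower };
	struct iattr attr = { ATTR_UID | ATTR_GID | ATTR_KILL_SUID | ATTR_KILL_SGID, 0, 1000, 1000 };
	int err = model_notify_change(&upper, &attr, stacked);

	if (lower_out) *lower_out = lower;
	return err;
}

static int chown_status(setattr_fn s, unsigned int mode) { return run_chown(s, mode, NULL); }

static unsigned int chown_final_mode(setattr_fn s, unsigned int mode)
{
	struct inode lower;
	run_chown(s, mode, &lower);
	return lower.i_mode;
}

int main(void)
{
	unsigned int suid = S_IFREG | S_ISUID | 0755;
	printf("buggy, setuid file: %s\n", chown_status(stacked_setattr_buggy, suid) == ERR_BUG ? "BUG()" : "ok");
	printf("fixed, setuid file: %s, lower mode now %o\n",
	       chown_status(stacked_setattr_fixed, suid) == OK ? "ok" : "BUG()", chown_final_mode(stacked_setattr_fixed, suid));
	return 0;
}
```

The model also shows why the crash is conditional: a chown() on a file with neither S_ISUID nor S_ISGID set never gains ATTR_MODE in the upper notify_change(), so the buggy forwarding path survives; only a setuid file, or a setgid file that is group-executable, trips the check, which matches the report's observation that it surfaced under dpkg rather than on every chown.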

---

[18558.819079] ------------[ cut here ]------------
[18558.819082] kernel BUG at fs/attr.c:287!
[18558.823490] invalid opcode: 0000 [#1] SMP PTI
[18558.828038] CPU: 2 PID: 26728 Comm: dpkg Tainted: P           O      5.0.0-10-generic #11+shiftfsv201904110736
[18558.838152] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
[18558.872092] RIP: 0010:notify_change+0x412/0x460
[18558.876843] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18558.896179] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
[18558.901984] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18558.909241] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18558.916491] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18558.923741] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18558.931350] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18558.938616] FS:  00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
[18558.946928] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18558.952826] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18558.960078] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18558.967395] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[18558.975018] Call Trace:
[18558.977810]  ? setattr_prepare+0x178/0x200
[18558.982160]  shiftfs_setattr+0xec/0x140
[18558.986149]  notify_change+0x2d9/0x460
[18558.990014]  chown_common+0x1c8/0x1e0
[18558.993917]  do_fchownat+0x93/0xf0
[18558.997551]  __x64_sys_chown+0x22/0x30
[18559.001522]  do_syscall_64+0x5a/0x110
[18559.005481]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[18559.010652] RIP: 0033:0x7fe41e9193e7
[18559.014343] Code: 39 84 24 98 00 00 00 75 a1 48 89 df e8 d2 c5 f8 ff eb a0 e8 ab 38 02 00 66 2e 0f 1f 84 00 00 00 00 00 90 b8 5c 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 71 9a 2d 00 f7 d8 64 89 01 48
[18559.033294] RSP: 002b:00007fff73c89d48 EFLAGS: 00000297 ORIG_RAX: 000000000000005c
[18559.041365] RAX: ffffffffffffffda RBX: 00005614237e0190 RCX: 00007fe41e9193e7
[18559.048820] RDX: 0000000000000008 RSI: 0000000000000000 RDI: 00005614237e0190
[18559.056290] RBP: 00005614237df110 R08: 000000000000001b R09: 000000000000002e
[18559.063681] R10: fffffffffffff32f R11: 0000000000000297 R12: 00007fff73c8a210
[18559.071386] R13: 0000561424166360 R14: 00005614237e0190 R15: 00000000ffffffff
[18559.078773] Modules linked in: binfmt_misc veth ebtable_filter ebtables ip6t_MASQUERADE ip6table_nat nf_nat_ipv6 ipt_MASQUERADE xt_CHECKSUM xt_comment xt_tcpudp iptable_nat nf_nat_ipv4 nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle bridge stp llc unix_diag ip6table_filter ip6_tables iptable_filter bpfilter zfs(PO) zunicode(PO) zavl(PO) icp(PO) zcommon(PO) nls_iso8859_1 znvpair(PO) spl(O) input_leds serio_raw sb_edac pvpanic mac_hid intel_rapl_perf sch_fq_codel ib_iser rdma_cm iw_cm ib_cm ib_core iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi ip_tables x_tables autofs4 btrfs zstd_compress raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel virtio_net aes_x86_64 nvme crypto_simd cryptd glue_helper net_failover psmouse nvme_core failover virtio_scsi i2c_piix4
[18559.161878] ---[ end trace a06dfd01d379d33b ]---
[18559.166628] RIP: 0010:notify_change+0x412/0x460
[18559.171302] Code: 55 00 e9 35 fe ff ff 48 3b 50 30 0f 85 88 fd ff ff e9 bf fe ff ff 41 83 ce 04 e9 21 ff ff ff 41 ba ff ff ff ff e9 ac fd ff ff <0f> 0b 4c 89 fe 4c 89 e7 e8 b1 af 00 00 41 89 c2 e9 b5 fe ff ff f6
[18559.190333] RSP: 0018:ffffb706dbaf7d00 EFLAGS: 00010202
[18559.195716] RAX: 000000005cb1105d RBX: 0000000000001847 RCX: 0000000000000000
[18559.204362] RDX: 00000000165a9c4b RSI: 00000000165a9c4b RDI: 000000005cb1105d
[18559.211720] RBP: ffffb706dbaf7d38 R08: 0000000000000000 R09: 0000000000000000
[18559.220358] R10: 0000000000000000 R11: 0000000000000000 R12: ffff89fa79f756c0
[18559.227648] R13: ffff89fa43d89230 R14: 00000000000085ed R15: ffffb706dbaf7d50
[18559.236285] FS:  00007fe41f039040(0000) GS:ffff89fc61a80000(0000) knlGS:0000000000000000
[18559.244522] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[18559.251941] CR2: 00005614215be0a8 CR3: 00000007594fc002 CR4: 00000000001606e0
[18559.259242] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[18559.266702] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400

** Affects: linux (Ubuntu)
     Importance: High
     Assignee: Seth Forshee (sforshee)
         Status: In Progress

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1824717

Title:
  kernel BUG at fs/attr.c:287 when using shiftfs

Status in linux package in Ubuntu:
  In Progress
