Sunday

[Bug 2115447] Re: Ubuntu 24.04.2: NULL pointer dereference with Ceph and selinux

** Changed in: linux (Ubuntu Noble)
Status: Fix Committed => Fix Released

--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/2115447

Title:
Ubuntu 24.04.2: NULL pointer dereference with Ceph and selinux

Status in linux package in Ubuntu:
Invalid
Status in linux source package in Noble:
Fix Released

Bug description:
[ Impact ]

fs/ceph,selinux: fix NULL pointer dereference on CephFS write with
SELinux in permissive mode

A NULL pointer dereference occurs in the Ceph kernel client (CephFS)
when a file is created on a mounted CephFS volume while SELinux is
enabled in permissive mode. The oops below is taken while
ceph_security_init_secctx() appends the new inode's security context to
the MDS request pagelist. The faulting instruction (the <4c> 8b 46 f8 in
the Code line, a load from [rsi-8]) is in the backward-copy loop of
memcpy_orig, which first adds the length to both pointers: RDI is
RAX + 0x25 and RSI is exactly 0x25, so memcpy() was called with a NULL
source pointer and a 0x25-byte length, and CR2 = 0x1d is that NULL
source plus 0x25 minus 8.

[ 86.678570] BUG: kernel NULL pointer dereference, address: 000000000000001d
[ 86.679238] #PF: supervisor read access in kernel mode
[ 86.679859] #PF: error_code(0x0000) - not-present page
[ 86.680445] PGD 0 P4D 0
[ 86.681021] Oops: 0000 [#1] PREEMPT SMP PTI
[ 86.681558] CPU: 0 PID: 2818 Comm: touch Not tainted 6.8.0-62-generic #65-Ubuntu
[ 86.682095] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
[ 86.682716] RIP: 0010:memcpy_orig+0x54/0x130
[ 86.683267] Code: 89 07 4c 89 4f 08 4c 89 57 10 4c 89 5f 18 48 8d 7f 20 73 d4 83 c2 20 eb 44 48 01 d6 48 01 d7 48 83 ea 20 0f 1f 00 48 83 ea 20 <4c> 8b 46 f8 4c 8b 4e f0 4c 8b 56 e8 4c 8b 5e e0 48 8d 76 e0 4c 89
[ 86.684464] RSP: 0018:ffffa79300b2f7e0 EFLAGS: 00010283
[ 86.685060] RAX: ffff9aeb6123a008 RBX: 0000000000000ff8 RCX: 0000000000000000
[ 86.685659] RDX: ffffffffffffffe5 RSI: 0000000000000025 RDI: ffff9aeb6123a02d
[ 86.686265] RBP: ffffa79300b2f810 R08: 0000000000000025 R09: 0000000000000000
[ 86.686843] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000025
[ 86.687366] R13: 0000000000000000 R14: ffff9aeb408d5960 R15: ffffa79300b2f8e4
[ 86.687888] FS: 0000724d07b47740(0000) GS:ffff9aec77c00000(0000) knlGS:0000000000000000
[ 86.688416] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 86.688947] CR2: 000000000000001d CR3: 000000012038a004 CR4: 00000000001706f0
[ 86.689541] Call Trace:
[ 86.690124] <TASK>
[ 86.690704] ? show_regs+0x6d/0x80
[ 86.691256] ? __die+0x24/0x80
[ 86.691807] ? page_fault_oops+0x99/0x1b0
[ 86.692426] ? kernelmode_fixup_or_oops.isra.0+0x69/0x90
[ 86.692991] ? __bad_area_nosemaphore+0x19e/0x2c0
[ 86.693563] ? find_vma+0x34/0x60
[ 86.694214] ? bad_area_nosemaphore+0x16/0x30
[ 86.694835] ? do_user_addr_fault+0x29d/0x670
[ 86.695439] ? exc_page_fault+0x83/0x1b0
[ 86.696024] ? asm_exc_page_fault+0x27/0x30
[ 86.696614] ? memcpy_orig+0x54/0x130
[ 86.697202] ? ceph_pagelist_append+0x124/0x150 [libceph]
[ 86.697995] ceph_security_init_secctx+0xce/0x1f0 [ceph]
[ 86.698733] ceph_new_inode+0x80/0xe0 [ceph]
[ 86.699484] ceph_atomic_open+0x3b2/0x9d0 [ceph]
[ 86.700239] ? may_create+0x141/0x150
[ 86.700903] lookup_open.isra.0+0x3a9/0x570
[ 86.701534] open_last_lookups+0x14f/0x400
[ 86.702196] path_openat+0x99/0x2d0
[ 86.702815] do_filp_open+0xaf/0x170
[ 86.703475] do_sys_openat2+0xb3/0xe0
[ 86.704098] __x64_sys_openat+0x55/0xa0
[ 86.704804] x64_sys_call+0x1eb1/0x25a0
[ 86.705437] do_syscall_64+0x7f/0x180
[ 86.706120] ? filemap_map_pages+0x2fe/0x4c0
[ 86.706792] ? __lruvec_stat_mod_folio+0x70/0xc0
[ 86.707444] ? do_read_fault+0x112/0x200
[ 86.708157] ? do_fault+0xf0/0x260
[ 86.708850] ? handle_pte_fault+0x114/0x1d0
[ 86.709519] ? __handle_mm_fault+0x654/0x800
[ 86.710216] ? __count_memcg_events+0x6b/0x120
[ 86.710884] ? count_memcg_events.constprop.0+0x2a/0x50
[ 86.711505] ? handle_mm_fault+0xad/0x380
[ 86.712136] ? do_user_addr_fault+0x334/0x670
[ 86.712778] ? irqentry_exit_to_user_mode+0x7b/0x260
[ 86.713433] ? irqentry_exit+0x43/0x50
[ 86.714111] ? clear_bhb_loop+0x15/0x70
[ 86.714777] ? clear_bhb_loop+0x15/0x70
[ 86.715330] ? clear_bhb_loop+0x15/0x70
[ 86.715844] entry_SYSCALL_64_after_hwframe+0x78/0x80
[ 86.716378] RIP: 0033:0x724d0791b175
[ 86.716895] Code: 83 e2 40 75 50 89 f0 f7 d0 a9 00 00 41 00 74 45 80 3d de fe 0e 00 00 74 60 89 da 4c 89 e6 bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 7f 00 00 00 48 8b 55 b8 64 48 2b 14 25 28
[ 86.718058] RSP: 002b:00007ffd9c151d40 EFLAGS: 00000202 ORIG_RAX: 0000000000000101
[ 86.718648] RAX: ffffffffffffffda RBX: 0000000000000941 RCX: 0000724d0791b175
[ 86.719225] RDX: 0000000000000941 RSI: 00007ffd9c153635 RDI: 00000000ffffff9c
[ 86.719833] RBP: 00007ffd9c151db0 R08: 0000000000000000 R09: 0000000000000000
[ 86.720414] R10: 00000000000001b6 R11: 0000000000000202 R12: 00007ffd9c153635
[ 86.720982] R13: 0000724d07a03248 R14: 0000000000000000 R15: 0000000000000001
[ 86.721596] </TASK>

[ Fix ]

The issue is fixed by modifying kernel code as follows:
- In the SELinux hook selinux_dentry_init_security(), remove a faulty cast when
assigning the context pointer, so that the LSM populates the context buffer
correctly and the NULL pointer dereference is avoided
- In ceph_security_init_secctx(), add the missing encoding of the xattr name
and its length to the pagelist
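As an added example (written for this page, not code from the kernel, Ceph or the bug report), the following userspace C model shows what the second part of the fix changes on the wire and what the first part crashed on: it encodes the security xattr the way the description says ceph_security_init_secctx() should (count, name length, name, value length, value), encodes it once more with the name and its length left out, and runs a small constructed decoder over both; its append helper also rejects the NULL source pointer that the register dump shows memcpy() being handed. The pagelist stand-ins pl_append() and pl_encode_32(), the decoder, the xattr name security.selinux, the little-endian map<string, bufferptr> layout and the sample context string are assumptions of the example, not taken from the report; the 37-byte length is chosen to match the 0x25 in the register dump.

```c
/* Added illustration, not kernel code: userspace model of the xattr map that
 * ceph_security_init_secctx() puts on the MDS request pagelist. pl_append() and
 * pl_encode_32() stand in for libceph helpers; decode_xattr_map() is constructed. */
#include <errno.h>
#include <stdint.h>
#include <string.h>

struct pagelist { uint8_t buf[256]; size_t len; };

/* Unlike ceph_pagelist_append(), refuse a NULL source instead of letting
 * memcpy() fault: the oops above shows the copy handed src=NULL, len=0x25. */
static int pl_append(struct pagelist *pl, const void *src, size_t n)
{
	if (!src)
		return n ? -EINVAL : 0;
	if (pl->len + n > sizeof pl->buf)
		return -ENOSPC;
	memcpy(pl->buf + pl->len, src, n);
	pl->len += n;
	return 0;
}

/* Ceph wire integers are little-endian. */
static int pl_encode_32(struct pagelist *pl, uint32_t v)
{
	uint8_t le[4] = { v & 0xff, (v >> 8) & 0xff, (v >> 16) & 0xff, v >> 24 };
	return pl_append(pl, le, sizeof le);
}

/* Assumed map<string, bufferptr> layout: u32 count, then per entry u32 name_len
 * + name, u32 value_len + value. with_name == 0 omits the name and its length. */
static int encode_secctx(struct pagelist *pl, const char *name,
			 const void *ctx, uint32_t ctxlen, int with_name)
{
	uint32_t nlen = (uint32_t)strlen(name);
	int err;
	pl->len = 0;
	if ((err = pl_encode_32(pl, 1)) != 0)
		return err;
	if (with_name && ((err = pl_encode_32(pl, nlen)) != 0 ||
			  (err = pl_append(pl, name, nlen)) != 0))
		return err;
	if ((err = pl_encode_32(pl, ctxlen)) != 0)
		return err;
	return pl_append(pl, ctx, ctxlen);
}

/* One length-prefixed field; -EINVAL when the prefix runs past what was sent. */
static int rd_blob(const struct pagelist *pl, size_t *pos, char *dst, size_t cap)
{
	const uint8_t *p = pl->buf + *pos;
	uint32_t len;
	if (*pos + 4 > pl->len)
		return -EINVAL;
	len = p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
	*pos += 4;
	if (len >= cap || *pos + len > pl->len)
		return -EINVAL;
	memcpy(dst, p + 4, len);
	dst[len] = '\0';
	*pos += len;
	return 0;
}

/* 0 when the map holds exactly one complete entry, -EINVAL otherwise. */
static int decode_xattr_map(const struct pagelist *pl, char *name, size_t ncap,
			    char *value, size_t vcap)
{
	size_t pos = 4;
	int err;
	if (pl->len < 4 || memcmp(pl->buf, "\1\0\0\0", 4) != 0) /* count must be 1 */
		return -EINVAL;
	if ((err = rd_blob(pl, &pos, name, ncap)) != 0 ||
	    (err = rd_blob(pl, &pos, value, vcap)) != 0)
		return err;
	return pos == pl->len ? 0 : -EINVAL;
}

/* Constructed sample: 36 characters plus NUL = 37 bytes (0x25, the length in the
 * register dump above). The xattr name is an assumption, not from the report. */
static const char sample_ctx[] = "unconfined_u:object_r:unlabeled_t:s0";
#define SAMPLE_CTXLEN ((uint32_t)sizeof sample_ctx)
#define SECCTX_NAME "security.selinux"

/* 0: round-trips. -EINVAL: name omitted (the context is consumed as the name
 * and the buffer ends before any value) or a NULL context pointer. */
static int run_case(int with_name, int null_ctx)
{
	struct pagelist pl;
	char name[64], value[128];
	int err = encode_secctx(&pl, SECCTX_NAME, null_ctx ? NULL : sample_ctx,
				SAMPLE_CTXLEN, with_name);
	if (!err)
		err = decode_xattr_map(&pl, name, sizeof name, value, sizeof value);
	if (err)
		return err;
	return strcmp(name, SECCTX_NAME) == 0 &&
	       memcmp(value, sample_ctx, SAMPLE_CTXLEN) == 0 ? 0 : -EIO;
}
```

run_case(1, 0) returns 0; run_case(0, 0) and run_case(1, 1) return -EINVAL. The name-omitted variant is the instructive one: the decoder does not fail on the first field, it takes the 37-byte context as the xattr name and only errors when it looks for a value, which is the kind of client-MDS protocol mismatch the [ Regression Potential ] section warns about.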

[ Test Plan ]

The issue can be reproduced on the unfixed kernel (before) and the fix
verified (after) with the steps below. Before the fix the final touch
triggers the oops above; after it the file is created and appears in
the listing:

$ sudo snap install microceph
$ sudo microceph cluster bootstrap
$ sudo microceph.ceph osd crush rule rm replicated_rule
$ sudo microceph.ceph osd crush rule create-replicated single default osd
$ sudo microceph disk add /dev/sdb --wipe
$ sudo microceph.ceph config set global osd_pool_default_size 1
$ sudo microceph.ceph osd pool create cephfs_metadata 8
$ sudo microceph.ceph osd pool create cephfs_data 8
$ sudo microceph.ceph fs new cephfs cephfs_metadata cephfs_data
$ sudo apt install selinux-basics selinux-policy-default -y && sudo selinux-activate
$ sudo reboot

$ sudo mkdir -p /mnt/cephfs
$ sudo microceph.ceph auth get-or-create client.admin mon 'allow *' mds 'allow *' osd 'allow *' mgr 'allow *'
$ sudo mount -t ceph $(hostname -I | awk '{print $1}'):6789:/ /mnt/cephfs -o name=admin,secret=
$ sudo touch /mnt/cephfs/test.txt
$ ll /mnt/cephfs/

[ Regression Potential ]

This fix modifies how SELinux provides security context data
to the CephFS client and how that data is encoded for transmission.
A regression could cause incorrect xattr encoding,
resulting in file creation failures (EPERM or EIO) or LSM labeling errors.
If the context pointer is mishandled, memory corruption or crashes may occur.
Additionally, malformed pagelist encoding could cause client-MDS
protocol mismatches.

---

Upgraded a Ceph cluster running Ceph to Ubuntu 24.04.2 from Ubuntu 22.
Turning on SELinux (permissive), hit a kernel null reference when
mounting CephFS and trying to touch a file:

1. Update cluster to 24.04

2. Verify ceph is working as intended (able to mount cephFS, write out
a file, unmount, etc.)

3. Installed selinux packages

4. Added following to grub on all 3 cluster members:
"audit=1 audit_backlog_limit=8192 panic=10 security=selinux selinux=1 apparmor=0"

5. Selinux policy is permissive:
root@ceph0:~# sestatus
SELinux status: enabled
SELinuxfs mount: /sys/fs/selinux
SELinux root directory: /etc/selinux
Loaded policy name: default
Current mode: permissive
Mode from config file: permissive
Policy MLS status: enabled
Policy deny_unknown status: allowed
Memory protection checking: actual (secure)
Max kernel policy version: 33
root@ceph0:~#

6. Mounted ceph fs:
mount -t ceph admin@.cephfs=/ /var/lib/libvirt/images -o ms_mode=secure

7. Attempted to write a file; it did not complete and a null reference was reported:
(same oops as quoted in [ Impact ] above)

ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: linux-image-6.8.0-62-generic 6.8.0-62.65
ProcVersionSignature: Ubuntu 6.8.0-62.65-generic 6.8.12
Uname: Linux 6.8.0-62-generic x86_64
AlsaDevices:
 total 0
 crw-rw----. 1 root audio 116, 1 Jun 26 19:53 seq
 crw-rw----. 1 root audio 116, 33 Jun 26 19:53 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.28.1-0ubuntu3.7
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: N/A
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Thu Jun 26 20:01:43 2025
InstallationDate: Installed on 2024-03-19 (464 days ago)
InstallationMedia: Ubuntu-Server 22.04.4 LTS "Jammy Jellyfish" - Release amd64 (20240216.1)
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
Lsusb: Error: command ['lsusb'] failed with exit code 1:
Lsusb-t:

Lsusb-v: Error: command ['lsusb', '-v'] failed with exit code 1:
MachineType: VMware, Inc. VMware Virtual Platform
PciMultimedia:

ProcEnviron:
 LANG=en_US.UTF-8
 PATH=(custom, no user)
 SHELL=/bin/bash
 TERM=xterm-256color
 XDG_RUNTIME_DIR=<set>
ProcFB: 0 vmwgfxdrmfb
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-6.8.0-62-generic root=/dev/mapper/ubuntu--vg-ubuntu--lv ro ipv6.disable=1 ipv6.disable=1 audit=1 audit_backlog_limit=8192 panic=10 security=selinux selinux=1 apparmor=0
RelatedPackageVersions:
 linux-restricted-modules-6.8.0-62-generic N/A
 linux-backports-modules-6.8.0-62-generic N/A
 linux-firmware 20240318.git3b128b60-0ubuntu2.13
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: Upgraded to noble on 2025-06-26 (0 days ago)
dmi.bios.date: 11/12/2020
dmi.bios.release: 4.6
dmi.bios.vendor: Phoenix Technologies LTD
dmi.bios.version: 6.00
dmi.board.name: 440BX Desktop Reference Platform
dmi.board.vendor: Intel Corporation
dmi.board.version: None
dmi.chassis.asset.tag: No Asset Tag
dmi.chassis.type: 1
dmi.chassis.vendor: No Enclosure
dmi.chassis.version: N/A
dmi.ec.firmware.release: 0.0
dmi.modalias: dmi:bvnPhoenixTechnologiesLTD:bvr6.00:bd11/12/2020:br4.6:efr0.0:svnVMware,Inc.:pnVMwareVirtualPlatform:pvrNone:rvnIntelCorporation:rn440BXDesktopReferencePlatform:rvrNone:cvnNoEnclosure:ct1:cvrN/A:sku:
dmi.product.name: VMware Virtual Platform
dmi.product.version: None
dmi.sys.vendor: VMware, Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/2115447/+subscriptions
