From: John Johansen <john.johansen@canonical.com>
To: Helge Deller <deller@gmx.de>,
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de>,
Helge Deller <deller@kernel.org>
Cc: linux-kernel@vger.kernel.org, apparmor@lists.ubuntu.com,
linux-security-module@vger.kernel.org
Subject: Re: [PATCH 0/2] apparmor unaligned memory fixes
Date: Sat, 22 Nov 2025 18:08:42 -0800 [thread overview]
Message-ID: <ba3d5651-fa68-4bb5-84aa-35576044e7b0@canonical.com> (raw)
In-Reply-To: <be9c143d-1d5e-4c5b-9078-4a7804489258@gmx.de>
On 11/18/25 04:49, Helge Deller wrote:
> Hi Adrian,
>
> On 11/18/25 12:43, John Paul Adrian Glaubitz wrote:
>> On Tue, 2025-11-18 at 12:09 +0100, Helge Deller wrote:
>>> My patch fixed two call sites, but I suspect you see another call site which
>>> hasn't been fixed yet.
>>>
>>> Can you try attached patch? It might indicate the caller of the function and
>>> maybe prints the struct name/address which isn't aligned.
>>>
>>> Helge
>>>
>>>
>>> diff --git a/security/apparmor/match.c b/security/apparmor/match.c
>>> index c5a91600842a..b477430c07eb 100644
>>> --- a/security/apparmor/match.c
>>> +++ b/security/apparmor/match.c
>>> @@ -313,6 +313,9 @@ struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
>>> if (size < sizeof(struct table_set_header))
>>> goto fail;
>>> + if (WARN_ON(((unsigned long)data) & (BITS_PER_LONG/8 - 1)))
>>> + pr_warn("dfa blob stream %pS not aligned.\n", data);
>>> +
>>> if (ntohl(*(__be32 *) data) != YYTH_MAGIC)
>>> goto fail;
>>
>> Here is the relevant output with the patch applied:
>>
>> [ 73.840639] ------------[ cut here ]------------
>> [ 73.901376] WARNING: CPU: 0 PID: 341 at security/apparmor/match.c:316 aa_dfa_unpack+0x6cc/0x720
>> [ 74.015867] Modules linked in: binfmt_misc evdev flash sg drm drm_panel_orientation_quirks backlight i2c_core configfs nfnetlink autofs4 ext4 crc16 mbcache jbd2 hid_generic usbhid sr_mod hid cdrom
>> sd_mod ata_generic ohci_pci ehci_pci ehci_hcd ohci_hcd pata_ali libata sym53c8xx scsi_transport_spi tg3 scsi_mod usbcore libphy scsi_common mdio_bus usb_common
>> [ 74.428977] CPU: 0 UID: 0 PID: 341 Comm: apparmor_parser Not tainted 6.18.0-rc6+ #9 NONE
>> [ 74.536543] Call Trace:
>> [ 74.568561] [<0000000000434c24>] dump_stack+0x8/0x18
>> [ 74.633757] [<0000000000476438>] __warn+0xd8/0x100
>> [ 74.696664] [<00000000004296d4>] warn_slowpath_fmt+0x34/0x74
>> [ 74.771006] [<00000000008db28c>] aa_dfa_unpack+0x6cc/0x720
>> [ 74.843062] [<00000000008e643c>] unpack_pdb+0xbc/0x7e0
>> [ 74.910545] [<00000000008e7740>] unpack_profile+0xbe0/0x1300
>> [ 74.984888] [<00000000008e82e0>] aa_unpack+0xe0/0x6a0
>> [ 75.051226] [<00000000008e3ec4>] aa_replace_profiles+0x64/0x1160
>> [ 75.130144] [<00000000008d4d90>] policy_update+0xf0/0x280
>> [ 75.201057] [<00000000008d4fc8>] profile_replace+0xa8/0x100
>> [ 75.274258] [<0000000000766bd0>] vfs_write+0x90/0x420
>> [ 75.340594] [<00000000007670cc>] ksys_write+0x4c/0xe0
>> [ 75.406932] [<0000000000767174>] sys_write+0x14/0x40
>> [ 75.472126] [<0000000000406174>] linux_sparc_syscall+0x34/0x44
>> [ 75.548802] ---[ end trace 0000000000000000 ]---
>> [ 75.609503] dfa blob stream 0xfff0000008926b96 not aligned.
>> [ 75.682695] Kernel unaligned access at TPC[8db2a8] aa_dfa_unpack+0x6e8/0x720
>
> The non-8-byte-aligned address (0xfff0000008926b96) is coming from userspace
> (via the write syscall).
> Some apparmor userspace tool writes into the apparmor ".replace" virtual file with
> a source address which is not correctly aligned.
the userpace buffer passed to write(2) has to be aligned? Its certainly nice if it
is but the userspace tooling hasn't been treating it as aligned. With that said,
the dfa should be padded to be aligned. So this tripping in the dfa is a bug,
and there really should be some validation to catch it.
> You should be able to debug/find the problematic code with strace from userspace.
> Maybe someone with apparmor knowledge here on the list has an idea?
>
This is likely an unaligned 2nd profile, being split out and loaded separately
from the rest of the container. Basically the loader for some reason (there
are a few different possible reasons) is poking into the container format and
pulling out the profile at some offset, this gets loaded to the kernel but
it would seem that its causing an issue with the dfa alignment within the container,
which should be aligned to the original container.
Kernel side, we are going to need to add some extra verification checks, it should
be catching this, as unaligned as part of the unpack. Userspace side, we will have
to verify my guess and fix the loader.
next prev parent reply other threads:[~2025-11-23 2:08 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-05-31 15:08 [PATCH 0/2] apparmor unaligned memory fixes deller
2025-05-31 15:08 ` [PATCH 1/2] apparmor: Fix 8-byte alignment for initial dfa blob streams deller
2025-05-31 15:08 ` [PATCH 2/2] apparmor: Fix unaligned memory accesses in KUnit test deller
2025-11-18 9:04 ` [PATCH 0/2] apparmor unaligned memory fixes John Paul Adrian Glaubitz
2025-11-18 11:09 ` Helge Deller
2025-11-18 11:43 ` John Paul Adrian Glaubitz
2025-11-18 12:49 ` Helge Deller
2025-11-23 2:08 ` John Johansen [this message]
2025-11-25 15:11 ` Helge Deller
2025-11-25 19:20 ` John Johansen
2025-11-25 21:13 ` Helge Deller
2025-11-26 9:11 ` John Johansen
2025-11-26 10:44 ` david laight
2025-11-26 11:03 ` Helge Deller
2025-11-26 11:31 ` Helge Deller
2025-11-26 16:16 ` John Paul Adrian Glaubitz
2025-11-26 16:58 ` Helge Deller
2025-11-26 17:26 ` John Paul Adrian Glaubitz
2025-11-26 14:22 ` david laight
2025-11-26 15:12 ` Helge Deller
2025-11-26 19:33 ` John Johansen
2025-11-26 20:15 ` Helge Deller
2025-11-26 21:10 ` John Johansen
2025-11-27 9:25 ` John Paul Adrian Glaubitz
2025-11-27 9:43 ` John Paul Adrian Glaubitz
2025-11-28 9:54 ` John Paul Adrian Glaubitz
2025-11-26 21:23 ` david laight
2025-11-26 22:18 ` John Johansen
2025-11-26 19:22 ` John Johansen
2025-11-26 7:27 ` John Paul Adrian Glaubitz
2025-11-26 7:52 ` John Paul Adrian Glaubitz
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ba3d5651-fa68-4bb5-84aa-35576044e7b0@canonical.com \
--to=john.johansen@canonical.com \
--cc=apparmor@lists.ubuntu.com \
--cc=deller@gmx.de \
--cc=deller@kernel.org \
--cc=glaubitz@physik.fu-berlin.de \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox