From a633085eb6785c84fe528351baca5bfe3c79ef52 Mon Sep 17 00:00:00 2001 From: Ben Hutchings Date: Fri, 24 Nov 2017 13:25:03 +0000 Subject: [PATCH] apparmor: fix oops in audit_signal_cb hook (regression in 4.14) --- debian/changelog | 1 + ...mor-fix-oops-in-audit_signal_cb-hook.patch | 109 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 111 insertions(+) create mode 100644 debian/patches/bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch diff --git a/debian/changelog b/debian/changelog index d7a7efdfc..82541c5ee 100644 --- a/debian/changelog +++ b/debian/changelog @@ -14,6 +14,7 @@ linux (4.14.1-1~exp1) UNRELEASED; urgency=medium - Change CONNECTOR from built-in to module, and disable PROC_EVENTS - Disable INTEGRITY and dependent options - video: Disable USB_APPLEDISPLAY, BACKLIGHT_CLASS_DEVICE + * apparmor: fix oops in audit_signal_cb hook (regression in 4.14) -- Ben Hutchings Mon, 20 Nov 2017 14:16:28 +0000 diff --git a/debian/patches/bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch b/debian/patches/bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch new file mode 100644 index 000000000..1b116b7d2 --- /dev/null +++ b/debian/patches/bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch 
@@ -0,0 +1,109 @@ +From: John Johansen +Date: Wed, 22 Nov 2017 07:33:38 -0800 +Subject: apparmor: fix oops in audit_signal_cb hook +Origin: https://lkml.org/lkml/2017/11/22/411 + +The apparmor_audit_data struct ordering got messed up during a merge +conflict, resulting in the signal integer and peer pointer being in +a union instead of a struct together. + +For most of the 4.13 and 4.14 life cycle, this was hidden by commit +651e28c5537abb39076d3949fb7618536f1d242e which fixed the +apparmor_audit_data struct when its data was added. When that commit +was reverted in -rc7 the signal audit bug was exposed, and +unfortunately it never showed up in any of the testing until after +4.14 was released, and Shaun Khan, Zephaniah E. Loss-Cutler-Hull filed +nearly simultaneous bug reports (with different oopes, the smaller of +which is included below). + +Full credit goes to Tetsuo Handa for jumping on this as well and +noticing the audit data struct problem and reporting it. + +Alright, trying again, this time with my mail settings to actually send +as plain text, and with some more detail. + +I am running Ubuntu 16.04, with a mainline 4.14 kernel. + +[ 76.178568] BUG: unable to handle kernel paging request at ffffffff0eee3bc0 +[ 76.178579] IP: audit_signal_cb+0x6c/0xe0 +[ 76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0 +[ 76.178586] Oops: 0000 [#1] PREEMPT SMP +[ 76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel +[ 76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted 4.14.0-f1-dirty #135 +[ 76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio 9470m/18DF, BIOS 68IBD Ver. 
F.62 10/22/2015 +[ 76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000 +[ 76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0 +[ 76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292 +[ 76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX: 0000000000000000 +[ 76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI: ffff9c7a9493d800 +[ 76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09: ffffa09b02a4fc46 +[ 76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12: ffffa09b02a4fd40 +[ 76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15: 0000000000000001 +[ 76.178646] FS: 00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000) knlGS:0000000000000000 +[ 76.178648] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4: 00000000001606f0 +[ 76.178652] Call Trace: +[ 76.178660] common_lsm_audit+0x1da/0x780 +[ 76.178665] ? d_absolute_path+0x60/0x90 +[ 76.178669] ? aa_check_perms+0xcd/0xe0 +[ 76.178672] aa_check_perms+0xcd/0xe0 +[ 76.178675] profile_signal_perm.part.0+0x90/0xa0 +[ 76.178679] aa_may_signal+0x16e/0x1b0 +[ 76.178686] apparmor_task_kill+0x51/0x120 +[ 76.178690] security_task_kill+0x44/0x60 +[ 76.178695] group_send_sig_info+0x25/0x60 +[ 76.178699] kill_pid_info+0x36/0x60 +[ 76.178703] SYSC_kill+0xdb/0x180 +[ 76.178707] ? preempt_count_sub+0x92/0xd0 +[ 76.178712] ? _raw_write_unlock_irq+0x13/0x30 +[ 76.178716] ? task_work_run+0x6a/0x90 +[ 76.178720] ? 
exit_to_usermode_loop+0x80/0xa0 +[ 76.178723] entry_SYSCALL_64_fastpath+0x13/0x94 +[ 76.178727] RIP: 0033:0x7f8b0e58b767 +[ 76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX: 000000000000003e +[ 76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX: 00007f8b0e58b767 +[ 76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 000000000000263b +[ 76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09: 0000000000000001 +[ 76.178739] R10: 000000000000022d R11: 0000000000000206 R12: 0000000000000000 +[ 76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15: 0000000000000000 +[ 76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b 42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd 00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35 +[ 76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08 +[ 76.178796] CR2: ffffffff0eee3bc0 +[ 76.178799] ---[ end trace 514af9529297f1a3 ]--- + +Fixes: cd1dbf76b23d ("apparmor: add the ability to mediate signals") +Reported-by: Zephaniah E. Loss-Cutler-Hull +Reported-by: Shuah Khan +Reported-by: Tetsuo Handa +Signed-off-by: John Johansen +--- + security/apparmor/include/audit.h | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/security/apparmor/include/audit.h ++++ b/security/apparmor/include/audit.h +@@ -121,17 +121,19 @@ struct apparmor_audit_data { + /* these entries require a custom callback fn */ + struct { + struct aa_label *peer; +- struct { +- const char *target; +- kuid_t ouid; +- } fs; ++ union { ++ struct { ++ const char *target; ++ kuid_t ouid; ++ } fs; ++ int signal; ++ }; + }; + struct { + struct aa_profile *profile; + const char *ns; + long pos; + } iface; +- int signal; + struct { + int rlim; + unsigned long max; diff --git a/debian/patches/series b/debian/patches/series index c84d8700c..aa96b58b5 100644 --- a/debian/patches/series +++ b/debian/patches/series 
@@ -78,6 +78,7 @@ bugfix/all/partially-revert-usb-kconfig-using-select-for-usb_co.patch bugfix/all/kbuild-include-addtree-remove-quotes-before-matching-path.patch bugfix/all/i40e-i40evf-organize-and-re-number-feature-flags.patch bugfix/all/i40e-fix-flags-declaration.patch +bugfix/all/apparmor-fix-oops-in-audit_signal_cb-hook.patch # Miscellaneous features
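Review bot: in the debian/changelog hunk the new entry matches the patch subject, but the stanza trailer still carries the earlier `Mon, 20 Nov 2017 14:16:28 +0000` timestamp while the commit is dated 24 Nov; since the stanza is still UNRELEASED this is harmless, just make sure the trailer date is refreshed before the upload so the changelog date reflects the last change it describes.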
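Review bot: in the new apparmor-fix-oops-in-audit_signal_cb-hook.patch, the audit.h hunk is structurally right (`int signal` now lives in the struct beside `peer`, unioned with the `fs` sub-struct instead of with the whole peer-holding struct), but the anonymous union silently depends on `signal` and `fs.target`/`fs.ouid` never being needed in the same audit record; given that this layout was already broken once by a merge conflict, a short comment on the `union {` line naming which callbacks use `fs` and which use `signal` would make the invariant visible to the next merger. Two cosmetic points in the description: the reporter's pasted reply ("Alright, trying again, this time with my mail settings ...") could be trimmed to the oops itself, and the body says "Shaun Khan" while the tag reads `Reported-by: Shuah Khan`, so the name should be made consistent with the tag.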
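Review bot: the debian/patches/series hunk appends the new entry at the end of the bugfix/all block, directly before the `# Miscellaneous features` marker, which is consistent with the ordering of the neighbouring bugfix/all entries; nothing to change here.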