[apparmor] apparmor_parser segfault

John Johansen john.johansen at canonical.com
Tue Jan 11 18:19:21 UTC 2011


On 01/11/2011 08:50 AM, Christian Boltz wrote:
> Hello,
> 
> Am Dienstag, 11. Januar 2011 schrieb Kees Cook:
>> On Tue, Jan 11, 2011 at 02:24:50AM +0100, Christian Boltz wrote:
>>> (And they let apparmor_parser segfault when trying to load them, so
>>> the bug is still reproducible with the -p-parsed profiles.)
>>>
>>> Happy debugging! ;-)
>>
>> Hm, I'm not seeing this crash with the latest bzr tree, or with the
>> 2.5.1 version in Ubuntu maverick. Can you try to get some
>> backtraces, or maybe recheck with the latest from the tree? Maybe we
>> can find specifically which commit fixed or hid the problem.
> 
> I'm not too familiar with producing backtraces, but managed to get one - 
> see below. (If I did something wrong, please tell me what I should do ;-)
> 
> Without knowing the code, I'd guess the long list of simplify_tree_base 
> calls could indicate an (endless?) loop...
> 
> 
> Testing the latest version isn't a real problem for me, however I'd love 
> to see a RPM I can just install ;-) (probably not too hard to do - branch
> apparmor from security:apparmor and upload a tarball)
> 
> 
> Backtrace:
> 
> # gdb --args apparmor_parser usr.share.git-web.gitweb.cgi 
> GNU gdb (GDB) SUSE (7.2-2.7)
> Copyright (C) 2010 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
> and "show warranty" for details.
> This GDB was configured as "x86_64-suse-linux".
> For bug reporting instructions, please see:
> <http://www.gnu.org/software/gdb/bugs/>...
> Reading symbols from /sbin/apparmor_parser...(no debugging symbols found)...done.
> (gdb) run
> Starting program: /sbin/apparmor_parser usr.share.git-web.gitweb.cgi
> Missing separate debuginfo for /lib64/ld-linux-x86-64.so.2
> Try: zypper install -C "debuginfo(build-id)=5cfc5a2c4891477ba3f389a7f24582df1496bd89"
> Missing separate debuginfo for /lib64/libc.so.6
> Try: zypper install -C "debuginfo(build-id)=0d950bde4b77aa25e40384b58280de0f1c77073b"
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000000041bca9 in simplify_tree_base(Node*, int, bool&) ()
> (gdb) bt
> #0  0x000000000041bca9 in simplify_tree_base(Node*, int, bool&) ()
> #1  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #2  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #3  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #4  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #5  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #6  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #7  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #8  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #9  0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #10 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #11 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #12 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #13 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #14 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #15 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #16 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #17 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #18 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #19 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #20 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #21 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #22 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #23 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #24 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #25 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #26 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #27 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #28 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #29 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #30 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #31 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #32 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #33 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #34 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #35 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #36 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #37 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #38 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #39 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #40 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #41 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #42 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #43 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #44 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #45 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #46 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #47 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #48 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #49 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #50 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #51 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #52 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #53 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #54 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #55 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #56 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #57 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #58 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #59 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #60 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #61 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #62 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #63 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #64 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #65 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #66 0x000000000041bbba in simplify_tree_base(Node*, int, bool&) ()
> #67 0x000000000041c126 in simplify_tree(Node*, dfaflags) ()
> #68 0x000000000042668b in aare_create_dfa ()
> #69 0x0000000000413deb in process_regex ()
> #70 0x000000000041482c in __process_regex ()
> #71 0x0000000000414dd5 in post_process_regex ()
> #72 0x0000000000414ffa in post_process_policy ()
> #73 0x000000000040962b in process_profile ()
> #74 0x000000000040a08a in main ()
> (gdb) 
> 
yikes!  I remember the general set of commits that fixed this.  We really need
to get suse on to a more recent version of the parser.

I know we can pull the patches to fix this, but then you would still be
missing so many other improvements and fixes since 2.1.  The parser really
has come a long ways since then (admittedly there are still a lot of improvements
to come).

If we could get a recent build of the parser up in the build service would that
be an acceptable "fix"?
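
Added example, not part of the original message or of AppArmor's code: a small Python helper that collapses a gdb `bt` listing like the one quoted above into runs of identical frames, so the recursion depth and the entry path into it can be read at a glance. The function names `parse_frames`, `collapse`, `recursive_runs` and `build_sample` are assumptions of this example; the sample input is constructed from the frames shown in the quoted backtrace.

```python
import re
from itertools import groupby

# One gdb "bt" frame: optional mail-quote prefix, "#N", optional "0xADDR in",
# the function (C++ signature included), an argument list, optional location.
FRAME_RE = re.compile(
    r"^[>\s]*#(\d+)\s+(?:(0x[0-9a-fA-F]+)\s+in\s+)?(.+?)\s*\([^()]*\)"
    r"(?:\s+(?:at|from)\s+.*)?\s*$")

def parse_frames(text):
    """Return [(index, address or None, function)] for every frame line."""
    matches = (FRAME_RE.match(line) for line in text.splitlines())
    return [(int(m.group(1)), m.group(2), m.group(3)) for m in matches if m]

def collapse(frames):
    """Merge consecutive frames of the same function into runs."""
    runs = []
    for func, group in groupby(frames, key=lambda f: f[2]):
        group = list(group)
        runs.append({
            "func": func, "first": group[0][0], "last": group[-1][0],
            "depth": len(group),
            # Frame #0 holds the faulting PC; outer frames hold return addresses.
            "addrs": sorted({f[1] for f in group if f[1]}),
        })
    return runs

def recursive_runs(runs, min_depth=2):
    """Runs in which one function occupies at least min_depth adjacent frames."""
    return [r for r in runs if r["depth"] >= min_depth]

def build_sample():
    """Constructed input: the frames quoted above, rebuilt with the '> ' prefix."""
    rec = "simplify_tree_base(Node*, int, bool&)"
    lines = ["> #0  0x000000000041bca9 in %s ()" % rec]
    lines += ["> #%-2d 0x000000000041bbba in %s ()" % (i, rec) for i in range(1, 67)]
    tail = [("41c126", "simplify_tree(Node*, dfaflags)"),
            ("42668b", "aare_create_dfa"), ("413deb", "process_regex")]
    lines += ["> #%d 0x0000000000%s in %s ()" % (67 + i, a, f)
              for i, (a, f) in enumerate(tail)]
    return "\n".join(lines)

if __name__ == "__main__":
    for r in collapse(parse_frames(build_sample())):
        print("#%d-#%d x%d %s %s" % (r["first"], r["last"], r["depth"],
                                     r["func"], ", ".join(r["addrs"])))
```

A single return address shared by every outer frame of a run, as here, means the recursion goes through one call site inside the function.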


