[lxc-users] lxc-start-ephemeral triggers kernel oops

Serge Hallyn serge.hallyn at ubuntu.com
Wed Jun 17 15:20:06 UTC 2015


I can't reproduce this.  Is the 'trusty' container a stock,
download-template-created container?  Which lxc version (from which
ppa) are you using?  What is the underlying filesystem?

Quoting overlay fs (overlayfs at gmail.com):
> This report pertains to ubuntu 14.04 host and container, with the lxc-daily ppa
> and a container which includes the x11-common package.
> 
> A patch for CVE-2015-1328, overlayfs privilege escalation,
> has recently been applied to the kernel,
> http://www.ubuntu.com/usn/usn-2643-1/
> 
> With this patch in place, running the following command,
> 
>    lxc-start-ephemeral -o trusty -d
> 
> triggers a kernel oops,
> 
>    kernel: [ 3993.329638] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
>    kernel: [ 3993.329691] IP: [<ffffffffa075cd80>] ovl_dentry_root_may+0x30/0x60 [overlayfs]
>    kernel: [ 3993.329735] PGD 8e7a2067 PUD 8b516067 PMD 0
>    kernel: [ 3993.329766] Oops: 0000 [#1] SMP
> 
> with call trace,
> 
>    kernel: [ 3993.331138] Call Trace:
>    kernel: [ 3993.331156]  [<ffffffffa075ef2e>] ovl_check_empty_and_clear+0x4e/0x240 [overlayfs]
>    kernel: [ 3993.331198]  [<ffffffff811d44c0>] ? prepend.constprop.25+0x30/0x30
>    kernel: [ 3993.331231]  [<ffffffffa075d963>] ovl_rmdir+0x23/0x40 [overlayfs]
>    kernel: [ 3993.331262]  [<ffffffff811cc678>] vfs_rmdir+0xa8/0x100
>    kernel: [ 3993.331291]  [<ffffffff811ce571>] do_rmdir+0x1c1/0x1e0
>    kernel: [ 3993.331321]  [<ffffffff81021127>] ? syscall_trace_enter+0x197/0x250
>    kernel: [ 3993.331352]  [<ffffffff811cf655>] SyS_unlinkat+0x25/0x40
>    kernel: [ 3993.331383]  [<ffffffff81733f6f>] tracesys+0xe1/0xe6
>    kernel: [ 3993.331409] Code: 55 48 89 e5 41 55 49 89 f5 41 54 53 48 8b 47 68 89 d3 48 8b 80 f8 02 00 00 48 8b 78 28 e8 e9 3a 93 e0 49 89 c4 49 8b 45 08 89 de <48> 8b 78 30 e8 97 c4 a6 e0 83 f8 01 4c 89 e7 19 db f7 d3 83 e3
>    kernel: [ 3993.331695] RIP  [<ffffffffa075cd80>] ovl_dentry_root_may+0x30/0x60 [overlayfs]
>    kernel: [ 3993.331737]  RSP <ffff88008bfbbda8>
>    kernel: [ 3993.331755] CR2: 0000000000000030
>    kernel: [ 3993.337695] ---[ end trace 166f37bc2c7b0f52 ]---
> 
> The oops occurs every time the command is run.
> 
> If the container's (upstart) init is replaced with,
> 
>     /sbin/init --no-startup-event
> 
> then the oops does not occur.
> 
> When the oops occurs, /etc/init.d/x11-common hangs at
> the following line,
> 
>    mkdir -p -m 01777 /tmp/.X11-unix
> 
> and the container's /tmp is unreadable, both from within the container
> and from the host.
> 
> Containers that do not include the x11-common package
> do not exhibit the bug. Installing x11-common suffices to trigger the bug.