[OpenAFS] OpenAFS 1.8.7 on Linux systems running Crowdstrike falcon-sensor

Benjamin Kaduk kaduk@mit.edu
Mon, 8 Mar 2021 16:20:53 -0800

Hi Martin,

On Mon, Mar 08, 2021 at 07:35:19PM +0000, Martin Kelly wrote:
> On Sun, Mar 7, 2021 at 4:34 PM Benjamin Kaduk <kaduk@mit.edu> wrote:
> > > I don't use Crowdstrike so haven't seen it, but can you post the backtrace?
> > Based on what I've heard from Mr. Proulx at MIT (and from others off-list), I have put in a ticket with Crowdstrike asking if I can share the kernel backtrace.  I honestly feel like it should be OK but I don't want to risk my job over it.
> Hi,
> I’m an engineer at CrowdStrike. There is a known issue in which OpenAFS can cause the CrowdStrike LSM to crash because current->fs can be set to NULL in a certain code path in which it should not be NULL because we’re in process context. I double-checked this on the upstream LSM mailing list after looking at a stack trace. I had thought that a bug report had gotten back to OpenAFS but it seems like that didn’t happen; sorry about that!
> Below is the LKML LSM thread regarding this. Please let me know if you have any other questions:
> https://www.spinics.net/lists/linux-security-module/msg39081.html
> https://www.spinics.net/lists/linux-security-module/msg39083.html

Thanks for spotting this thread and the quick follow-up.

I suspect that the changes at https://gerrit.openafs.org/#/c/13751/ are
going to be relevant in this space, but without seeing the stack trace of
the crash in question it's hard to be sure.  Can you speak to whether this
is touching the "right" part of the code with respect to the crashes you
were investigating?