It turns out that the 5.0 and 5.3 kernels should still be supported
on some custom kernels, thus sending the patch for Disco and Eoan.
[D/E][PATCH 0/1] Fix apparmor reference leak via AF_ALG
https://lists.ubuntu.com/archives/kernel-team/2020-June/111585.html
** Changed in: linux (Ubuntu Eoan)
Status: Won't Fix => In Progress
** Changed in: linux (Ubuntu Eoan)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Eoan)
Assignee: (unassigned) => Mauricio Faria de Oliveira (mfo)
--
You received this bug notification because you are subscribed to linux
in Ubuntu.
Matching subscriptions: Bgg, Bmail, Nb
https://bugs.launchpad.net/bugs/1883962
Title:
apparmor reference leak causes refcount_t overflow with
af_alg_accept()
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Bionic:
In Progress
Status in linux source package in Eoan:
In Progress
Status in linux source package in Focal:
In Progress
Status in linux source package in Groovy:
Invalid
Bug description:
[Impact]
* Users of the Crypto (user-space) API (i.e., AF_ALG)
can trigger refcount errors in AppArmor under high
load (might lead to memory leak or use after free.)
* There is a reference leak in AppArmor when af_alg_accept()
calls security_sock_graft() and then security_sk_clone().
* Both acquire a reference to a label, to assign it to the
same pointer, but the latter does not release the former's
acquired reference (before overwriting the pointer value.)
* This reference leak builds up over time, and under high
load can eventually overflow/underflow/saturate refcount,
depending on which value it has when a program hits that.
* The fix just checks if the pointer has an assigned label,
then releases its acquired reference.
[Test Case]
* See comment #1 for the test-case 'aa-refcnt-af_alg.c'.
* Exercise that code path indefinitely until it hits
the refcount_t overflow/underflow/saturate message
(or not, with the patch.) (see comment #4)
* It's possible to monitor refcount values with kprobes,
to confirm whether or not the problem is happening.
(see comments #2 and #3)
[Other Info]
* Patch applied upstream on v5.8-rc1 [1]
* Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
* Not required on Groovy (still 5.4; should sync from Unstable)
* Not required on Eoan (EOL date before SRU cycle release date)
* Required on Bionic and Focal.
[1]
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1883962/+subscriptions
Комментариев нет:
Отправить комментарий