memory leaking when removing a profile

Bug #1939915 reported by Georgia Garcia
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
AppArmor
New
Undecided
Unassigned
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Xenial
Fix Committed
Medium
Unassigned
Bionic
Fix Released
Medium
Unassigned
Focal
Fix Released
Medium
Unassigned

Bug Description

There's a memory leak in the kernel when removing a profile.
A simple reproducible example:

root@ubuntu:~# echo "profile foo {}" > profile
root@ubuntu:~# apparmor_parser profile
root@ubuntu:~# apparmor_parser -R profile
root@ubuntu:~# echo scan > /sys/kernel/debug/kmemleak
root@ubuntu:~# cat /sys/kernel/debug/kmemleak
unreferenced object 0xffff99bcf5128bb0 (size 16):
  comm "apparmor_parser", pid 1318, jiffies 4295139856 (age 33.196s)
  hex dump (first 16 bytes):
    01 00 00 00 00 00 00 00 98 1f 01 fd bc 99 ff ff ................
  backtrace:
    [<00000000b1f68969>] kmem_cache_alloc_trace+0xd8/0x1e0
    [<0000000086ca7bd9>] aa_alloc_proxy+0x30/0x60
    [<000000000e34f34c>] aa_alloc_profile+0xd4/0x100
    [<00000000c2e34769>] unpack_profile+0x16f/0xe10
    [<0000000019033e2b>] aa_unpack+0x119/0x500
    [<00000000a97520b2>] aa_replace_profiles+0x94/0xca0
    [<000000001833f520>] policy_update+0x124/0x1e0
    [<00000000992f950e>] profile_load+0x7d/0xa0
    [<00000000db7852ce>] __vfs_write+0x1b/0x40
    [<000000004e709f5d>] vfs_write+0xb9/0x1a0
    [<00000000280db840>] SyS_write+0x5e/0xe0
    [<0000000014c5ab5d>] do_syscall_64+0x79/0x130
    [<00000000e962a389>] entry_SYSCALL_64_after_hwframe+0x41/0xa6
    [<000000009d368497>] 0xffffffffffffffff

This issue was already fixed upstream 3622ad25d4d6 v5.8-rc1~102^2
It still needs to be applied on xenial, bionic and focal.

This issue could lead to a OOM and eventually DoS. We could see this
issue happening during a test in which snaps were disconnected and
reconnected, causing the leak every time the profile was removed.
Since it is a refcount issue, there could be a lot of memory involved
because the whole profile would be leaked.
Note that only privileged users can remove a profile.

description: updated
Stefan Bader (smb)
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Bionic):
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu Focal):
importance: Undecided → Medium
status: New → In Progress
Changed in linux (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
description: updated
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Revision history for this message
Georgia Garcia (georgiag) wrote (last edit ):

Tested on -proposed by causing the leak and checking the memory used with "free", since CONFIG_DEBUG_KMEMLEAK is not set. It worked as expected - the memory used shown in "free" after removing the profile was in an expected range.

tags: added: verification-done-bionic verification-done-focal
removed: verification-needed-bionic verification-needed-focal
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (34.1 KiB)

This bug was fixed in the package linux - 5.4.0-88.99

---------------
linux (5.4.0-88.99) focal; urgency=medium

  * focal/linux: 5.4.0-88.99 -proposed tracker (LP: #1944747)

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.06)

  * please drop virtualbox-guest-dkms virtualbox-guest-source (LP: #1933248)
    - Revert "UBUNTU: [Config] Disable virtualbox dkms build"

linux (5.4.0-87.98) focal; urgency=medium

  * please drop virtualbox-guest-dkms virtualbox-guest-source (LP: #1933248)
    - [Config] Disable virtualbox dkms build

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.06)

  * LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

  * disable “CONFIG_HISI_DMA” config for ubuntu version (LP: #1936771)
    - Disable CONFIG_HISI_DMA
    - [Config] Record hisi_dma no longer built for arm64

  * memory leaking when removing a profile (LP: #1939915)
    - apparmor: Fix memory leak of profile proxy

  * CryptoExpress EP11 cards are going offline (LP: #1939618)
    - s390/zcrypt: Support for CCA protected key block version 2
    - s390: Replace zero-length array with flexible-array member
    - s390/zcrypt: Use scnprintf() for avoiding potential buffer overflow
    - s390/zcrypt: replace snprintf/sprintf with scnprintf
    - s390/ap: Remove ap device suspend and resume callbacks
    - s390/zcrypt: use fallthrough;
    - s390/zcrypt: use kvmalloc instead of kmalloc for 256k alloc
    - s390/ap: remove power management code from ap bus and drivers
    - s390/ap: introduce new ap function ap_get_qdev()
    - s390/zcrypt: use kzalloc
    - s390/zcrypt: fix smatch warnings
    - s390/zcrypt: code beautification and struct field renames
    - s390/zcrypt: split ioctl function into smaller code units
    - s390/ap: rename and clarify ap state machine related stuff
    - s390/zcrypt: provide cex4 cca sysfs attributes for cex3
    - s390/ap: rework crypto config info and default domain code
    - s390/zcrypt: simplify cca_findcard2 loop code
    - s390/zcrypt: remove set_fs() invocation in zcrypt device driver
    - s390/ap: remove unnecessary spin_lock_init()
    - s390/zcrypt: Support for CCA APKA master keys
    - s390/zcrypt: introduce msg tracking in zcrypt functions
    - s390/ap: split ap queue state machine state from device state
    - s390/ap: add error response code field for ap queue devices
    - s390/ap: add card/queue deconfig state
    - s390/sclp: Add support for SCLP AP adapter config/deconfig
    - s390/ap: Support AP card SCLP config and deconfig operations
    - s390/ap/zcrypt: revisit ap and zcrypt error handling
    - s390/zcrypt: move ap_msg param one level up the call chain
    - s390/zcrypt: Introduce Failure Injection feature
    - s390/zcrypt: fix wrong format specifications
    - s390/ap: fix ap devices reference counting
    - s390/zcrypt: return EIO when msg retry limit reached
    - s390/zcrypt: fix zcard and zqueue hot-unplug memleak
    - s390/ap: Fix hanging ioctl caused by wrong msg counter

  * memfd from ubuntu_kernel_s...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (12.2 KiB)

This bug was fixed in the package linux - 4.15.0-159.167

---------------
linux (4.15.0-159.167) bionic; urgency=medium

  * Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.09.06)

  * dell300x: rsi wifi and bluetooth crash after suspend and resume
    (LP: #1940488)
    - Revert "rsi: Use resume_noirq for SDIO"

  * LRMv5: switch primary version handling to kernel-versions data set
    (LP: #1928921)
    - [Packaging] switch to kernel-versions

  * kvm_unit_tests: emulator test fails on 4.4 / 4.15 kernel, timeout
    (LP: #1932966)
    - kvm: Add emulation for movups/movupd

  * memory leaking when removing a profile (LP: #1939915)
    - security/apparmor/label.c: Clean code by removing redundant instructions
    - apparmor: Fix memory leak of profile proxy

  * ubunut_kernel_selftests: memory-hotplug: avoid spamming logs with
    dump_page() (LP: #1941829)
    - selftests: memory-hotplug: avoid spamming logs with dump_page(), ratio limit
      hot-remove error test

  * Bionic update: upstream stable patchset 2021-08-27 (LP: #1941916)
    - btrfs: mark compressed range uptodate only if all bio succeed
    - regulator: rt5033: Fix n_voltages settings for BUCK and LDO
    - r8152: Fix potential PM refcount imbalance
    - qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union()
    - net: Fix zero-copy head len calculation.
    - Revert "Bluetooth: Shutdown controller after workqueues are flushed or
      cancelled"
    - KVM: do not allow mapping valid but non-reference-counted pages
    - Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
    - spi: mediatek: Fix fifo transfer
    - padata: validate cpumask without removed CPU during offline
    - Revert "ACPICA: Fix memory leak caused by _CID repair function"
    - ALSA: seq: Fix racy deletion of subscriber
    - clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
    - omap5-board-common: remove not physically existing vdds_1v8_main fixed-
      regulator
    - scsi: sr: Return correct event when media event code is 3
    - media: videobuf2-core: dequeue if start_streaming fails
    - net: natsemi: Fix missing pci_disable_device() in probe and remove
    - nfp: update ethtool reporting of pauseframe control
    - mips: Fix non-POSIX regexp
    - bnx2x: fix an error code in bnx2x_nic_load()
    - net: pegasus: fix uninit-value in get_interrupt_interval
    - net: fec: fix use-after-free in fec_drv_remove
    - net: vxge: fix use-after-free in vxge_device_unregister
    - Bluetooth: defer cleanup of resources in hci_unregister_dev()
    - USB: usbtmc: Fix RCU stall warning
    - USB: serial: option: add Telit FD980 composition 0x1056
    - USB: serial: ch341: fix character loss at high transfer rates
    - USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
    - usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers
    - usb: gadget: f_hid: fixed NULL pointer dereference
    - usb: gadget: f_hid: idle uses the highest byte for duration
    - usb: otg-fsm: Fix hrtimer list corruption
    - scripts/tracing: fix the bug that can't parse raw_trace_func
    - staging: rtl8723bs: Fix a resource lea...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers