apparmor reference leak causes refcount_t overflow with af_alg_accept()
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Committed | Medium | Mauricio Faria de Oliveira |
Bionic | Fix Released | Medium | Mauricio Faria de Oliveira |
Eoan | Fix Released | Medium | Mauricio Faria de Oliveira |
Focal | Fix Released | Medium | Mauricio Faria de Oliveira |
Groovy | Invalid | Undecided | Unassigned |
Bug Description
[Impact]
* Users of the Crypto (user-space) API (i.e., AF_ALG)
can trigger refcount errors in AppArmor under high
load (might lead to memory leak or use after free.)
* There is a reference leak in AppArmor when af_alg_accept()
calls security_
* Both acquire a reference to a label, to assign it to the
same pointer, but the latter does not release the former's
acquired reference (before overwriting the pointer value.)
* This reference leak builds up over time, and under high
load can eventually overflow/
depending on which value it has when a program hits that.
* The fix just checks if the pointer has an assigned label,
then releases its acquired reference.
[Test Case]
* See comment #1 for the test-case 'aa-refcnt-
* Exercise that code path indefinitely until it hits
the refcount_t overflow/
(or not, with the patch.) (see comment #4)
* It's possible to monitor refcount values with kprobes,
to confirm whether or not the problem is happening.
(see comments #2 and #3)
[Other Info]
* Patch applied upstream on v5.8-rc1 [1]
* Applied on Unstable (tag Ubuntu-
* Not required on Groovy (still 5.4; should sync from Unstable)
* Not required on Eoan (EOL date before SRU cycle release date)
* Required on Bionic and Focal.
Changed in linux (Ubuntu):
  importance: Undecided → Medium
  assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Groovy):
  status: New → Won't Fix
Changed in linux (Ubuntu Eoan):
  status: New → Won't Fix
Changed in linux (Ubuntu Bionic):
  status: New → In Progress
Changed in linux (Ubuntu Focal):
  status: New → In Progress
Changed in linux (Ubuntu Groovy):
  importance: Medium → Undecided
  assignee: Mauricio Faria de Oliveira (mfo) → nobody
Changed in linux (Ubuntu Focal):
  importance: Undecided → Medium
  assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Bionic):
  importance: Undecided → Medium
  assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu):
  status: New → Fix Committed
Mauricio Faria de Oliveira (mfo) wrote (#2):
kprobes module to monitor the apparmor label reference count.
Mauricio Faria de Oliveira (mfo) wrote (#3):
Monitoring the label reference count with the kprobes module:
- original kernel: the counter keeps increasing on every pair of accept()/release() syscalls.
- modified kernel: the counter stays stable.
Focal:
-----
original)
$ uname -rv
5.4.0-38-generic #42-Ubuntu SMP Mon Jun 8 14:14:24 UTC 2020
$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4739.811403] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_
[ 4739.813677] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_
[ 4739.815994] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_
[ 4739.818274] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_
[ 4739.820555] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_
[ 4739.822833] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_
...
$ sudo rmmod kmod
modified)
$ uname -rv
5.4.0-38-generic #42+test20200617b1 SMP Wed Jun 17 16:31:24 -03 2020
$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 185.657133] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_
[ 185.660720] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_
[ 185.664321] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_
[ 185.668981] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_
[ 185.672648] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_
[ 185.676299] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_
...
$ sudo rmmod kmod
Bionic:
------
original)
$ uname -rv
4.15.0-107-generic #108-Ubuntu SMP Mon Jun 8 17:51:33 UTC 2020
$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4333.136581] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_
[ 4333.139131] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_
[ 4333.141650] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_
[ 4333.144142] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_
[ 4333.146675] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_
[ 4333.149199] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_
...
$ sudo rmmod kmod
modified)
$ uname -rv
4.15.0-107-generic #108+test20200617b1 SMP Wed Jun 17 16:33:16 -03 2020
$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 245.921217] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_
[ 245.923456] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_
[ 245.925718] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_
[ 245.927954] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_
[ 245.930221] accept() :: comm = aa-refcnt-af_...
Mauricio Faria de Oliveira (mfo) wrote (#4):
After a few hours with the reproducer running on the original kernel,
the kernel errors about the reference count are observed:
Focal:
-----
$ uname -rv
5.4.0-38-generic #42-Ubuntu SMP Mon Jun 8 14:14:24 UTC 2020
$ ./aa-refcnt-af_alg
<a few hours later>
[ 9581.048189] ------------[ cut here ]------------
[ 9581.049497] refcount_t overflow at apparmor_
[ 9581.052125] WARNING: CPU: 1 PID: 1023 at kernel/panic.c:677 refcount_
[ 9581.054428] Modules linked in: ...
[ 9581.063137] CPU: 1 PID: 1023 Comm: aa-refcnt-af_al Tainted: G OE 5.4.0-38-generic #42-Ubuntu
[ 9581.065494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 9581.067693] RIP: 0010:refcount_
...
[ 9581.088358] Call Trace:
[ 9581.089083] ex_handler_
[ 9581.090147] fixup_exception
[ 9581.091142] do_trap+0x4e/0xf0
[ 9581.091998] do_error_
[ 9581.092958] ? csum_partial_
[ 9581.094250] do_invalid_
[ 9581.095210] ? csum_partial_
[ 9581.096505] invalid_
[ 9581.097413] RIP: 0010:apparmor_
...
[ 9581.113048] security_
[ 9581.114078] af_alg_
[ 9581.115456] alg_accept+
[ 9581.116549] __sys_accept4+
[ 9581.117549] ? _cond_resched+
[ 9581.118545] __x64_sys_
[ 9581.119573] do_syscall_
[ 9581.120551] entry_SYSCALL_
[ 9581.121821] RIP: 0033:0x7efc1bc390a7
...
Bionic:
------
$ uname -rv
4.15.0-107-generic #108-Ubuntu SMP Mon Jun 8 17:51:33 UTC 2020
$ ./aa-refcnt-af_alg
<a few hours later>
[ 8460.359291] ------------[ cut here ]------------
[ 8460.360638] refcount_t overflow at apparmor_
[ 8460.363332] WARNING: CPU: 1 PID: 1243 at /build/
[ 8460.366556] Modules linked in: ...
[ 8460.375936] CPU: 1 PID: 1243 Comm: aa-refcnt-af_al Tainted: G OE 4.15.0-107-generic #108-Ubuntu
[ 8460.378352] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 8460.380598] RIP: 0010:refcount_
...
[ 8460.397294] Call Trace:
[ 8460.398331] ex_handler_
[ 8460.399432] fixup_exception
[ 8460.400462] do_trap+0x8a/0x140
[ 8460.401346] do_error_
[ 8460.402355] ? csum_partial_
[ 8460.403671] ? ___slab_
[ 8460.404730] ? ___slab_
[ 8460.405786] ? get_empty_
[ 8460.406840] do_invalid_
[ 8460.407830] invalid_
[ 8460.408755] RIP: 0010:apparmor_
...
[ 8460.420262] security_
[ 8460.421314] af_alg_
[ 8460.422484] ? aa_sock_
[ 8460.423623] alg_accept+
[ 8460.424725] SYSC_accept4+
[ 84...
description: updated
description: updated
Mauricio Faria de Oliveira (mfo) wrote (#5):
[B][PATCH 0/1] Fix apparmor reference leak via AF_ALG
https:/
[B][PATCH 1/1] apparmor: check/put label on apparmor_
https:/
[F][PATCH 1/1] apparmor: check/put label on apparmor_
https:/
tags: added: sts
Changed in linux (Ubuntu Groovy):
  status: Won't Fix → Invalid
Mauricio Faria de Oliveira (mfo) wrote (#6):
It turns out that the 5.0 and 5.3 kernels should still be supported
on some custom kernels, thus sending the patch for Disco and Eoan.
[D/E][PATCH 0/1] Fix apparmor reference leak via AF_ALG
https:/
Changed in linux (Ubuntu Eoan):
  status: Won't Fix → In Progress
  importance: Undecided → Medium
  assignee: nobody → Mauricio Faria de Oliveira (mfo)
Changed in linux (Ubuntu Eoan):
  status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
  status: In Progress → Fix Committed
Changed in linux (Ubuntu Focal):
  status: In Progress → Fix Committed
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: added: verification-needed-eoan
Mauricio Faria de Oliveira (mfo) wrote (#8):
Verification done on Eoan.
The apparmor label refcnt increments/decrements properly on accept()/release(), no leaks.
$ lsb_release -cs
eoan
$ uname -rv
5.3.0-63-generic #57-Ubuntu SMP Thu Jul 2 10:38:35 UTC 2020
$ apt-cache policy linux-image-$(uname -r)
linux-image-
...
*** 5.3.0-63.57 500
500 http://
...
$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
$ ./aa-refcnt-af_alg &
$ make
$ sudo insmod kmod.ko &
$ dmesg
...
[ 254.940413] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.941665] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.942932] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.944187] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.945484] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.946741] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.948023] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.949282] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.950572] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
[ 254.952526] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_
...
$ sudo rmmod kmod
tags: added: verification-done-eoan; removed: verification-needed-eoan
Ubuntu SRU Bot (ubuntu-sru-bot) wrote (#9): Autopkgtest regression report (linux-hwe-5.0/5.0.0-57.61~18.04.1)
All autopkgtests for the newly accepted linux-hwe-5.0 (5.0.0-
The following regressions have been reported in tests triggered by the package:
linux-hwe-
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote (#10): Autopkgtest regression report (linux-azure-5.3/5.3.0-1034.35~18.04.1)
All autopkgtests for the newly accepted linux-azure-5.3 (5.3.0-
The following regressions have been reported in tests triggered by the package:
zfs-linux/
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote (#11): Autopkgtest regression report (linux-aws-5.3/5.3.0-1032.34~18.04.1)
All autopkgtests for the newly accepted linux-aws-5.3 (5.3.0-
The following regressions have been reported in tests triggered by the package:
zfs-linux/
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Ubuntu SRU Bot (ubuntu-sru-bot) wrote (#12): Autopkgtest regression report (linux-gcp-5.3/5.3.0-1032.34~18.04.1)
All autopkgtests for the newly accepted linux-gcp-5.3 (5.3.0-
The following regressions have been reported in tests triggered by the package:
zfs-linux/
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
Mauricio Faria de Oliveira (mfo) wrote (#13):
Verification done on "Disco" (linux-hwe-5.0)
---
# uname -rv
5.0.0-58-generic #62~18.04.1-Ubuntu SMP Tue Jul 14 03:37:30 UTC 2020
For some other reason the kprobes module is not picking up on accept,
only on release. This is unrelated to this patchset.
I used kprobe events instead, which is working, and reveals the ref
counter does not leak (stable increase/decrease on accept/release.)
In the example below, it varies between 0x64b and 0x64c, correctly.
# ./aa-refcnt-af_alg &
# echo 'p af_alg_accept sk=%di count=+
# echo 'p af_alg_
# echo 1 > /sys/kernel/
# cat /sys/kernel/
...
aa-refcnt-
aa-refcnt-
aa-refcnt-
aa-refcnt-
aa-refcnt-
aa-refcnt-
...
ctrl-c
# echo 0 > /sys/kernel/
# echo > /sys/kernel/
# killall aa-refcnt-af_alg
Details:
-------
We want this value from 'struct sock *sk': kref_read(
With:
#define SK_CTX(X) apparmor_sock(X)
static inline struct aa_sk_ctx *apparmor_
...
return sk->sk_security + apparmor_
...
Checking the value for lbs_sock w/ a kernel module:
[76604.268403] apparmor_
And struct member offsets:
$ pahole --hex -C sock usr/lib/
void * sk_security; /* 0x278 0x8 */
$ pahole --hex -C aa_sk_ctx usr/lib/
struct aa_label * label; /* 0 0x8 */
$ pahole --hex -C aa_label usr/lib/
struct kref count; /* 0 0x4 */
Launchpad Janitor (janitor) wrote (#14):
This bug was fixed in the package linux - 5.3.0-64.58
---------------
linux (5.3.0-64.58) eoan; urgency=medium
* eoan/linux: 5.3.0-64.58 -proposed tracker (LP: #1887088)
* linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"
linux (5.3.0-63.57) eoan; urgency=medium
* eoan/linux: 5.3.0-63.57 -proposed tracker (LP: #1885495)
* seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc
* The thread level parallelism would be a bottleneck when searching for the
shared pmd by using hugetlbfs (LP: #1882039)
- hugetlbfs: take read_lock on i_mmap for PMD sharing
* Eoan update: upstream stable patchset 2020-06-30 (LP: #1885775)
- ipv6: fix IPV6_ADDRFORM operation logic
- net_failover: fixed rollback in net_failover_open()
- bridge: Avoid infinite loop when suppressing NS messages with invalid
options
- vxlan: Avoid infinite loop when suppressing NS messages with invalid options
- tun: correct header offsets in napi frags mode
- Input: mms114 - fix handling of mms345l
- ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
- sched/fair: Don't NUMA balance for kthreads
- Input: synaptics - add a second working PNP_ID for Lenovo T470s
- drivers/
- powerpc/xive: Clear the page tables for the ESB IO mapping
- ath9k_htc: Silence undersized packet warnings
- RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
- x86/cpu/amd: Make erratum #1054 a legacy erratum
- perf probe: Accept the instance number of kretprobe event
- mm: add kvfree_sensitive() for freeing sensitive data objects
- aio: fix async fsync creds
- x86_64: Fix jiffies ODR violation
- x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
- x86/speculation: Prevent rogue cross-process SSBD shutdown
- x86/reboot/quirks: Add MacBook6,1 reboot quirk
- efi/efivars: Add missing kobject_put() in sysfs entry creation error path
- ALSA: es1688: Add the missed snd_card_free()
- ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines
- ALSA: usb-audio: Fix inconsistent card PM state after resume
- ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt
Dock
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_
- ACPI: CPPC: Fix reference count leak in acpi_cppc_
- ACPI: GED: add support for _Exx / _Lxx handler methods
- ACPI: PM: Avoid using power resources if there are none for D0
- nilfs2: fix null pointer dereference at nilfs_segctor_
- spi: dw: Fix controller unregister order
- spi: bcm2835aux: Fix controller unregister order
- spi: bcm-qspi: when tx/rx buffer is NULL set to 0
- PM: runtime: clk: Fix clk_pm_
- crypto: cavium/nitrox - Fix 'nitrox_
fully iterated
- ALSA: pcm: disallow linking stream to itself
- x86/{mce,mm}: Unmap the entire page if the who...
Changed in linux (Ubuntu Eoan):
  status: Fix Committed → Fix Released
tags: added: verification-needed-focal
tags: added: verification-needed-bionic
Mauricio Faria de Oliveira (mfo) wrote (#17):
Verification done for Bionic.
$ uname -rv
4.15.0-113-generic #114-Ubuntu SMP Sun Aug 9 07:27:58 UTC 2020
$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 335.387236] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_
[ 335.388370] accept() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_
[ 335.389376] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_
[ 335.390558] accept() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_
[ 335.391521] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_
tags: added: verification-done-bionic; removed: verification-needed-bionic
Mauricio Faria de Oliveira (mfo) wrote (#18):
Verification done for Focal.
$ uname -rv
5.4.0-43-generic #47-Ubuntu SMP Sat Aug 8 06:34:35 UTC 2020
$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 171.672847] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_
[ 171.674249] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_
[ 171.675676] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_
[ 171.676932] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_
[ 171.678154] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_
[ 171.679617] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_
tags: added: verification-done-focal; removed: verification-needed-focal
Launchpad Janitor (janitor) wrote (#19):
This bug was fixed in the package linux - 5.4.0-45.49
---------------
linux (5.4.0-45.49) focal; urgency=medium
* focal/linux: 5.4.0-45.49 -proposed tracker (LP: #1893050)
* [Potential Regression] dscr_inherit_
ubuntu_
- powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
linux (5.4.0-44.48) focal; urgency=medium
* focal/linux: 5.4.0-44.48 -proposed tracker (LP: #1891049)
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
* ipsec: policy priority management is broken (LP: #1890796)
- xfrm: policy: match with both mark and mask on user interfaces
linux (5.4.0-43.47) focal; urgency=medium
* focal/linux: 5.4.0-43.47 -proposed tracker (LP: #1890746)
* Packaging resync (LP: #1786013)
- update dkms package versions
* Devlink - add RoCE disable kernel support (LP: #1877270)
- devlink: Add new "enable_roce" generic device param
- net/mlx5: Document flow_steering_mode devlink param
- net/mlx5: Handle "enable_roce" devlink param
- IB/mlx5: Rename profile and init methods
- IB/mlx5: Load profile according to RoCE enablement state
- net/mlx5: Remove unneeded variable in mlx5_unload_one
- net/mlx5: Add devlink reload
- IB/mlx5: Do reverse sequence during device removal
* msg_zerocopy.sh in net from ubuntu_
- selftests/net: relax cpu affinity requirement in msg_zerocopy test
* Enlarge hisi_sec2 capability (LP: #1890222)
- Revert "UBUNTU: [Config] Disable hisi_sec2 temporarily"
- crypto: hisilicon - update SEC driver module parameter
* Fix missing HDMI/DP Audio on an HP Desktop (LP: #1890441)
- ALSA: hda/hdmi: Add quirk to force connectivity
* Fix IOMMU error on AMD Radeon Pro W5700 (LP: #1890306)
- PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken
* ASoC:amd:renoir: the dmic can't record sound after suspend and resume
(LP: #1890220)
- SAUCE: ASoC: amd: renoir: restore two more registers during resume
* No sound, Dummy output on Acer Swift 3 SF314-57G with Ice Lake core-i7 CPU
(LP: #1877757)
- ASoC: SOF: Intel: hda: fix generic hda codec support
* Fix right speaker of HP laptop (LP: #1889375)
- SAUCE: hda/realtek: Fix right speaker of HP laptop
* blk_update_request error when mount nvme partition (LP: #1872383)
- SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command
* soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
- ASoC: amd: add logic to check dmic hardware runtime
- ASoC: amd: add ACPI dependency check
- ASoC: amd: fixed kernel warnings
* soc/amd/renoir: change the module name to make it work with ucm3
(LP: #1888166)
- AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
module
- SAUCE: remove a kernel module since its name is changed
* Focal update: v5.4.55 upstream stable release (LP: #1890343)
- AX.25: Fix out-of-bounds read in ax25_connect()
- AX.25: Prevent out-of-bounds read in ax25_sendmsg()
- dev: Defer free of skbs in flush_backlog
- drivers/
Changed in linux (Ubuntu Focal):
  status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote (#20):
This bug was fixed in the package linux - 4.15.0-115.116
---------------
linux (4.15.0-115.116) bionic; urgency=medium
* bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)
* [Potential Regression] dscr_inherit_
ubuntu_
- powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()
linux (4.15.0-114.115) bionic; urgency=medium
* bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)
* ipsec: policy priority management is broken (LP: #1890796)
- xfrm: policy: match with both mark and mask on user interfaces
linux (4.15.0-113.114) bionic; urgency=medium
* bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)
* Packaging resync (LP: #1786013)
- update dkms package versions
* Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
- usb: handle warm-reset port requests on hub resume
* Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
- gpio: arizona: handle pm_runtime_get_sync failure case
- gpio: arizona: put pm_runtime in case of failure
- pinctrl: amd: fix npins for uart0 in kerncz_groups
- mac80211: allow rx of mesh eapol frames with default rx key
- scsi: scsi_transport_spi: Fix function pointer check
- xtensa: fix __sync_
- xtensa: update *pos in cpuinfo_op.next
- drivers/
- net: sky2: initialize return of gm_phy_read
- drm/nouveau/
- irqdomain/treewide: Keep firmware node unconditionally allocated
- SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
compeletion")
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
- IB/umem: fix reference count leak in ib_umem_odp_get()
- uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
GDB regression
- ALSA: info: Drop WARN_ON() from buffer NULL sanity check
- ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
- btrfs: fix double free on ulist after backref resolution failure
- btrfs: fix mount failure caused by race with umount
- btrfs: fix page leaks after failure to lock page for delalloc
- bnxt_en: Fix race when modifying pause settings.
- hippi: Fix a size used in a 'pci_free_
path
- ax88172a: fix ax88172a_unbind() failures
- net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
configuration
- drm: sun4i: hdmi: Fix inverted HPD result
- net: smc91x: Fix possible memory leak in smc_drv_probe()
- bonding: check error value of register_
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
- ipvs: fix the connection sync failed in some cases
- i2c: rcar: always clear ICSAR to avoid side effects
- bonding: check return value of register_
- serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
- scripts/
- HID: i...
Changed in linux (Ubuntu Bionic):
  status: Fix Committed → Fix Released
Test Case:
---------
$ cat aa-refcnt-af_alg.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_alg.h>

int main() {
    int sockfd;
    struct sockaddr_alg sa;

    /* Setup the crypto API socket */
    sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }

    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strcpy((char *) sa.salg_type, "rng");
    strcpy((char *) sa.salg_name, "stdrng");
    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        perror("bind");
        return 1;
    }

    /* Accept a "connection" and close it; repeat.
     * Every accept() creates a new sock that goes through the leaking
     * hook, and close() releases it again. The loop only stops when
     * close() fails, i.e. once accept() has returned -1. */
    while (!close(accept(sockfd, NULL, 0)));

    return 0;
}
$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
$ ./aa-refcnt-af_alg
<a few hours later>
[ 9928.475953] refcount_t overflow at apparmor_sk_clone_security+0x37/0x70 in aa-refcnt-af_alg[1322], uid/euid: 1000/1000
...
[ 9928.507443] RIP: 0010:apparmor_sk_clone_security+0x37/0x70
...
[ 9928.514286] security_sk_clone+0x33/0x50
[ 9928.514807] af_alg_accept+0x81/0x1c0 [af_alg]
[ 9928.516091] alg_accept+0x15/0x20 [af_alg]
[ 9928.516682] SYSC_accept4+0xff/0x210
[ 9928.519609] SyS_accept+0x10/0x20
[ 9928.520190] do_syscall_64+0x73/0x130
[ 9928.520808] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
Note that other messages may be seen, not just overflow, depending on
the value being incremented by kref_get(); on another run:
[ 7273.182666] refcount_t: saturated; leaking memory.
...
[ 7273.185789] refcount_t: underflow; use-after-free.
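The leak described under [Impact] (two hooks each take a reference to the label and store it in the same pointer; the second overwrites without releasing the first) and the note just above that the message seen depends on the value being incremented, as an added user-space model. This is example code written for this page, not AppArmor's code and not the reproducer from the report: the label, socket-context and hook names (label_t, sk_ctx_t, hook_first_assign, hook_clone_leaky, hook_clone_fixed, hook_free) are invented for the model, and the refcount_t behaviour (an increment past INT_MAX pins the count at a saturation value, a saturated count never moves again, a decrement of 0 is an underflow) is a simplified stand-in for the kernel's, based only on the messages quoted on this page.

```c
/* Added example for this page, not kernel code: a user-space model of the
 * AppArmor label reference leak.  Names (label_t, sk_ctx_t, hook_*) and
 * the refcount_t model are assumptions made for the demonstration. */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Minimal refcount_t model: incrementing INT_MAX is an overflow, after which
 * the count is pinned at a saturation value and the object is leaked rather
 * than freed while still in use; decrementing 0 is an underflow. */
#define REFCOUNT_MAX       ((unsigned int)INT_MAX)
#define REFCOUNT_SATURATED ((unsigned int)INT_MIN)

typedef struct {
    unsigned int refs;
    unsigned int warnings;   /* reports a real kernel would have printed */
} refcount_model_t;

static void refcount_inc_model(refcount_model_t *r)
{
    if (r->refs == REFCOUNT_SATURATED)
        return;                          /* saturated: stays put */
    if (r->refs == REFCOUNT_MAX) {       /* overflow: warn and saturate */
        r->refs = REFCOUNT_SATURATED;
        r->warnings++;
        return;
    }
    r->refs++;
}

/* True when the last reference is gone and the object may be freed. */
static bool refcount_dec_and_test_model(refcount_model_t *r)
{
    if (r->refs == REFCOUNT_SATURATED)
        return false;                    /* leaked for good */
    if (r->refs == 0) {                  /* underflow: warn, do not free */
        r->warnings++;
        return false;
    }
    return --r->refs == 0;
}

typedef struct { refcount_model_t count; } label_t;  /* aa_label.count */
typedef struct { label_t *label; } sk_ctx_t;         /* aa_sk_ctx.label */
static label_t *label_get(label_t *l) { refcount_inc_model(&l->count); return l; }
static void label_put(label_t *l) { (void)refcount_dec_and_test_model(&l->count); }

/* First hook on the new socket: stores a counted reference in its context. */
static void hook_first_assign(sk_ctx_t *c, label_t *l) { c->label = label_get(l); }

/* Clone hook, leaky variant: takes a fresh reference and overwrites the
 * pointer, orphaning the reference hook_first_assign() stored. */
static void hook_clone_leaky(const sk_ctx_t *p, sk_ctx_t *c) { c->label = label_get(p->label); }

/* Clone hook, fixed variant: release what is already held, then assign. */
static void hook_clone_fixed(const sk_ctx_t *parent, sk_ctx_t *child)
{
    if (child->label)
        label_put(child->label);
    child->label = label_get(parent->label);
}

/* Teardown releases the single reference the context is meant to own. */
static void hook_free(sk_ctx_t *ctx)
{
    if (ctx->label)
        label_put(ctx->label);
    ctx->label = NULL;
}

static label_t the_label;   /* the one label every socket in the model shares */

/* Run `rounds` accept()/close() round trips on a listener whose label holds
 * `start` references; returns the label's count afterwards. */
static unsigned int run_cycles(unsigned int start, unsigned long rounds, bool fixed)
{
    sk_ctx_t listener = { .label = &the_label };
    the_label.count.refs = start;
    the_label.count.warnings = 0;
    for (unsigned long i = 0; i < rounds; i++) {
        sk_ctx_t child = { .label = NULL };
        hook_first_assign(&child, listener.label);
        if (fixed)
            hook_clone_fixed(&listener, &child);
        else
            hook_clone_leaky(&listener, &child);
        hook_free(&child);
    }
    return the_label.count.refs;
}

static unsigned int last_warnings(void) { return the_label.count.warnings; }

int main(void)
{
    printf("leaky, 1000 round trips from 1: refs=%u\n", run_cycles(1, 1000, false));
    printf("fixed, 1000 round trips from 1: refs=%u\n", run_cycles(1, 1000, true));
    unsigned int r = run_cycles(REFCOUNT_MAX - 2, 5, false);
    printf("leaky from INT_MAX-2: refs=0x%x warnings=%u\n", r, last_warnings());
    return 0;
}
```

The leaky variant gains exactly one reference per accept()/close() round trip (two gets, one put), so a count that starts near INT_MAX overflows within two rounds, while the fixed variant returns to its starting value every time. The real reproducer takes hours because the count starts near 1 and each round trip leaks a single reference; which message finally appears depends on the value the leaked count has reached when the next get or put runs.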