[Impact]
* Users of the Crypto (user-space) API (i.e., AF_ALG)
can trigger refcount errors in AppArmor under high
load (might lead to memory leak or use after free.)
* There is a reference leak in AppArmor when af_alg_accept()
calls security_sock_graft() and then security_sk_clone().
* Both acquire a reference to a label, to assign it to the
same pointer, but the latter does not release the former's
acquired reference (before overwriting the pointer value.)
* This reference leak builds up over time, and under high
load can eventually overflow/underflow/saturate refcount,
depending on which value it has when a program hits that.
* The fix just checks if the pointer has an assigned label,
then releases its acquired reference.
[Test Case]
* See comment # for the test-case 'aa-refcnt-af_alg.c'.
* Exercise that code path indefinitely until it hits
the refcount_t overflow/underflow/saturate message.
(in a few hours.)
* It's possible to monitor refcount values with kprobes.
[Other Info]
* Patch applied upstream on v5.8-rc1 [1]
* Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
* Not required on Groovy (still 5.4; should sync from Unstable)
* Not required on Eoan (EOL date before SRU cycle release date)
* Required on Bionic and Focal.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8
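
A user-space model of the leak pattern described under [Impact], added here as an illustration: it is not the AppArmor code or the upstream patch. All names (`struct label`, `struct sk_ctx`, `model_graft`, `model_clone_buggy`, `model_clone_fixed`, `leaked_after`) are hypothetical, and the use of two separate labels is an assumption made so the leaked reference is easy to see.

```c
#include <stdio.h>

/* Hypothetical user-space model; these are not the kernel's structures. */
struct label  { long refcount; };
struct sk_ctx { struct label *label; };

static struct label *get_label(struct label *l) { if (l) l->refcount++; return l; }
static void put_label(struct label *l) { if (l) l->refcount--; }

/* Models the first hook: acquire a reference and store it in the new socket. */
static void model_graft(struct sk_ctx *newctx, struct label *cur)
{
    if (!newctx->label)
        newctx->label = get_label(cur);
}

/* Models the second hook before the fix: the pointer is overwritten and the
 * reference acquired by the first hook is never released. */
static void model_clone_buggy(const struct sk_ctx *parent, struct sk_ctx *newctx)
{
    newctx->label = get_label(parent->label);
}

/* Models the fix: if a label is already assigned, release it first. */
static void model_clone_fixed(const struct sk_ctx *parent, struct sk_ctx *newctx)
{
    if (newctx->label)
        put_label(newctx->label);
    newctx->label = get_label(parent->label);
}

/* Runs n accept-then-close cycles and returns how many references leaked. */
static long leaked_after(long n, int fixed)
{
    struct label task = { 1 }, parent_label = { 1 };
    struct sk_ctx parent = { &parent_label };
    for (long i = 0; i < n; i++) {
        struct sk_ctx child = { NULL };
        model_graft(&child, &task);
        if (fixed) model_clone_fixed(&parent, &child);
        else       model_clone_buggy(&parent, &child);
        put_label(child.label);   /* teardown drops the one pointer it holds */
    }
    return (task.refcount - 1) + (parent_label.refcount - 1);
}

int main(void)
{
    printf("buggy: %ld leaked\n", leaked_after(1000000, 0));
    printf("fixed: %ld leaked\n", leaked_after(1000000, 1));
    return 0;
}
```

In the model, one reference leaks per accept cycle, which is why the count only reaches the saturation point after sustained load.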