Bug #1890848 “'ptrace trace' needed to readlink() /proc/*/ns/* f...” : Xenial (16.04) : Bugs : linux package : Ubuntu

Jamie Strandboge (jdstrand) on 2020-08-07

Changed in linux (Ubuntu):
status:	New → Fix Released
tags:	added: apparmor
Changed in linux (Ubuntu Bionic):
status:	New → Confirmed
Changed in linux (Ubuntu Xenial):
status:	New → Confirmed

Jamie Strandboge (jdstrand) on 2020-08-07

summary:

- 'ptrace trace' needed to readlink() /proc/*/ns/* files
+ 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

Revision history for this message

John Johansen (jjohansen) wrote on 2020-08-08:

#1

We need to pick the upstream fix

338d0be437ef apparmor: fix ptrace read check

and we should probably pick

1f8266ff5884 (fix-setuid) apparmor: don't try to replace stale label in ptrace access check

to avoid other problems.

Revision history for this message

John Johansen (jjohansen) wrote on 2020-08-08:

#2

We didn't pick this up automatically because its fixes tag is for when ptrace rules landed upstream. But ubuntu was carrying ptrace rules prior to this

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-08-10:

#3

Thanks John! Is this something that we can get into the next SRU cycle?

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-08-10:

#4

I spoke with John and he plans to SRU this. Marking as triaged and assigning to him. Thanks John!

Changed in linux (Ubuntu Xenial):
importance:	Undecided → Medium
status:	Confirmed → Triaged
Changed in linux (Ubuntu Bionic):
status:	Confirmed → Triaged
importance:	Undecided → Medium
Changed in linux (Ubuntu Xenial):
assignee:	nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu Bionic):
assignee:	nobody → John Johansen (jjohansen)

Revision history for this message

Jamie Strandboge (jdstrand) wrote on 2020-08-14:

#5

FYI, John provided me a test kernel for 18.04 and it resolved the issue. This will be the basis of the SRU.

Revision history for this message

Georgia Garcia (georgiag) wrote on 2021-07-16:

#6

From the commits mentioned that solve the issue, 338d0be437ef was not available on 4.15 kernels. The cherry-pick was submitted to the kernel team for approval.

description:

updated

Revision history for this message

Ian Johnson (anonymouse67) wrote on 2021-07-19:

#7

Also to be clear, from jjohansen's comment to me last week, all of the necessary patches are available in the 5.4 focal kernel, so kernels for UC20 from canonical snaps should contain this fix on the 20 track.

Kelsey Steele (kelsey-steele) on 2021-08-06

Changed in linux (Ubuntu Bionic):
status:	Triaged → Fix Committed

Revision history for this message

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote on 2021-08-20:

#8

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-bionic

Revision history for this message

Georgia Garcia (georgiag) wrote on 2021-08-20:

#9

Tested on bionic-proposed using the test binary that can be obtained in the old description and it worked as expected:

root@ubuntu:~# gcc ./readlink-ns.c && sudo apparmor_parser -r ./readlink-ns.apparmor && sudo aa-exec -p test -- ./a.out -p 1 -n pid
path: /proc/1/ns/pid
rpath: pid:[4026531836]
root@ubuntu:~# uname -a
Linux ubuntu 4.15.0-156-generic #163-Ubuntu SMP Thu Aug 19 23:31:58 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

tags:

added: verification-done-bionic
removed: verification-needed-bionic

Revision history for this message

Launchpad Janitor (janitor) wrote on 2021-09-07:

#10

Download full text (33.7 KiB)

This bug was fixed in the package linux - 4.15.0-156.163

---------------
linux (4.15.0-156.163) bionic; urgency=medium

* bionic/linux: 4.15.0-156.163 -proposed tracker (LP: #1940162)

* linux (LP: #1940564)
- SAUCE: Revert "scsi: core: Cap scsi_host cmd_per_lun at can_queue"

  * fails to launch linux L2 guests on AMD (LP: #1940134) // CVE-2021-3653
    - KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
      (CVE-2021-3653)

  * fails to launch linux L2 guests on AMD (LP: #1940134)
    - SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits
      from L2 in int_ctl"

linux (4.15.0-155.162) bionic; urgency=medium

* bionic/linux: 4.15.0-155.162 -proposed tracker (LP: #1939833)

* Packaging resync (LP: #1786013)
- debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

* CVE-2021-3656
- SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

* CVE-2021-3653
- SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

  * dev_forward_skb: do not scrub skb mark within the same name space
    (LP: #1935040)
    - dev_forward_skb: do not scrub skb mark within the same name space

  * 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
    (LP: #1890848)
    - apparmor: fix ptrace read check

  * Bionic update: upstream stable patchset 2021-08-03 (LP: #1938824)
    - ALSA: usb-audio: fix rate on Ozone Z90 USB headset
    - media: dvb-usb: fix wrong definition
    - Input: usbtouchscreen - fix control-request directions
    - net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
    - usb: gadget: eem: fix echo command packet response issue
    - USB: cdc-acm: blacklist Heimann USB Appset device
    - ntfs: fix validity check for file name attribute
    - iov_iter_fault_in_readable() should do nothing in xarray case
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
    - ARM: dts: at91: sama5d4: fix pinctrl muxing
    - btrfs: send: fix invalid path for unlink operations after parent
      orphanization
    - btrfs: clear defrag status of a root if starting transaction fails
    - ext4: cleanup in-core orphan list if ext4_truncate() failed to get a
      transaction handle
    - ext4: fix kernel infoleak via ext4_extent_header
    - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
    - ext4: remove check for zero nr_to_scan in ext4_es_scan()
    - ext4: fix avefreec in find_group_orlov
    - ext4: use ext4_grp_locked_error in mb_find_extent
    - can: gw: synchronize rcu operations before removing gw job entry
    - can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in
      TX path
    - SUNRPC: Fix the batch tasks count wraparound.
    - SUNRPC: Should wake up the privileged task firstly.
    - s390/cio: dont call css_wait_for_slow_path() inside a lock
    - rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
    - iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA
      as volatile, too
    - iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
    - iio: ltr501: ltr501_read_ps(): add missing endianness con...

This bug was fixed in the package linux - 4.15.0-156.163

---------------
linux (4.15.0-156.163) bionic; urgency=medium

* bionic/linux: 4.15.0-156.163 -proposed tracker (LP: #1940162)

* linux (LP: #1940564)
    - SAUCE: Revert "scsi: core: Cap scsi_host cmd_per_lun at can_queue"

* fails to launch linux L2 guests on AMD (LP: #1940134) // CVE-2021-3653
    - KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl
      (CVE-2021-3653)

* fails to launch linux L2 guests on AMD (LP: #1940134)
    - SAUCE: Revert "UBUNTU: SAUCE: KVM: nSVM: avoid picking up unsupported bits
      from L2 in int_ctl"

linux (4.15.0-155.162) bionic; urgency=medium

* bionic/linux: 4.15.0-155.162 -proposed tracker (LP: #1939833)

* Packaging resync (LP: #1786013)
    - debian/dkms-versions -- update from kernel-versions (main/2021.08.16)

* CVE-2021-3656
    - SAUCE: KVM: nSVM: always intercept VMLOAD/VMSAVE when nested

* CVE-2021-3653
    - SAUCE: KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl

* dev_forward_skb: do not scrub skb mark within the same name space
    (LP: #1935040)
    - dev_forward_skb: do not scrub skb mark within the same name space

* 'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels
    (LP: #1890848)
    - apparmor: fix ptrace read check

* Bionic update: upstream stable patchset 2021-08-03 (LP: #1938824)
    - ALSA: usb-audio: fix rate on Ozone Z90 USB headset
    - media: dvb-usb: fix wrong definition
    - Input: usbtouchscreen - fix control-request directions
    - net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
    - usb: gadget: eem: fix echo command packet response issue
    - USB: cdc-acm: blacklist Heimann USB Appset device
    - ntfs: fix validity check for file name attribute
    - iov_iter_fault_in_readable() should do nothing in xarray case
    - Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
    - ARM: dts: at91: sama5d4: fix pinctrl muxing
    - btrfs: send: fix invalid path for unlink operations after parent
      orphanization
    - btrfs: clear defrag status of a root if starting transaction fails
    - ext4: cleanup in-core orphan list if ext4_truncate() failed to get a
      transaction handle
    - ext4: fix kernel infoleak via ext4_extent_header
    - ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
    - ext4: remove check for zero nr_to_scan in ext4_es_scan()
    - ext4: fix avefreec in find_group_orlov
    - ext4: use ext4_grp_locked_error in mb_find_extent
    - can: gw: synchronize rcu operations before removing gw job entry
    - can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in
      TX path
    - SUNRPC: Fix the batch tasks count wraparound.
    - SUNRPC: Should wake up the privileged task firstly.
    - s390/cio: dont call css_wait_for_slow_path() inside a lock
    - rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
    - iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA
      as volatile, too
    - iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
    - iio: ltr501: ltr501_read_ps(): add missing endianness conversion
    - serial: sh-sci: Stop dmaengine transfer in sci_stop_tx()
    - serial_cs: Add Option International GSM-Ready 56K/ISDN modem
    - serial_cs: remove wrong GLOBETROTTER.cis entry
    - ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
    - ssb: sdio: Don't overwrite const buffer if block_write fails
    - rsi: Assign beacon rate settings to the correct rate_info descriptor field
    - seq_buf: Make trace_seq_putmem_hex() support data longer than 8
    - fuse: check connected before queueing on fpq->io
    - spi: Make of_register_spi_device also set the fwnode
    - spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'
    - spi: spi-topcliff-pch: Fix potential double free in
      pch_spi_process_messages()
    - spi: omap-100k: Fix the length judgment problem
    - crypto: nx - add missing MODULE_DEVICE_TABLE
    - media: cpia2: fix memory leak in cpia2_usb_probe
    - media: cobalt: fix race condition in setting HPD
    - media: pvrusb2: fix warning in pvr2_i2c_core_done
    - crypto: qat - check return code of qat_hal_rd_rel_reg()
    - crypto: qat - remove unused macro in FW loader
    - media: em28xx: Fix possible memory leak of em28xx struct
    - media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
    - media: bt8xx: Fix a missing check bug in bt878_probe
    - media: st-hva: Fix potential NULL pointer dereferences
    - media: dvd_usb: memory leak in cinergyt2_fe_attach
    - mmc: via-sdmmc: add a check against NULL pointer dereference
    - crypto: shash - avoid comparing pointers to exported functions under CFI
    - media: dvb_net: avoid speculation from net slot
    - media: siano: fix device register error path
    - btrfs: fix error handling in __btrfs_update_delayed_inode
    - btrfs: abort transaction if we fail to update the delayed inode
    - btrfs: disable build on platforms having page size 256K
    - regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
    - HID: do not use down_interruptible() when unbinding devices
    - ACPI: processor idle: Fix up C-state latency if not ordered
    - hv_utils: Fix passing zero to 'PTR_ERR' warning
    - lib: vsprintf: Fix handling of number field widths in vsscanf
    - ACPI: EC: Make more Asus laptops use ECDT _GPE
    - block_dump: remove block_dump feature in mark_inode_dirty()
    - fs: dlm: cancel work sync othercon
    - random32: Fix implicit truncation warning in prandom_seed_state()
    - fs: dlm: fix memory leak when fenced
    - ACPICA: Fix memory leak caused by _CID repair function
    - ACPI: bus: Call kobject_put() in acpi_init() error path
    - platform/x86: toshiba_acpi: Fix missing error code in
      toshiba_acpi_setup_keyboard()
    - ACPI: tables: Add custom DSDT file as makefile prerequisite
    - HID: wacom: Correct base usage for capacitive ExpressKey status bits
    - ia64: mca_drv: fix incorrect array size calculation
    - media: s5p_cec: decrement usage count if disabled
    - crypto: ixp4xx - dma_unmap the correct address
    - crypto: ux500 - Fix error return code in hash_hw_final()
    - sata_highbank: fix deferred probing
    - pata_rb532_cf: fix deferred probing
    - media: I2C: change 'RST' to "RSET" to fix multiple build errors
    - pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
    - crypto: ccp - Fix a resource leak in an error handling path
    - pata_ep93xx: fix deferred probing
    - media: exynos4-is: Fix a use after free in isp_video_release
    - media: tc358743: Fix error return code in tc358743_probe_of()
    - media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()
    - mmc: usdhi6rol0: fix error return code in usdhi6_probe()
    - media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
    - hwmon: (max31722) Remove non-standard ACPI device IDs
    - hwmon: (max31790) Fix fan speed reporting for fan7..12
    - btrfs: clear log tree recovering status if starting transaction fails
    - spi: spi-sun6i: Fix chipselect/clock bug
    - crypto: nx - Fix RCU warning in nx842_OF_upd_status
    - ACPI: sysfs: Fix a buffer overrun problem with description_show()
    - ocfs2: fix snprintf() checking
    - net: pch_gbe: Propagate error from devm_gpio_request_one()
    - drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in
      cdn_dp_grf_write()
    - ehea: fix error return code in ehea_restart_qps()
    - RDMA/rxe: Fix failure during driver load
    - drm: qxl: ensure surf.data is ininitialized
    - wireless: carl9170: fix LEDS build errors & warnings
    - brcmsmac: mac80211_if: Fix a resource leak in an error handling path
    - ath10k: Fix an error code in ath10k_add_interface()
    - netlabel: Fix memory leak in netlbl_mgmt_add_common
    - netfilter: nft_exthdr: check for IPv6 packet before further processing
    - samples/bpf: Fix the error return code of xdp_redirect's main()
    - net: ethernet: aeroflex: fix UAF in greth_of_remove
    - net: ethernet: ezchip: fix UAF in nps_enet_remove
    - net: ethernet: ezchip: fix error handling
    - pkt_sched: sch_qfq: fix qfq_change_class() error path
    - vxlan: add missing rcu_read_lock() in neigh_reduce()
    - net: bcmgenet: Fix attaching to PYH failed on RPi 4B
    - i40e: Fix error handling in i40e_vsi_open
    - Revert "ibmvnic: remove duplicate napi_schedule call in open function"
    - Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid
    - writeback: fix obtain a reference to a freeing memcg css
    - net: sched: fix warning in tcindex_alloc_perfect_hash
    - tty: nozomi: Fix a resource leak in an error handling function
    - mwifiex: re-fix for unaligned accesses
    - iio: adis_buffer: do not return ints in irq handlers
    - iio: accel: bma180: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: accel: bma220: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: accel: hid: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: accel: kxcjk-1013: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: accel: stk8312: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: accel: stk8ba50: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: adc: ti-ads1015: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: adc: vf610: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: gyro: bmg160: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: humidity: am2315: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: prox: srf08: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: prox: pulsed-light: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: prox: as3935: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: light: isl29125: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: light: tcs3414: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - iio: potentiostat: lmp91000: Fix alignment of buffer in
      iio_push_to_buffers_with_timestamp()
    - ASoC: hisilicon: fix missing clk_disable_unprepare() on error in
      hi6210_i2s_startup()
    - Input: hil_kbd - fix error return code in hil_dev_connect()
    - char: pcmcia: error out if 'num_bytes_read' is greater than 4 in
      set_protocol()
    - tty: nozomi: Fix the error handling path of 'nozomi_card_init()'
    - scsi: FlashPoint: Rename si_flags field
    - s390: appldata depends on PROC_SYSCTL
    - eeprom: idt_89hpesx: Put fwnode in matching case during ->probe()
    - iio: adc: mxs-lradc: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()
    - staging: gdm724x: check for overflow in gdm_lte_netif_rx()
    - ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK
    - of: Fix truncation of memory sizes on 32-bit platforms
    - scsi: mpt3sas: Fix error return value in _scsih_expander_add()
    - phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe()
    - extcon: sm5502: Drop invalid register write in sm5502_reg_data
    - extcon: max8997: Add missing modalias string
    - configfs: fix memleak in configfs_release_bin_file
    - leds: as3645a: Fix error return code in as3645a_parse_node()
    - leds: ktd2692: Fix an error handling path
    - mm/huge_memory.c: don't discard hugepage if other processes are mapping it
    - selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random
    - mmc: vub3000: fix control-request direction
    - scsi: core: Retry I/O for Notify (Enable Spinup) Required error
    - drm/mxsfb: Don't select DRM_KMS_FB_HELPER
    - drm/zte: Don't select DRM_KMS_FB_HELPER
    - drm/amd/amdgpu/sriov disable all ip hw status by default
    - net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
    - hugetlb: clear huge pte during flush function on mips platform
    - atm: iphase: fix possible use-after-free in ia_module_exit()
    - mISDN: fix possible use-after-free in HFC_cleanup()
    - atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
    - net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
    - reiserfs: add check for invalid 1st journal block
    - drm/virtio: Fix double free on probe failure
    - udf: Fix NULL pointer dereference in udf_symlink function
    - e100: handle eeprom as little endian
    - clk: renesas: r8a77995: Add ZA2 clock
    - clk: tegra: Ensure that PLLU configuration is applied properly
    - ipv6: use prandom_u32() for ID generation
    - RDMA/cxgb4: Fix missing error code in create_qp()
    - dm space maps: don't reset space map allocation cursor when committing
    - virtio_net: Remove BUG() to avoid machine dead
    - net: bcmgenet: check return value after calling platform_get_resource()
    - net: micrel: check return value after calling platform_get_resource()
    - fjes: check return value after calling platform_get_resource()
    - selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
    - xfrm: Fix error reporting in xfrm_state_construct.
    - wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
    - wl1251: Fix possible buffer overflow in wl1251_cmd_scan
    - cw1200: add missing MODULE_DEVICE_TABLE
    - atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
    - atm: nicstar: register the interrupt handler in the right place
    - vsock: notify server to shutdown when client has pending signal
    - RDMA/rxe: Don't overwrite errno from ib_umem_get()
    - iwlwifi: mvm: don't change band on bound PHY contexts
    - sfc: avoid double pci_remove of VFs
    - sfc: error code if SRIOV cannot be disabled
    - wireless: wext-spy: Fix out-of-bounds warning
    - RDMA/cma: Fix rdma_resolve_route() memory leak
    - Bluetooth: Fix the HCI to MGMT status conversion table
    - Bluetooth: Shutdown controller after workqueues are flushed or cancelled
    - Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc.
    - sctp: validate from_addr_param return
    - sctp: add size validation when walking chunks
    - fscrypt: don't ignore minor_hash when hash is 0
    - bdi: Do not use freezable workqueue
    - fuse: reject internal errno
    - powerpc/barrier: Avoid collision with clang's __lwsync macro
    - usb: gadget: f_fs: Fix setting of device and driver data cross-references
    - drm/radeon: Add the missed drm_gem_object_put() in
      radeon_user_framebuffer_create()
    - pinctrl/amd: Add device HID for new AMD GPIO controller
    - mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode
    - mmc: core: clear flags before allowing to retune
    - mmc: core: Allow UHS-I voltage switch for SDSC cards if supported
    - ata: ahci_sunxi: Disable DIPM
    - cpu/hotplug: Cure the cpusets trainwreck
    - ASoC: tegra: Set driver_name=tegra for all machine drivers
    - qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
    - ipmi/watchdog: Stop watchdog timer when the current action is 'none'
    - power: supply: ab8500: Fix an old bug
    - seq_buf: Fix overflow in seq_buf_putmem_hex()
    - tracing: Simplify & fix saved_tgids logic
    - ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
    - dm btree remove: assign new_root only when removal succeeds
    - media: dtv5100: fix control-request directions
    - media: zr364xx: fix memory leak in zr364xx_start_readpipe
    - media: gspca/sq905: fix control-request direction
    - media: gspca/sunplus: fix zero-length control requests
    - jfs: fix GPF in diFree
    - smackfs: restrict bytes count in smk_set_cipso()
    - KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled
    - KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run()
    - scsi: core: Fix bad pointer dereference when ehandler kthread is invalid
    - tracing: Do not reference char * as a string in histograms
    - PCI: aardvark: Don't rely on jiffies while holding spinlock
    - PCI: aardvark: Fix kernel panic during PIO transfer
    - tty: serial: fsl_lpuart: fix the potential risk of division or modulo by
      zero
    - misc/libmasm/module: Fix two use after free in ibmasm_init_one
    - Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro"
    - w1: ds2438: fixing bug that would always get page0
    - scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology
    - scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the
      SGLs
    - scsi: core: Cap scsi_host cmd_per_lun at can_queue
    - tty: serial: 8250: serial_cs: Fix a memory leak in error handling path
    - fs/jfs: Fix missing error code in lmLogInit()
    - scsi: iscsi: Add iscsi_cls_conn refcount helpers
    - scsi: iscsi: Fix shost->max_id use
    - scsi: qedi: Fix null ref during abort handling
    - mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE
    - s390/sclp_vt220: fix console name to match device
    - ALSA: sb: Fix potential double-free of CSP mixer elements
    - powerpc/ps3: Add dma_mask to ps3_dma_region
    - gpio: zynq: Check return value of pm_runtime_get_sync
    - ALSA: ppc: fix error return code in snd_pmac_probe()
    - selftests/powerpc: Fix "no_handler" EBB selftest
    - ASoC: soc-core: Fix the error return code in
      snd_soc_of_parse_audio_routing()
    - ALSA: bebob: add support for ToneWeal FW66
    - usb: gadget: f_hid: fix endianness issue with descriptors
    - usb: gadget: hid: fix error return code in hid_bind()
    - powerpc/boot: Fixup device-tree on little endian
    - backlight: lm3630a: Fix return code of .update_status() callback
    - ALSA: hda: Add IRQ check for platform_get_irq()
    - staging: rtl8723bs: fix macro value for 2.4Ghz only device
    - intel_th: Wait until port is in reset before programming it
    - i2c: core: Disable client irq on reboot/shutdown
    - lib/decompress_unlz4.c: correctly handle zero-padding around initrds.
    - pwm: spear: Don't modify HW state in .remove callback
    - power: supply: ab8500: Avoid NULL pointers
    - power: supply: max17042: Do not enforce (incorrect) interrupt trigger type
    - power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE
    - ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1
    - watchdog: Fix possible use-after-free in wdt_startup()
    - watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff()
    - watchdog: Fix possible use-after-free by calling del_timer_sync()
    - watchdog: iTCO_wdt: Account for rebooting on second timeout
    - x86/fpu: Return proper error codes from user access functions
    - orangefs: fix orangefs df output.
    - ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty
    - NFS: nfs_find_open_context() may only select open files
    - power: supply: charger-manager: add missing MODULE_DEVICE_TABLE
    - power: supply: ab8500: add missing MODULE_DEVICE_TABLE
    - pwm: tegra: Don't modify HW state in .remove callback
    - ACPI: AMBA: Fix resource name in /proc/iomem
    - ACPI: video: Add quirk for the Dell Vostro 3350
    - virtio-blk: Fix memory leak among suspend/resume procedure
    - virtio_net: Fix error handling in virtnet_restore()
    - virtio_console: Assure used length from device is limited
    - f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs
    - PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun
    - power: supply: rt5033_battery: Fix device tree enumeration
    - um: fix error return code in slip_open()
    - um: fix error return code in winch_tramp()
    - watchdog: aspeed: fix hardware timeout calculation
    - nfs: fix acl memory leak of posix_acl_create()
    - ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode
    - x86/fpu: Limit xstate copy size in xstateregs_set()
    - ALSA: isa: Fix error return code in snd_cmi8330_probe()
    - NFSv4/pNFS: Don't call _nfs4_pnfs_v3_ds_connect multiple times
    - hexagon: use common DISCARDS macro
    - reset: a10sr: add missing of_match_table reference
    - ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3
    - ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4
    - memory: atmel-ebi: add missing of_node_put for loop iteration
    - rtc: fix snprintf() checking in is_rtc_hctosys()
    - ARM: dts: r8a7779, marzen: Fix DU clock names
    - ARM: dts: BCM5301X: Fixup SPI binding
    - reset: bail if try_module_get() fails
    - memory: fsl_ifc: fix leak of IO mapping on probe failure
    - memory: fsl_ifc: fix leak of private memory on probe failure
    - ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema
    - scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe()
    - mips: always link byteswap helpers into decompressor
    - mips: disable branch profiling in boot/decompress.o
    - MIPS: vdso: Invalid GIC access through VDSO
    - net: bridge: multicast: fix PIM hello router port marking race
    - ALSA: usb-audio: Fix OOB access at proc output
    - iio: light: tcs3472: do not free unallocated IRQ
    - rsi: fix AP mode with WPA failure due to encrypted EAPOL
    - evm: Execute evm_inode_init_security() only when an HMAC key is loaded
    - evm: fix writing <securityfs>/evm overflow
    - wcn36xx: Move hal_buf allocation to devm_kmalloc in probe
    - ssb: Fix error return code in ssb_bus_scan()
    - brcmfmac: fix setting of station info chains bitmask
    - ipv6: exthdrs: do not blindly use init_net
    - i40e: Fix autoneg disabling for non-10GBaseT links
    - ipv6: fix out-of-bound access in ip6_parse_tlv()
    - iio: light: tcs3472: Fix buffer alignment in
      iio_push_to_buffers_with_timestamp()
    - ASoC: rsnd: tidyup loop on rsnd_adg_clk_query()
    - visorbus: fix error return code in visorchipset_init()
    - serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates
    - powerpc: Offline CPU in stop_this_cpu()
    - serial: mvebu-uart: correctly calculate minimal possible baudrate
    - arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART
    - vfio/pci: Handle concurrent vma faults
    - clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround
    - coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
    - PCI: Leave Apple Thunderbolt controllers on for s2idle or standby
    - media: subdev: disallow ioctl for saa6588/davinci
    - PCI: iproc: Fix multi-MSI base vector number allocation
    - PCI: iproc: Support multi-MSI only on uniprocessor kernel
    - virtio_net: move tx vq operation under tx queue lock
    - ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1
    - ARM: dts: am437x: align ti,pindir-d0-out-d1-in property with dt-shema

* Bionic update: upstream stable patchset 2021-07-20 (LP: #1936960)
    - include/linux/mmdebug.h: make VM_WARN* non-rvals
    - mm: add VM_WARN_ON_ONCE_PAGE() macro
    - mm/rmap: remove unneeded semicolon in page_not_mapped()
    - mm/rmap: use page_not_mapped in try_to_unmap()
    - mm/thp: try_to_unmap() use TTU_SYNC for safe splitting
    - mm/thp: fix vma_address() if virtual address below file offset
    - mm/thp: fix page_address_in_vma() on file THP tails
    - mm: thp: replace DEBUG_VM BUG with VM_WARN when unmap fails for split
    - mm: page_vma_mapped_walk(): use page for pvmw->page
    - mm: page_vma_mapped_walk(): settle PageHuge on entry
    - mm: page_vma_mapped_walk(): use pmde for *pvmw->pmd
    - mm: page_vma_mapped_walk(): prettify PVMW_MIGRATION block
    - mm: page_vma_mapped_walk(): crossing page table boundary
    - mm: page_vma_mapped_walk(): add a level of indentation
    - mm: page_vma_mapped_walk(): use goto instead of while (1)
    - mm: page_vma_mapped_walk(): get vma_address_end() earlier
    - mm/thp: fix page_vma_mapped_walk() if THP mapped by ptes
    - mm/thp: another PVMW_SYNC fix in page_vma_mapped_walk()
    - mm, futex: fix shared futex pgoff on shmem huge page
    - scsi: sr: Return appropriate error code when disk is ejected
    - drm/nouveau: fix dma_address check for CPU/GPU sync
    - kfifo: DECLARE_KIFO_PTR(fifo, u64) does not work on arm 32 bit
    - kthread_worker: split code for canceling the delayed work timer
    - kthread: prevent deadlock when kthread_mod_delayed_work() races with
      kthread_cancel_delayed_work_sync()
    - xen/events: reset active flag for lateeoi events later
    - ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment
    - ARM: OMAP: replace setup_irq() by request_irq()
    - clocksource/drivers/timer-ti-dm: Add clockevent and clocksource support
    - clocksource/drivers/timer-ti-dm: Prepare to handle dra7 timer wrap issue

* Bionic update: upstream stable patchset 2021-07-14 (LP: #1936231)
    - Revert "UBUNTU: SAUCE: Revert "proc: Check /proc/$pid/attr/ writes against
      file opener""
    - proc: Track /proc/$pid/attr/ opener mm_struct
    - net/nfc/rawsock.c: fix a permission check bug
    - ASoC: sti-sas: add missing MODULE_DEVICE_TABLE
    - isdn: mISDN: netjet: Fix crash in nj_probe:
    - bonding: init notify_work earlier to avoid uninitialized use
    - netlink: disable IRQs for netlink_lock_table()
    - net: mdiobus: get rid of a BUG_ON()
    - cgroup: disable controllers at parse time
    - wq: handle VM suspension in stall detection
    - net/qla3xxx: fix schedule while atomic in ql_sem_spinlock
    - scsi: vmw_pvscsi: Set correct residual data length
    - scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal
    - net: macb: ensure the device is available before accessing GEMGXL control
      registers
    - net: appletalk: cops: Fix data race in cops_probe1
    - MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER
    - bnx2x: Fix missing error code in bnx2x_iov_init_one()
    - powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers
    - powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers
    - i2c: mpc: Make use of i2c_recover_bus()
    - i2c: mpc: implement erratum A-004447 workaround
    - drm: Fix use-after-free read in drm_getunique()
    - drm: Lock pointer access in drm_master_release()
    - kvm: avoid speculation-based attacks from out-of-range memslot accesses
    - staging: rtl8723bs: Fix uninitialized variables
    - btrfs: return value from btrfs_mark_extent_written() in case of error
    - cgroup1: don't allow '\n' in renaming
    - USB: f_ncm: ncm_bitrate (speed) is unsigned
    - usb: dwc3: ep0: fix NULL pointer exception
    - usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path
    - usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind
    - USB: serial: ftdi_sio: add NovaTech OrionMX product ID
    - USB: serial: omninet: add device id for Zyxel Omni 56K Plus
    - USB: serial: quatech2: fix control-request directions
    - usb: gadget: eem: fix wrong eem header operation
    - usb: fix various gadgets null ptr deref on 10gbps cabling.
    - usb: fix various gadget panics on 10gbps cabling
    - regulator: core: resolve supply for boot-on/always-on regulators
    - regulator: max77620: Use device_set_of_node_from_dev()
    - perf: Fix data race between pin_count increment/decrement
    - NFS: Fix a potential NULL dereference in nfs_get_client()
    - perf session: Correct buffer copying when peeking events
    - kvm: fix previous commit for 32-bit builds
    - NFS: Fix use-after-free in nfs4_init_client()
    - NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error.
    - scsi: core: Fix error handling of scsi_host_alloc()
    - scsi: core: Put .shost_dev in failure path if host state changes to RUNNING
    - scsi: core: Only put parent device if host state differs from SHOST_CREATED
    - ftrace: Do not blindly read the ip address in ftrace_bug()
    - tracing: Correct the length check which causes memory corruption
    - proc: only require mm_struct for writing
    - scsi: bnx2fc: Return failure if io_req is already in ABTS processing
    - ARM: dts: imx6qdl-sabresd: Assign corresponding power supply for LDOs
    - usb: f_ncm: only first packet of aggregate needs to start timer
    - usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms
    - RDMA/mlx4: Do not map the core_clock page to user space unless enabled
    - vmlinux.lds.h: Avoid orphan section with !SMP
    - sched/fair: Make sure to update tg contrib for blocked load
    - net: ieee802154: fix null deref in parse dev addr
    - HID: hid-sensor-hub: Return error for hid_set_field() failure
    - HID: Add BUS_VIRTUAL to hid_connect logging
    - HID: usbhid: fix info leak in hid_submit_ctrl
    - ARM: OMAP2+: Fix build warning when mmc_omap is not built
    - HID: gt683r: add missing MODULE_DEVICE_TABLE
    - gfs2: Fix use-after-free in gfs2_glock_shrink_scan
    - scsi: target: core: Fix warning on realtime kernels
    - ethernet: myri10ge: Fix missing error code in myri10ge_probe()
    - nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues()
    - nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue()
      fails
    - nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue()
    - net: ipconfig: Don't override command-line hostnames or domains
    - rtnetlink: Fix missing error code in rtnl_bridge_notify()
    - net/x25: Return the correct errno code
    - net: Return the correct errno code
    - fib: Return the correct errno code
    - dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM
    - dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM
    - dmaengine: stedma40: add missing iounmap() on error in d40_probe()
    - mm/memory-failure: make sure wait for page writeback in memory_failure
    - batman-adv: Avoid WARN_ON timing related checks
    - net: ipv4: fix memory leak in netlbl_cipsov4_add_std
    - net: rds: fix memory leak in rds_recvmsg
    - udp: fix race between close() and udp_abort()
    - rtnetlink: Fix regression in bridge VLAN configuration
    - netfilter: synproxy: Fix out of bounds when parsing TCP options
    - alx: Fix an error handling path in 'alx_probe()'
    - net: stmmac: dwmac1000: Fix extended MAC address registers definition
    - qlcnic: Fix an error handling path in 'qlcnic_probe()'
    - netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
    - net: cdc_ncm: switch to eth%d interface naming
    - net: usb: fix possible use-after-free in smsc75xx_bind
    - net: ipv4: fix memory leak in ip_mc_add1_src
    - net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock
    - be2net: Fix an error handling path in 'be_probe()'
    - net: hamradio: fix memory leak in mkiss_close
    - net: cdc_eem: fix tx fixup skb leak
    - icmp: don't send out ICMP messages with a source address of 0.0.0.0
    - net: ethernet: fix potential use-after-free in ec_bhf_remove
    - radeon: use memcpy_to/fromio for UVD fw upload
    - hwmon: (scpi-hwmon) shows the negative temperature properly
    - can: bcm: fix infoleak in struct bcm_msg_head
    - can: mcba_usb: fix memory leak in mcba_usb
    - usb: core: hub: Disable autosuspend for Cypress CY7C65632
    - tracing: Do not stop recording cmdlines when tracing is off
    - tracing: Do not stop recording comms if the trace file is being read
    - tracing: Do no increment trace_clock_global() by one
    - PCI: Mark TI C667X to avoid bus reset
    - PCI: Mark some NVIDIA GPUs to avoid bus reset
    - PCI: Add ACS quirk for Broadcom BCM57414 NIC
    - PCI: Work around Huawei Intelligent NIC VF FLR erratum
    - ARCv2: save ABI registers across signal handling
    - dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc
    - net: bridge: fix vlan tunnel dst null pointer dereference
    - net: bridge: fix vlan tunnel dst refcnt when egressing
    - mm/slub.c: include swab.h
    - net: fec_ptp: add clock rate zero check
    - can: bcm/raw/isotp: use per module netdevice notifier
    - inet: use bigger hash table for IP ID generation
    - usb: dwc3: core: fix kernel panic when do reboot
    - x86/fpu: Reset state for all signal restore failures
    - drm/nouveau: wait for moving fence after pinning v2
    - drm/radeon: wait for moving fence after pinning
    - ARM: 9081/1: fix gcc-10 thumb2-kernel regression
    - Makefile: Move -Wno-unused-but-set-variable out of GCC only block
    - MIPS: generic: Update node names to avoid unit addresses
    - Revert "PCI: PM: Do not read power state in pci_enable_device_flags()"
    - mac80211: remove warning in ieee80211_get_sband()
    - cfg80211: call cfg80211_leave_ocb when switching away from OCB
    - mac80211: drop multicast fragments
    - ping: Check return value of function 'ping_queue_rcv_skb'
    - inet: annotate date races around sk->sk_txhash
    - net: caif: fix memory leak in ldisc_open
    - net/packet: annotate accesses to po->bind
    - net/packet: annotate accesses to po->ifindex
    - r8152: Avoid memcpy() over-reading of ETH_SS_STATS
    - sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS
    - r8169: Avoid memcpy() over-reading of ETH_SS_STATS
    - net: qed: Fix memcpy() overflow of qed_dcbx_params()
    - net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY
    - pinctrl: stm32: fix the reported number of GPIO lines per bank
    - nilfs2: fix memory leak in nilfs_sysfs_delete_device_group
    - i2c: robotfuzz-osif: fix control-request directions
    - scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V
    - net/mlx5e: Remove dependency in IPsec initialization flows
    - net: add documentation to socket.c
    - net: make get_net_ns return error if NET_NS is disabled
    - net: qrtr: fix OOB Read in qrtr_endpoint_post
    - ptp: ptp_clock: Publish scaled_ppm_to_ppb
    - ptp: improve max_adj check against unreasonable values
    - net: fec_ptp: fix issue caused by refactor the fec_devtype
    - ASoC: rt5659: Fix the lost powers for the HDA header
    - cfg80211: make certificate generation more robust
    - mm/slub: clarify verification reporting
    - net: ethtool: clear heap allocations for ethtool function
    - PCI: Add AMD RS690 quirk to enable 64-bit DMA
    - upstream stable to v4.14.238, v4.19.196

-- Kelsey Skunberg <kelsey.skunberg@canonical.com>  Thu, 19 Aug 2021 16:30:31 -0600

Changed in linux (Ubuntu Bionic):
status:	Fix Committed → Fix Released

Revision history for this message

Andreas Hasenack (ahasenack) wrote on 2021-09-24:

#11

This change regressed my apparmor profile for a script I'm working on, which walks over processes using python3-psutil, in bionic.

I have this config in the apparmor profile:

capability sys_ptrace,
ptrace trace,

With kernel 4.15.0-154-generic #161 it works.

With kernel 4.15.0-158-generic #166 I get a DENIED error and the script backtraces when reading, for example, /proc/<pid>/fd/0 of some process, with os.readlink():

[ 19.223703] audit: type=1400 audit(1632507704.072:30): apparmor="DENIED" operation="ptrace" profile="/etc/hostos-monitoring/plugins.d/process-monitoring" pid=1098 comm="process-monitor" requested_mask="read" denied_mask="read" peer="unconfined"

Ubuntu
linux package

'ptrace trace' needed to readlink() /proc//ns/ files on older kernels

Bug Description

CVE References

Other bug subscribers

Remote bug watches

	Status	Importance	Assigned to
linux (Ubuntu)	Fix Released	Undecided	Unassigned
Xenial	Triaged	Medium	John Johansen
Bionic	Fix Released	Medium	John Johansen

Ubuntulinux package

'ptrace trace' needed to readlink() /proc/*/ns/* files on older kernels

Bug Description

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package

'ptrace trace' needed to readlink() /proc//ns/ files on older kernels