Ubuntu
apparmor package

regession tests failing after stackprofile test is run

  1. Yakkety (16.10)
  2. Bug #1661030
Bug #1661030 reported by Colin Ian King
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apparmor (Ubuntu)
Fix Released
High
John Johansen
Xenial
Fix Committed
Undecided
Unassigned
Yakkety
Fix Committed
Undecided
Unassigned
Zesty
Fix Released
High
John Johansen
linux (Ubuntu)
Incomplete
Undecided
Unassigned
Xenial
Fix Released
Undecided
Unassigned
Yakkety
Fix Released
Undecided
Unassigned
Zesty
Incomplete
Undecided
Unassigned

Bug Description

from source, I'm running the tests and the makefile fails at the end with:

running stackprofile
Makefile:303: recipe for target 'tests' failed
make: *** [tests] Error 1

No idea why that is happening. It's breaking on our kernel team regression tests runs, so can this be investigated? The source was fetched using "apt-get source apparmor".

A full run is below:

king@ubuntu:~/apparmor-2.10.95/tests/regression/apparmor$ sudo make USE_SYSTEM=1 tests

running aa_exec

running access
xfail: ACCESS file rx (r)
xfail: ACCESS file rwx (r)
xfail: ACCESS file r (wx)
xfail: ACCESS file rx (wx)
xfail: ACCESS file rwx (wx)
xfail: ACCESS dir rwx (r)
xfail: ACCESS dir r (wx)
xfail: ACCESS dir rx (wx)
xfail: ACCESS dir rwx (wx)

running at_secure

running introspect

running capabilities
        (ptrace)
        (sethostname)
        (setdomainname)
        (setpriority)
        (setscheduler)
        (reboot)
        (chroot)
        (mlockall)
        (net_raw)
        (ioperm)
        (iopl)

running changeprofile

running onexec

running changehat

running changehat_fork

running changehat_misc

*** A 'Killed' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219: 12503 Killed $testexec "$@" > $outfile 2>&1

*** A 'Killed' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219: 12537 Killed $testexec "$@" > $outfile 2>&1

running chdir

running clone

running coredump
*** A 'Segmentation Fault' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219: 12803 Segmentation fault (core dumped) $testexec "$@" > $outfile 2>&1

*** A 'Segmentation Fault' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219: 12833 Segmentation fault $testexec "$@" > $outfile 2>&1

*** A 'Segmentation Fault' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219: 12869 Segmentation fault $testexec "$@" > $outfile 2>&1

*** A 'Segmentation Fault' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219: 12905 Segmentation fault $testexec "$@" > $outfile 2>&1

*** A 'Segmentation Fault' message from bash is expected for the following test
/home/king/apparmor-2.10.95/tests/regression/apparmor/prologue.inc: line 219: 12941 Segmentation fault $testexec "$@" > $outfile 2>&1
XFAIL: Error: corefile present when not expected -- COREDUMP (ix confinement)

running deleted

running environ
Fatal Error (environ): Unable to run test sub-executable

running exec

running exec_qual

running fchdir

running fd_inheritance

running fork

running i18n

running link

running link_subset

running mkdir

running mmap

running mount
    using mount rules ...

running mult_mount

running named_pipe

running namespaces

running net_raw

running open

running openat

running pipe

running pivot_root

running ptrace
   using ptrace v6 tests ...

running pwrite

running query_label
Alert: query_label passed. Test 'QUERY file (all base perms #1)' was marked as expected pass but known problem (xpass)
xpass: QUERY file (all base perms #1)
Alert: query_label passed. Test 'QUERY file (all base perms #2)' was marked as expected pass but known problem (xpass)
xpass: QUERY file (all base perms #2)

running regex

running rename

running readdir

running rw

running socketpair

running swap
mkswap: /tmp/sdtest.21272-20356-eRXvtR/swapfile: insecure permissions 0644, 0600 suggested.
swapon: /tmp/sdtest.21272-20356-eRXvtR/swapfile: insecure permissions 0644, 0600 suggested.

running sd_flags

running setattr

running symlink

running syscall

running tcp

running unix_fd_server

running unix_socket_pathname
xpass: AF_UNIX pathname socket (dgram); confined server w/ access (rw)
xpass: AF_UNIX pathname socket (dgram); confined client w/ access (rw)

running unix_socket_abstract

running unix_socket_unnamed
xpass: AF_UNIX unnamed socket (dgram); confined server (peer label w/ implicit perms)
xpass: AF_UNIX unnamed socket (dgram); confined server (peer label w/ explicit perms)
xpass: AF_UNIX unnamed socket (dgram); confined server (peer label, peer addr)
xpass: AF_UNIX unnamed socket (dgram); confined server (type, peer label, peer addr)
xpass: AF_UNIX unnamed socket (dgram); confined server (type, addr, peer label)
xpass: AF_UNIX unnamed socket (dgram); confined server (type, addr, peer label, peer addr)

running unlink

running xattrs
Required feature 'file/xattr' not available.. Skipping tests ...

running longpath

running dbus_eavesdrop

running dbus_message

running dbus_service

running dbus_unrequested_reply

running aa_policy_cache

running exec_stack

running stackonexec

running stackprofile
Makefile:303: recipe for target 'tests' failed
make: *** [tests] Error 1

CVE References

Colin Ian King (colin-king)
Changed in apparmor (Ubuntu):
importance: Undecided → High
Revision history for this message
Steve Beattie (sbeattie) wrote :

Hi Colin,

stackprofile is just the last test in the for-loop, it's the make tests target failing as a whole. It looks like for some reason the environ test is failing.

What kernel are you running this on?

Thanks.

Changed in apparmor (Ubuntu):
status: New → Incomplete
Revision history for this message
Colin Ian King (colin-king) wrote :

4.9.0-12_4.9.0-12.13 + jj latest fixes that landed on the kernel-team mailing list in the last 24 hours.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Okay. Can you attempt to run the environ test individually with VERBOSE=1 set in the environment? e.g.:

$ sudo sh -c "VERBOSE=1 bash ./environ.sh"
ok: ENVIRON (elf): ux & regular env
ok: ENVIRON (elf): ux & sensitive env
ok: ENVIRON (elf): Ux & regular env
ok: ENVIRON (elf): Ux & sensitive env
ok: ENVIRON (elf): ix & regular env
ok: ENVIRON (elf): ix & sensitive env
ok: ENVIRON (elf): px & regular env
ok: ENVIRON (elf): px & sensitive env
ok: ENVIRON (elf): Px & regular env
ok: ENVIRON (elf): Px & sensitive env
ok: ENVIRON (elf): unconfined --> confined & regular env
ok: ENVIRON (elf): unconfined --> confined & sensitive env
ok: ENVIRON (elf): confined/complain & regular env
ok: ENVIRON (elf): confined/complain & sensitive env
ok: ENVIRON (shell script): ux & regular env
ok: ENVIRON (shell script): ux & sensitive env
ok: ENVIRON (shell script): Ux & regular env
ok: ENVIRON (shell script): Ux & sensitive env
ok: ENVIRON (shell script): px & regular env
ok: ENVIRON (shell script): px & sensitive env
ok: ENVIRON (shell script): Px & regular env
ok: ENVIRON (shell script): Px & sensitive env
ok: ENVIRON (shell script): ix & regular env
ok: ENVIRON (shell script): ix & sensitive env
ok: ENVIRON (shell script): unconfined --> confined & regular env
ok: ENVIRON (shell script): unconfined --> confined & sensitive env
ok: ENVIRON (shell script): confined/complain & regular env
ok: ENVIRON (shell script): confined/complain & sensitive env
ok: ENVIRON (elf): unconfined setuid helper
ok: ENVIRON (elf): unconfined setuid helper

Thanks.

Revision history for this message
Steve Beattie (sbeattie) wrote :

Okay, thanks to jj for providing kernels, I've now reproduced this in zesty with his patch set applied.

It's failing in the 'confined/complain' tests. There's a bug in the environ.c test that prevents the test harness from detecting/reporting the failure correctly. When that's fixed, the output looks like:

ok: ENVIRON (elf): ux & regular env
ok: ENVIRON (elf): ux & sensitive env
ok: ENVIRON (elf): Ux & regular env
ok: ENVIRON (elf): Ux & sensitive env
ok: ENVIRON (elf): ix & regular env
ok: ENVIRON (elf): ix & sensitive env
ok: ENVIRON (elf): px & regular env
ok: ENVIRON (elf): px & sensitive env
ok: ENVIRON (elf): Px & regular env
ok: ENVIRON (elf): Px & sensitive env
ok: ENVIRON (elf): unconfined --> confined & regular env
ok: ENVIRON (elf): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (elf): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (elf): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (shell script): ux & regular env
ok: ENVIRON (shell script): ux & sensitive env
ok: ENVIRON (shell script): Ux & regular env
ok: ENVIRON (shell script): Ux & sensitive env
ok: ENVIRON (shell script): px & regular env
ok: ENVIRON (shell script): px & sensitive env
ok: ENVIRON (shell script): Px & regular env
ok: ENVIRON (shell script): Px & sensitive env
ok: ENVIRON (shell script): ix & regular env
ok: ENVIRON (shell script): ix & sensitive env
ok: ENVIRON (shell script): unconfined --> confined & regular env
ok: ENVIRON (shell script): unconfined --> confined & sensitive env
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & regular env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
Error: environ failed. Test 'ENVIRON (shell script): confined/complain & sensitive env' was expected to 'pass'. Reason for failure 'FAIL: child failed'
ok: ENVIRON (elf): unconfined setuid helper
ok: ENVIRON (elf): unconfined setuid helper

Examining the individual test, the environ program is attempting to run the env_check program while confined by a complain mode profile, but is not permitted to do so. From strace output:

[pid 5706] execve("/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check", ["/home/ubuntu/tmp/apparmor-2.10.9"..., "FOO=BAR"], [/* 24 vars */]) = -1 EACCES (Permission denied)

The apparmor audit message is correctly claiming that its allowing it (but isn't permitted by the loaded policy):

[ 1726.404464] audit: type=1400 audit(1485991672.366:348): apparmor="ALLOWED" operation="exec" profile="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ" name="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check" pid=5700 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ//null-/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check"

but that doesn't seem to be the case. So I think there's something wonky in John's patch set.

John, can you take a look at what's going on?

Changed in apparmor (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
Revision history for this message
Steve Beattie (sbeattie) wrote :

I enabled the apparmor kernel debugging, and this is what shows up in dmesg:

[ 3526.954133] AppArmor: unconfined exec no attachment
[ 3533.965480] AppArmor: unconfined attached to new label
[ 3533.965485] apparmor: clearing unsafe personality bits. /home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ label=
[ 3533.965547] /home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ

[ 3533.966847] audit: type=1400 audit(1485993479.943:350): apparmor="ALLOWED" operation="exec" profile="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ" name="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check" pid=5722 comm="environ" requested_mask="x" denied_mask="x" fsuid=1000 ouid=1000 target="/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/environ//null-/home/ubuntu/tmp/apparmor-2.10.95/tests/regression/apparmor/env_check"

Revision history for this message
John Johansen (jjohansen) wrote :

Alright, so I broke complain mode for execs with
  UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked namespaces

I have a fix and the test kernels are building and will be available in
  http://people.canonical.com/~jj/linux+jj/

Revision history for this message
John Johansen (jjohansen) wrote :

These kernels are working for me

Revision history for this message
Steve Beattie (sbeattie) wrote : Re: [Bug 1661030] Re: regession tests failing after stackprofile test is run

On Thu, Feb 02, 2017 at 08:13:45AM -0000, John Johansen wrote:
> These kernels are working for me

The zesty 4.9.0 kernel (once I hacked around a problem I was having the
kernel modules not generating a working initrd) is solving the issue for
me, too.

Thanks John!

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/

Tim Gardner (timg-tpi)
Changed in apparmor (Ubuntu Xenial):
status: New → Fix Committed
Changed in apparmor (Ubuntu Yakkety):
status: New → Fix Committed
Changed in apparmor (Ubuntu Zesty):
status: Incomplete → Fix Committed
status: Fix Committed → Fix Released
Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Yakkety):
status: New → Fix Committed
Changed in linux (Ubuntu Xenial):
status: New → Fix Committed
Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1661030

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
tags: added: verification-needed-yakkety
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-yakkety' to 'verification-done-yakkety'. If the problem still exists, change the tag 'verification-needed-yakkety' to 'verification-failed-yakkety'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message
Colin Ian King (colin-king) wrote :

tested and verified it is fixed on Ubuntu Yakkety with -proposed kernel 4.8.0-39-generic #42

tags: added: verification-done-yakkety
removed: verification-needed-yakkety
Revision history for this message
Colin Ian King (colin-king) wrote :

tested and verified it is fixed on Ubuntu Xenial with -proposed kernel 4.4.0-64 #86

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (6.0 KiB)

This bug was fixed in the package linux - 4.8.0-40.43

---------------
linux (4.8.0-40.43) yakkety; urgency=low

  * linux: 4.8.0-40.43 -proposed tracker (LP: #1667066)

  [ Andy Whitcroft ]
  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * shaking screen (LP: #1651981)
    - drm/radeon: drop verde dpm quirks

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * In Ubuntu 17.04 : after reboot getting message in console like Unable to
    open file: /etc/keys/x509_ima.der (-2) (LP: #1656908)
    - SAUCE: ima: Downgrade error to warning

  * 16.04.2: Extra patches for POWER9 (LP: #1664564)
    - powerpc/mm: Fix no execute fault handling on pre-POWER5
    - powerpc/mm: Fix spurrious segfaults on radix with autonuma

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the restriction on max segment size
    - scsi: storvsc: Enable multi-queue support
    - scsi: storvsc: use tagged SRB requests if supported by the device
    - scsi: storvsc: properly handle SRB_ERROR when sense message is present
    - scsi: storvsc: properly set residual data length on errors

  * Ubuntu16.10-KVM:Big configuration with multiple guests running SRIOV VFs
    caused KVM host hung and all KVM guests down. (LP: #1651248)
    - KVM: PPC: Book 3S: XICS cleanup: remove XICS_RM_REJECT
    - KVM: PPC: Book 3S: XICS: correct the real mode ICP rejecting counter
    - KVM: PPC: Book 3S: XICS: Fix potential issue with duplicate IRQ resends
    - KVM: PPC: Book 3S: XICS: Implement ICS P/Q states
    - KVM: PPC: Book 3S: XICS: Don't lock twice when checking for resend

  * ISST-LTE:pNV: ppc64_cpu command is hung w HDs, SSDs and NVMe (LP: #1662666)
    - blk-mq: Avoid memory reclaim when remapping queues
    - blk-mq: Fix failed allocation path when mapping queues
    - blk-mq: Always schedule hctx->next_cpu

  * systemd-udevd hung in blk_mq_freeze_queue_wait testing unpartitioned NVMe
    drive (LP: #1662673)
    - percpu-refcount: fix reference leak during percpu-atomic transition

  * [Yakkety SRU] Enable KEXEC support in ARM64 kernel (LP: #1662554)
    - [Config] Enable KEXEC support in ARM64.

  * [Hyper-V] Fix ring buffer handling to avoid host throttling (LP: #1661430)
    - Drivers: hv: vmbus: On write cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: On the read path cleanup the logic to interrupt the host
    - Drivers: hv: vmbus: finally fix hv_need_to_signal_on_read()

  * brd module compiled as built-in (LP: #1593293)
    - CONFIG_BLK_DEV_RAM=m

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in compla...

Read more...

Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (14.5 KiB)

This bug was fixed in the package linux - 4.4.0-65.86

---------------
linux (4.4.0-65.86) xenial; urgency=low

  * linux: 4.4.0-65.86 -proposed tracker (LP: #1667052)

  [ Stefan Bader ]
  * Upgrade Redpine RS9113 driver to support AP mode (LP: #1665211)
    - SAUCE: Redpine driver to support Host AP mode

  * NFS client : permission denied when trying to access subshare, since kernel
    4.4.0-31 (LP: #1649292)
    - fs: Better permission checking for submounts

  * [Hyper-V] SAUCE: pci-hyperv fixes for SR-IOV on Azure (LP: #1665097)
    - SAUCE: PCI: hv: Fix wslot_to_devfn() to fix warnings on device removal
    - SAUCE: pci-hyperv: properly handle pci bus remove
    - SAUCE: pci-hyperv: lock pci bus on device eject

  * [Hyper-V/Azure] Please include Mellanox OFED drivers in Azure kernel and
    image (LP: #1650058)
    - net/mlx4_en: Fix bad WQE issue
    - net/mlx4_core: Fix racy CQ (Completion Queue) free
    - net/mlx4_core: Fix when to save some qp context flags for dynamic VST to VGT
      transitions
    - net/mlx4_core: Avoid command timeouts during VF driver device shutdown

  * Xenial update to v4.4.49 stable release (LP: #1664960)
    - ARC: [arcompact] brown paper bag bug in unaligned access delay slot fixup
    - selinux: fix off-by-one in setprocattr
    - Revert "x86/ioapic: Restore IO-APIC irq_chip retrigger callback"
    - cpumask: use nr_cpumask_bits for parsing functions
    - hns: avoid stack overflow with CONFIG_KASAN
    - ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
    - target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
    - target: Use correct SCSI status during EXTENDED_COPY exception
    - target: Fix early transport_generic_handle_tmr abort scenario
    - target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
    - ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
    - mac80211: Fix adding of mesh vendor IEs
    - netvsc: Set maximum GSO size in the right place
    - scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed
      send
    - scsi: aacraid: Fix INTx/MSI-x issue with older controllers
    - scsi: mpt3sas: disable ASPM for MPI2 controllers
    - xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
    - ALSA: seq: Fix race at creating a queue
    - ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
    - drm/i915: fix use-after-free in page_flip_completed()
    - Linux 4.4.49

  * NFS client : kernel 4.4.0-57 crash with nfsv4 enries in /etc/fstab
    (LP: #1650336)
    - SUNRPC: fix refcounting problems with auth_gss messages.

  * [0bda:0328] Card reader failed after S3 (LP: #1664809)
    - usb: hub: Wait for connection to be reestablished after port reset

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * ibmvscsis: Add SGL LIMIT (LP: #1662551)
    - ibmvscsis: Add SGL limit

  * [Hyper-V] Bug fixes for storvsc (tagged queuing, error conditions)
    (LP: #1663687)
    - scsi: storvsc: Enable tracking of queue depth
    - scsi: storvsc: Remove the ...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Stefan Bader (smb) wrote :

Not fixed because we had to revert the commits due to various regressions.

Changed in linux (Ubuntu Yakkety):
status: Fix Released → Triaged
Changed in linux (Ubuntu Xenial):
status: Fix Released → Triaged
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-45.48

---------------
linux (4.8.0-45.48) yakkety; urgency=low

  * CVE-2017-7184
    - xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
    - xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder

 -- Stefan Bader <email address hidden> Fri, 24 Mar 2017 12:03:39 +0100

Changed in linux (Ubuntu Yakkety):
status: Triaged → Fix Released
Stefan Bader (smb)
Changed in linux (Ubuntu Yakkety):
status: Fix Released → Triaged
Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Xenial):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (29.1 KiB)

This bug was fixed in the package linux - 4.4.0-75.96

---------------
linux (4.4.0-75.96) xenial; urgency=low

  * linux: 4.4.0-75.96 -proposed tracker (LP: #1684441)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.4.0-74.95) xenial; urgency=low

  * linux: 4.4.0-74.95 -proposed tracker (LP: #1682041)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.4.0-73.94) xenial; urgency=low

  * linux: 4.4.0-73.94 -proposed tracker (LP: #1680416)

  * CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

  * Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with nested namespaces
    (LP: #1660832)
    - SAUCE: apparmor: fix cross ns perm of unix domain sockets

  * Xenial update to v4.4.59 stable release (LP: #1678960)
    - xfrm: policy: init locks early
    - virtio_balloon: init ...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (14.5 KiB)

This bug was fixed in the package linux - 4.8.0-49.52

---------------
linux (4.8.0-49.52) yakkety; urgency=low

  * linux: 4.8.0-49.52 -proposed tracker (LP: #1684427)

  * [Hyper-V] hv: util: move waiting for release to hv_utils_transport itself
    (LP: #1682561)
    - Drivers: hv: util: move waiting for release to hv_utils_transport itself

linux (4.8.0-48.51) yakkety; urgency=low

  * linux: 4.8.0-48.51 -proposed tracker (LP: #1682034)

  * [Hyper-V] hv: vmbus: Raise retry/wait limits in vmbus_post_msg()
    (LP: #1681893)
    - Drivers: hv: vmbus: Raise retry/wait limits in vmbus_post_msg()

linux (4.8.0-47.50) yakkety; urgency=low

  * linux: 4.8.0-47.50 -proposed tracker (LP: #1679678)

  * CVE-2017-6353
    - sctp: deny peeloff operation on asocs with threads sleeping on it

  * CVE-2017-5986
    - sctp: avoid BUG_ON on sctp_wait_for_sndbuf

  * vfat: missing iso8859-1 charset (LP: #1677230)
    - [Config] NLS_ISO8859_1=y

  * [Hyper-V] pci-hyperv: Use device serial number as PCI domain (LP: #1667527)
    - net/mlx4_core: Use cq quota in SRIOV when creating completion EQs

  * Regression: KVM modules should be on main kernel package (LP: #1678099)
    - [Config] powerpc: Add kvm-hv and kvm-pr to the generic inclusion list

  * linux-lts-xenial 4.4.0-63.84~14.04.2 ADT test failure with linux-lts-xenial
    4.4.0-63.84~14.04.2 (LP: #1664912)
    - SAUCE: apparmor: fix link auditing failure due to, uninitialized var

  * regession tests failing after stackprofile test is run (LP: #1661030)
    - SAUCE: fix regression with domain change in complain mode

  * Permission denied and inconsistent behavior in complain mode with 'ip netns
    list' command (LP: #1648903)
    - SAUCE: fix regression with domain change in complain mode

  * unexpected errno=13 and disconnected path when trying to open /proc/1/ns/mnt
    from a unshared mount namespace (LP: #1656121)
    - SAUCE: apparmor: null profiles should inherit parent control flags

  * apparmor refcount leak of profile namespace when removing profiles
    (LP: #1660849)
    - SAUCE: apparmor: fix ns ref count link when removing profiles from policy

  * tor in lxd: apparmor="DENIED" operation="change_onexec"
    namespace="root//CONTAINERNAME_<var-lib-lxd>" profile="unconfined"
    name="system_tor" (LP: #1648143)
    - SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using stacked
      namespaces

  * apparmor oops in bind_mnt when dev_path lookup fails (LP: #1660840)
    - SAUCE: apparmor: fix oops in bind_mnt when dev_path lookup fails

  * apparmor auditing denied access of special apparmor .null fi\ le
    (LP: #1660836)
    - SAUCE: apparmor: Don't audit denied access of special apparmor .null file

  * apparmor label leak when new label is unused (LP: #1660834)
    - SAUCE: apparmor: fix label leak when new label is unused

  * apparmor reference count bug in label_merge_insert() (LP: #1660833)
    - SAUCE: apparmor: fix reference count bug in label_merge_insert()

  * apparmor's raw_data file in securityfs is sometimes truncated (LP: #1638996)
    - SAUCE: apparmor: fix replacement race in reading rawdata

  * unix domain socket cross permission check failing with n...

Changed in linux (Ubuntu Yakkety):
status: Triaged → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.