Verification done on Eoan.
The apparmor label refcnt inc/dec-rements properly on accept()/release(), no 
leaks.

$ lsb_release -cs
eoan

$ uname -rv
5.3.0-63-generic #57-Ubuntu SMP Thu Jul 2 10:38:35 UTC 2020

$ apt-cache policy linux-image-$(uname -r)
linux-image-5.3.0-63-generic:
...
 *** 5.3.0-63.57 500
        500 http://archive.ubuntu.com/ubuntu eoan-proposed/main amd64 Packages
...

$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
$ ./aa-refcnt-af_alg &

$ make
$ sudo insmod kmod.ko & 

$ dmesg
...
[  254.940413] accept() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a4
[  254.941665] release() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a5
[  254.942932] accept() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a4
[  254.944187] release() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a5
[  254.945484] accept() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a4
[  254.946741] release() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a5
[  254.948023] accept() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a4
[  254.949282] release() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a5                                           
              
[  254.950572] accept() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a4
[  254.952526] release() :: comm = aa-refcnt-af_al, pid = 1540, 
sk->sk_security->label->count = 0x6a5
...

$ sudo rmmod kmod

** Tags removed: verification-needed-eoan
** Tags added: verification-done-eoan

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1883962

Title:
  apparmor reference leak causes refcount_t overflow with
  af_alg_accept()

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Committed
Status in linux source package in Eoan:
  Fix Committed
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Groovy:
  Invalid

Bug description:
  [Impact]

   * Users of the Crypto (user-space) API (i.e., AF_ALG)
     can trigger refcount errors in AppArmor under high
     load (might lead to memory leak or use after free.)

   * There is a reference leak in AppArmor when af_alg_accept()
     calls security_sock_graft() and then security_sk_clone().

   * Both acquire a reference to a label, to assign it to the
     same pointer, but the latter does not release the former's
     acquired reference (before overwriting the pointer value.)

   * This reference leak builds up over time, and under high
     load can eventually overflow/underflow/saturate refcount,
     depending on which value it has when a program hits that.

   * The fix just checks if the pointer has an assigned label,
     then releases its acquired reference.

  [Test Case]

   * See comment #1 for the test-case 'aa-refcnt-af_alg.c'.

   * Exercise that code path indefinitely until it hits
     the refcount_t overflow/underflow/saturate message
     (or not, with the patch.) (see comment #4)

   * It's possible to monitor refcount values with kprobes,
     to confirm whether or not the problem is happening.
     (see comments #2 and #3)

  [Other Info]

   * Patch applied upstream on v5.8-rc1 [1]
   * Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
   * Not required on Groovy (still 5.4; should sync from Unstable)
   * Not required on Eoan (EOL date before SRU cycle release date)
   * Required on Bionic and Focal.

  [1]
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1883962/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to