[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2022-09-14 Thread Mauricio Faria de Oliveira
** Changed in: linux (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1883962

Title:
  apparmor reference leak causes refcount_t overflow with
  af_alg_accept()

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Eoan:
  Fix Released
Status in linux source package in Focal:
  Fix Released
Status in linux source package in Groovy:
  Invalid

Bug description:
  [Impact]

   * Users of the Crypto (user-space) API (i.e., AF_ALG)
     can trigger refcount errors in AppArmor under high
     load (might lead to memory leak or use after free.)

   * There is a reference leak in AppArmor when af_alg_accept()
     calls security_sock_graft() and then security_sk_clone().

   * Both acquire a reference to a label, to assign it to the
     same pointer, but the latter does not release the former's
     acquired reference (before overwriting the pointer value.)

   * This reference leak builds up over time, and under high
     load can eventually overflow/underflow/saturate refcount,
     depending on which value it has when a program hits that.

   * The fix just checks if the pointer has an assigned label,
     then releases its acquired reference.

  [Test Case]

   * See comment #1 for the test-case 'aa-refcnt-af_alg.c'.

   * Exercise that code path indefinitely until it hits
     the refcount_t overflow/underflow/saturate message
     (or not, with the patch.) (see comment #4)

   * It's possible to monitor refcount values with kprobes,
     to confirm whether or not the problem is happening.
     (see comments #2 and #3)

  [Other Info]

   * Patch applied upstream on v5.8-rc1 [1]
   * Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
   * Not required on Groovy (still 5.4; should sync from Unstable)
   * Not required on Eoan (EOL date before SRU cycle release date)
   * Required on Bionic and Focal.

  [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1883962/+subscriptions


-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
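The [Impact] section above describes the leak in prose: security_sock_graft() and security_sk_clone() each take a reference on the label and store it in the same pointer, and the second store discards the first reference without dropping it. What follows is an added example, not code from the bug report, from the test case in comment #1 or from the kernel tree: a user-space model of those two hooks and of socket teardown, with a simplified saturating counter standing in for refcount_t. The struct layouts, the `fixed` switch and the `simulate_at()` helper are assumptions made for the model; only the hook names and the graft-then-clone order come from the report.

```c
/*
 * Added example, not from the bug report, comment #1 or the kernel tree: a
 * user-space model of the AppArmor label reference leak on af_alg_accept().
 * Names follow the kernel's (aa_label, aa_sk_ctx, aa_get_label, aa_put_label,
 * sock_graft, sk_clone); the layouts and the saturating refcount are
 * simplified assumptions, not the real definitions.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal refcount_t: never wraps, sticks at REFCOUNT_SATURATED on overflow
 * or underflow (the "refcount_t: ..." warnings the report refers to). */
#define REFCOUNT_MAX        INT32_MAX
#define REFCOUNT_SATURATED  INT32_MIN

struct refcount { int32_t refs; };
struct aa_label { struct refcount count; const char *name; };
struct aa_sk_ctx { struct aa_label *label; };   /* sk->sk_security->label */

static void refcount_inc(struct refcount *r)
{
    if (r->refs < 0)                         /* already saturated: stay there */
        return;
    r->refs = (r->refs == REFCOUNT_MAX) ? REFCOUNT_SATURATED : r->refs + 1;
}

static bool refcount_dec_and_test(struct refcount *r)
{
    if (r->refs < 0)
        return false;
    if (r->refs == 0) {                      /* underflow: would be a use-after-free */
        r->refs = REFCOUNT_SATURATED;
        return false;
    }
    return --r->refs == 0;
}

static struct aa_label *aa_get_label(struct aa_label *l)
{
    if (l)
        refcount_inc(&l->count);
    return l;
}

static void aa_put_label(struct aa_label *l)
{
    if (l && refcount_dec_and_test(&l->count))
        l->name = "(freed)";                 /* the kernel would free it here */
}

/* security_sock_graft(): the accepted socket gets the current task's label. */
static void sock_graft(struct aa_sk_ctx *child, struct aa_label *current)
{
    if (!child->label)
        child->label = aa_get_label(current);
}

/* security_sk_clone(): copy the parent's label to the child. Unfixed, it
 * overwrites child->label without dropping the reference sock_graft() took;
 * the fix is the aa_put_label() guarded by `fixed`. */
static void sk_clone(const struct aa_sk_ctx *parent, struct aa_sk_ctx *child, bool fixed)
{
    if (fixed && child->label)
        aa_put_label(child->label);
    child->label = aa_get_label(parent->label);
}

/* sk_free_security(): socket teardown drops exactly one reference. */
static void sk_free(struct aa_sk_ctx *ctx)
{
    aa_put_label(ctx->label);
    ctx->label = NULL;
}

/* Start a label at `initial_refs`, bind a parent AF_ALG socket to it, run
 * `cycles` accept()/close() pairs, release the parent and return the label's
 * refcount. Unfixed: one reference leaks per cycle. Fixed: back to initial_refs. */
int32_t simulate_at(int32_t initial_refs, long cycles, bool fixed)
{
    struct aa_label label = { .count = { .refs = initial_refs }, .name = "unconfined" };
    struct aa_sk_ctx parent = { .label = aa_get_label(&label) };

    for (long i = 0; i < cycles; i++) {
        struct aa_sk_ctx child = { .label = NULL };
        sock_graft(&child, &label);          /* +1 */
        sk_clone(&parent, &child, fixed);    /* +1, and -1 only when fixed */
        sk_free(&child);                     /* -1 */
    }
    sk_free(&parent);
    return label.count.refs;
}

int main(void)
{
    printf("unfixed: %d references leaked by 1000 cycles\n", simulate_at(1, 1000, false) - 1);
    printf("fixed:   %d references leaked by 1000 cycles\n", simulate_at(1, 1000, true) - 1);
    printf("unfixed starting near REFCOUNT_MAX: count = %d (saturated)\n",
           simulate_at(REFCOUNT_MAX - 3, 2, false));
    return 0;
}
```

The unfixed path gains exactly one reference per accept()/close() pair, which is the steady growth a kprobe on the label count shows on an unpatched kernel; the fixed path returns the count to its starting value, matching the stable 0x583/0x584 oscillation in the verification output further down this thread. The last line shows the end state once a long-running leak has driven the count to REFCOUNT_MAX: the counter sticks at its saturation value and the label is never freed again, which is the memory-leak outcome the [Impact] section mentions.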


[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-09-01 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 4.15.0-115.116

---
linux (4.15.0-115.116) bionic; urgency=medium

  * bionic/linux: 4.15.0-115.116 -proposed tracker (LP: #1893055)

  * [Potential Regression] dscr_inherit_exec_test from powerpc in
ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
- powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (4.15.0-114.115) bionic; urgency=medium

  * bionic/linux: 4.15.0-114.115 -proposed tracker (LP: #1891052)

  * ipsec: policy priority management is broken (LP: #1890796)
- xfrm: policy: match with both mark and mask on user interfaces

linux (4.15.0-113.114) bionic; urgency=medium

  * bionic/linux: 4.15.0-113.114 -proposed tracker (LP: #1890705)

  * Packaging resync (LP: #1786013)
- update dkms package versions

  * Reapply "usb: handle warm-reset port requests on hub resume" (LP: #1859873)
- usb: handle warm-reset port requests on hub resume

  * Bionic update: upstream stable patchset 2020-07-29 (LP: #1889474)
- gpio: arizona: handle pm_runtime_get_sync failure case
- gpio: arizona: put pm_runtime in case of failure
- pinctrl: amd: fix npins for uart0 in kerncz_groups
- mac80211: allow rx of mesh eapol frames with default rx key
- scsi: scsi_transport_spi: Fix function pointer check
- xtensa: fix __sync_fetch_and_{and,or}_4 declarations
- xtensa: update *pos in cpuinfo_op.next
- drivers/net/wan/lapbether: Fixed the value of hard_header_len
- net: sky2: initialize return of gm_phy_read
- drm/nouveau/i2c/g94-: increase NV_PMGR_DP_AUXCTL_TRANSACTREQ timeout
- irqdomain/treewide: Keep firmware node unconditionally allocated
- SUNRPC reverting d03727b248d0 ("NFSv4 fix CLOSE not waiting for direct IO
  compeletion")
- spi: spi-fsl-dspi: Exit the ISR with IRQ_NONE when it's not ours
- IB/umem: fix reference count leak in ib_umem_odp_get()
- uprobes: Change handle_swbp() to send SIGTRAP with si_code=SI_KERNEL, to fix
  GDB regression
- ALSA: info: Drop WARN_ON() from buffer NULL sanity check
- ASoC: rt5670: Correct RT5670_LDO_SEL_MASK
- btrfs: fix double free on ulist after backref resolution failure
- btrfs: fix mount failure caused by race with umount
- btrfs: fix page leaks after failure to lock page for delalloc
- bnxt_en: Fix race when modifying pause settings.
- hippi: Fix a size used in a 'pci_free_consistent()' in an error handling
  path
- ax88172a: fix ax88172a_unbind() failures
- net: dp83640: fix SIOCSHWTSTAMP to update the struct with actual
  configuration
- drm: sun4i: hdmi: Fix inverted HPD result
- net: smc91x: Fix possible memory leak in smc_drv_probe()
- bonding: check error value of register_netdevice() immediately
- mlxsw: destroy workqueue when trap_register in mlxsw_emad_init
- ipvs: fix the connection sync failed in some cases
- i2c: rcar: always clear ICSAR to avoid side effects
- bonding: check return value of register_netdevice() in bond_newlink()
- serial: exar: Fix GPIO configuration for Sealevel cards based on XR17V35X
- scripts/decode_stacktrace: strip basepath from all paths
- HID: i2c-hid: add Mediacom FlexBook edge13 to descriptor override
- HID: apple: Disable Fn-key key-re-mapping on clone keyboards
- dmaengine: tegra210-adma: Fix runtime PM imbalance on error
- Input: add `SW_MACHINE_COVER`
- spi: mediatek: use correct SPI_CFG2_REG MACRO
- regmap: dev_get_regmap_match(): fix string comparison
- hwmon: (aspeed-pwm-tacho) Avoid possible buffer overflow
- dmaengine: ioat setting ioat timeout as module parameter
- Input: synaptics - enable InterTouch for ThinkPad X1E 1st gen
- usb: gadget: udc: gr_udc: fix memleak on error handling path in gr_ep_init()
- arm64: Use test_tsk_thread_flag() for checking TIF_SINGLESTEP
- x86: math-emu: Fix up 'cmp' insn for clang ias
- binder: Don't use mmput() from shrinker function.
- usb: xhci-mtk: fix the failure of bandwidth allocation
- usb: xhci: Fix ASM2142/ASM3142 DMA addressing
- Revert "cifs: Fix the target file was deleted when rename failed."
- staging: wlan-ng: properly check endpoint types
- staging: comedi: addi_apci_1032: check INSN_CONFIG_DIGITAL_TRIG shift
- staging: comedi: ni_6527: fix INSN_CONFIG_DIGITAL_TRIG support
- staging: comedi: addi_apci_1500: check INSN_CONFIG_DIGITAL_TRIG shift
- staging: comedi: addi_apci_1564: check INSN_CONFIG_DIGITAL_TRIG shift
- serial: 8250: fix null-ptr-deref in serial8250_start_tx()
- serial: 8250_mtk: Fix high-speed baud rates clamping
- fbdev: Detect integer underflow at "struct fbcon_ops"->clear_margins.
- vt: Reject zero-sized screen buffer size.
- Makefile: Fix GCC_TOOLCHAIN_DIR prefix for Clang cross compilation
- mm/memcg: fix refcount error while moving and swapping
- io-mapping: indicate mapping failure
- parisc: Add atomic64_set_release() 

[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-08-31 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.4.0-45.49

---
linux (5.4.0-45.49) focal; urgency=medium

  * focal/linux: 5.4.0-45.49 -proposed tracker (LP: #1893050)

  * [Potential Regression] dscr_inherit_exec_test from powerpc in
ubuntu_kernel_selftests failed on B/E/F (LP: #1888332)
- powerpc/64s: Don't init FSCR_DSCR in __init_FSCR()

linux (5.4.0-44.48) focal; urgency=medium

  * focal/linux: 5.4.0-44.48 -proposed tracker (LP: #1891049)

  * Packaging resync (LP: #1786013)
- [Packaging] update helper scripts

  * ipsec: policy priority management is broken (LP: #1890796)
- xfrm: policy: match with both mark and mask on user interfaces

linux (5.4.0-43.47) focal; urgency=medium

  * focal/linux: 5.4.0-43.47 -proposed tracker (LP: #1890746)

  * Packaging resync (LP: #1786013)
- update dkms package versions

  * Devlink -  add RoCE disable kernel support  (LP: #1877270)
- devlink: Add new "enable_roce" generic device param
- net/mlx5: Document flow_steering_mode devlink param
- net/mlx5: Handle "enable_roce" devlink param
- IB/mlx5: Rename profile and init methods
- IB/mlx5: Load profile according to RoCE enablement state
- net/mlx5: Remove unneeded variable in mlx5_unload_one
- net/mlx5: Add devlink reload
- IB/mlx5: Do reverse sequence during device removal

  * msg_zerocopy.sh in net from ubuntu_kernel_selftests failed (LP: #1812620)
- selftests/net: relax cpu affinity requirement in msg_zerocopy test

  * Enlarge hisi_sec2 capability (LP: #1890222)
- Revert "UBUNTU: [Config] Disable hisi_sec2 temporarily"
- crypto: hisilicon - update SEC driver module parameter

  * Fix missing HDMI/DP Audio on an HP Desktop (LP: #1890441)
- ALSA: hda/hdmi: Add quirk to force connectivity

  * Fix IOMMU error on AMD Radeon Pro W5700 (LP: #1890306)
- PCI: Mark AMD Navi10 GPU rev 0x00 ATS as broken

  * ASoC:amd:renoir:  the dmic can't record sound after suspend and resume
(LP: #1890220)
- SAUCE: ASoC: amd: renoir: restore two more registers during resume

  * No sound, Dummy output on Acer Swift 3 SF314-57G with Ice Lake core-i7  CPU
(LP: #1877757)
- ASoC: SOF: Intel: hda: fix generic hda codec support

  * Fix right speaker of HP laptop (LP: #1889375)
- SAUCE: hda/realtek: Fix right speaker of HP laptop

  * blk_update_request error when mount nvme partition (LP: #1872383)
- SAUCE: nvme-pci: prevent SK hynix PC400 from using Write Zeroes command

  * soc/amd/renoir: detect dmic from acpi table (LP: #1887734)
- ASoC: amd: add logic to check dmic hardware runtime
- ASoC: amd: add ACPI dependency check
- ASoC: amd: fixed kernel warnings

  * soc/amd/renoir: change the module name to make it work with ucm3
(LP: #1888166)
- AsoC: amd: add missing snd- module prefix to the acp3x-rn driver kernel
  module
- SAUCE: remove a kernel module since its name is changed

  * Focal update: v5.4.55 upstream stable release (LP: #1890343)
- AX.25: Fix out-of-bounds read in ax25_connect()
- AX.25: Prevent out-of-bounds read in ax25_sendmsg()
- dev: Defer free of skbs in flush_backlog
- drivers/net/wan/x25_asy: Fix to make it work
- ip6_gre: fix null-ptr-deref in ip6gre_init_net()
- net-sysfs: add a newline when printing 'tx_timeout' by sysfs
- net: udp: Fix wrong clean up for IS_UDPLITE macro
- qrtr: orphan socket in qrtr_release()
- rtnetlink: Fix memory(net_device) leak when ->newlink fails
- rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
- tcp: allow at most one TLP probe per flight
- AX.25: Prevent integer overflows in connect and sendmsg
- sctp: shrink stream outq only when new outcnt < old outcnt
- sctp: shrink stream outq when fails to do addstream reconf
- udp: Copy has_conns in reuseport_grow().
- udp: Improve load balancing for SO_REUSEPORT.
- regmap: debugfs: check count when read regmap file
- PM: wakeup: Show statistics for deleted wakeup sources again
- Revert "dpaa_eth: fix usage as DSA master, try 3"
- Linux 5.4.55

  * Add support for Atlantic NIC firmware v4 (LP: #1886908)
- net: atlantic: simplify hw_get_fw_version() usage
- net: atlantic: align return value of ver_match function with function name
- net: atlantic: add support for FW 4.x

  * perf vendor events s390: Add new deflate counters for IBM z15 (LP: #1888551)
- perf vendor events s390: Add new deflate counters for IBM z15

  * Focal update: v5.4.54 upstream stable release (LP: #1889669)
- soc: qcom: rpmh: Dirt can only make you dirtier, not cleaner
- gpio: arizona: handle pm_runtime_get_sync failure case
- gpio: arizona: put pm_runtime in case of failure
- pinctrl: amd: fix npins for uart0 in kerncz_groups
- mac80211: allow rx of mesh eapol frames with default rx key
- scsi: scsi_transport_spi: Fix function pointer check
- xtensa: fix __sync_fetch_and_{and,or}_4 declarations

[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-08-12 Thread Mauricio Faria de Oliveira
Verification done for Focal.

$ uname -rv
5.4.0-43-generic #47-Ubuntu SMP Sat Aug 8 06:34:35 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[  171.672847] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x583
[  171.674249] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x584
[  171.675676] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x583
[  171.676932] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x584
[  171.678154] accept() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x583
[  171.679617] release() :: comm = aa-refcnt-af_al, pid = 1600, sk->sk_security->label->count = 0x584


** Tags removed: verification-needed-focal
** Tags added: verification-done-focal

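The verification runs above start `./aa-refcnt-af_alg &`, the test case from comment #1, which this thread does not reproduce. The program below is an added example written for this page, not that test case: an accept()/close() loop over a bound AF_ALG hash socket, which is the user-space way to reach af_alg_accept() and so the security_sock_graft() and security_sk_clone() hooks once per iteration. It assumes a Linux kernel with CONFIG_CRYPTO_USER_API_HASH and the sha256 algorithm available; the function names and the choice of sha256 are this example's own.

```c
/*
 * Added example, not the aa-refcnt-af_alg.c test case from comment #1 (which
 * this thread refers to but does not show): an AF_ALG accept()/close() loop
 * that drives af_alg_accept(), where AppArmor's security_sock_graft() and
 * security_sk_clone() hooks run once per iteration. Assumes Linux with
 * CONFIG_CRYPTO_USER_API_HASH and the sha256 algorithm; run it under a kernel
 * with the kprobes from this thread enabled to watch the label count.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/if_alg.h>

/* Create and bind the parent AF_ALG socket; returns the fd, or -1 with errno set. */
int af_alg_open(const char *type, const char *name)
{
    struct sockaddr_alg sa;
    int fd = socket(AF_ALG, SOCK_SEQPACKET, 0);

    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    snprintf((char *)sa.salg_type, sizeof(sa.salg_type), "%s", type);
    snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s", name);
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

/* Run `cycles` accept()/close() pairs on a bound AF_ALG socket. Each accept()
 * enters af_alg_accept() (graft + clone hooks); each close() frees the child
 * socket and drops one label reference. Returns the number of completed
 * cycles, or -1 with errno set if accept() failed. */
long af_alg_cycles(int parent_fd, long cycles)
{
    for (long i = 0; i < cycles; i++) {
        int op_fd = accept(parent_fd, NULL, NULL);
        if (op_fd < 0)
            return -1;
        close(op_fd);
    }
    return cycles;
}

int main(int argc, char **argv)
{
    long remaining = argc > 1 ? atol(argv[1]) : -1;   /* no argument: run until killed */
    int fd = af_alg_open("hash", "sha256");

    if (fd < 0) {
        perror("AF_ALG socket/bind");
        return 1;
    }
    while (remaining != 0) {
        long step = remaining < 0 ? 1000 : remaining;
        if (af_alg_cycles(fd, step) < 0) {
            perror("accept");
            return 1;
        }
        if (remaining > 0)
            remaining -= step;
    }
    close(fd);
    return 0;
}
```

Run it with no argument to exercise the path indefinitely, as the [Test Case] section asks, with the kprobe events from this thread enabled, and kill it when done; with a count argument it stops after that many accept()/close() pairs. AF_ALG sockets need no special privileges, which is why the [Impact] section speaks of users of the Crypto API rather than of administrators.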


[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-08-12 Thread Mauricio Faria de Oliveira
Verification done for Bionic.

$ uname -rv
4.15.0-113-generic #114-Ubuntu SMP Sun Aug 9 07:27:58 UTC 2020

$ ./aa-refcnt-af_alg & 
$ sudo insmod kmod.ko
...
[  335.387236] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x582
[  335.388370] accept() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x581
[  335.389376] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x582
[  335.390558] accept() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x581
[  335.391521] release() :: comm = aa-refcnt-af_al, pid = 5764, sk->sk_security->label->count = 0x582


** Tags removed: verification-needed-bionic
** Tags added: verification-done-bionic



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-08-10 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
bionic' to 'verification-done-bionic'. If the problem still exists,
change the tag 'verification-needed-bionic' to 'verification-failed-
bionic'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-bionic



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-08-10 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
focal' to 'verification-done-focal'. If the problem still exists, change
the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-focal



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-07-27 Thread Launchpad Bug Tracker
This bug was fixed in the package linux - 5.3.0-64.58

---
linux (5.3.0-64.58) eoan; urgency=medium

  * eoan/linux: 5.3.0-64.58 -proposed tracker (LP: #1887088)

  * linux 4.15.0-109-generic network DoS regression vs -108 (LP: #1886668)
- SAUCE: Revert "netprio_cgroup: Fix unlimited memory leak of v2 cgroups"

linux (5.3.0-63.57) eoan; urgency=medium

  * eoan/linux: 5.3.0-63.57 -proposed tracker (LP: #1885495)

  * seccomp_bpf fails on powerpc (LP: #1885757)
- SAUCE: selftests/seccomp: fix ptrace tests on powerpc

  * The thread level parallelism would be a bottleneck when searching for the
shared pmd by using hugetlbfs (LP: #1882039)
- hugetlbfs: take read_lock on i_mmap for PMD sharing

  * Eoan update: upstream stable patchset 2020-06-30 (LP: #1885775)
- ipv6: fix IPV6_ADDRFORM operation logic
- net_failover: fixed rollback in net_failover_open()
- bridge: Avoid infinite loop when suppressing NS messages with invalid
  options
- vxlan: Avoid infinite loop when suppressing NS messages with invalid
  options
- tun: correct header offsets in napi frags mode
- Input: mms114 - fix handling of mms345l
- ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
- sched/fair: Don't NUMA balance for kthreads
- Input: synaptics - add a second working PNP_ID for Lenovo T470s
- drivers/net/ibmvnic: Update VNIC protocol version reporting
- powerpc/xive: Clear the page tables for the ESB IO mapping
- ath9k_htc: Silence undersized packet warnings
- RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
- x86/cpu/amd: Make erratum #1054 a legacy erratum
- perf probe: Accept the instance number of kretprobe event
- mm: add kvfree_sensitive() for freeing sensitive data objects
- aio: fix async fsync creds
- x86_64: Fix jiffies ODR violation
- x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
- x86/speculation: Prevent rogue cross-process SSBD shutdown
- x86/reboot/quirks: Add MacBook6,1 reboot quirk
- efi/efivars: Add missing kobject_put() in sysfs entry creation error path
- ALSA: es1688: Add the missed snd_card_free()
- ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines
- ALSA: usb-audio: Fix inconsistent card PM state after resume
- ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt
  Dock
- ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
- ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()
- ACPI: GED: add support for _Exx / _Lxx handler methods
- ACPI: PM: Avoid using power resources if there are none for D0
- nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
- spi: dw: Fix controller unregister order
- spi: bcm2835aux: Fix controller unregister order
- spi: bcm-qspi: when tx/rx buffer is NULL set to 0
- PM: runtime: clk: Fix clk_pm_runtime_get() error path
- crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is
  fully iterated
- ALSA: pcm: disallow linking stream to itself
- x86/{mce,mm}: Unmap the entire page if the whole page is affected and
  poisoned
- KVM: x86: Fix APIC page invalidation race
- KVM: x86/mmu: Consolidate "is MMIO SPTE" code
- KVM: x86: only do L1TF workaround on affected processors
- x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced
  IBRS.
- x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.
- spi: Fix controller unregister order
- spi: pxa2xx: Fix controller unregister order
- spi: bcm2835: Fix controller unregister order
- spi: pxa2xx: Fix runtime PM ref imbalance on probe error
- crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req()
- crypto: virtio: Fix src/dst scatterlist calculation in
  __virtio_crypto_skcipher_do_req()
- crypto: virtio: Fix dest length calculation in
  __virtio_crypto_skcipher_do_req()
- selftests/net: in rxtimestamp getopt_long needs terminating null entry
- ovl: initialize error in ovl_copy_xattr
- proc: Use new_inode not new_inode_pseudo
- video: fbdev: w100fb: Fix a potential double free.
- KVM: nSVM: fix condition for filtering async PF
- KVM: nSVM: leave ASID aside in copy_vmcb_control_area
- KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
- KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(_cpu_data)
- KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
- KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
- scsi: megaraid_sas: TM command refire leads to controller firmware crash
- ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
- ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
- ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
- ath9k: Fix general protection fault in 

[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-07-24 Thread Mauricio Faria de Oliveira
Verification done on "Disco" (linux-hwe-5.0)
---

# uname -rv
5.0.0-58-generic #62~18.04.1-Ubuntu SMP Tue Jul 14 03:37:30 UTC 2020

For some other reason the kprobes module is not picking up on accept,
only on release. This is unrelated to this patchset.

I used kprobe events instead, which is working, and reveals the ref
counter does not leak (stable increase/decrease on accept/release.)

On the example below, it varies between 0x64b and 0x64c, correctly.

# ./aa-refcnt-af_alg &

# echo 'p af_alg_accept sk=%di count=+0x0(+0x0(+0x278(%di))):x32' > /sys/kernel/debug/tracing/kprobe_events
# echo 'p af_alg_release_parent sk=%di count=+0x0(+0x0(+0x278(%di))):x32' >> /sys/kernel/debug/tracing/kprobe_events

# echo 1 > /sys/kernel/debug/tracing/events/kprobes/enable

# cat /sys/kernel/debug/tracing/trace_pipe
...
 aa-refcnt-af_al-21362 [002]  77023.869615: p_af_alg_accept_0: (af_alg_accept+0x0/0x1c0 [af_alg]) sk=0x9138b54c2400 count=0x64b
 aa-refcnt-af_al-21362 [002]  77023.869619: p_af_alg_release_parent_0: (af_alg_release_parent+0x0/0xc0 [af_alg]) sk=0x9138b5e27800 count=0x64c
 aa-refcnt-af_al-21362 [002]  77023.869623: p_af_alg_accept_0: (af_alg_accept+0x0/0x1c0 [af_alg]) sk=0x9138b54c2400 count=0x64b
 aa-refcnt-af_al-21362 [002]  77023.869626: p_af_alg_release_parent_0: (af_alg_release_parent+0x0/0xc0 [af_alg]) sk=0x9138b5e27800 count=0x64c
 aa-refcnt-af_al-21362 [002]  77023.869630: p_af_alg_accept_0: (af_alg_accept+0x0/0x1c0 [af_alg]) sk=0x9138b54c2400 count=0x64b
 aa-refcnt-af_al-21362 [002]  77023.869633: p_af_alg_release_parent_0: (af_alg_release_parent+0x0/0xc0 [af_alg]) sk=0x9138b5e27800 count=0x64c
...
ctrl-c

# echo 0 > /sys/kernel/debug/tracing/events/kprobes/enable
# echo > /sys/kernel/debug/tracing/kprobe_events
# killall aa-refcnt-af_alg


Details:
---

We want this value from 'struct sock *sk':
kref_read(&SK_CTX(sk)->label->count)

With:

#define SK_CTX(X) apparmor_sock(X)

static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk)
...
return sk->sk_security + apparmor_blob_sizes->lbs_sock;
...

Checking the value for lbs_sock w/ a kernel module:

[76604.268403] apparmor_blob_sizes->lbs_sock: 0

And struct member offsets:

$ pahole --hex -C sock usr/lib/debug/boot/vmlinux-5.0.0-58-generic | grep sk_security
void *                     sk_security;          /* 0x278   0x8 */

$ pahole --hex -C aa_sk_ctx usr/lib/debug/boot/vmlinux-5.0.0-58-generic | grep -w label
struct aa_label *          label;                /*     0   0x8 */

$ pahole --hex -C aa_label usr/lib/debug/boot/vmlinux-5.0.0-58-generic | grep -w count
struct kref                count;                /*     0   0x4 */


[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-07-06 Thread Mauricio Faria de Oliveira
Verification done on Eoan.
The apparmor label refcnt increments/decrements properly on accept()/release(), no leaks.

$ lsb_release -cs
eoan

$ uname -rv
5.3.0-63-generic #57-Ubuntu SMP Thu Jul 2 10:38:35 UTC 2020

$ apt-cache policy linux-image-$(uname -r)
linux-image-5.3.0-63-generic:
...
 *** 5.3.0-63.57 500
500 http://archive.ubuntu.com/ubuntu eoan-proposed/main amd64 Packages
...

$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
$ ./aa-refcnt-af_alg &

$ make
$ sudo insmod kmod.ko & 

$ dmesg
...
[  254.940413] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[  254.941665] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[  254.942932] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[  254.944187] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[  254.945484] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[  254.946741] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[  254.948023] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[  254.949282] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[  254.950572] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[  254.952526] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
...

$ sudo rmmod kmod

** Tags removed: verification-needed-eoan
** Tags added: verification-done-eoan


[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-07-03 Thread Ubuntu Kernel Bot
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag 'verification-needed-
eoan' to 'verification-done-eoan'. If the problem still exists, change
the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will
be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Thank you!


** Tags added: verification-needed-eoan


[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-30 Thread Khaled El Mously
** Changed in: linux (Ubuntu Bionic)
   Status: In Progress => Fix Committed

** Changed in: linux (Ubuntu Focal)
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-29 Thread Khaled El Mously
** Changed in: linux (Ubuntu Eoan)
   Status: In Progress => Fix Committed



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-29 Thread Mauricio Faria de Oliveira
It turns out that the 5.0 and 5.3 kernels should still be supported
on some custom kernels, thus sending the patch for Disco and Eoan.

[D/E][PATCH 0/1] Fix apparmor reference leak via AF_ALG
https://lists.ubuntu.com/archives/kernel-team/2020-June/111585.html

** Changed in: linux (Ubuntu Eoan)
   Status: Won't Fix => In Progress

** Changed in: linux (Ubuntu Eoan)
   Importance: Undecided => Medium

** Changed in: linux (Ubuntu Eoan)
 Assignee: (unassigned) => Mauricio Faria de Oliveira (mfo)



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-18 Thread Mauricio Faria de Oliveira
** Tags added: sts

** Changed in: linux (Ubuntu Groovy)
   Status: Won't Fix => Invalid



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-18 Thread Mauricio Faria de Oliveira
[B][PATCH 0/1] Fix apparmor reference leak via AF_ALG
https://lists.ubuntu.com/archives/kernel-team/2020-June/36.html

[B][PATCH 1/1] apparmor: check/put label on apparmor_sk_clone_security()
https://lists.ubuntu.com/archives/kernel-team/2020-June/37.html

[F][PATCH 1/1] apparmor: check/put label on apparmor_sk_clone_security()
https://lists.ubuntu.com/archives/kernel-team/2020-June/38.html



[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-18 Thread Mauricio Faria de Oliveira
After a few hours with the reproducer running on the original kernel,
the kernel errors about the reference count are observed:

Focal:
-

$ uname -rv
5.4.0-38-generic #42-Ubuntu SMP Mon Jun 8 14:14:24 UTC 2020

$ ./aa-refcnt-af_alg



[ 9581.048189] [ cut here ]
[ 9581.049497] refcount_t overflow at apparmor_sk_clone_security+0x35/0x70 in aa-refcnt-af_al[1023], uid/euid: 1000/1000
[ 9581.052125] WARNING: CPU: 1 PID: 1023 at kernel/panic.c:677 refcount_error_report+0x9b/0xab
[ 9581.054428] Modules linked in: ...
[ 9581.063137] CPU: 1 PID: 1023 Comm: aa-refcnt-af_al Tainted: G   OE     5.4.0-38-generic #42-Ubuntu
[ 9581.065494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 9581.067693] RIP: 0010:refcount_error_report+0x9b/0xab
...
[ 9581.088358] Call Trace:
[ 9581.089083]  ex_handler_refcount+0x50/0x70
[ 9581.090147]  fixup_exception+0x4a/0x61
[ 9581.091142]  do_trap+0x4e/0xf0
[ 9581.091998]  do_error_trap+0x7c/0xc0
[ 9581.092958]  ? csum_partial_copy_generic+0x1687/0x3a10
[ 9581.094250]  do_invalid_op+0x3c/0x50
[ 9581.095210]  ? csum_partial_copy_generic+0x1687/0x3a10
[ 9581.096505]  invalid_op+0x1e/0x30
[ 9581.097413] RIP: 0010:apparmor_sk_clone_security+0x35/0x70
...
[ 9581.113048]  security_sk_clone+0x2f/0x40
[ 9581.114078]  af_alg_accept+0x7e/0x190 [af_alg]
[ 9581.115456]  alg_accept+0x15/0x20 [af_alg]
[ 9581.116549]  __sys_accept4+0x109/0x210
[ 9581.117549]  ? _cond_resched+0x19/0x30
[ 9581.118545]  __x64_sys_accept+0x1c/0x20
[ 9581.119573]  do_syscall_64+0x57/0x190
[ 9581.120551]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 9581.121821] RIP: 0033:0x7efc1bc390a7
...


Bionic:
--

$ uname -rv
4.15.0-107-generic #108-Ubuntu SMP Mon Jun 8 17:51:33 UTC 2020

$ ./aa-refcnt-af_alg


[ 8460.359291] [ cut here ]
[ 8460.360638] refcount_t overflow at apparmor_sk_clone_security+0x37/0x70 in aa-refcnt-af_al[1243], uid/euid: 1000/1000
[ 8460.363332] WARNING: CPU: 1 PID: 1243 at /build/linux-oHXYZI/linux-4.15.0/kernel/panic.c:662 refcount_error_report+0x9c/0xac
[ 8460.366556] Modules linked in: ...
[ 8460.375936] CPU: 1 PID: 1243 Comm: aa-refcnt-af_al Tainted: G   OE    4.15.0-107-generic #108-Ubuntu
[ 8460.378352] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
[ 8460.380598] RIP: 0010:refcount_error_report+0x9c/0xac
...
[ 8460.397294] Call Trace:
[ 8460.398331]  ex_handler_refcount+0x52/0x80
[ 8460.399432]  fixup_exception+0x3a/0x50
[ 8460.400462]  do_trap+0x8a/0x140
[ 8460.401346]  do_error_trap+0xa6/0x140
[ 8460.402355]  ? csum_partial_copy_generic+0xcfb/0x27a0
[ 8460.403671]  ? ___slab_alloc+0x204/0x4f0
[ 8460.404730]  ? ___slab_alloc+0x204/0x4f0
[ 8460.405786]  ? get_empty_filp+0x5c/0x1c0
[ 8460.406840]  do_invalid_op+0x20/0x30
[ 8460.407830]  invalid_op+0x1b/0x40
[ 8460.408755] RIP: 0010:apparmor_sk_clone_security+0x37/0x70
...
[ 8460.420262]  security_sk_clone+0x33/0x50
[ 8460.421314]  af_alg_accept+0x81/0x1c0 [af_alg]
[ 8460.422484]  ? aa_sock_accept_perm+0x25/0x30
[ 8460.423623]  alg_accept+0x15/0x20 [af_alg]
[ 8460.424725]  SYSC_accept4+0xff/0x210
[ 8460.425706]  ? mntput+0x24/0x40
[ 8460.426598]  ? __fput+0x193/0x220
[ 8460.427536]  ? _cond_resched+0x19/0x40
[ 8460.428561]  ? task_work_run+0x46/0xc0
[ 8460.429586]  SyS_accept+0x10/0x20
[ 8460.430518]  do_syscall_64+0x73/0x130
[ 8460.431522]  entry_SYSCALL_64_after_hwframe+0x41/0xa6
[ 8460.432830] RIP: 0033:0x7f0ecc0c87e4
...

** Description changed:

  [Impact]
  
   * Users of the Crypto (user-space) API (i.e., AF_ALG)
     can trigger refcount errors in AppArmor under high
     load (might lead to memory leak or use after free.)
  
   * There is a reference leak in AppArmor when af_alg_accept()
     calls security_sock_graft() and then security_sk_clone().
  
   * Both acquire a reference to a label, to assign it to the
     same pointer, but the latter does not release the former's
     acquired reference (before overwriting the pointer value.)
  
   * This reference leak builds up over time, and under high
     load can eventually overflow/underflow/saturate refcount,
     depending on which value it has when a program hits that.
  
   * The fix just checks if the pointer has an assigned label,
     then releases its acquired reference.
  
  [Test Case]
  
+  * See comment #1 for the test-case 'aa-refcnt-af_alg.c'.
+ 
   * Exercise that code path indefinitely until it hits
 the refcount_t overflow/underflow/saturate message
-(or not, with the patch.)
+(or not, with the patch.) (see comment #4)
  
-  * See comment #1 for the test-case 'aa-refcnt-af_alg.c'.
- 
-If the problem happens, in a few hours there is an
-error message in the kernel logs (see comment #1.)
+    If the problem happens, in a few hours there is an
+    error message in the kernel logs (see comment #1.)
  
   * It's possible to monitor refcount values with kprobes,
-to confirm whether or not the 

[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-18 Thread Mauricio Faria de Oliveira
Monitoring the label reference count with the kprobes module:

- original kernel: the counter keeps increasing on every pair of accept()/release() syscalls.
- modified kernel: the counter stays stable.

Focal:
-

original)

$ uname -rv
5.4.0-38-generic #42-Ubuntu SMP Mon Jun 8 14:14:24 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4739.811403] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e0
[ 4739.813677] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2
[ 4739.815994] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e1
[ 4739.818274] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e3
[ 4739.820555] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2
[ 4739.822833] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e4
...
$ sudo rmmod kmod

modified)

$ uname -rv
5.4.0-38-generic #42+test20200617b1 SMP Wed Jun 17 16:31:24 -03 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[  185.657133] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649
[  185.660720] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a
[  185.664321] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649
[  185.668981] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a
[  185.672648] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x629
[  185.676299] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x62a
...
$ sudo rmmod kmod


Bionic:
--

original)

$ uname -rv
4.15.0-107-generic #108-Ubuntu SMP Mon Jun 8 17:51:33 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4333.136581] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e85
[ 4333.139131] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e87
[ 4333.141650] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e86
[ 4333.144142] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e88
[ 4333.146675] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e87
[ 4333.149199] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e89
...
$ sudo rmmod kmod


modified)

$ uname -rv
4.15.0-107-generic #108+test20200617b1 SMP Wed Jun 17 16:33:16 -03 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[  245.921217] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[  245.923456] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
[  245.925718] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[  245.927954] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
[  245.930221] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[  245.932469] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
...
$ sudo rmmod kmod
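Reading those excerpts by hand works for six lines; for a long run it is easier to let a program derive the two signals the comparison rests on. The following is an added example, not code from the bug report or from the attached kmod.c: it parses the kprobe lines quoted above (the six Focal lines from each kernel are embedded as sample input copied from the excerpts), computes how many label references one accept() added (the release() probe fires before its put, so release-entry minus accept-entry count is that number), and flags a leak when the accept-entry count rises on every pair. The format string, probe_event and the function names are this example's own.

```c
#include <stdio.h>
#include <string.h>

/* Added example: analyse kprobe output of the shape quoted in the bug.
 * Sample lines below are copied from the Focal excerpts in the thread. */

struct probe_event {
    char hook[16];       /* "accept" or "release" */
    int pid;
    unsigned int count;  /* sk->sk_security->label->count at probe entry */
};

/* Parse one dmesg line printed by the kprobes module. Returns 1 on a
 * full match, 0 for any other line (so unrelated dmesg noise is skipped). */
int parse_probe_line(const char *line, struct probe_event *ev)
{
    double ts;
    char comm[32];
    int n = sscanf(line,
                   "[ %lf] %15[^(]() :: comm = %31[^,], pid = %d,"
                   " sk->sk_security->label->count = %x",
                   &ts, ev->hook, comm, &ev->pid, &ev->count);
    return n == 5;
}

/* Constructed sample input: the six original-kernel Focal lines above. */
static const char *const ORIGINAL_FOCAL[] = {
    "[ 4739.811403] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e0",
    "[ 4739.813677] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2",
    "[ 4739.815994] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e1",
    "[ 4739.818274] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e3",
    "[ 4739.820555] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2",
    "[ 4739.822833] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e4",
};
static const size_t ORIGINAL_N = sizeof ORIGINAL_FOCAL / sizeof ORIGINAL_FOCAL[0];

/* Constructed sample input: the six modified-kernel Focal lines above. */
static const char *const MODIFIED_FOCAL[] = {
    "[  185.657133] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649",
    "[  185.660720] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a",
    "[  185.664321] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649",
    "[  185.668981] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a",
    "[  185.672648] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x629",
    "[  185.676299] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x62a",
};
static const size_t MODIFIED_N = sizeof MODIFIED_FOCAL / sizeof MODIFIED_FOCAL[0];

/* References one accept() added: the release() probe fires before its
 * put, so release-entry minus the preceding accept-entry count is what
 * accept() took. Returns -1 if the log holds no accept/release pair. */
int refs_taken_by_accept(const char *const *lines, size_t n)
{
    struct probe_event ev;
    int have_accept = 0;
    unsigned int at_accept = 0;
    for (size_t i = 0; i < n; i++) {
        if (!parse_probe_line(lines[i], &ev))
            continue;
        if (strcmp(ev.hook, "accept") == 0) {
            at_accept = ev.count;
            have_accept = 1;
        } else if (have_accept && strcmp(ev.hook, "release") == 0) {
            return (int)(ev.count - at_accept);
        }
    }
    return -1;
}

/* Gather the counts seen at accept() entry, in log order. */
static int accept_counts(const char *const *lines, size_t n, unsigned int *out, int max)
{
    struct probe_event ev;
    int k = 0;
    for (size_t i = 0; i < n && k < max; i++)
        if (parse_probe_line(lines[i], &ev) && strcmp(ev.hook, "accept") == 0)
            out[k++] = ev.count;
    return k;
}

/* Leak heuristic: every accept() entry sees a strictly higher count than
 * the previous one. Other holders of the same label may move the count
 * concurrently (the modified-kernel excerpt even shows it falling), so
 * only sustained growth across pairs is flagged. */
int leak_suspected(const char *const *lines, size_t n)
{
    unsigned int c[64];
    int k = accept_counts(lines, n, c, 64);
    if (k < 2)
        return 0;
    for (int i = 1; i < k; i++)
        if (c[i] <= c[i - 1])
            return 0;
    return 1;
}

/* Mean change of the accept()-entry count per accept/close pair. */
long growth_per_pair(const char *const *lines, size_t n)
{
    unsigned int c[64];
    int k = accept_counts(lines, n, c, 64);
    return k < 2 ? 0 : ((long)c[k - 1] - (long)c[0]) / (k - 1);
}

int main(void)
{
    printf("original: accept() adds %d ref(s), %+ld/pair, leak suspected: %d\n",
           refs_taken_by_accept(ORIGINAL_FOCAL, ORIGINAL_N),
           growth_per_pair(ORIGINAL_FOCAL, ORIGINAL_N), leak_suspected(ORIGINAL_FOCAL, ORIGINAL_N));
    printf("modified: accept() adds %d ref(s), %+ld/pair, leak suspected: %d\n",
           refs_taken_by_accept(MODIFIED_FOCAL, MODIFIED_N),
           growth_per_pair(MODIFIED_FOCAL, MODIFIED_N), leak_suspected(MODIFIED_FOCAL, MODIFIED_N));
    return 0;
}
```

On the original-kernel sample, accept() adds two references and the count grows by one per pair; on the modified kernel it adds one and the count does not grow. The drop to 0x629 in the modified excerpt is the caveat for any such monitor: the label is shared, so other holders' gets and puts show up in the same counter, and a single pair's delta is not enough evidence on its own.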


Title:
  apparmor reference leak causes refcount_t overflow with
  af_alg_accept()

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Eoan:
  Won't Fix
Status in linux source package in Focal:
  In Progress
Status in linux source package in Groovy:
  Won't Fix


[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-18 Thread Mauricio Faria de Oliveira
kprobes module to monitor the apparmor label reference count.

** Attachment added: "kmod.c"
   https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1883962/+attachment/5385006/+files/kmod.c


Title:
  apparmor reference leak causes refcount_t overflow with
  af_alg_accept()

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Eoan:
  Won't Fix
Status in linux source package in Focal:
  In Progress
Status in linux source package in Groovy:
  Won't Fix




[Kernel-packages] [Bug 1883962] Re: apparmor reference leak causes refcount_t overflow with af_alg_accept()

2020-06-17 Thread Mauricio Faria de Oliveira
Test Case:
-

$ cat aa-refcnt-af_alg.c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/if_alg.h>

int main() {
    int sockfd;
    struct sockaddr_alg sa;

    /* Setup the crypto API socket */
    sockfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
    if (sockfd < 0) {
        perror("socket");
        return 1;
    }

    memset(&sa, 0, sizeof(sa));
    sa.salg_family = AF_ALG;
    strcpy((char *) sa.salg_type, "rng");
    strcpy((char *) sa.salg_name, "stdrng");

    if (bind(sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
        perror("bind");
        return 1;
    }

    /* Accept a "connection" and close it; repeat.
     * Each accept() goes through af_alg_accept() -> security_sock_graft()
     * + security_sk_clone(); on an unpatched kernel every iteration
     * leaks one reference to the AppArmor label. */
    while (!close(accept(sockfd, NULL, 0)));

    return 0;
}

$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c

$ ./aa-refcnt-af_alg


[ 9928.475953] refcount_t overflow at apparmor_sk_clone_security+0x37/0x70 in aa-refcnt-af_alg[1322], uid/euid: 1000/1000
...
[ 9928.507443] RIP: 0010:apparmor_sk_clone_security+0x37/0x70
...
[ 9928.514286]  security_sk_clone+0x33/0x50
[ 9928.514807]  af_alg_accept+0x81/0x1c0 [af_alg]
[ 9928.516091]  alg_accept+0x15/0x20 [af_alg]
[ 9928.516682]  SYSC_accept4+0xff/0x210
[ 9928.519609]  SyS_accept+0x10/0x20
[ 9928.520190]  do_syscall_64+0x73/0x130
[ 9928.520808]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Note that other messages may be seen, not just overflow, depending on
the value being incremented by kref_get(); on another run:

[ 7273.182666] refcount_t: saturated; leaking memory.
...
[ 7273.185789] refcount_t: underflow; use-after-free.

** Description changed:

  [Impact]
  
-  * Users of the Crypto (user-space) API (i.e., AF_ALG)
-can trigger refcount errors in AppArmor under high
-load (might lead to memory leak or use after free.)
+  * Users of the Crypto (user-space) API (i.e., AF_ALG)
+    can trigger refcount errors in AppArmor under high
+    load (might lead to memory leak or use after free.)
  
-  * There is a reference leak in AppArmor when af_alg_accept()
-calls security_sock_graft() and then security_sk_clone().
-
-  * Both acquire a reference to a label, to assign it to the
-same pointer, but the latter does not release the former's
-acquired reference (before overwriting the pointer value.)
-
-  * This reference leak builds up over time, and under high
-load can eventually overflow/underflow/saturate refcount,
-depending on which value it has when a program hits that.
-
-  * The fix just checks if the pointer has an assigned label,
-then releases its acquired reference.
+  * There is a reference leak in AppArmor when af_alg_accept()
+    calls security_sock_graft() and then security_sk_clone().
+ 
+  * Both acquire a reference to a label, to assign it to the
+    same pointer, but the latter does not release the former's
+    acquired reference (before overwriting the pointer value.)
+ 
+  * This reference leak builds up over time, and under high
+    load can eventually overflow/underflow/saturate refcount,
+    depending on which value it has when a program hits that.
+ 
+  * The fix just checks if the pointer has an assigned label,
+    then releases its acquired reference.
  
  [Test Case]
  
-  * See comment # for the test-case 'aa-refcnt-af_alg.c'.
+  * Exercise that code path indefinitely until it hits
+the refcount_t overflow/underflow/saturate message
+(or not, with the patch.)
  
-  * Exercise that code path indefinitely until it hits
-the refcount_t overflow/underflow/saturate message.
-(in a few hours.)
-
-  * It's possible to monitor refcount values with kprobes.
+  * See comment #1 for the test-case 'aa-refcnt-af_alg.c'.
+ 
+If the problem happens, in a few hours there is an
+error message in the kernel logs (see comment #1.)
+ 
+  * It's possible to monitor refcount values with kprobes,
+to confirm whether or not the problem is happening.
  
  [Other Info]
  
-  * Patch applied upstream on v5.8-rc1 [1]
-  * Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
-  * Not required on Groovy (still 5.4; should sync from Unstable)
-  * Not required on Eoan (EOL date before SRU cycle release date)
-  * Required on Bionic and Focal.
+  * Patch applied upstream on v5.8-rc1 [1]
+  * Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
+  * Not required on Groovy (still 5.4; should sync from Unstable)
+  * Not required on Eoan (EOL date before SRU cycle release date)
+  * Required on Bionic and Focal.
  
  [1]
  
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8
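The [Impact] bullets above describe the mechanism in three steps: security_sock_graft() takes a reference to the label and stores the pointer, security_sk_clone() takes another reference and overwrites the same pointer, and the fix releases whatever the pointer already holds before overwriting it. The following is an added user-space model of exactly that, not code from the bug report or from the kernel: struct label, struct sk_security, the model_* functions and the plain-integer counter are stand-ins, and the starting values are taken from the kprobe excerpts earlier in the thread so the results can be compared with them.

```c
#include <stdio.h>

/* Added example: user-space model of the label reference leak and its
 * fix. All names are stand-ins for the kernel's; the counter is a plain
 * unsigned int, so refcount_t's overflow/underflow detection is not
 * modelled here. */

struct label {
    unsigned int count;      /* stands in for the label's refcount_t */
};

struct sk_security {
    struct label *label;     /* stands in for sk->sk_security->label */
};

static struct label *label_get(struct label *l) { l->count++; return l; }
static void label_put(struct label *l) { l->count--; }

/* security_sock_graft() as the bug describes it: the new socket takes a
 * reference to the listener's label and stores the pointer. */
static void model_sock_graft(struct sk_security *newsk, struct label *parent)
{
    newsk->label = label_get(parent);
}

/* security_sk_clone() before the fix: takes another reference to the
 * same label and overwrites the pointer without releasing the reference
 * sock_graft() stored there. That first reference is never dropped. */
static void model_sk_clone_buggy(struct sk_security *newsk, struct label *parent)
{
    newsk->label = label_get(parent);
}

/* security_sk_clone() after the fix: if the pointer already holds a
 * label, release that reference, then overwrite the pointer. */
static void model_sk_clone_fixed(struct sk_security *newsk, struct label *parent)
{
    if (newsk->label)
        label_put(newsk->label);
    newsk->label = label_get(parent);
}

/* One accept() on the AF_ALG socket: af_alg_accept() grafts first and
 * clones second, the order given in the bug description. */
static void model_accept(struct sk_security *newsk, struct label *parent, int fixed)
{
    newsk->label = NULL;
    model_sock_graft(newsk, parent);
    if (fixed)
        model_sk_clone_fixed(newsk, parent);
    else
        model_sk_clone_buggy(newsk, parent);
}

/* One close(): the accepted socket drops the single reference it is
 * supposed to own. */
static void model_release(struct sk_security *sk)
{
    label_put(sk->label);
    sk->label = NULL;
}

/* References added by one accept(), i.e. what the release() probe sees
 * above the accept()-entry value: 2 on the buggy path, 1 when fixed. */
unsigned int refs_after_accept(unsigned int start, int fixed)
{
    struct label parent = { start };
    struct sk_security newsk = { NULL };
    model_accept(&newsk, &parent, fixed);
    return parent.count - start;
}

/* Label count after `pairs` accept()/close() pairs starting from `start`;
 * this is the value an accept()-entry probe would report next. */
unsigned int count_after_pairs(unsigned int start, unsigned int pairs, int fixed)
{
    struct label parent = { start };
    struct sk_security newsk = { NULL };
    for (unsigned int i = 0; i < pairs; i++) {
        model_accept(&newsk, &parent, fixed);
        model_release(&newsk);
    }
    return parent.count;
}

int main(void)
{
    /* Starting values copied from the Focal kprobe excerpts. */
    printf("buggy: 0x%x -> 0x%x after 2 pairs\n", 0x40b395e0u, count_after_pairs(0x40b395e0u, 2, 0));
    printf("fixed: 0x%x -> 0x%x after 2 pairs\n", 0x649u, count_after_pairs(0x649u, 2, 1));
    return 0;
}
```

Starting from 0x40b395e0 the buggy path reaches 0x40b395e2 after two pairs, matching the third accept() line in the original-kernel excerpt, while the fixed path stays at 0x649. The model wraps silently at UINT_MAX; the kernel's refcount_t does not, which is why the report sees "refcount_t overflow", "saturated; leaking memory" or "underflow; use-after-free" depending on the value the counter has reached when the leak finally pushes it over.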


Title:
  apparmor reference leak causes refcount_t overflow with
  af_alg_accept()

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Eoan:
  Won't Fix
Status in linux source package