Verification done on Eoan.
The apparmor label refcnt inc/dec-rements properly on accept()/release(), no
leaks.
$ lsb_release -cs
eoan
$ uname -rv
5.3.0-63-generic #57-Ubuntu SMP Thu Jul 2 10:38:35 UTC 2020
$ apt-cache policy linux-image-$(uname -r)
linux-image-5.3.0-63-generic:
...
*** 5.3.0-63.57 500
500 http://archive.ubuntu.com/ubuntu eoan-proposed/main amd64 Packages
...
$ gcc -o aa-refcnt-af_alg aa-refcnt-af_alg.c
$ ./aa-refcnt-af_alg &
$ make
$ sudo insmod kmod.ko &
$ dmesg
...
[ 254.940413] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.941665] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.942932] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.944187] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.945484] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.946741] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.948023] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.949282] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
[ 254.950572] accept() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a4
[ 254.952526] release() :: comm = aa-refcnt-af_al, pid = 1540, sk->sk_security->label->count = 0x6a5
...
$ sudo rmmod kmod
** Tags removed: verification-needed-eoan
** Tags added: verification-done-eoan
https://bugs.launchpad.net/bugs/1883962
Title:
apparmor reference leak causes refcount_t overflow with af_alg_accept()
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Bionic:
Fix Committed
Status in linux source package in Eoan:
Fix Committed
Status in linux source package in Focal:
Fix Committed
Status in linux source package in Groovy:
Invalid
Bug description:
[Impact]
* Users of the Crypto (user-space) API (i.e., AF_ALG) can trigger refcount errors in AppArmor under high load (which might lead to a memory leak or use-after-free).
* There is a reference leak in AppArmor when af_alg_accept() calls security_sock_graft() and then security_sk_clone().
* Both acquire a reference to a label and assign it to the same pointer, but the latter does not release the former's acquired reference before overwriting the pointer value.
* This reference leak builds up over time, and under high load can eventually overflow/underflow/saturate the refcount, depending on the refcount's value at the time a program hits it.
* The fix just checks if the pointer has an assigned label, then releases its acquired reference.
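A user-space model of the reference accounting described above, added here as an illustration (it is not the kernel's code or the patch itself): the structs, helper names and the leaked_after() driver are constructed stand-ins, and the "leaky" and "fixed" clone routines mirror only the get/put behaviour the bug description attributes to security_sk_clone() before and after the fix.

```c
#include <stddef.h>

/* Constructed stand-ins for this example (not the kernel's struct aa_label or
 * struct aa_sk_ctx): a refcounted label and a socket security blob holding
 * one label pointer. */
struct label { unsigned int count; };
struct sk_sec { struct label *label; };
static struct label *label_get(struct label *l) { l->count++; return l; }
static void label_put(struct label *l) { l->count--; }

/* Models security_sock_graft(): the new socket takes a reference to the
 * current task's label and stores the pointer. */
static void sock_graft(struct sk_sec *sec, struct label *cur)
{
    sec->label = label_get(cur);
}

/* Models the leaky security_sk_clone(): takes a second reference and
 * overwrites the pointer, so the reference sock_graft() took is never put. */
static void sk_clone_leaky(struct sk_sec *sec, struct label *cur)
{
    sec->label = label_get(cur);
}

/* Models the fixed security_sk_clone(): put the reference already held
 * through the pointer before overwriting it. */
static void sk_clone_fixed(struct sk_sec *sec, struct label *cur)
{
    if (sec->label)
        label_put(sec->label);
    sec->label = label_get(cur);
}

/* Models socket release: drop the one reference the socket should hold. */
static void sk_release(struct sk_sec *sec)
{
    label_put(sec->label);
    sec->label = NULL;
}

/* Run n accept()/release() cycles through the af_alg_accept() sequence and
 * return the references left on the label afterwards (0 means no leak). */
unsigned int leaked_after(int n, int fixed)
{
    struct label l = { 0 };
    for (int i = 0; i < n; i++) {
        struct sk_sec sec = { NULL };
        sock_graft(&sec, &l);
        if (fixed) sk_clone_fixed(&sec, &l); else sk_clone_leaky(&sec, &l);
        sk_release(&sec);
    }
    return l.count;
}
```

With the leaky clone every cycle leaves one extra reference behind, which is the steady growth a real refcount_t eventually reports as an overflow or saturation; with the fixed clone the count returns to zero after each release, matching the alternating values in the dmesg output above.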
[Test Case]
* See comment #1 for the test-case 'aa-refcnt-af_alg.c'.
* Exercise that code path indefinitely until it hits the refcount_t overflow/underflow/saturate message (or not, with the patch.) (see comment #4)
* It's possible to monitor refcount values with kprobes, to confirm whether or not the problem is happening. (see comments #2 and #3)
[Other Info]
* Patch applied upstream on v5.8-rc1 [1]
* Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
* Not required on Groovy (still 5.4; should sync from Unstable)
* Not required on Eoan (EOL date before SRU cycle release date)
* Required on Bionic and Focal.
[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8