This bug was fixed in the package linux - 4.4.0-161.189
---------------
linux (4.4.0-161.189) xenial; urgency=medium
* xenial/linux: 4.4.0-161.189 -proposed tracker (LP: #1841544)
* flock not mediated by 'k' (LP: 1658219)
- Revert "UBUNTU: SAUCE: apparmor: flock mediation is not being, enforced on
cache check"
* Packaging resync (LP: #1786013)
- [Packaging] resync getabis
linux (4.4.0-160.188) xenial; urgency=medium
* xenial/linux: 4.4.0-160.188 -proposed tracker (LP: #1840021)
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
* EeePC 1005px laptop backlight is off after system boot up (LP: #1837117)
- platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys
from
asus_nb_wmi
* CVE-2019-10638
- [Config] CONFIG_TEST_HASH=n
- siphash: add cryptographically secure PRF
- inet: switch IP ID generator to siphash
* Stacked onexec transitions fail when under NO NEW PRIVS restrictions
(LP: #1839037)
- SAUCE: apparmor: fix nnp subset check failure, when stacking
* AppArmor onexec transition causes WARN kernel stack trace (LP: #1838627)
- SAUCE: apparmor: fix audit failures when performing profile transitions
* flock not mediated by 'k' (LP: 1658219) // Ubuntu 16.04: read access
incorrectly implies 'm' rule (LP: 1838090)
- SAUCE: apparmor: flock mediation is not being, enforced on cache check
* bcache: bch_allocator_thread(): hung task timeout (LP: #1784665) // Tight
timeout for bcache removal causes spurious failures (LP: #1796292)
- SAUCE: bcache: fix deadlock in bcache_allocator
* bcache: bch_allocator_thread(): hung task timeout (LP: #1784665)
- bcache: improve bcache_reboot()
- bcache: add journal statistic
- bcache: fix high CPU occupancy during journal
- bcache: fix incorrect sysfs output value of strip size
- bcache: fix error return value in memory shrink
- bcache: fix using of loop variable in memory shrink
- bcache: Fix indentation
- bcache: Add __printf annotation to __bch_check_keys()
- bcache: Annotate switch fall-through
- bcache: Fix kernel-doc warnings
- bcache: Remove an unused variable
- bcache: Suppress more warnings about set-but-not-used variables
- bcache: Reduce the number of sparse complaints about lock imbalances
- bcache: Move couple of functions to sysfs.c
* CVE-2019-3900
- vhost: introduce vhost_vq_avail_empty()
- vhost_net: tx batching
- vhost_net: do not stall on zerocopy depletion
- vhost-net: set packet weight of tx polling to 2 * vq size
- vhost_net: use packet weight for rx handler, too
- vhost_net: introduce vhost_exceeds_weight()
- vhost: introduce vhost_exceeds_weight()
- vhost_net: fix possible infinite loop
- vhost: scsi: add weight support
* Xenial: ZFS deadlock in shrinker path with xattrs (LP: #1839521)
- SAUCE: (noup) Update zfs to 0.6.5.6-0ubuntu28
* CVE-2019-13648
- powerpc/tm: Fix oops on sigreturn on systems without TM
* CVE-2018-20856
- block: blk_init_allocated_queue() set q->fq as NULL in the fail case
* CVE-2019-14283
- floppy: fix out-of-bounds read in copy_buffer
* CVE-2019-14284
- floppy: fix div-by-zero in setup_format_params
* Xenial update: 4.4.186 upstream stable release (LP: #1838467)
- Input: elantech - enable middle button support on 2 ThinkPads
- samples, bpf: fix to change the buffer size for read()
- mac80211: mesh: fix RCU warning
- dt-bindings: can: mcp251x: add mcp25625 support
- can: mcp251x: add support for mcp25625
- Input: imx_keypad - make sure keyboard can always wake up system
- ARM: davinci: da850-evm: call regulator_has_full_constraints()
- ARM: davinci: da8xx: specify dma_coherent_mask for lcdc
- md: fix for divide error in status_resync
- bnx2x: Check if transceiver implements DDM before access
- udf: Fix incorrect final NOT_ALLOCATED (hole) extent length
- x86/ptrace: Fix possible spectre-v1 in ptrace_get_debugreg()
- x86/tls: Fix possible spectre-v1 in do_get_thread_area()
- mwifiex: Abort at too short BSS descriptor element
- fscrypt: don't set policy for a dead directory
- mwifiex: Don't abort on small, spec-compliant vendor IEs
- USB: serial: ftdi_sio: add ID for isodebug v1
- USB: serial: option: add support for GosunCn ME3630 RNDIS mode
- usb: gadget: ether: Fix race between gether_disconnect and rx_submit
- usb: renesas_usbhs: add a workaround for a race condition of workqueue
- staging: comedi: dt282x: fix a null pointer deref on interrupt
- staging: comedi: amplc_pci230: fix null pointer deref on interrupt
- carl9170: fix misuse of device driver API
- VMCI: Fix integer overflow in VMCI handle arrays
- MIPS: Remove superfluous check for __linux__
- e1000e: start network tx queue only when link is up
- perf/core: Fix perf_sample_regs_user() mm check
- ARM: omap2: remove incorrect __init annotation
- be2net: fix link failure after ethtool offline test
- ppp: mppe: Add softdep to arc4
- sis900: fix TX completion
- dm verity: use message limit for data block corruption message
- kvm: x86: avoid warning on repeated KVM_SET_TSS_ADDR
- ARC: hide unused function unw_hdr_alloc
- s390: fix stfle zero padding
- s390/qdio: (re-)initialize tiqdio list entries
- s390/qdio: don't touch the dsci in tiqdio_add_input_queues()
- KVM: x86: protect KVM_CREATE_PIT/KVM_CREATE_PIT2 with kvm->lock
- Linux 4.4.186
-- Stefan Bader <stefan.ba...@canonical.com> Tue, 27 Aug 2019 09:49:19
+0200
** Changed in: linux (Ubuntu Xenial)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-20856
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-10638
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-13648
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14283
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14284
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-3900
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1838627
Title:
AppArmor onexec transition causes WARN kernel stack trace
Status in linux package in Ubuntu:
Incomplete
Status in linux source package in Xenial:
Fix Released
Bug description:
microk8s has reported on issue with the Xenial kernel where apparmor
causes the following kernel stack trace due to an apparmor AA_BUG
condition being triggered.
[ 225.236085] ------------[ cut here ]------------
[ 225.236104] WARNING: CPU: 1 PID: 13726 at
/build/linux-aUWTNP/linux-4.4.0/security/apparmor/file.c:136
aa_audit_file+0x16e/0x180()
[ 225.236109] AppArmor WARN aa_audit_file:
((!(&sa)->apparmor_audit_data->request)):
[ 225.236113] Modules linked in:
[ 225.236118] btrfs xor raid6_pq ufs qnx4 hfsplus hfs minix ntfs msdos jfs
xfs veth xt_nat xt_mark xt_comment ip_vs_sh ip_vs_wrr ip_vs_rr ip_vs libcrc32c
ctr ccm ipt_MASQUERADE nf_nat_masquerade_ipv4 nf_conntrack_netlink nfnetlink
xfrm_user xfrm_algo iptable_nat nf_nat_ipv4 br_netfilter bridge stp llc
pci_stub vboxpci(OE) vboxnetadp(OE) vboxnetflt(OE) vboxdrv(OE) bnep aufs
overlay binfmt_misc drbg ansi_cprng dm_crypt snd_hda_codec_hdmi arc4 eeepc_wmi
asus_wmi sparse_keymap nvidia_uvm(POE) mxm_wmi joydev input_leds btusb btrtl
btbcm btintel bluetooth snd_usb_audio snd_usbmidi_lib snd_hda_intel
snd_hda_codec intel_rapl x86_pkg_temp_thermal snd_hda_core intel_powerclamp
snd_hwdep coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul
ghash_clmulni_intel snd_ens1371 snd_ac97_codec gameport ac97_bus
[ 225.236305] snd_seq_midi aesni_intel snd_pcm snd_seq_midi_event
aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd snd_rawmidi snd_seq
iwlmvm snd_seq_device serio_raw snd_timer mac80211 snd soundcore iwlwifi
cfg80211 mei_me mei shpchp 8250_fintek wmi acpi_pad mac_hid ip6t_REJECT
nf_reject_ipv6 nf_log_ipv6 xt_hl ip6t_rt nf_conntrack_ipv6 nf_defrag_ipv6
ipt_REJECT nf_reject_ipv4 nf_log_ipv4 nf_log_common xt_LOG xt_recent xt_limit
xt_tcpudp xt_addrtype nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack
ip6table_filter ip6_tables nf_conntrack_netbios_ns nf_conntrack_broadcast
nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack parport_pc iptable_filter
ip_tables ppdev x_tables lp parport autofs4 hid_generic usbhid hid
nvidia_drm(POE) nvidia_modeset(POE) nvidia(POE) i915_bpo psmouse e1000e
intel_ips ptp i2c_algo_bit
[ 225.236420] pps_core drm_kms_helper nvme syscopyarea sysfillrect
sysimgblt fb_sys_fops ahci drm libahci video fjes
[ 225.236446] CPU: 1 PID: 13726 Comm: runc:[2:INIT] Tainted: P W OE
4.4.0-154-generic #181-Ubuntu
[ 225.236451] Hardware name: System manufacturer System Product Name/PRIME
H270-PRO, BIOS 0323 01/04/2017
[ 225.236456] 0000000000000286 fa217f3573a84520 ffff88033ade39d0
ffffffff8140b481
[ 225.236464] ffff88033ade3a18 ffffffff81d03018 ffff88033ade3a08
ffffffff81085432
[ 225.236477] ffff88035cb2f000 ffff88033ade3b6c ffff88033bcb8b88
ffff88033ade3d88
[ 225.236484] Call Trace:
[ 225.236498] [<ffffffff8140b481>] dump_stack+0x63/0x82
[ 225.236509] [<ffffffff81085432>] warn_slowpath_common+0x82/0xc0
[ 225.236518] [<ffffffff810854cc>] warn_slowpath_fmt+0x5c/0x80
[ 225.236527] [<ffffffff81397ebc>] ? label_match.constprop.9+0x3dc/0x6c0
[ 225.236536] [<ffffffff813a696e>] aa_audit_file+0x16e/0x180
[ 225.236544] [<ffffffff813982dd>] profile_onexec+0x13d/0x3d0
[ 225.236554] [<ffffffff8139a33e>] handle_onexec+0x10e/0x10d0
[ 225.236562] [<ffffffff81242957>] ? vfs_getxattr_alloc+0x67/0x100
[ 225.236571] [<ffffffff81355395>] ? cap_inode_getsecurity+0x95/0x220
[ 225.236581] [<ffffffff8135965d>] ? security_inode_getsecurity+0x5d/0x70
[ 225.236589] [<ffffffff8139b417>] apparmor_bprm_set_creds+0x117/0xa60
[ 225.236596] [<ffffffff81242a8e>] ? vfs_getxattr+0x9e/0xb0
[ 225.236608] [<ffffffffc1439712>] ? ovl_getxattr+0x52/0xb0 [overlay]
[ 225.236617] [<ffffffff8135619d>] ? get_vfs_caps_from_disk+0x7d/0x180
[ 225.236624] [<ffffffff81356343>] ? cap_bprm_set_creds+0xa3/0x5f0
[ 225.236633] [<ffffffff81358909>] security_bprm_set_creds+0x39/0x50
[ 225.236642] [<ffffffff812229d5>] prepare_binprm+0x85/0x190
[ 225.236651] [<ffffffff812240f4>] do_execveat_common.isra.31+0x4b4/0x770
[ 225.236661] [<ffffffff8122460a>] SyS_execve+0x3a/0x50
[ 225.236671] [<ffffffff81863f15>] stub_execve+0x5/0x5
[ 225.236678] [<ffffffff81863b9b>] ? entry_SYSCALL_64_fastpath+0x22/0xcb
[ 225.236684] ---[ end trace 6b2beaa85ae31c29 ]---
This is caused when the change_onexec api is used and permitted by the
profile but the task has the NO_NEW_PRIVS flag set causing the domain
transition specified in the change_onexec request to fail.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1838627/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
