Monitoring the label reference count with the kprobes module:

- original kernel: the counter keeps increasing on every pair of accept()/release() syscalls.
- modified kernel: the counter stays stable.
Focal:
-----

original)

$ uname -rv
5.4.0-38-generic #42-Ubuntu SMP Mon Jun 8 14:14:24 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4739.811403] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e0
[ 4739.813677] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2
[ 4739.815994] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e1
[ 4739.818274] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e3
[ 4739.820555] accept() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e2
[ 4739.822833] release() :: comm = aa-refcnt-af_al, pid = 1023, sk->sk_security->label->count = 0x40b395e4
...
$ sudo rmmod kmod

modified)

$ uname -rv
5.4.0-38-generic #42+test20200617b1 SMP Wed Jun 17 16:31:24 -03 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[  185.657133] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649
[  185.660720] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a
[  185.664321] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x649
[  185.668981] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x64a
[  185.672648] accept() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x629
[  185.676299] release() :: comm = aa-refcnt-af_al, pid = 1098, sk->sk_security->label->count = 0x62a
...
$ sudo rmmod kmod

Bionic:
------

original)

$ uname -rv
4.15.0-107-generic #108-Ubuntu SMP Mon Jun 8 17:51:33 UTC 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[ 4333.136581] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e85
[ 4333.139131] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e87
[ 4333.141650] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e86
[ 4333.144142] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e88
[ 4333.146675] accept() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e87
[ 4333.149199] release() :: comm = aa-refcnt-af_al, pid = 1243, sk->sk_security->label->count = 0x449b9e89
...
$ sudo rmmod kmod

modified)

$ uname -rv
4.15.0-107-generic #108+test20200617b1 SMP Wed Jun 17 16:33:16 -03 2020

$ ./aa-refcnt-af_alg &
$ sudo insmod kmod.ko
...
[  245.921217] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[  245.923456] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
[  245.925718] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[  245.927954] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
[  245.930221] accept() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x608
[  245.932469] release() :: comm = aa-refcnt-af_al, pid = 1165, sk->sk_security->label->count = 0x609
...
$ sudo rmmod kmod
https://bugs.launchpad.net/bugs/1883962

Title:
  apparmor reference leak causes refcount_t overflow with af_alg_accept()

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Eoan:
  Won't Fix
Status in linux source package in Focal:
  In Progress
Status in linux source package in Groovy:
  Won't Fix

Bug description:
  [Impact]

   * Users of the Crypto (user-space) API (i.e., AF_ALG) can trigger
     refcount errors in AppArmor under high load (might lead to memory
     leak or use after free.)

   * There is a reference leak in AppArmor when af_alg_accept() calls
     security_sock_graft() and then security_sk_clone().

   * Both acquire a reference to a label, to assign it to the same
     pointer, but the latter does not release the former's acquired
     reference (before overwriting the pointer value.)

   * This reference leak builds up over time, and under high load can
     eventually overflow/underflow/saturate refcount, depending on which
     value it has when a program hits that.

   * The fix just checks if the pointer has an assigned label, then
     releases its acquired reference.

  [Test Case]

   * See comment #1 for the test-case 'aa-refcnt-af_alg.c'.

   * Exercise that code path indefinitely until it hits the refcount_t
     overflow/underflow/saturate message (or not, with the patch.)
     (see comment #4)

   * It's possible to monitor refcount values with kprobes, to confirm
     whether or not the problem is happening. (see comments #2 and #3)

  [Other Info]

   * Patch applied upstream on v5.8-rc1 [1]
   * Applied on Unstable (tag Ubuntu-5.8-5.8.0-0.1)
   * Not required on Groovy (still 5.4; should sync from Unstable)
   * Not required on Eoan (EOL date before SRU cycle release date)
   * Required on Bionic and Focal.
  [1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit?id=3b646abc5bc6c0df649daea4c2c976bd4d47e4c8
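The double-acquire described under [Impact], and the release-before-overwrite fix, as a user-space model added here for illustration (constructed example, not the kernel's AppArmor code nor the patch in [1]; the struct and function names only mimic the kernel's): one accept()/release() pair nets +1 on the label count with the leaky clone and 0 with the fixed one, matching the kprobes traces above.

```c
#include <stdbool.h>
#include <stddef.h>

/* Minimal model of an AppArmor label with a reference count and of the
 * per-socket security context that holds one reference to it. */
struct aa_label { long count; };
struct aa_sk_ctx { struct aa_label *label; };

static struct aa_label *aa_get_label(struct aa_label *l) { l->count++; return l; }
static void aa_put_label(struct aa_label *l) { if (l) l->count--; }

/* security_sock_graft(): the new socket takes a reference to the parent's label. */
static void sock_graft(struct aa_sk_ctx *new, struct aa_label *parent)
{
    new->label = aa_get_label(parent);
}

/* security_sk_clone() as in the affected kernels: it takes a second
 * reference and overwrites new->label, dropping the pointer sock_graft()
 * stored there without ever releasing that reference. */
static void sk_clone_leaky(struct aa_sk_ctx *new, struct aa_label *parent)
{
    new->label = aa_get_label(parent);
}

/* The fixed behaviour described in the report: if a label is already
 * assigned, release its reference before overwriting the pointer. */
static void sk_clone_fixed(struct aa_sk_ctx *new, struct aa_label *parent)
{
    if (new->label)
        aa_put_label(new->label);
    new->label = aa_get_label(parent);
}

/* Run n accept()/release() pairs against one parent label and return the
 * label's count afterwards. It starts at 1, the parent's own reference. */
long run_pairs(int n, bool fixed)
{
    struct aa_label label = { .count = 1 };
    for (int i = 0; i < n; i++) {
        struct aa_sk_ctx ctx = { .label = NULL };
        sock_graft(&ctx, &label);                  /* accept(): first acquire  */
        if (fixed) sk_clone_fixed(&ctx, &label);   /* accept(): second acquire */
        else       sk_clone_leaky(&ctx, &label);
        aa_put_label(ctx.label);                   /* release(): a single put  */
        ctx.label = NULL;
    }
    return label.count;   /* leaky: 1 + n; fixed: 1 */
}
```

In the real kernel the counter is a refcount_t, so the leaked references accumulate until the saturation or overflow warning the test case waits for; the model just lets the count grow.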