Public bug reported:

SRU Justification

[Impact]
When an admin enables audit at early boot via the "audit=1" kernel command line the audit queue behavior is slightly different; the audit subsystem goes to greater lengths to avoid dropping records, which unfortunately can result in problems when the audit daemon is forcibly stopped for an extended period of time.

[Fix]
upstream discussion:
https://lore.kernel.org/all/cahc9vhqgx070poxzk_pusawgzppdqvpezvfybse2dnryrbw...@mail.gmail.com/T/

upstream commit:
f26d04331360d42dbd6b58448bd98e4edbfbe1c5

[Test]
configurations:
  auditctl -b 64
  auditctl --backlog_wait_time 60000
  auditctl -r 0
  auditctl -w /root/aaa -p wrx

shell scripts:
  #!/bin/bash
  i=0
  while [ $i -le 66 ]
  do
      touch /root/aaa
      let i++
  done

mandatory conditions:
add "audit=1" to the cmdline, and kill -19 pid_number (for /sbin/auditd).

As long as we keep the audit_hold_queue non-empty, flushing the hold queue will fall into an infinite loop.

This could also trigger a soft lockup when it drops into an infinite loop, e.g.

kernel: [ 94.186433] watchdog: BUG: soft lockup - CPU#2 stuck for 11s! [kauditd:34]
kernel: [ 94.187736] Modules linked in: xfs iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c iptable_filter isofs xt_cgroup xt_tcpudp iptable_mangle ip_tables x_tables sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 ppdev crypto_simd glue_helper joydev vmwgfx ttm cryptd vmw_balloon drm_kms_helper intel_rapl_perf input_leds psmouse drm fb_sys_fops syscopyarea vmxnet3 sysfillrect parport_pc parport mac_hid shpchp i2c_piix4 vmw_vsock_vmci_transport vsock sysimgblt vmw_vmci serio_raw mptspi mptscsih mptbase scsi_transport_spi pata_acpi floppy autofs4
kernel: [ 94.187757] CPU: 2 PID: 34 Comm: kauditd Not tainted 4.15.0-171-generic #180~16.04.1-Ubuntu
kernel: [ 94.187757] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
kernel: [ 94.187800] skb_queue_head+0x47/0x50
kernel: [ 94.187803] kauditd_rehold_skb+0x18/0x20
kernel: [ 94.187805] kauditd_send_queue+0xcd/0x100
kernel: [ 94.187806] ? kauditd_retry_skb+0x20/0x20
kernel: [ 94.187808] ? kauditd_send_multicast_skb+0x80/0x80
kernel: [ 94.187809] kauditd_thread+0xa7/0x240
kernel: [ 94.187812] ? wait_woken+0x80/0x80
kernel: [ 94.187815] kthread+0x105/0x140
kernel: [ 94.187817] ? auditd_reset+0x90/0x90
kernel: [ 94.187818] ? kthread_bind+0x40/0x40
kernel: [ 94.187820] ret_from_fork+0x35/0x40

[Other Info]
SF: #00330803

** Affects: linux (Ubuntu)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Bionic)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Focal)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Impish)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Affects: linux (Ubuntu Jammy)
     Importance: Critical
     Assignee: gerald.yang (gerald-yang-tw)
         Status: In Progress

** Tags: sts

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => gerald.yang (gerald-yang-tw)

** Changed in: linux (Ubuntu)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu)
       Status: New => In Progress

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1965723

Title:
  audit: improve audit queue handling when "audit=1" on cmdline

Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Bionic:
  In Progress
Status in linux source package in Focal:
  In Progress
Status in linux source package in Impish:
  In Progress
Status in linux source package in Jammy:
  In Progress
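
The loop behind the trace in the bug description (kauditd_send_queue calling kauditd_rehold_skb, which calls skb_queue_head) can be modelled in user space. This is an added example, not kernel code and not the upstream patch: the queue type, the function names, the iteration budget and the one-pass variant shown as one way to bound the drain are all assumptions made for illustration.

```c
/* User-space model (hypothetical names, not kernel code) of a queue drain whose
 * error hook returns a failed record to the head of the queue being drained. */
#include <stdio.h>

#define QCAP 64
struct queue { int rec[QCAP]; size_t head, len; };

static void push_head(struct queue *q, int r) {
    if (q->len == QCAP) return;                 /* full: drop (model only) */
    q->head = (q->head + QCAP - 1) % QCAP;
    q->rec[q->head] = r;
    q->len++;
}
static int pop_head(struct queue *q, int *r) {
    if (q->len == 0) return 0;
    *r = q->rec[q->head];
    q->head = (q->head + 1) % QCAP;
    q->len--;
    return 1;
}
/* Stand-in for delivery to the daemon: fails while the daemon is stopped. */
static int send_record(int daemon_running) { return daemon_running ? 0 : -1; }

/* Drains while the queue is non-empty. `budget` exists only so the model
 * terminates; a return value equal to budget means the loop was still spinning. */
static size_t drain_unbounded(struct queue *q, int daemon_running, size_t budget) {
    size_t iters = 0; int r;
    while (iters < budget && pop_head(q, &r)) {
        iters++;
        if (send_record(daemon_running) != 0) push_head(q, r); /* popped again next */
    }
    return iters;
}
/* Visits only the records present at entry, then returns to the caller. */
static size_t drain_one_pass(struct queue *q, int daemon_running) {
    size_t todo = q->len, iters = 0; int r;
    struct queue failed = { {0}, 0, 0 };
    while (todo-- > 0 && pop_head(q, &r)) {
        iters++;
        if (send_record(daemon_running) != 0) push_head(&failed, r);
    }
    while (pop_head(&failed, &r)) push_head(q, r);   /* keep original order */
    return iters;
}
int main(void) {
    struct queue q = { {0}, 0, 0 };
    for (int i = 3; i >= 1; i--) push_head(&q, i);   /* constructed records 1,2,3 */
    printf("unbounded: %zu iterations\n", drain_unbounded(&q, 0, 1000000));
    printf("one pass:  %zu iterations\n", drain_one_pass(&q, 0));
    return 0;
}
```

With the daemon stopped, the unbounded drain uses its whole budget on three records, while the one-pass drain returns after three iterations with the records still held.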