This bug was fixed in the package linux - 4.15.0-176.185

---------------
linux (4.15.0-176.185) bionic; urgency=medium

  * bionic/linux: 4.15.0-176.185 -proposed tracker (LP: #1966771)

  * Bionic update: upstream stable patchset 2022-03-04 (LP: #1963717)
    - can: bcm: fix UAF of bcm op
    - net: bridge: clear bridge's private skb space on xmit
    - s390/hypfs: include z/VM guests with access control group set
    - scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP
      devices
    - udf: Restore i_lenAlloc when inode expansion fails
    - udf: Fix NULL ptr deref when converting from inline format
    - PM: wakeup: simplify the output logic of pm_show_wakelocks()
    - netfilter: nft_payload: do not update layer 4 checksum when mangling
      fragments
    - serial: stm32: fix software flow control transfer
    - tty: n_gsm: fix SW flow control encoding/handling
    - tty: Add support for Brainboxes UC cards.
    - usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge
    - usb: common: ulpi: Fix crash in ulpi_match()
    - usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS
    - USB: core: Fix hang in usb_kill_urb by adding memory barriers
    - usb: typec: tcpm: Do not disconnect while receiving VBUS off
    - net: sfp: ignore disabled SFP node
    - powerpc/32: Fix boot failure with GCC latent entropy plugin
    - lkdtm: Fix content of section containing lkdtm_rodata_do_nothing()
    - i40e: Increase delay to 1 s after global EMP reset
    - i40e: fix unsigned stat widths
    - rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev
    - rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev
    - scsi: bnx2fc: Flush destroy_work queue before calling
      bnx2fc_interface_put()
    - ipv6_tunnel: Rate limit warning messages
    - net: fix information leakage in /proc/net/ptype
    - ping: fix the sk_bound_dev_if match in ping_lookup
    - ipv4: avoid using shared IP generator for connected sockets
    - hwmon: (lm90) Reduce maximum conversion rate for G781
    - NFSv4: Handle case where the lookup of a directory fails
    - NFSv4: nfs_atomic_open() can race when looking up a non-regular file
    - net-procfs: show net devices bound packet types
    - drm/msm: Fix wrong size calculation
    - drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable
    - ibmvnic: don't spin in tasklet
    - yam: fix a memory leak in yam_siocdevprivate()
    - ipv4: raw: lock the socket in raw_bind()
    - ipv4: tcp: send zero IPID in SYNACK messages
    - netfilter: nat: remove l4 protocol port rovers
    - netfilter: nat: limit port clash resolution attempts
    - ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback
    - net: amd-xgbe: ensure to reset the tx_timer_active flag
    - net: amd-xgbe: Fix skb data length underflow
    - rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink()
    - af_packet: fix data-race in packet_setsockopt / packet_setsockopt
    - ASoC: ops: Reject out of bounds values in snd_soc_put_volsw()
    - ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx()
    - ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx()
    - drm/nouveau: fix off by one in BIOS boundary checking
    - block: bio-integrity: Advance seed correctly for larger interval sizes
    - RDMA/mlx4: Don't continue event handler after memory allocation failure
    - iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping()
    - iommu/amd: Fix loop timeout issue in iommu_ga_log_enable()
    - spi: bcm-qspi: check for valid cs before applying chip select
    - spi: mediatek: Avoid NULL pointer crash in interrupt
    - spi: meson-spicc: add IRQ check in meson_spicc_probe
    - net: ieee802154: ca8210: Stop leaking skb's
    - net: ieee802154: Return meaningful error codes from the netlink helpers
    - net: macsec: Verify that send_sci is on when setting Tx sci explicitly
    - drm/i915/overlay: Prevent divide by zero bugs in scaling
    - ASoC: fsl: Add missing error handling in pcm030_fabric_probe
    - scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe
    - nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client.
    - selftests: futex: Use variable MAKE instead of make
    - rtc: cmos: Evaluate century appropriate
    - EDAC/altera: Fix deferred probing
    - EDAC/xgene: Fix deferred probing
    - ext4: fix error handling in ext4_restore_inline_data()
    - serial: 8250: of: Fix mapped region size when using reg-offset property
    - i40e: Fix issue when maximum queues is exceeded
    - i40e: Fix queues reservation for XDP
    - ipv6: annotate accesses to fn->fn_sernum
    - ibmvnic: init ->running_cap_crqs early

  * Bionic update: upstream stable patchset 2022-03-04 (LP: #1963717) //
    audit: improve audit queue handling when "audit=1" on cmdline
    (LP: #1965723)
    - audit: improve audit queue handling when "audit=1" on cmdline

  * CVE-2021-43975
    - atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait

  * Packaging resync (LP: #1786013)
    - [Packaging] resync dkms-build{,--nvidia-N} from LRMv5

 -- Luke Nowakowski-Krijger <luke.nowakowskikrij...@canonical.com>  Tue, 29 Mar 2022 09:53:21 -0700

** Changed in: linux (Ubuntu Bionic)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-43975

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1965723

Title:
  audit: improve audit queue handling when "audit=1" on cmdline

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Bionic:
  Fix Released
Status in linux source package in Focal:
  Fix Committed
Status in linux source package in Impish:
  Fix Released

Bug description:
  SRU Justification

  [Impact]

  When an admin enables audit at early boot via the "audit=1" kernel
  command line the audit queue behavior is slightly different; the audit
  subsystem goes to greater lengths to avoid dropping records, which
  unfortunately can result in problems when the audit daemon is forcibly
  stopped for an extended period of time.

  [Fix]

  upstream discussion:
  https://lore.kernel.org/all/cahc9vhqgx070poxzk_pusawgzppdqvpezvfybse2dnryrbw...@mail.gmail.com/T/

  upstream commit: f26d04331360d42dbd6b58448bd98e4edbfbe1c5

  [Test]

  configurations:

      auditctl -b 64
      auditctl --backlog_wait_time 60000
      auditctl -r 0
      auditctl -w /root/aaa -p wrx

  shell scripts:

      #!/bin/bash
      # Touch the watched file 67 times so the records exceed the
      # backlog limit of 64 configured above.
      i=0
      while [ $i -le 66 ]
      do
        touch /root/aaa
        let i++
      done

  mandatory conditions:

  add "audit=1" to the cmdline, and kill -19 pid_number (for
  /sbin/auditd).

  As long as we keep the audit_hold_queue non-empty, flushing the hold
  queue will fall into an infinite loop.

  This could also trigger a soft lockup when it drops into an infinite
  loop, e.g.

      kernel: [ 94.186433] watchdog: BUG: soft lockup - CPU#2 stuck for 11s! [kauditd:34]
      kernel: [ 94.187736] Modules linked in: xfs iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack libcrc32c iptable_filter isofs xt_cgroup xt_tcpudp iptable_mangle ip_tables x_tables sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 ppdev crypto_simd glue_helper joydev vmwgfx ttm cryptd vmw_balloon drm_kms_helper intel_rapl_perf input_leds psmouse drm fb_sys_fops syscopyarea vmxnet3 sysfillrect parport_pc parport mac_hid shpchp i2c_piix4 vmw_vsock_vmci_transport vsock sysimgblt vmw_vmci serio_raw mptspi mptscsih mptbase scsi_transport_spi pata_acpi floppy autofs4
      kernel: [ 94.187757] CPU: 2 PID: 34 Comm: kauditd Not tainted 4.15.0-171-generic #180~16.04.1-Ubuntu
      kernel: [ 94.187757] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020
      kernel: [ 94.187800] skb_queue_head+0x47/0x50
      kernel: [ 94.187803] kauditd_rehold_skb+0x18/0x20
      kernel: [ 94.187805] kauditd_send_queue+0xcd/0x100
      kernel: [ 94.187806] ? kauditd_retry_skb+0x20/0x20
      kernel: [ 94.187808] ? kauditd_send_multicast_skb+0x80/0x80
      kernel: [ 94.187809] kauditd_thread+0xa7/0x240
      kernel: [ 94.187812] ? wait_woken+0x80/0x80
      kernel: [ 94.187815] kthread+0x105/0x140
      kernel: [ 94.187817] ? auditd_reset+0x90/0x90
      kernel: [ 94.187818] ? kthread_bind+0x40/0x40
      kernel: [ 94.187820] ret_from_fork+0x35/0x40

  [Other Info]

  SF: #00330803

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1965723/+subscriptions
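
For triage on hosts still running a kernel without this fix, the soft lockup described in the bug report can be picked out of kernel logs by its signature. The following is an added example, not part of the bug report or of the kernel change: the function names, the 40-line window and the second (kworker) lockup in the sample are assumptions made for illustration, and the sample lines are constructed from the trace quoted in the report.

```python
import re

# Header line that the soft-lockup watchdog prints: CPU, seconds stuck, comm, pid.
LOCKUP = re.compile(
    r"watchdog: BUG: soft lockup - CPU#(\d+) stuck for (\d+)s! \[(\S+):(\d+)\]")
# A stack frame; group 1 is set for "? " frames, which the kernel marks unreliable.
FRAME = re.compile(r"\]\s+(\? )?([A-Za-z_][\w.]*)\+0x[0-9a-f]+/0x[0-9a-f]+")
# Frames taken from the trace in the report that identify the hold-queue loop.
SIGNATURE = {"kauditd_rehold_skb", "kauditd_send_queue"}

def audit_forced_on(cmdline):
    """True when the kernel command line carries audit=1 (the report's precondition)."""
    return "audit=1" in cmdline.split()

def find_kauditd_lockups(lines, window=40):
    """Return one dict per kauditd soft lockup whose reliable frames include SIGNATURE."""
    hits = []
    for i, line in enumerate(lines):
        m = LOCKUP.search(line)
        if not m or m.group(3) != "kauditd":
            continue
        reliable = set()
        for follow in lines[i + 1:i + 1 + window]:
            if LOCKUP.search(follow):
                break  # the next lockup report starts here
            f = FRAME.search(follow)
            if f and f.group(1) is None:
                reliable.add(f.group(2))
        if SIGNATURE <= reliable:
            hits.append({"cpu": int(m.group(1)), "stuck_s": int(m.group(2)),
                         "pid": int(m.group(4)), "line": i})
    return hits

# Constructed sample: the first report mirrors the quoted trace, the second is unrelated.
SAMPLE = """\
kernel: [ 94.186433] watchdog: BUG: soft lockup - CPU#2 stuck for 11s! [kauditd:34]
kernel: [ 94.187757] CPU: 2 PID: 34 Comm: kauditd Not tainted 4.15.0-171-generic #180~16.04.1-Ubuntu
kernel: [ 94.187800] skb_queue_head+0x47/0x50
kernel: [ 94.187803] kauditd_rehold_skb+0x18/0x20
kernel: [ 94.187805] kauditd_send_queue+0xcd/0x100
kernel: [ 94.187806] ? kauditd_retry_skb+0x20/0x20
kernel: [ 94.187809] kauditd_thread+0xa7/0x240
kernel: [ 120.000001] watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [kworker/0:1:57]
kernel: [ 120.000050] process_one_work+0x1de/0x410
""".splitlines()

if __name__ == "__main__":
    print(find_kauditd_lockups(SAMPLE))
```

A match is most meaningful together with audit_forced_on() applied to the contents of /proc/cmdline, since the report names "audit=1" as a mandatory condition.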