kernel-packages team mailing list archive

[John Johansen <john.johansen@xxxxxxxxxxxxx>]

Public bug reported:

There is a race window in the apparmor_kill hook, that may result in a
profile refcount being decremented without a previous increment. This
can result in the profile being freed, while references still exist and
can lead to an oops.

The race window exists for the time after the profile has been replaced
but before the task cred has been updated to the new profile.

This bug has not been seen in the wild and was found as part of a code
audit.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: John Johansen (jjohansen)
         Status: Confirmed

** Affects: linux (Ubuntu Trusty)
     Importance: Undecided
     Assignee: John Johansen (jjohansen)
         Status: Confirmed

** Changed in: linux (Ubuntu)
       Status: New => Confirmed

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
     Assignee: John Johansen (jjohansen)
       Status: Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1308764

Title:
  apparmor refcount bug in apparmor_kill

Status in “linux” package in Ubuntu:
  Confirmed
Status in “linux” source package in Trusty:
  Confirmed

Bug description:
  There is a race window in the apparmor_kill hook, that may result in a
  profile refcount being decremented without a previous increment. This
  can result in the profile being freed, while references still exist
  and can lead to an oops.

  The race window exists for the time after the profile has been
  replaced but before the task cred has been updated to the new profile.

  This bug has not been seen in the wild and was found as part of a code
  audit.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1308764/+subscriptions