kernel-packages team mailing list archive

[Bug 1308765] [NEW] refcount bug in apparmor pivotroot handling

Public bug reported:

There is a profile refcount bug in apparmor pivot_root mediation.

The code increments the profile refcount in one function and decrements
the refcount in another. However, the code refactoring made it so the
target profile, which has its refcount incremented, is not returned to the
fn that is putting the reference. This results in the put always being
done on NULL, so that the reference is never actually decremented.

This bug will result in the memory associated with the profile leaking
if the profile is ever replaced or removed.

This bug was discovered in auditing of the code.

** Affects: linux (Ubuntu)
     Importance: Undecided
     Assignee: John Johansen (jjohansen)
         Status: Confirmed

** Affects: linux (Ubuntu Trusty)
     Importance: Undecided
     Assignee: John Johansen (jjohansen)
         Status: Confirmed

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => John Johansen (jjohansen)

** Changed in: linux (Ubuntu)
       Status: New => Confirmed

** Also affects: linux (Ubuntu Trusty)
   Importance: Undecided
     Assignee: John Johansen (jjohansen)
       Status: Confirmed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1308765

Title:
  refcount bug in apparmor pivotroot handling

Status in “linux” package in Ubuntu:
  Confirmed
Status in “linux” source package in Trusty:
  Confirmed

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1308765/+subscriptions
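
The get-in-one-function, put-in-another pattern from the report, as an added user-space example that is not the AppArmor kernel code and not part of the original message. All struct and function names are hypothetical; the model assumes the loaded policy holds one reference that it drops on removal.

```c
/* Added illustration: user-space model, hypothetical names, not AppArmor code. */
#include <stdio.h>

struct profile { int refs; };        /* one reference is held by the loaded policy */

static struct profile *get_profile(struct profile *p) { if (p) p->refs++; return p; }
static void put_profile(struct profile *p) { if (p) p->refs--; } /* NULL: silent no-op */

/* Buggy helper: takes a reference on the target but never hands the
 * pointer back, so the caller's variable stays NULL. */
static int lookup_buggy(struct profile *p, struct profile **target)
{
    struct profile *t = get_profile(p);
    (void)target;                    /* the "*target = t" assignment is missing */
    return t ? 0 : -1;
}

/* Fixed helper: the referenced profile is returned to whoever must put it. */
static int lookup_fixed(struct profile *p, struct profile **target)
{
    *target = get_profile(p);
    return *target ? 0 : -1;
}

typedef int (*lookup_fn)(struct profile *, struct profile **);

/* Caller: the get happens inside lookup(), the put happens here. */
static void mediate_once(lookup_fn lookup, struct profile *p)
{
    struct profile *target = NULL;
    lookup(p, &target);
    put_profile(target);             /* with lookup_buggy this is put_profile(NULL) */
}

/* References left after n mediated calls followed by removal of the profile
 * from policy; 0 means it could be freed, anything else is a leak. */
int refs_after_removal(lookup_fn lookup, int n)
{
    struct profile p = { 1 };
    for (int i = 0; i < n; i++)
        mediate_once(lookup, &p);
    put_profile(&p);                 /* policy drops its own reference */
    return p.refs;
}

int main(void)
{
    printf("buggy: %d refs left\n", refs_after_removal(lookup_buggy, 3));
    printf("fixed: %d refs left\n", refs_after_removal(lookup_fixed, 3));
    return 0;
}
```

Because the put on NULL does nothing and reports nothing, the leak only becomes visible when the count fails to reach zero at replacement or removal.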