kernel-packages team mailing list archive

Thread
Date

[Bug 1308764] Re: apparmor refcount bug in apparmor_kill

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1308764@xxxxxxxxxxxxxxxxxx>
Date: Thu, 29 May 2014 07:55:23 -0000
Reply-to: Bug 1308764 <1308764@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

This bug was fixed in the package linux - 3.15.0-4.8

---------------
linux (3.15.0-4.8) utopic; urgency=low

  [ Andy Whitcroft ]

  * Release Tracking Bug
    - LP: #1324107
  * [Config] enable SECURITY_APPARMOR_UNCONFINED_INIT

  [ Javier Martinez Canillas ]

  * SAUCE: (no-up) apparmor: fix bug that constantly spam the console
    - LP: #1323526

  [ John Johansen ]

  * SAUCE: (no-up) apparmor: Sync to apparmor3 - alpha6 snapshot
    - LP: #1323528
  * SAUCE: (no-up) apparmor: fix apparmor spams log with warning message
    - LP: #1308761
  * SAUCE: (no-up) apparmor: fix refcount bug in apparmor pivotroot
    - LP: #1308765
  * SAUCE: (no-up): apparmor: fix apparmor refcount bug in apparmor_kill
    - LP: #1308764
  * SAUCE: (no-up): apparmor: use custom write_is_locked macro
    - LP: #1323530

  [ Kamal Mostafa ]

  * [Config] add debian/gbp.conf

  [ Tim Gardner ]

  * [Config] CONFIG_SATA_AHCI=m for ppc64el
    - LP: #1323980
 -- Andy Whitcroft <apw@xxxxxxxxxxxxx>   Wed, 28 May 2014 12:47:17 +0100

** Changed in: linux (Ubuntu)
       Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1308764

Title:
  apparmor refcount bug in apparmor_kill

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux” source package in Trusty:
  Confirmed

Bug description:
  There is a race window in the apparmor_kill hook, that may result in a
  profile refcount being decremented without a previous increment. This
  can result in the profile being freed, while references still exist
  and can lead to an oops.

  The race window exists for the time after the profile has been
  replaced but before the task cred has been updated to the new profile.

  This bug has not been seen in the wild and was found as part of a code
  audit.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1308764/+subscriptions

References

[Bug 1308764] [NEW] apparmor refcount bug in apparmor_kill
From: John Johansen, 2014-04-16