kernel-packages team mailing list archive

Thread
Date

[Bug 1308764] Re: apparmor refcount bug in apparmor_kill

To: kernel-packages@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1308764@xxxxxxxxxxxxxxxxxx>
Date: Thu, 17 Jul 2014 15:22:27 -0000
Reply-to: Bug 1308764 <1308764@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Branch linked: lp:~ubuntu-branches/ubuntu/utopic/linux-hammerhead
/utopic-proposed

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1308764

Title:
  apparmor refcount bug in apparmor_kill

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux” source package in Trusty:
  Confirmed

Bug description:
  There is a race window in the apparmor_kill hook, that may result in a
  profile refcount being decremented without a previous increment. This
  can result in the profile being freed, while references still exist
  and can lead to an oops.

  The race window exists for the time after the profile has been
  replaced but before the task cred has been updated to the new profile.

  This bug has not been seen in the wild and was found as part of a code
  audit.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1308764/+subscriptions

References

[Bug 1308764] [NEW] apparmor refcount bug in apparmor_kill
From: John Johansen, 2014-04-16