Bug 700637 - Regression of AF_NETLINK credentials leak in 2.6.35.12-90.fc14
Summary: Regression of AF_NETLINK credentials leak in 2.6.35.12-90.fc14
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: kernel
Version: 14
Hardware: Unspecified
OS: Linux
unspecified
unspecified
Target Milestone: ---
Assignee: David Howells
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-04-28 21:10 UTC by Keegan McAllister
Modified: 2011-05-09 20:58 UTC (History)
5 users (show)

Fixed In Version: kernel-2.6.35.13-91.fc14
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-09 20:58:21 UTC
Type: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Keegan McAllister 2011-04-28 21:10:34 UTC 
Description of problem:

Kernel 2.6.35.12-88.fc14 fixed a leak of credentials structs sent through an AF_NETLINK socket.  In 2.6.35.12-90.fc14 the bug has returned.

The fix was reverted by Fedora kernel.git commit

    1caa10e2d538 Revert extra fix for credentials leak (#683568)

but it seems the reverted fix is actually essential for preventing the leak.


Reproducer:

Simplified from the upstream commit message on the original fix:

       #!/bin/bash
       for ((i=0; i<100; i++))
       do
               su - -c /bin/true
               cat /proc/keys | wc -l
       done


Actual results:

On 11-83.fc14 and 12-90.fc14, /proc/keys fills up with revoked keys as the script runs.


Expected results:

On 12-88.fc14, the number of keys in /proc/keys stays in the low single digits.


Additional info:

I tested the amd64 flavor of all three kernels, running as Xen HVM guests.
Comment 1 Chuck Ebbert 2011-04-29 01:49:50 UTC 
I'm not sure what's going on here. The fix that was reverted was unnecessary and is not upstream:

http://git.kernel.org/?p=linux/kernel/git/longterm/longterm-queue-2.6.35.git;a=blob;f=releases/release-2.6.35.12/fix-cred-leak-in-af_netlink;h=28d371ea099fdedf78326d8814c60e940ad9e151;hb=HEAD

This is the correct fix, which was also included in 2.6.35.12:

http://git.kernel.org/?p=linux/kernel/git/longterm/longterm-queue-2.6.35.git;a=blob;f=releases/release-2.6.35.12/af_netlink-add-needed-scm_destroy-after-scm_send;h=e09cf7fbb64c607f54b53de33078b5635043b310;hb=HEAD

Reverting the first fix should not have re-introduced the leak.
Comment 2 Chuck Ebbert 2011-05-03 14:22:21 UTC 
Turns out the backport of the proper fix was incomplete. This should be fixed in 2.6.35.13-91
Comment 3 Fedora Update System 2011-05-04 09:27:02 UTC 
kernel-2.6.35.13-91.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/kernel-2.6.35.13-91.fc14
Comment 4 Fedora Update System 2011-05-05 18:23:32 UTC 
Package kernel-2.6.35.13-91.fc14:
* should fix your issue,
* was pushed to the Fedora 14 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing kernel-2.6.35.13-91.fc14'
as soon as you are able to, then reboot.
Please go to the following url:
https://admin.fedoraproject.org/updates/kernel-2.6.35.13-91.fc14
then log in and leave karma (feedback).
Comment 5 Fedora Update System 2011-05-09 20:58:06 UTC 
kernel-2.6.35.13-91.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.