audit: improve audit queue handling when "audit=1" on cmdline
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Committed
|
Critical
|
gerald.yang | ||
Bionic |
Fix Released
|
Undecided
|
Unassigned | ||
Focal |
Fix Released
|
Undecided
|
Unassigned | ||
Impish |
Fix Released
|
Undecided
|
Unassigned |
Bug Description
SRU Justification
[Impact]
When an admin enables audit at early boot via the "audit=1" kernel
command line the audit queue behavior is slightly different; the
audit subsystem goes to greater lengths to avoid dropping records,
which unfortunately can result in problems when the audit daemon is
forcibly stopped for an extended period of time.
[Fix]
upstream discussion:
https:/
upstream commit:
f26d04331360d42
[Test]
configurations:
auditctl -b 64
auditctl --backlog_wait_time 60000
auditctl -r 0
auditctl -w /root/aaa -p wrx
shell scripts:
#!/bin/bash
i=0
while [ $i -le 66 ]
do
touch /root/aaa
let i++
done
mandatory conditions:
add "audit=1" to the cmdline, and kill -19 pid_number(for /sbin/auditd).
As long as we keep the audit_hold_queue non-empty, flush the hold queue will fall into an infinite loop.
This could also trigger soft lockup when it drops into a infinite loop, e.g.
kernel: [ 94.186433] watchdog: BUG: soft lockup - CPU#2 stuck for 11s! [kauditd:34]
kernel: [ 94.187736] Modules linked in: xfs iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_
conntrack libcrc32c iptable_filter isofs xt_cgroup xt_tcpudp iptable_mangle ip_tables x_tables sb_edac crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 pp
dev crypto_simd glue_helper joydev vmwgfx ttm cryptd vmw_balloon drm_kms_helper intel_rapl_perf input_leds psmouse drm fb_sys_fops syscopyarea vmxnet3 sysfillrect parport_pc parport m
ac_hid shpchp i2c_piix4 vmw_vsock_
kernel: [ 94.187757] CPU: 2 PID: 34 Comm: kauditd Not tainted 4.15.0-171-generic #180~16.04.1-Ubuntu
kernel: [ 94.187757] Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS
6.00 11/12/2020
kernel: [ 94.187800] skb_queue_
kernel: [ 94.187803] kauditd_
kernel: [ 94.187805] kauditd_
kernel: [ 94.187806] ? kauditd_
kernel: [ 94.187808] ? kauditd_
kernel: [ 94.187809] kauditd_
kernel: [ 94.187812] ? wait_woken+
kernel: [ 94.187815] kthread+0x105/0x140
kernel: [ 94.187817] ? auditd_
kernel: [ 94.187818] ? kthread_
kernel: [ 94.187820] ret_from_
[Other Info]
SF: #00330803
CVE References
Changed in linux (Ubuntu): | |
assignee: | nobody → gerald.yang (gerald-yang-tw) |
importance: | Undecided → Critical |
status: | New → In Progress |
Changed in linux (Ubuntu Impish): | |
status: | New → In Progress |
Changed in linux (Ubuntu Focal): | |
status: | New → In Progress |
Changed in linux (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in linux (Ubuntu Impish): | |
importance: | Undecided → Critical |
Changed in linux (Ubuntu Focal): | |
importance: | Undecided → Critical |
Changed in linux (Ubuntu Bionic): | |
importance: | Undecided → Critical |
Changed in linux (Ubuntu Impish): | |
assignee: | nobody → gerald.yang (gerald-yang-tw) |
Changed in linux (Ubuntu Focal): | |
assignee: | nobody → gerald.yang (gerald-yang-tw) |
Changed in linux (Ubuntu Bionic): | |
assignee: | nobody → gerald.yang (gerald-yang-tw) |
tags: | added: sts |
no longer affects: | linux (Ubuntu Jammy) |
Changed in linux (Ubuntu Impish): | |
status: | New → Confirmed |
Changed in linux (Ubuntu Focal): | |
status: | New → Confirmed |
Changed in linux (Ubuntu Bionic): | |
status: | New → Confirmed |
Changed in linux (Ubuntu Impish): | |
status: | Confirmed → Fix Committed |
Changed in linux (Ubuntu Focal): | |
status: | Confirmed → Fix Committed |
Changed in linux (Ubuntu Bionic): | |
status: | Confirmed → Fix Committed |
Changed in linux (Ubuntu): | |
status: | Invalid → Fix Committed |
This one has been merged in the last upstream stable patch set