patch linux kernel to latest #882
Comments
Does the kernel in the current AMI include the patch (torvalds/linux@f6dd975) that introduced the vulnerability in the first place? It was never included in 5.4 LTS releases as far as I can tell. I checked that e.g. the Ubuntu 20.04 5.4 kernel seems to have never included it, but I wasn't able to find Amazon Linux kernel sources easily to repeat the check there.

@tazle https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-023.html claims to fix CVE-2022-0847 for the AL2 5.4 kernels.

I see that the pipe_buf_operations `anon_pipe_buf_nomerge_ops` is still present in https://github.com/amazonlinux/linux/tree/amazon-5.4.y/master. It would have been removed by torvalds/linux@f6dd975, which is the commit that introduced CVE-2022-0847. https://github.com/amazonlinux/linux/tree/amazon-5.4.y/master is supposedly the source for the Amazon Linux 5.4 kernel series (though I cannot find the tag for the kernel we are running on the EKS worker I inspected), which makes me wonder if CVE-2022-0847 is only included in the ALAS2KERNEL-5.4-2022-023 list because it happens to include upstream 5.4.181, which does include the mitigation commit for CVE-2022-0847, even though the upstream 5.4 series never was vulnerable as far as I can tell.
As per the below instruction in ReadMe, please feel free to cut a ticket to AWS Security if there are any open issues with the latest release.
What would you like to be added:
Considering the recent DirtyPipe exploit, and seeing as the latest AMI (`1.21.5-20220303` as of this writing) doesn't include a kernel version reported as patched, this feature request is to upgrade the kernel version in the AMI(s) to a known-patched level. According to cinlin.io (referencing the kernel patch sha `9d2231c5d74e13b2a0546fee6737ee4446017903`) the kernel patch has been backported. Judging by the current implementation of a `5.4.x` kernel (in the `1.21` AMI at least), the AMI should be upgraded to at least `5.4.181`.

Why is this needed:
This feature request is intended to disambiguate the issues of kernel updating.
For example, a question came up whether to expedite upgrading the kernel to `5.10.x` due to DirtyPipe -- I suspect this to be a distinct issue (especially considering the thread discussing only bundling for the k8s `1.22.x` release).

[edit]
I just discovered scripts/upgrade_kernel.sh which appears to use some `amazon-linux-extras` helper to manage packages, including `kernel`. So I took a peek at my `1.21.5-20220303`-based EKS node:

So, the patched kernel is available on the `amazon-linux-extras` helpers repository, which I think means this AMI simply needs to be built & pushed again. Is that right?
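The two checks this thread does by hand, written up as an added shell example that is not part of the issue, the amazon-eks-ami project or the Amazon Linux kernel tree: a kernel-release comparison against the level a CVE-2022-0847 fix shipped in, and tazle's grep for `anon_pipe_buf_nomerge_ops` in `fs/pipe.c` (the symbol that torvalds/linux@f6dd975, the commit that introduced the bug, removed). Assumptions: the script name `dirtypipe_check.sh` is made up; the upstream fix levels 5.10.102, 5.15.25 and 5.16.11 are the stable releases carrying 9d2231c; `5.4.181` is the level this thread takes from the ALASKERNEL-5.4-2022-023 advisory for the AL2 backport (upstream 5.4 never contained f6dd975, which landed in 5.8); and the `pipe.c` excerpts written by `write_sample_pipe_c` are constructed stand-ins, not the real file contents.

```shell
#!/bin/sh
# dirtypipe_check.sh (assumed name): added example, not code from the
# amazon-eks-ami project or the Amazon Linux kernel tree.
#
# Usage: sh dirtypipe_check.sh "$(uname -r)" [path/to/fs/pipe.c]

# kver_base RELEASE -> "MAJ.MIN.PATCH", dropping the distro suffix,
# e.g. "5.4.181-99.354.amzn2.x86_64" -> "5.4.181".
kver_base() {
  printf '%s\n' "${1%%[!0-9.]*}"
}

# version_ge A B -> exit 0 when dotted version A >= B (numeric, three parts;
# a missing part counts as 0, so "5.10" == "5.10.0").
version_ge() {
  a=$(kver_base "$1"); b=$(kver_base "$2")
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s\n' "$a" | cut -d. -f"$i")
    y=$(printf '%s\n' "$b" | cut -d. -f"$i")
    x=${x:-0}; y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# dirtypipe_fix_level RELEASE -> first release of that stable series that
# carries the CVE-2022-0847 fix, or "" when no level is known for the series.
# 5.10/5.15/5.16 are upstream stable; 5.4.181 is the AL2 advisory level
# cited in this thread (assumption: the advisory is authoritative for AL2).
dirtypipe_fix_level() {
  case "$(kver_base "$1")" in
    5.4.*)  echo 5.4.181 ;;
    5.10.*) echo 5.10.102 ;;
    5.15.*) echo 5.15.25 ;;
    5.16.*) echo 5.16.11 ;;
    *)      echo "" ;;
  esac
}

# dirtypipe_status RELEASE -> prints patched | unpatched | unknown |
# not-affected-upstream. Exit 0 for patched/not-affected, 1 for unpatched,
# 2 for unknown. Series below 5.8 never had f6dd975 upstream, so they are
# only affected where a distro backported it (which is what the 5.4 entry
# above is for).
dirtypipe_status() {
  lvl=$(dirtypipe_fix_level "$1")
  if [ -n "$lvl" ]; then
    if version_ge "$1" "$lvl"; then echo patched; return 0; fi
    echo unpatched; return 1
  fi
  if version_ge "$1" 5.8.0; then echo unknown; return 2; fi
  echo not-affected-upstream; return 0
}

# has_nomerge_ops FILE -> exit 0 when the given pipe.c still defines
# anon_pipe_buf_nomerge_ops, i.e. the tree predates f6dd975 and so never
# received the merge that made pipe buffers mergeable (tazle's check above).
has_nomerge_ops() {
  grep -q 'anon_pipe_buf_nomerge_ops' "$1"
}

# write_sample_pipe_c pre|post PATH -> constructed excerpts standing in for
# fs/pipe.c before and after f6dd975 (sample data, not the real file).
write_sample_pipe_c() {
  case "$1" in
    pre)
      printf '%s\n' \
        'static const struct pipe_buf_operations anon_pipe_buf_nomerge_ops = {' \
        '        .release = anon_pipe_buf_release,' \
        '};' > "$2" ;;
    post)
      printf '%s\n' \
        'static const struct pipe_buf_operations anon_pipe_buf_ops = {' \
        '        .release = anon_pipe_buf_release,' \
        '};' > "$2" ;;
    *) return 1 ;;
  esac
}

# Command-line entry point; does nothing when sourced or run without arguments.
if [ "$#" -gt 0 ]; then
  printf '%s: %s\n' "$1" "$(dirtypipe_status "$1")"
  if [ -n "${2:-}" ]; then
    if has_nomerge_ops "$2"; then
      echo "$2: anon_pipe_buf_nomerge_ops present (tree predates f6dd975)"
    else
      echo "$2: anon_pipe_buf_nomerge_ops absent (f6dd975 applied, or not pipe.c)"
    fi
  fi
fi
```

On an EKS worker, `sh dirtypipe_check.sh "$(uname -r)"` reports the version verdict; with a checkout of the amazonlinux/linux branch, `sh dirtypipe_check.sh "$(uname -r)" fs/pipe.c` adds the source check, which is the one that answers tazle's question (whether the vulnerable code was ever in the tree) rather than the advisory's question (whether the fix commit is in it). The two can disagree, as the thread notes: a 5.4 tree can be below 5.4.181 and still have `anon_pipe_buf_nomerge_ops`, which means the bug was never there to fix.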