patch linux kernel to latest

[mars64]

What would you like to be added:

Considering the recent DirtyPipe exploit, and seeing as the latest ami (1.21.5-20220303 as of this writing) doesn't include a kernel version reported as patched, this feature request is to upgrade kernel version in the ami(s) to a known-patched level. According to cinlin.io (referencing the kernel patch sha of 9d2231c5d74e13b2a0546fee6737ee4446017903) the kernel patch has been backported. Judging by the current implementation of a 5.4.x kernel (in the 1.21 ami at least), the ami should be upgraded to at least 5.4.181.

Why is this needed:

This feature request is intended to disambiguate the issues of kernel updating.

For example, a question came up whether to expedite upgrading the kernel to 5.10.x due to DirtyPipe -- I suspect this to be a distinct issue (especially considering the thread discussing only bundling for k8s 1.22.x release).

[edit]

I just discovered scripts/upgrade_kernel.sh which appears to use some amazon-linux-extras helper to manage packages, including kernel. So I took a peak at my 1.21.5-20220303-based eks node:

[ec2-user@ip-w-x-y-z ~]$ yum list kernel
Loaded plugins: dkms-build-requires, nvidia, priorities, update-motd, versionlock
7 packages excluded due to repository priority protections
Installed Packages
kernel.x86_64                                                              4.14.262-200.489.amzn2                                                              installed
kernel.x86_64                                                              5.4.176-91.338.amzn2                                                                @amzn2extra-kernel-5.4
Available Packages
kernel.x86_64                                                              5.4.181-99.354.amzn2                                                                amzn2extra-kernel-5.4

So, the patched kernel is available on the amazon-linux-extras helpers repository, which I think means this ami simply needs to be built & pushed again. Is that right?

[tazle]

Does the kernel in the current AMI include the patch (torvalds/linux@f6dd975) that introduced the vulnerability in the first place? It was never included in 5.4 LTS releases as far as I can tell.

I checked that e.g. Ubuntu 20.04 5.4 kernel seems to have never included it, but I wasn't able to find Amazon Linux kernel sources easily to repeat the check there.

[beezly]

@tazle https://alas.aws.amazon.com/AL2/ALASKERNEL-5.4-2022-023.html claims to fix CVE-2022-0847 for the AL2 5.4 kernels.

[tazle]

I see pipe_buf_operations anon_pipe_buf_nomerge_ops is still present in https://github.com/amazonlinux/linux/tree/amazon-5.4.y/master. It would have been removed by torvalds/linux@f6dd975, which is the commit that introduced CVE-2022-0847.

https://github.com/amazonlinux/linux/tree/amazon-5.4.y/master is supposedly the source for Amazon Linux 5.4 kernel series (though I cannot find the tag for the kernel we are running on the EKS worker I inspected), which makes me wonder if CVE-2022-0847 is only included in the ALAS2KERNEL-5.4-2022-023 list because it happens to include upstream 5.4.181, which does include the mitigation commit or CVE-2022-0847 even though the upstream 5.4 series never was vulnerable as far as I can tell.

[ravisinha0506]

As per the below instruction in ReadMe, please feel free to cut a ticket to AWS Security if there are any open issues with the latest release.

For security issues or concerns, please do not open an issue or pull request on GitHub. Please report any suspected or confirmed security issues to AWS Security https://aws.amazon.com/security/vulnerability-reporting/