Ubuntu
linux-kvm package

linux-kvm 4.15 needs CONFIG_VMAP_STACK set

Bug #1764985 reported by Po-Hsu Lin
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QA Regression Testing
Fix Released
Undecided
Unassigned
linux (Ubuntu)
Invalid
Undecided
Unassigned
Declined for Artful by Steve Beattie
Bionic
Invalid
Undecided
Unassigned
linux-kvm (Ubuntu)
Fix Released
Undecided
Kamal Mostafa
Declined for Artful by Steve Beattie
Bionic
Fix Released
Undecided
Kamal Mostafa

Bug Description

test_181_config_vmap_stack in ubuntu_qrt_kernel_security_test has failed with 4.15.0-1004-kvm

  FAIL: test_181_config_vmap_stack (__main__.KernelSecurityTest)
  Ensure kernel stack isolation is set
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2149, in test_181_config_vmap_stack
      self.assertEqual(self._get_config('VMAP_STACK'), expected)
  AssertionError: None != 'y'

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1004-kvm 4.15.0-1004.4
ProcVersionSignature: User Name 4.15.0-1004.4-kvm 4.15.15
Uname: Linux 4.15.0-1004-kvm x86_64
ApportVersion: 2.20.9-0ubuntu5
Architecture: amd64
Date: Wed Apr 18 09:29:03 2018
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)

CVE References

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :
Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1764985

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Po-Hsu Lin (cypressyew) wrote : Re: test_181_config_vmap_stack failed with 4.15 KVM kernel

This issue can be found on Artful 4.13 ARM64 as well. (both moonshot and thunderX)

tags: added: artful
summary: - test_181_config_vmap_stack failed with 4.15 KVM kernel
+ test_181_config_vmap_stack failed with 4.15 KVM / 4.13 ARM64 kernel
Revision history for this message
Steve Beattie (sbeattie) wrote : Re: test_181_config_vmap_stack failed with 4.15 KVM / 4.13 ARM64 kernel

Hi Po-Hsu,

For artful/arm64, when I implemented the test, I hadn't realized CONFIG_VMAP_STACK had been backported to the 4.13/artful kernel (in 7b7dbeeef3b73294e525f368b03c3890459992a6). I have fixed the qrt test to reflect that in https://git.launchpad.net/qa-regression-testing/commit/?id=6cda576b8fc2f3c6f08d7f6a0bd7408918180ab8 .

For bionic 4.15/linux-kvm, the kernel config there is missing having CONFIG_VMAP_STACK set:

  $ grep VMAP_STACK debian.kvm/config/config.common.ubuntu
  CONFIG_HAVE_ARCH_VMAP_STACK=y
  # CONFIG_VMAP_STACK is not set

The security team would like to see that fixed.

Thanks!

Changed in linux-kvm (Ubuntu Bionic):
status: New → Confirmed
Changed in qa-regression-testing:
status: New → Fix Released
Changed in linux (Ubuntu Bionic):
status: Incomplete → Invalid
summary: - test_181_config_vmap_stack failed with 4.15 KVM / 4.13 ARM64 kernel
+ linux-kvm 4.15 needs CONFIG_VMAP_STACK set
Kamal Mostafa (kamalmostafa)
Changed in linux-kvm (Ubuntu Bionic):
status: Confirmed → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)
Kamal Mostafa (kamalmostafa)
Changed in linux-kvm (Ubuntu Bionic):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (3.7 KiB)

This bug was fixed in the package linux-kvm - 4.15.0-1010.10

---------------
linux-kvm (4.15.0-1010.10) bionic; urgency=medium

  [ Ubuntu: 4.15.0-22.24 ]

  * CVE-2018-3639 (powerpc)
    - powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit
    - stf-barrier: set eieio instruction bit 6 for future optimisations
  * CVE-2018-3639 (x86)
    - x86/nospec: Simplify alternative_msr_write()
    - x86/bugs: Concentrate bug detection into a separate function
    - x86/bugs: Concentrate bug reporting into a separate function
    - x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
    - x86/bugs, KVM: Support the combination of guest and host IBRS
    - x86/bugs: Expose /sys/../spec_store_bypass
    - x86/cpufeatures: Add X86_FEATURE_RDS
    - x86/bugs: Provide boot parameters for the spec_store_bypass_disable
      mitigation
    - x86/bugs/intel: Set proper CPU features and setup RDS
    - x86/bugs: Whitelist allowed SPEC_CTRL MSR values
    - x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested
    - x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
    - x86/speculation: Create spec-ctrl.h to avoid include hell
    - prctl: Add speculation control prctls
    - x86/process: Allow runtime control of Speculative Store Bypass
    - x86/speculation: Add prctl for Speculative Store Bypass mitigation
    - nospec: Allow getting/setting on non-current task
    - proc: Provide details on speculation flaw mitigations
    - seccomp: Enable speculation flaw mitigations
    - x86/bugs: Make boot modes __ro_after_init
    - prctl: Add force disable speculation
    - seccomp: Use PR_SPEC_FORCE_DISABLE
    - seccomp: Add filter flag to opt-out of SSB mitigation
    - seccomp: Move speculation migitation control to arch code
    - x86/speculation: Make "seccomp" the default mode for Speculative Store
      Bypass
    - x86/bugs: Rename _RDS to _SSBD
    - proc: Use underscores for SSBD in 'status'
    - Documentation/spec_ctrl: Do some minor cleanups
    - x86/bugs: Fix __ssb_select_mitigation() return type
    - x86/bugs: Make cpu_show_common() static
  * LSM Stacking prctl values should be redefined as to not collide with
    upstream prctls (LP: #1769263) // CVE-2018-3639
    - SAUCE: LSM stacking: adjust prctl values

linux-kvm (4.15.0-1009.9) bionic; urgency=medium

  * linux-kvm: 4.15.0-1009.9 -proposed tracker (LP: #1767409)

  * linux-image-4.15.0-20-generic install after upgrade from xenial breaks
    (LP: #1767133)
    - Packaging: Depends on linux-base that provides the necessary tools

  * Unable to start docker application with B-KVM kernel (LP: #1763630)
    - kvm: [config] enable NF_NAT, NF_CONNTRACK
    - kvm: [config] enable IP_NF_TABLES

  * test_078_SLAB_freelist_randomization failed on 4.15 KVM kernel
    (LP: #1764975)
    - kvm: [config] enable CONFIG_SLAB_FREELIST_{HARDENED,RANDOM}

  * linux-kvm 4.15 needs CONFIG_VMAP_STACK set (LP: #1764985)
    - kvm: [config] enable CONFIG_VMAP_STACK

  * test_140_kernel_modules_not_tainted in kernel security test failed with 4.15
    kvm kernel (LP: #1766832)
    - kvm: [config] enable CONFIG_MODULE_UNLOAD

  [ Ubuntu: 4.15.0-21.22 ]

  * linu...

Read more...

Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor)
Changed in linux-kvm (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.