remap_4K_pfn() safety improvement needed for Ubuntu 14.10

Bug #1352994 reported by bugproxy
Affects          Status        Importance  Assigned to   Milestone
linux (Ubuntu)   Fix Released  Medium      Tim Gardner
Utopic           Fix Released  Medium      Tim Gardner

Bug Description

== Comment: #0 - Brian Hart <email address hidden> - 2014-08-04 17:41:57 ==
---Problem Description---
The current implementation of remap_4k_pfn() trusts that it's safe to map the PFN supplied by the requestor. But there may be PFNs that are not safe to map via remap_4k_pfn(). (For example, the addresses at which PCI MMIO regions are mapped in some hypervisor configurations.) When an unsafe PFN passes through remap_4k_pfn() some address bits may be unknowingly dropped by the underlying remapping routines. When that happens the remap will appear to succeed, but any later attempt to use the mapping will checkstop the machine because the truncated target address is not present in the machine.

A patch has been submitted that will cause remap_4k_pfn() to detect and reject these unsafe requests:

https://lists.ozlabs.org/pipermail/linuxppc-dev/2014-July/119179.html

Our project needs some form of this safety improvement in the Ubuntu 14.10 release.

---uname output---
Linux tul115p1 3.16.0-6-generic #11-Ubuntu SMP Mon Jul 28 02:00:45 UTC 2014 ppc64le ppc64le ppc64le GNU/Linux

Machine Type = 8286-42A

---Debugger---
A debugger is not configured

---Steps to Reproduce---
 The problem requires a hypervisor that allows PCI MMIO regions to span above the 46-bit line, and a device driver that maps MMIO regions using remap_4k_pfn().

I can provide detailed instructions and a driver upon request.

Stack trace output:
 no

Oops output:
 no

System Dump Info:
  The system is not configured to capture a system dump.
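The failure the report describes, an oversized PFN losing its high bits on the way into the PTE so the mapping "succeeds" but points somewhere else, is easy to model outside the kernel. The following C program is an added illustration, not code from the report or the upstream patch; the PTE layout (4K page, a real-page-number field sized for a 46-bit physical address, so 34 PFN bits) and the function names `pte_store_pfn_unchecked`, `pfn_fits_pte` and `remap_4k_pfn_checked` are constructed for the example and are not the real ppc64 definitions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the PTE layout, not the real ppc64 headers:
 * a 4K page and a real-page-number (RPN) field that can only hold
 * the PFN bits of a 46-bit physical address, so RPN_BITS = 46 - 12 = 34. */
#define PAGE_SHIFT     12
#define PHYS_ADDR_BITS 46
#define RPN_BITS       (PHYS_ADDR_BITS - PAGE_SHIFT)
#define RPN_MASK       ((1ULL << RPN_BITS) - 1)

/* Unsafe path: the PFN is written into the RPN field through a mask, so any
 * bit at or above RPN_BITS is silently dropped and the PTE ends up pointing
 * at a different physical address than the one requested. */
static uint64_t pte_store_pfn_unchecked(uint64_t pfn)
{
    return pfn & RPN_MASK;
}

/* Physical address that a PTE carrying 'stored_pfn' actually targets. */
static uint64_t pte_target_phys(uint64_t stored_pfn)
{
    return stored_pfn << PAGE_SHIFT;
}

/* Does this PFN fit in the RPN field without losing bits? (1 = yes) */
static int pfn_fits_pte(uint64_t pfn)
{
    return (pfn & ~RPN_MASK) == 0;
}

/* Hardened path, modelled on the fix the report asks for: refuse the
 * request with -EINVAL instead of creating a silently wrong mapping.
 * Hypothetical name; the real function is a kernel macro. */
static int remap_4k_pfn_checked(uint64_t pfn, uint64_t *stored_pfn)
{
    if (!pfn_fits_pte(pfn))
        return -EINVAL;
    *stored_pfn = pte_store_pfn_unchecked(pfn);
    return 0;
}

int main(void)
{
    /* Constructed example: an MMIO region placed above the 46-bit line. */
    uint64_t mmio_phys = 1ULL << 47;
    uint64_t pfn = mmio_phys >> PAGE_SHIFT;
    uint64_t stored;
    int rc;

    printf("requested phys 0x%llx, pfn 0x%llx, fits=%d\n",
           (unsigned long long)mmio_phys, (unsigned long long)pfn,
           pfn_fits_pte(pfn));

    stored = pte_store_pfn_unchecked(pfn);
    printf("unchecked: PTE targets 0x%llx (high bits lost)\n",
           (unsigned long long)pte_target_phys(stored));

    rc = remap_4k_pfn_checked(pfn, &stored);
    printf("checked: rc=%d (%s)\n", rc, rc ? "rejected" : "mapped");
    return 0;
}
```

With the unchecked path the 2^47 target collapses to physical address 0, which is exactly the "remap appears to succeed, later access checkstops" pattern in the report; the checked path returns an error the driver can surface at probe time instead.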


bugproxy (bugproxy)
tags: added: architecture-ppc64le bugnameltc-114193 severity-critical targetmilestone-inin---
Luciano Chavez (lnx1138)
affects: ubuntu → linux (Ubuntu)
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1352994

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
bugproxy (bugproxy) wrote : Comment bridged from LTC Bugzilla

------- Comment From <email address hidden> 2014-08-06 04:53 EDT-------
This isn't really a problem requiring further diagnosis. Rather, it's an issue with the Power Linux kernel whose root cause is already understood and for which a patch has been submitted. The patch has not yet been accepted, but we hope that it will be soon.

We're just asking here that Ubuntu incorporate the patch if/when it goes into mainline.

So I hope this meets the criteria necessary for a change to 'Confirmed' in LP.

bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2014-08-06 14:37 EDT-------
The patch for this is now in linux-next as of next-20140806.
See commit eeb03a6eaa02e9171f91e385c52a69b159fc6117

Luciano Chavez (lnx1138)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-da-key targetmilestone-inin---ppc64el
removed: targetmilestone-inin---
bugproxy (bugproxy)
tags: added: targetmilestone-inin---
removed: targetmilestone-inin---ppc64el
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2014-08-12 16:22 EDT-------
This patch is now in mainline with commit id eeb03a6eaa02e9171f91e385c52a69b159fc6117.

Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Utopic):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.16.0-8.13

---------------
linux (3.16.0-8.13) utopic; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1356403

  [ dann frazier ]

  * [debian] Allow for package revisions condusive for branching

  [ Upstream Kernel Changes ]

  * ahci_xgene: Fix the watermark threshold for the APM X-Gene SATA host controller driver.
    - LP: #1350087
  * ahci_xgene: Use correct OOB tunning parameters for APM X-Gene SoC AHCI SATA Host controller driver.
    - LP: #1350087
  * powerpc/powernv: Enable M64 aperatus for PHB3
    - LP: #1355469
  * powerpc: Fail remap_4k_pfn() if PFN doesn't fit inside PTE
    - LP: #1352994
  * powerpc: Add machine_early_initcall()
    - LP: #1352640
  * powerpc/powernv: Switch powernv drivers to use machine_xxx_initcall()
    - LP: #1352640
  * powerpc/eeh: Avoid event on passed PE
    - LP: #1352640
  * powerpc/eeh: EEH support for VFIO PCI device
    - LP: #1352640
  * powerpc/eeh: sysfs entries lost
    - LP: #1352640
  * powerpc/powernv: Fix IOMMU table for VFIO dev
    - LP: #1352640
  * powerpc/eeh: Fetch IOMMU table in reliable way
    - LP: #1352640
  * powerpc/eeh: Refactor EEH flag accessors
    - LP: #1352640
  * powerpc/eeh: Selectively enable IO for error log
    - LP: #1352640
  * powerpc/eeh: Reduce lines of log dump
    - LP: #1352640
  * powerpc/eeh: Replace pr_warning() with pr_warn()
    - LP: #1352640
  * powerpc/eeh: Make diag-data not endian dependent
    - LP: #1352640
  * powerpc/eeh: Aux PE data for error log
    - LP: #1352640
  * PCI: Support BAR sizes up to 128GB
    - LP: #1352640
  * powerpc/powernv: Allow to freeze PE
    - LP: #1352640
  * powerpc/powernv: Split ioda_eeh_get_state()
    - LP: #1352640
  * powerpc/powernv: Handle compound PE
    - LP: #1352640
  * powerpc/powernv: Handle compound PE for EEH
    - LP: #1352640
  * powerpc/powernv: Handle compound PE in config accessors
    - LP: #1352640
  * mnt: Only change user settable mount flags in remount
    - LP: #1356318
    - CVE-2014-5206
  * mnt: Move the test for MNT_LOCK_READONLY from change_mount_flags into do_remount
    - LP: #1356318
    - CVE-2014-5206
  * mnt: Correct permission checks in do_remount
    - LP: #1356323
    - CVE-2014-5207
  * mnt: Change the default remount atime from relatime to the existing value
    - LP: #1356323
    - CVE-2014-5207
 -- Tim Gardner <email address hidden> Sun, 10 Aug 2014 09:10:51 -0600

Changed in linux (Ubuntu Utopic):
status: Fix Committed → Fix Released
bugproxy (bugproxy)
tags: added: targetmilestone-inin1410
removed: targetmilestone-inin---
bugproxy (bugproxy) wrote :

------- Comment From <email address hidden> 2014-08-14 16:59 EDT-------
Thank you Canonical!
