test_061_guard_page (CVE-2010-2240) failed with Artful kernel

Bug #1699751 reported by Po-Hsu Lin
This bug affects 1 person
Affects: linux (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Seth Forshee

Bug Description

Ubuntu 4.11.0-8.13-generic

This test case failed on both of our testing nodes, archytas and michael.

 FAIL: test_061_guard_page (__main__.KernelSecurityTest)
 Userspace stack guard page exists (CVE-2010-2240)
 ----------------------------------------------------------------------
 Traceback (most recent call last):
 File "./test-kernel-security.py", line 512, in test_061_guard_page
 self.assertShellExitIn(expected_signals, ["./guard-page"])
 File "/home/ubuntu/autotest/client/tmp/ubuntu_qrt_kernel_security/src/qa-regression-testing/scripts/testlib.py", line 1139, in assertShellExitIn
 self.assertIn(rc, expected, msg + result + report)
 AssertionError: Got exit code 0, expected one of -11, -7
 Command: './guard-page'
 Output:
 7fff03e6f000-7fff03e90000 rw-p 00000000 00:00 0 [stack]
 Target: 0x7fff03e6e000
 7fff03e6f000-7fff03e90000 rw-p 00000000 00:00 0 [stack]
 Unexpectedly survived stack crash into mapped segment

Full log: http://pastebin.ubuntu.com/24923862/

Tags: artful
Joseph Salisbury (jsalisbury) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1699751

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: artful
Seth Forshee (sforshee) wrote :

The test was failing because the implementation details of the stack guard area in the kernel changed. Previously there was a single guard page within the vma for the stack; now the kernel treats a range of addresses just below the vma as the guard region.

The test was placing a fixed mmap region directly below the stack vma. In the new implementation that means this mmap was over the topmost portion of the guard region, and there is no guard region between the stack and this mapping. So when the test blew the stack it would start modifying the contents of that page, which the test would detect and treat as a failure.

A simple fix has been committed to the test, which leaves a gap of one page between the stack and the mapping. For the old implementation, the stack will be extended by one page when it hits the original guard region and then receive SIGSEGV once it hits the new guard page. With the new implementation the test receives SIGSEGV as soon as it hits the page directly below the stack. (Note that for this test, receiving SIGSEGV before modifying the contents of the memory mapping is the expected result.)

Changed in linux (Ubuntu):
assignee: nobody → Seth Forshee (sforshee)
status: Incomplete → Invalid
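
The reasoning in the comment above, as an added example (not the code of the `guard-page` test or of the kernel): a simplified model of both guard schemes applied to the `[stack]` line from the failing run. The names `stack_start`, `overflow`, `PAGE` and `GUARD_GAP` are hypothetical, the 256-page gap is the kernel's default `stack_guard_gap` rather than a value from this report, and the mapping is assumed to end exactly at `map_end`.

```c
#include <stdio.h>
#include <string.h>

#define PAGE      0x1000UL
#define GUARD_GAP (256 * PAGE)   /* default stack_guard_gap of the range-based scheme */

enum model   { OLD_GUARD_PAGE, NEW_GUARD_GAP };
enum outcome { GOT_SIGSEGV, CLOBBERED_MAPPING };

/* Find the [stack] line in /proc/<pid>/maps text and return its start address. */
static int stack_start(const char *maps, unsigned long *start) {
    while (*maps) {
        size_t n = strcspn(maps, "\n");
        char line[256];
        if (n < sizeof line) {
            memcpy(line, maps, n);
            line[n] = '\0';
            if (strstr(line, "[stack]") && sscanf(line, "%lx-", start) == 1)
                return 0;
        }
        maps += n + (maps[n] == '\n');
    }
    return -1;
}

/* Simplified model of a stack overflow walking down one page at a time.
 * vm_start: bottom of the stack vma; map_end: end of the test's fixed mapping
 * (page-aligned, map_end <= vm_start). */
static enum outcome overflow(enum model m, unsigned long vm_start, unsigned long map_end) {
    for (;;) {
        if (m == OLD_GUARD_PAGE) {            /* fault on lowest page of the vma */
            if (map_end == vm_start) return GOT_SIGSEGV;  /* neighbour abuts */
            vm_start -= PAGE;                 /* otherwise grow by one page */
        } else {
            unsigned long addr = vm_start - PAGE;         /* page just below vma */
            if (addr < map_end) return CLOBBERED_MAPPING; /* mapped: no fault */
            if (addr - map_end < GUARD_GAP) return GOT_SIGSEGV; /* growth refused */
            vm_start = addr;
        }
    }
}

int main(void) {
    /* maps line copied from the failing run quoted in the report */
    const char *maps = "7fff03e6f000-7fff03e90000 rw-p 00000000 00:00 0 [stack]\n";
    unsigned long s;
    if (stack_start(maps, &s)) return 1;
    printf("adjacent, new: %d\n", overflow(NEW_GUARD_GAP, s, s));
    printf("one-page gap, new: %d\n", overflow(NEW_GUARD_GAP, s, s - PAGE));
    return 0;
}
```

Passing `map_end == vm_start` reproduces the original placement (mapping directly below the vma); `vm_start - PAGE` is the placement after the fix.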