[SRU] killfilter should handle updated/deleted executables

Bug #967931 reported by Dan Prince on 2012-03-29
10
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Medium
Dan Prince
Essex
Undecided
Unassigned
nova (Ubuntu)
Undecided
Unassigned
Precise
Undecided
Chuck Short

Bug Description

The KillFilter class used by rootwrapper currently relies on the /proc/PID/exe symlink to determine the command used to execute a process. This works fine until an executable is updated/deleted while a process is running.

The fix seems to be to strip ' (deleted)' off of the readlink command.

Related branches

CVE References

Dan Prince (dan-prince) wrote :

Here is an example:

[root@nova1 nova]# ll /proc/6227/exe
lrwxrwxrwx 1 root root 0 Mar 28 19:34 /proc/6227/exe -> /usr/sbin/dnsmasq (deleted)

For reference I *think* this is the relevant filesystem code that causes the ' (deleted)' to appear in proc:

http://git.kernel.org/?p=linux/kernel/git/stable/linux-stable.git;a=blob;f=fs/dcache.c;h=e441941c834d26a176db4f43aaa475747b4d2f2d;hb=HEAD#l2605

Changed in nova:
assignee: nobody → Dan Prince (dan-prince)
importance: Undecided → Medium
status: New → In Progress

Reviewed: https://review.openstack.org/5940
Committed: http://github.com/openstack/nova/commit/b24c11b4c390d6315efed595d1f92c2df6602bec
Submitter: Jenkins
Branch: master

commit b24c11b4c390d6315efed595d1f92c2df6602bec
Author: Dan Prince <email address hidden>
Date: Wed Mar 28 22:00:11 2012 -0400

    Update KillFilter to handle 'deleted' exe's.

    Updates KillFilter so that it handles the case where the executable
    linked to by /proc/PID/exe is updated or deleted.

    Fixes LP Bug #967931.

    Change-Id: I368a01383bf62b64b7579d573b8b84640dec03ae

Changed in nova:
status: In Progress → Fix Committed
Dan Prince (dan-prince) on 2012-04-27
Changed in nova:
status: Fix Committed → In Progress

Reviewed: https://review.openstack.org/6865
Committed: http://github.com/openstack/nova/commit/3d28e3d3f9cc755389c933e86b9be1edf8ba1dc3
Submitter: Jenkins
Branch: master

commit 3d28e3d3f9cc755389c933e86b9be1edf8ba1dc3
Author: Dan Prince <email address hidden>
Date: Fri Apr 27 09:36:34 2012 -0400

    Make KillFilter to handle 'deleted' w/o rstrip.

    The initial code for this fixed used rstrip incorrectly.
    This implementation uses endswith and rindex instead
    and should read a bit more easily.

    Also added a unit test to test that 'deleted' exe's are
    filtered correctly.

    Fixes LP Bug #967931.

    Change-Id: I1783a8e2d59edd35734673b23e295f5a0b80b988

Changed in nova:
status: In Progress → Fix Committed

post-mortem: This should have used a separate bug, so that we can track the incremental fix separately. Also I can't find a description of the symptoms of this incorrect rstrip use...

Reviewed: https://review.openstack.org/6834
Committed: http://github.com/openstack/nova/commit/facb936f0bfc6c78fdce93785078e78223b0ddf7
Submitter: Jenkins
Branch: stable/essex

commit facb936f0bfc6c78fdce93785078e78223b0ddf7
Author: Dan Prince <email address hidden>
Date: Wed Mar 28 22:00:11 2012 -0400

    Update KillFilter to handle 'deleted' exe's.

    Updates KillFilter so that it handles the case where the executable
    linked to by /proc/PID/exe is updated or deleted.

    Fixes LP Bug #967931.

    Also added a unit test to test that 'deleted' exe's are
    filtered correctly.

    (cherry picked from commit b24c11b and commit 3d28e3d)

    Change-Id: I368a01383bf62b64b7579d573b8b84640dec03ae

tags: added: in-stable-essex
Devin Carlen (devcamcar) on 2012-05-22
Changed in nova:
milestone: none → folsom-1
Thierry Carrez (ttx) on 2012-05-23
Changed in nova:
status: Fix Committed → Fix Released
Chuck Short (zulcss) on 2012-05-30
Changed in nova (Ubuntu):
status: New → In Progress
Changed in nova (Ubuntu Precise):
status: New → In Progress
Chuck Short (zulcss) on 2012-06-07
summary: - killfilter should handle updated/deleted executables
+ [SRU] killfilter should handle updated/deleted executables
Chuck Short (zulcss) wrote :

** Impact **

The KillFilter class used by rootwrapper currently relies on the /proc/PID/exe symlink to determine the command used to execute a process. This works fine until an executable is updated/deleted while a process is running.

** Development Fix **

This has been addressed in the trunk at https://review.openstack.org/6865 and fixed in quantal

** Stable Fix **

This has been addressed in the stable/essex tree at: https://review.openstack.org/6834

** Test Case **

Not available

** Regression Potential **

Minimal, if the process have (deleted) then the killfilter will remove them properly now.

** Regression Potential **

Chuck Short (zulcss) on 2012-06-08
Changed in nova (Ubuntu Precise):
assignee: nobody → Chuck Short (zulcss)
milestone: none → ubuntu-12.04.1
Chuck Short (zulcss) wrote :

Updated ** Test Case **

Run the following tests

./run_tests nova.tests.test_nova_rootwrap

Hello Dan, or anyone else affected,

Accepted nova into precise-proposed. The package will build now and be available in a few hours. Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you please change the bug tag from verification-needed to verification-done. If it does not, change the tag to verification-failed. In either case details of your testing will help us make a better decision. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in nova (Ubuntu Precise):
status: In Progress → Fix Committed
tags: added: verification-needed
Adam Gandelman (gandelman-a) wrote :

Please find the attached Jenkins job results from the Ubuntu Server Team's CI
infrastructure. As part of the verification process for this bug, Nova has
been deployed and configured across multiple nodes using precise-proposed as
an installation source. After successful bring-up and configuration of the
cluster, a number of exercises and smoke tests have be invoked to ensure the
updated package did not introduce any regressions. A number of test iterations
were carried out to catch any possible transient errors.

Note the list of installed packages at the top and bottom of the report.

For records of upstream test coverage of this update, please see the
Jenkins links in the comments of the relevant upstream code-review:

https://review.openstack.org/6834

As per the provisional Micro Release Exception granted to this package by
the Technical Board, we hope this contributes toward verification of this
update.

Dave Walker (davewalker) on 2012-07-03
tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package nova - 2012.1+stable~20120612-3ee026e-0ubuntu1

---------------
nova (2012.1+stable~20120612-3ee026e-0ubuntu1) precise-proposed; urgency=low

  * New upstream snapshot. (LP: #1010473)
  * Dropped, superseeded by new snapshot:
    - debian/patches/upstream/0001-fix-bug-where-nova-ignores-glance-host-in-imageref.patch
    - debian/patches/upstream/0002-Stop-libvirt-test-from-deleting-instances-dir.patch
    - debian/patches/upstream/0003-Allow-unprivileged-RADOS-users-to-access-rbd-volumes.patch
    - debian/patches/upstream/0004-Fixed-bug-962840-added-a-test-case.patch
    - debian/patches/upstream/0005-Populate-image-properties-with-project_id-again.patch
    - debian/patches/upstream/0006-Use-project_id-in-ec2.cloud._format_image.patc
    - debian/patches/CVE-2012-2101.patch
    - debian/patches/CVE-2012-2654.patch
  * Resynchronize with stable/essex:
    - 3ee026e Only invoke .lower() on non-None protocols. (LP: #1010514)
    - f0a9f47 Create a utf8 version of the dns_domains table. (LP: #993663)
    - 84a43e1 Report memory correctly on Xen. (LP: #997014)
    - 8c72924 Add libvirt get_console_output tests: pty and file. (LP: #990237)
    - 4e423cd Fix Multi_Scheduler to process host capabilities. (LP: #1000403)
    - 4aea7f1 Nail pep8 dependencies to 1.0.1
    - 2b3bbc4 handle updated qemu-img info output. (LP: #1000261)
    - 2d7d51c Fix type of snapshot_id column to match db. (LP: #962615)
    - ec70c69 Generate a Changelog for Nova
    - e5e890f Fix nova.tests.test_nova_rootwrap on Fedora 17. (LP: #992916)
    - 9e9a554 Ec2 handle strings with "0x" (LP: #983206)
    - 26dc6b7 QuantumManager will start dnsmasq during startup. Fixes (LP: #977759)
    - 7028d66 Introduced flag base_dir_name. (LP: #973194)
    - 76b525a Get unit tests functional in OS X.
    - facb936 Update KillFilter to handle 'deleted' exe's. (LP: #967931)
    - 1209af4 Checks if value is string or not before decode. (LP: #952176)
    - 1209af4 Fix timeout in EC2 CloudController.create_image(). (LP: #989764)
    - 108e74b Re-add console_log from console_console_output(). (LP: #987335)
    - 48a0768 Don't leak RPC connections on timeouts or other exceptions. (LP: #968843)
    - 7c64de9 Cloudpipe tap vpn not always working. (LP: #975043)
    - 5ab5051 add libvirt_inject_key flag fix (LP: #971640)
    - 6c68ef5 Xen: Pass session to destroy_vdi. (LP: #988615)
    - 015744e Delete fixed_ips when network is deleted. (LP: #754900)
  * Add debian/scripts/changelog.sh to help generate the changelog.
  * Add debian/nova-common.docs:
    - Include changelog and README.rst
  * debian/rules: Generate a tarball from git snapshot.
  * debian/patches/fix-pep8-errors.patch: Fix pep8 errors due to pep8 upstream
    migration.
 -- Chuck Short <email address hidden> Tue, 05 Jun 2012 09:50:59 -0400

Changed in nova (Ubuntu Precise):
status: Fix Committed → Fix Released
Chuck Short (zulcss) on 2012-07-31
Changed in nova (Ubuntu):
status: In Progress → Fix Released
Thierry Carrez (ttx) on 2012-09-27
Changed in nova:
milestone: folsom-1 → 2012.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers