Kernel security test test_022_aslr_hardy_vdso failed on Precise i386

Bug #1747630 reported by Po-Hsu Lin
This bug affects 1 person
Affects                 Status   Importance  Assigned to  Milestone
QA Regression Testing   Invalid  Undecided   Unassigned
ubuntu-kernel-tests     Invalid  Undecided   Unassigned
linux (Ubuntu)          Invalid  Medium      Unassigned

Bug Description

This issue can be reproduced in 3.2.0-133 in proposed and 3.2.0-131. So it should not be considered as a regression.

We didn't spot this issue until I tested the 3.2 kernel on one of the laptops (CID 201307-13930) in the Cert lab instead of using our regular regression-testing test pool from the kernel team this cycle.

  ======================================================================
  FAIL: test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
  ASLR of vdso
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 1863, in test_022_aslr_hardy_vdso
      self._test_aslr('vdso', expected)
    File "./test-kernel-security.py", line 1795, in _test_aslr
      self._test_aslr_all(area, expected, "unlimited stack %s" % area)
    File "./test-kernel-security.py", line 1772, in _test_aslr_all
      self._test_aslr_exec(area, expected, target, name)
    File "./test-kernel-security.py", line 1765, in _test_aslr_exec
      self.assertShellExitEquals(aslr_expected, ["./%s" % (target), area, "--verbose"], msg="%s:\n" % name)
    File "/home/ubuntu/autotest/client/tmp/ubuntu_qrt_kernel_security/src/qa-regression-testing/scripts/testlib.py", line 1134, in assertShellExitEquals
      self.assertEqual(expected, rc, msg + result + report)
  AssertionError: unlimited stack vdso native:
  Got exit code 1, expected 0
  Command: './aslr', 'vdso', '--verbose'
  Output:
  Checking ASLR of vdso:
   0x40022000
   0x40022000
   0x40022000
  FAIL: ASLR not functional (vdso always at 0x40022000)


Po-Hsu Lin (cypressyew)
tags: added: precise
description: updated
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1747630

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
tags: added: kernel-da-key
Sean Feole (sfeole) wrote :

Very old bug with no action on it; marking bug as incomplete and will close in 5 days if no update.

Changed in ubuntu-kernel-tests:
status: New → Incomplete
Changed in linux (Ubuntu):
status: Triaged → Incomplete
Po-Hsu Lin (cypressyew) wrote :

This issue can be reproduced on that specific system here.

3.2.0-135 on Precise.

Changed in ubuntu-kernel-tests:
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Po-Hsu Lin (cypressyew) wrote :

Note that I just found that this test is a bit flaky; the fail rate for this is about 50%, just like bug 1717856.

Po-Hsu Lin (cypressyew) wrote :

One more thing, I can see this issue on our lab HW, onibi with i386 Precise.

Steve Beattie (sbeattie) wrote :

Okay, the reason this test (and bug 1717856) fail sporadically is that ASLR in Precise for i386 has a very low number of random values for vdso and shared library offsets when ulimits are set such that unlimited stack sizes are allowed:

  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ uname -a
  Linux sec-precise-i386 3.2.0-142-generic #189-Ubuntu SMP Fri Jul 5 18:40:43 UTC 2019 i686 i686 i386 GNU/Linux
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s
  unlimited
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c
     1273 0x40000000
     8662 0x40022000
       65 0x40026000

Yes, all of 3 values, and 86% of the invocations result in one value. The shared library base values are slightly better, but not much:

  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report libs ; done | sort | uniq -c
      499 0x40003d80
      285 0x40016d80
      566 0x40025d80
     7608 0x40038d80
      295 0x4003cd80
      250 0x4003dd80
      167 0x4003ed80
      153 0x4003fd80
      177 0x40040d80

Compare this with the 3.13 results:

  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ uname -a
  Linux sec-trusty-i386 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:41:17 UTC 2019 i686 i686 i686 GNU/Linux
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s
  unlimited
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c | wc -l
  256

(output is piped into wc -l, because there are 256 distinct results.) So 8 bits of randomisation, which is not great, but better than >2.

The tests were added in response to http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html and fixes were applied for the 3.2.0-104.145 kernel.
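
To put numbers on the histograms in the comment above, the following is an added example (not part of the original thread or of the QRT test suite) that parses the `uniq -c` output and computes Shannon entropy, min-entropy and the chance that consecutive samples all land on the same address. It assumes the checker compares three samples, as the three addresses in the failing output suggest, and that the 256 values seen on 3.13 are uniformly distributed; all function names are hypothetical.

```python
import math

# Histograms copied from the `sort | uniq -c` output quoted in this thread (3.2 kernel).
VDSO_3_2 = """
   1273 0x40000000
   8662 0x40022000
     65 0x40026000
"""
LIBS_3_2 = """
    499 0x40003d80
    285 0x40016d80
    566 0x40025d80
   7608 0x40038d80
    295 0x4003cd80
    250 0x4003dd80
    167 0x4003ed80
    153 0x4003fd80
    177 0x40040d80
"""
# Assumption: the thread only gives the count of distinct values on 3.13 (256),
# so a uniform distribution over 256 slots is used as the best case.
UNIFORM_256 = {slot: 1 for slot in range(256)}

def parse_uniq_c(text):
    """Parse `uniq -c` lines ("<count> <hex address>") into {address: count}."""
    hist = {}
    for line in text.splitlines():
        if line.strip():
            count, addr = line.split()
            hist[int(addr, 16)] = int(count)
    return hist

def shannon_bits(hist):
    """Average-case entropy of the observed base addresses, in bits."""
    total = sum(hist.values())
    return -sum(c / total * math.log2(c / total) for c in hist.values())

def min_entropy_bits(hist):
    """Worst-case entropy: what a guess at the most common address faces."""
    return -math.log2(max(hist.values()) / sum(hist.values()))

def p_all_same(hist, samples=3):
    """Probability that `samples` independent runs all report one address."""
    total = sum(hist.values())
    return sum((c / total) ** samples for c in hist.values())

if __name__ == "__main__":
    cases = {"vdso 3.2": parse_uniq_c(VDSO_3_2), "libs 3.2": parse_uniq_c(LIBS_3_2),
             "uniform 256": UNIFORM_256}
    for name, h in cases.items():
        print(f"{name:12} values={len(h):3} shannon={shannon_bits(h):.2f} "
              f"min={min_entropy_bits(h):.2f} p_same3={p_all_same(h):.6f}")
```

Min-entropy is the figure to watch when judging ASLR strength, because a single dominant address determines how often a fixed guess succeeds regardless of how many rare values exist.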

Steve Beattie (sbeattie) wrote :

That said, at this point, I don't believe we are likely to fix this for 3.2 kernels, so adjusting the QRT test may be in order.

Po-Hsu Lin (cypressyew)
tags: added: ubuntu-qrt-kernel-security
Connor Kuehl (connork) wrote :

Precise ESM reached end of life in April 2019.

Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in ubuntu-kernel-tests:
status: Confirmed → Invalid
Changed in qa-regression-testing:
status: New → Invalid