execveat03 in ubuntu_ltp_syscalls failed on X/B

Bug #1786729 reported by Po-Hsu Lin on 2018-08-13
This bug affects 1 person
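Affects: ubuntu-kernel-tests | Importance: Undecided | Assigned to: Po-Hsu Lin
Affects: linux (Ubuntu) | Importance: Undecided | Assigned to: Unassigned
Affects: Xenial | Importance: Undecided | Assigned to: Po-Hsu Lin
Affects: Bionic | Importance: Undecided | Assigned to: Po-Hsu Lin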

Bug Description

== Justification ==
The code in cap_inode_getsecurity(), introduced by commit 8db6c34f1dbc
("Introduce v3 namespaced file capabilities"), should use
d_find_any_alias() instead of d_find_alias() to handle unhashed dentry
correctly. This is needed, for example, if execveat() is called with an
open but unlinked overlayfs file, because overlayfs unhashes dentry on
unlink.
This is a regression affecting a real-life application, first reported at
https://www.spinics.net/lists/linux-unionfs/msg05363.html

With the execveat03 test in the LTP test suite on an affected kernel, it will fail with:
<<<test_start>>>
tag=execveat03 stime=1534135632
cmdline="execveat03"
contacts=""
analysis=exit
<<<test_output>>>
incrementing stop
tst_test.c:1017: INFO: Timeout per run is 0h 05m 00s
execveat03.c:70: FAIL: execveat() returned unexpected errno: EINVAL

Summary:
passed 0
failed 1
skipped 0
warnings 0

== Fix ==
355139a8 (cap_inode_getsecurity: use d_find_any_alias() instead of
 d_find_alias())

It can be cherry-picked for Bionic, but it needs to be backported to Xenial along with the logic when we backport 8db6c34f1dbc (bug 1778286).

The test kernel for Xenial / Bionic can be found here:
http://people.canonical.com/~phlin/kernel/lp-1786729-execveat03/

This patch has already been cherry-picked into Cosmic and Unstable.

== Regression Potential ==
Low, this patch just uses a correct function to handle unhashed dentry, and it's been applied in both upstream and our newer kernel.

== Test Case ==
Run the reproducer in the commit message, or
run the execveat03 test in the ubuntu_ltp_syscalls test suite. It will pass with the patched kernel.

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: linux-image-4.4.0-1064-aws 4.4.0-1064.74
ProcVersionSignature: User Name 4.4.0-1064.74-aws 4.4.140
Uname: Linux 4.4.0-1064-aws x86_64
ApportVersion: 2.20.1-0ubuntu2.18
Architecture: amd64
Date: Mon Aug 13 04:51:09 2018
Ec2AMI: ami-529fb82a
Ec2AMIManifest: (unknown)
Ec2AvailabilityZone: us-west-2b
Ec2InstanceType: x1e.xlarge
Ec2Kernel: unavailable
Ec2Ramdisk: unavailable
SourcePackage: linux-aws
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :
Po-Hsu Lin (cypressyew) on 2018-08-13
no longer affects: ubuntu-kernel-tests

As expected, this failure could be found in generic kernel as well.

summary: - execveat03 in ubuntu_ltp_syscalls failed on Xenial AWS
+ execveat03 in ubuntu_ltp_syscalls failed on Xenial
summary: - execveat03 in ubuntu_ltp_syscalls failed on Xenial
+ execveat03 in ubuntu_ltp_syscalls failed on X/B
tags: added: bionic

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1786729

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Seth Forshee (sforshee) wrote :

From the test case source:

    Check if an unlinked executable can run in overlayfs mount.
    The regression is introduced from 8db6c34f1dbc ("Introduce v3
    namespaced file capabilities"). in security/commoncap.c,
    cap_inode_getsecurity() use d_find_alias() cause unhashed dentry
    can't be found. The solution could use d_find_any_alias() instead of
    d_find_alias().

    From kernel 4.14, this case is expected fails, execveat shell
    return EINVAL.

I checked upstream and the code still uses d_find_alias(). There's a patch that is in Eric Biederman's userns-testing branch but not linux-next:

https://patchwork.kernel.org/patch/10560165/

So ... given that this has always been in bionic and we're only noticing because some test specifically for this problem failed, I don't see that it's something urgent to fix. I think we can just add the fix to the next upload.

Seth Forshee (sforshee) wrote :

Cherry picked fix from linux-next for cosmic and unstable.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Seth Forshee (sforshee) wrote :

Applied this fix to cosmic and unstable. I've also uploaded a new unstable kernel, so will put it through testing after it builds to confirm the problem is fixed.

Changed in linux (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.18.0-7.8

---------------
linux (4.18.0-7.8) cosmic; urgency=medium

  * linux: 4.18.0-7.8 -proposed tracker (LP: #1789459)

  * pmtu.sh fails on 4.18 kernel (LP: #1789436)
    - SAUCE: Revert "vti6: fix PMTU caching and reporting on xmit"

 -- Seth Forshee <email address hidden> Tue, 28 Aug 2018 11:08:51 -0500

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) wrote :

Mark it as incomplete while waiting for verifications.

Changed in ubuntu-kernel-tests:
status: New → Incomplete
Sean Feole (sfeole) wrote :

This test appears to be passing now on 4.18.0-7.8 on Bionic - AMD64, still waiting on AWS to start, however looks better than the previous kernel already.

The test still fails due to bug: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1788351

2983. 08/29 13:00:44 DEBUG| utils:0153| [stdout] tag=execveat03 stime=1535547644
2984. 08/29 13:00:44 DEBUG| utils:0153| [stdout] cmdline="execveat03"
2985. 08/29 13:00:44 DEBUG| utils:0153| [stdout] contacts=""
2986. 08/29 13:00:44 DEBUG| utils:0153| [stdout] analysis=exit
2987. 08/29 13:00:44 DEBUG| utils:0153| [stdout] <<<test_output>>>
2988. 08/29 13:00:44 DEBUG| utils:0153| [stdout] tst_test.c:1017: INFO: Timeout per run is 0h 05m 00s
2989. 08/29 13:00:44 DEBUG| utils:0153| [stdout] execveat_child.c:36: PASS: execveat_child run as expected
2990. 08/29 13:00:44 DEBUG| utils:0153| [stdout]
2991. 08/29 13:00:44 DEBUG| utils:0153| [stdout] Summary:
2992. 08/29 13:00:44 DEBUG| utils:0153| [stdout] passed 1
2993. 08/29 13:00:44 DEBUG| utils:0153| [stdout] failed 0
2994. 08/29 13:00:44 DEBUG| utils:0153| [stdout] skipped 0
2995. 08/29 13:00:44 DEBUG| utils:0153| [stdout] warnings 0

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-aws - 4.18.0-1002.3

---------------
linux-aws (4.18.0-1002.3) cosmic; urgency=medium

  * linux-aws: 4.18.0-1002.3 -proposed tracker (LP: #1796944)

  * iptables --list --numeric fails on -virtual kernel / -virtual missing
    bpfilter (LP: #1795036)
    - [Config] add bpfilter.ko to generic inclusion list

  [ Ubuntu: 4.18.0-9.10 ]

  * linux: 4.18.0-9.10 -proposed tracker (LP: #1796346)
  * Cosmic update: v4.18.12 upstream stable release (LP: #1796139)
    - crypto: skcipher - Fix -Wstringop-truncation warnings
    - iio: adc: ina2xx: avoid kthread_stop() with stale task_struct
    - tsl2550: fix lux1_input error in low light
    - misc: ibmvmc: Use GFP_ATOMIC under spin lock
    - vmci: type promotion bug in qp_host_get_user_memory()
    - siox: don't create a thread without starting it
    - x86/numa_emulation: Fix emulated-to-physical node mapping
    - staging: rts5208: fix missing error check on call to rtsx_write_register
    - power: supply: axp288_charger: Fix initial constant_charge_current value
    - misc: sram: enable clock before registering regions
    - serial: sh-sci: Stop RX FIFO timer during port shutdown
    - uwb: hwa-rc: fix memory leak at probe
    - power: vexpress: fix corruption in notifier registration
    - iommu/amd: make sure TLB to be flushed before IOVA freed
    - Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
    - USB: serial: kobil_sct: fix modem-status error handling
    - 6lowpan: iphc: reset mac_header after decompress to fix panic
    - iommu/msm: Don't call iommu_device_{,un}link from atomic context
    - s390/mm: correct allocate_pgste proc_handler callback
    - power: remove possible deadlock when unregistering power_supply
    - drm/amd/display/dc/dce: Fix multiple potential integer overflows
    - drm/amd/display: fix use of uninitialized memory
    - md-cluster: clear another node's suspend_area after the copy is finished
    - cxgb4: Fix the condition to check if the card is T5
    - RDMA/bnxt_re: Fix a couple off by one bugs
    - RDMA/i40w: Hold read semaphore while looking after VMA
    - RDMA/bnxt_re: Fix a bunch of off by one bugs in qplib_fp.c
    - IB/core: type promotion bug in rdma_rw_init_one_mr()
    - media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
    - IB/mlx4: Test port number before querying type.
    - powerpc/kdump: Handle crashkernel memory reservation failure
    - media: fsl-viu: fix error handling in viu_of_probe()
    - vhost_net: Avoid tx vring kicks during busyloop
    - media: staging/imx: fill vb2_v4l2_buffer field entry
    - IB/mlx5: Fix GRE flow specification
    - include/rdma/opa_addr.h: Fix an endianness issue
    - x86/tsc: Add missing header to tsc_msr.c
    - ARM: hwmod: RTC: Don't assume lock/unlock will be called with irq enabled
    - x86/entry/64: Add two more instruction suffixes
    - ARM: dts: ls1021a: Add missing cooling device properties for CPUs
    - scsi: target/iscsi: Make iscsit_ta_authentication() respect the output
      buffer size
    - thermal: i.MX: Allow thermal probe to fail gracefully in case of bad
      calibration.
    - scsi: klist: Make it safe to use klists in...

Changed in linux-aws (Ubuntu):
status: New → Fix Released
Po-Hsu Lin (cypressyew) wrote :

Still seeing this on 4.4.0-138.164~14.04.1 Trusty, P8 is not affected as this is not supported:

AMD64:
 tag=execveat03 stime=1538879774
 cmdline="execveat03"
 contacts=""
 analysis=exit
 <<<test_output>>>
 tst_test.c:1072: INFO: Timeout per run is 0h 05m 00s
 execveat03.c:74: FAIL: execveat() returned unexpected errno: EINVAL

P8:
 tag=execveat03 stime=1539075477
 cmdline="execveat03"
 contacts=""
 analysis=exit
 <<<test_output>>>
 tst_test.c:1072: INFO: Timeout per run is 0h 05m 00s
 ../../../../include/lapi/execveat.h:37: CONF: syscall(-1) __NR_execveat not supported

Po-Hsu Lin (cypressyew) on 2018-10-22
Changed in ubuntu-kernel-tests:
status: Incomplete → Confirmed
Po-Hsu Lin (cypressyew) on 2018-10-23
description: updated
Po-Hsu Lin (cypressyew) on 2018-10-23
Changed in ubuntu-kernel-tests:
status: Confirmed → In Progress
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Xenial):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Xenial):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Po-Hsu Lin (cypressyew)
Po-Hsu Lin (cypressyew) on 2018-10-24
description: updated
description: updated
Po-Hsu Lin (cypressyew) on 2018-10-24
description: updated
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew) on 2018-11-12
no longer affects: linux-aws (Ubuntu)
no longer affects: linux-aws (Ubuntu Xenial)
no longer affects: linux-aws (Ubuntu Bionic)
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
Po-Hsu Lin (cypressyew) wrote :

Passed with Bionic SRU tests.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Po-Hsu Lin (cypressyew) wrote :

Passed with Xenial SRU tests.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Po-Hsu Lin (cypressyew) on 2018-11-20
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-42.45

---------------
linux (4.15.0-42.45) bionic; urgency=medium

  * linux: 4.15.0-42.45 -proposed tracker (LP: #1803592)

  * [FEAT] Guest-dedicated Crypto Adapters (LP: #1787405)
    - KVM: s390: reset crypto attributes for all vcpus
    - KVM: s390: vsie: simulate VCPU SIE entry/exit
    - KVM: s390: introduce and use KVM_REQ_VSIE_RESTART
    - KVM: s390: refactor crypto initialization
    - s390: vfio-ap: base implementation of VFIO AP device driver
    - s390: vfio-ap: register matrix device with VFIO mdev framework
    - s390: vfio-ap: sysfs interfaces to configure adapters
    - s390: vfio-ap: sysfs interfaces to configure domains
    - s390: vfio-ap: sysfs interfaces to configure control domains
    - s390: vfio-ap: sysfs interface to view matrix mdev matrix
    - KVM: s390: interface to clear CRYCB masks
    - s390: vfio-ap: implement mediated device open callback
    - s390: vfio-ap: implement VFIO_DEVICE_GET_INFO ioctl
    - s390: vfio-ap: zeroize the AP queues
    - s390: vfio-ap: implement VFIO_DEVICE_RESET ioctl
    - KVM: s390: Clear Crypto Control Block when using vSIE
    - KVM: s390: vsie: Do the CRYCB validation first
    - KVM: s390: vsie: Make use of CRYCB FORMAT2 clear
    - KVM: s390: vsie: Allow CRYCB FORMAT-2
    - KVM: s390: vsie: allow CRYCB FORMAT-1
    - KVM: s390: vsie: allow CRYCB FORMAT-0
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-1
    - KVM: s390: vsie: allow guest FORMAT-1 CRYCB on host FORMAT-2
    - KVM: s390: vsie: allow guest FORMAT-0 CRYCB on host FORMAT-2
    - KVM: s390: device attrs to enable/disable AP interpretation
    - KVM: s390: CPU model support for AP virtualization
    - s390: doc: detailed specifications for AP virtualization
    - KVM: s390: fix locking for crypto setting error path
    - KVM: s390: Tracing APCB changes
    - s390: vfio-ap: setup APCB mask using KVM dedicated function
    - s390/zcrypt: Add ZAPQ inline function.
    - s390/zcrypt: Review inline assembler constraints.
    - s390/zcrypt: Integrate ap_asm.h into include/asm/ap.h.
    - s390/zcrypt: fix ap_instructions_available() returncodes
    - s390/zcrypt: remove VLA usage from the AP bus
    - s390/zcrypt: Remove deprecated ioctls.
    - s390/zcrypt: Remove deprecated zcrypt proc interface.
    - s390/zcrypt: Support up to 256 crypto adapters.
    - [Config:] Enable CONFIG_S390_AP_IOMMU and set CONFIG_VFIO_AP to module.

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * CVE-2018-18955: nested user namespaces with more than five extents
    incorrectly grant privileges over inode (LP: #1801924) // CVE-2018-18955
    - userns: also map extents in the reverse map to kernel IDs

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

 -- Thadeu Lima de Souza Cascardo <email address hidden> Thu, 15 Nov 2018 17:01:46 ...


Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-140.166

---------------
linux (4.4.0-140.166) xenial; urgency=medium

  * linux: 4.4.0-140.166 -proposed tracker (LP: #1802776)

  * Bypass of mount visibility through userns + mount propagation (LP: #1789161)
    - mount: Retest MNT_LOCKED in do_umount
    - mount: Don't allow copying MNT_UNBINDABLE|MNT_LOCKED mounts

  * kdump fail due to an IRQ storm (LP: #1797990)
    - SAUCE: x86/PCI: Export find_cap() to be used in early PCI code
    - SAUCE: x86/quirks: Add parameter to clear MSIs early on boot
    - SAUCE: x86/quirks: Scan all busses for early PCI quirks

  * crash in ENA driver on removing an interface (LP: #1802341)
    - SAUCE: net: ena: fix crash during ena_remove()

  * xenial guest on arm64 drops to busybox under openstack bionic-rocky
    (LP: #1797092)
    - [Config] CONFIG_PCI_ECAM=y
    - PCI: Provide common functions for ECAM mapping
    - PCI: generic, thunder: Use generic ECAM API
    - PCI, of: Move PCI I/O space management to PCI core code
    - PCI: Move ecam.h to linux/include/pci-ecam.h
    - PCI: Add parent device field to ECAM struct pci_config_window
    - PCI: Add pci_unmap_iospace() to unmap I/O resources
    - PCI/ACPI: Support I/O resources when parsing host bridge resources
    - [Config] CONFIG_ACPI_MCFG=y
    - PCI/ACPI: Add generic MCFG table handling
    - PCI: Refactor pci_bus_assign_domain_nr() for CONFIG_PCI_DOMAINS_GENERIC
    - PCI: Factor DT-specific pci_bus_find_domain_nr() code out
    - ARM64: PCI: Add acpi_pci_bus_find_domain_nr()
    - ARM64: PCI: ACPI support for legacy IRQs parsing and consolidation with DT
      code
    - ARM64: PCI: Support ACPI-based PCI host controller

  * [GLK/CLX] Enhanced IBRS (LP: #1786139)
    - x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
    - x86/speculation: Support Enhanced IBRS on future CPUs

  * Update ENA driver to version 2.0.1K (LP: #1798182)
    - net: ena: remove ndo_poll_controller
    - net: ena: fix warning in rmmod caused by double iounmap
    - net: ena: fix rare bug when failed restart/resume is followed by driver
      removal
    - net: ena: fix NULL dereference due to untimely napi initialization
    - net: ena: fix auto casting to boolean
    - net: ena: minor performance improvement
    - net: ena: complete host info to match latest ENA spec
    - net: ena: introduce Low Latency Queues data structures according to ENA spec
    - net: ena: add functions for handling Low Latency Queues in ena_com
    - net: ena: add functions for handling Low Latency Queues in ena_netdev
    - net: ena: use CSUM_CHECKED device indication to report skb's checksum status
    - net: ena: explicit casting and initialization, and clearer error handling
    - net: ena: limit refill Rx threshold to 256 to avoid latency issues
    - net: ena: change rx copybreak default to reduce kernel memory pressure
    - net: ena: remove redundant parameter in ena_com_admin_init()
    - net: ena: update driver version to 2.0.1
    - net: ena: fix indentations in ena_defs for better readability
    - net: ena: Fix Kconfig dependency on X86
    - net: ena: enable Low Latency Queues
    - net: ena: fix compilat...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released