bpf_prog05 from ubuntu_ltp_syscalls fails on X/aws-hwe

Bug #1927794 reported by Kelsey Skunberg on 2021-05-07
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-kernel-tests
Undecided
Unassigned

Bug Description

Found on Xenial/aws-hwe 4.15.0-1102.109~16.04.1

Listed as not being fixed for CVE-2021-3444

842. 05/06 02:40:10 DEBUG| utils:0153| [stdout] bpf_prog05.c:144: TINFO: Check w7(-1) /= w6(0) [r7 = -1, r6 = 1 << 32]
843. 05/06 02:40:10 DEBUG| utils:0153| [stdout] bpf_prog05.c:121: TFAIL: src(r6) = 0, but should be 4294967296
844. 05/06 02:40:10 DEBUG| utils:0153| [stdout] bpf_prog05.c:123: TPASS: dst(r7) = 0
845. 05/06 02:40:10 DEBUG| utils:0153| [stdout] bpf_prog05.c:148: TINFO: Check w7(-1) %= w6(0) [r7 = -1, r6 = 1 << 32]
846. 05/06 02:40:10 DEBUG| utils:0153| [stdout] bpf_prog05.c:121: TFAIL: src(r6) = 0, but should be 4294967296
847. 05/06 02:40:10 DEBUG| utils:0153| [stdout] bpf_prog05.c:121: TFAIL: dst(r7) = 0, but should be 4294967295
848. 05/06 02:40:10 DEBUG| utils:0153| [stdout]
849. 05/06 02:40:10 DEBUG| utils:0153| [stdout] HINT: You _MAY_ be missing kernel fixes, see:
850. 05/06 02:40:10 DEBUG| utils:0153| [stdout]
851. 05/06 02:40:10 DEBUG| utils:0153| [stdout] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f6b1b3bf0d5f
852. 05/06 02:40:10 DEBUG| utils:0153| [stdout] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=468f6eafa6c4
853. 05/06 02:40:10 DEBUG| utils:0153| [stdout] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=e88b2c6e5a4d
854. 05/06 02:40:10 DEBUG| utils:0153| [stdout] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=9b00f1b78809
855. 05/06 02:40:10 DEBUG| utils:0153| [stdout]
856. 05/06 02:40:10 DEBUG| utils:0153| [stdout] HINT: You _MAY_ be vulnerable to CVE(s), see:
857. 05/06 02:40:10 DEBUG| utils:0153| [stdout]
858. 05/06 02:40:10 DEBUG| utils:0153| [stdout] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-CVE-2021-3444
859. 05/06 02:40:10 DEBUG| utils:0153| [stdout]
860. 05/06 02:40:10 DEBUG| utils:0153| [stdout] Summary:
861. 05/06 02:40:10 DEBUG| utils:0153| [stdout] passed 2
862. 05/06 02:40:10 DEBUG| utils:0153| [stdout] failed 3
863. 05/06 02:40:10 DEBUG| utils:0153| [stdout] broken 0
864. 05/06 02:40:10 DEBUG| utils:0153| [stdout] skipped 0
865. 05/06 02:40:10 DEBUG| utils:0153| [stdout] warnings 0
866. 05/06 02:40:10 DEBUG| utils:0153| [stdout] tag=bpf_prog05 stime=1620266599 dur=0 exit=exited stat=1 core=no cu=0 cs=0

CVE References

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

This is a new test case added 3 days ago:
https://github.com/linux-test-project/ltp/commit/8f260c5a2eb20d487c5207e9a026c3fe9d395043

Therefore I don't think this should be considered as a blocker.

tags: added: aws
Revision history for this message
Thadeu Lima de Souza Cascardo (cascardo) wrote :

You should see this failure on all 4.15 kernels. CVE-2021-3444 was due to differences in behavior on division by 0 but also on the 32-bit ALU32 bounds tracking. Our 4.15 kernels do not carry the ALU32 bounds tracking support, so are not vulnerable to the attack. We decided to keep the difference in behavior to avoid regressions.

We might decide to add the said commit and test it with this particular LTP test, if we decide there is more value than simply silencing a test failure. Given the reason that behavior change was introduced, I think it's worth it. We just need to take care not to introduce CVE-2021-3444 or other vulnerability when we do it.

Cascardo.

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

Confirmed with 4.15.0-143-generic, this issue exist just like Thadeu mentioned above:

<<<test_start>>>
tag=bpf_prog05 stime=1620817587
cmdline="bpf_prog05"
contacts=""
analysis=exit
<<<test_output>>>
incrementing stop
tst_buffers.c:55: TINFO: Test is using guarded buffers
tst_test.c:1313: TINFO: Timeout per run is 0h 05m 00s
bpf_common.c:17: TINFO: Raising RLIMIT_MEMLOCK to 69206016
tst_capability.c:29: TINFO: Dropping CAP_SYS_ADMIN(21)
bpf_common.c:114: TPASS: Loaded program
bpf_prog05.c:142: TINFO: Check w7(-1) /= w6(0) [r7 = -1, r6 = 1 << 32]
bpf_prog05.c:119: TFAIL: src(r6) = 0, but should be 4294967296
bpf_prog05.c:121: TPASS: dst(r7) = 0
bpf_prog05.c:146: TINFO: Check w7(-1) %= w6(0) [r7 = -1, r6 = 1 << 32]
bpf_prog05.c:119: TFAIL: src(r6) = 0, but should be 4294967296
bpf_prog05.c:119: TFAIL: dst(r7) = 0, but should be 4294967295

Revision history for this message
Guilherme G. Piccoli (gpiccoli) wrote :

Observed in B/KVM, cycle sru-20210510.

tags: added: bionic kvm linux-kvm sru-20210510
Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

Also seen with bionic/linux 4.15.0-144.148.

Revision history for this message
Ian (ian-may) wrote :

bionic/linux-aws: 4.15.0-1103.110

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

4.15.0-1103.110~16.04.1 aws

Revision history for this message
Guilherme G. Piccoli (gpiccoli) wrote :

Observed in B/KVM, cycle sru-20210531.

tags: added: sru-20210531
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers