test_190_config_kernel_fortify in kernel security test failed with 4.15 KVM kernel

Bug #1766774 reported by Po-Hsu Lin on 2018-04-25
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Po-Hsu Lin
linux-kvm (Ubuntu)
Po-Hsu Lin

Bug Description

== Justification ==
In the Bionic KVM kernel, the CONFIG_FORTIFY_SOURCE and
CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set, they need to be enabled to
meet the security team's requirement.

== Test ==
Before enabling the config, test case test_190_config_kernel_fortify and
test_250_config_security_perf_events_restrict will fail in the kernel
security testsuite for the kernel SRU regression test.

It will pass with these two patches applied, tested on a KVM node.

== Fix ==

== Regression Potential ==
No code changes, just two config changes without disabling any other configs.

BugLink: https://bugs.launchpad.net/bugs/1766780
BugLink: https://bugs.launchpad.net/bugs/1766774

Test test_190_config_kernel_fortify from the kernel security test suite failed with 4.15.0-1008 KVM kernel.

  FAIL: test_190_config_kernel_fortify (__main__.KernelSecurityTest)
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2186, in test_190_config_kernel_fortify
  AssertionError: False is not true

$ cat /boot/config-4.15.0-1008-kvm | grep CONFIG_FORTIFY_SOURCE

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1008-kvm 4.15.0-1008.8
ProcVersionSignature: User Name 4.15.0-1008.8-kvm 4.15.17
Uname: Linux 4.15.0-1008-kvm x86_64
NonfreeKernelModules: signpost
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Wed Apr 25 04:28:13 2018
 PATH=(custom, no user)
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :
Po-Hsu Lin (cypressyew) wrote :

A test kernel could be found here (along with the patch for bug 1766780:

no longer affects: qa-regression-testing
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → In Progress
Changed in linux-kvm (Ubuntu):
status: New → In Progress
description: updated
description: updated
description: updated
Po-Hsu Lin (cypressyew) on 2018-06-12
description: updated
Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew) on 2018-06-22
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Bionic):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :
Download full text (5.1 KiB)

This bug was fixed in the package linux-kvm - 4.15.0-1016.16

linux-kvm (4.15.0-1016.16) bionic; urgency=medium

  * linux-kvm: 4.15.0-1016.16 -proposed tracker (LP: #1782180)

  [ Ubuntu: 4.15.0-29.31 ]

  * linux: 4.15.0-29.31 -proposed tracker (LP: #1782173)
  * [SRU Bionic][Cosmic] kernel panic in ipmi_ssif at msg_done_handler
    (LP: #1777716)
    - ipmi_ssif: Fix kernel panic at msg_done_handler
  * Update to ocxl driver for 18.04.1 (LP: #1775786)
    - misc: ocxl: use put_device() instead of device_unregister()
    - powerpc: Add TIDR CPU feature for POWER9
    - powerpc: Use TIDR CPU feature to control TIDR allocation
    - powerpc: use task_pid_nr() for TID allocation
    - ocxl: Rename pnv_ocxl_spa_remove_pe to clarify it's action
    - ocxl: Expose the thread_id needed for wait on POWER9
    - ocxl: Add an IOCTL so userspace knows what OCXL features are available
    - ocxl: Document new OCXL IOCTLs
    - ocxl: Fix missing unlock on error in afu_ioctl_enable_p9_wait()
  * Critical upstream bugfix missing in Ubuntu 18.04 - frequent Xorg crash after
    suspend (LP: #1776887)
    - ocxl: Document the OCXL_IOCTL_GET_METADATA IOCTL
  * Hard LOCKUP observed on stressing Ubuntu 18 04 (LP: #1777194)
    - powerpc: use NMI IPI for smp_send_stop
    - powerpc: Fix smp_send_stop NMI IPI handling
  * IPL: ppc64_cpu --frequency hang with INFO: rcu_sched detected stalls on
    CPUs/tasks on w34 and wsbmc016 with 920.1714.20170330n (LP: #1773964)
    - rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
  * [Regression] EXT4-fs error (device sda2): ext4_validate_block_bitmap:383:
    comm stress-ng: bg 4705: bad block bitmap checksum (LP: #1781709)
    - SAUCE: Revert "UBUNTU: SAUCE: ext4: fix ext4_validate_inode_bitmap: comm
      stress-ng: Corrupt inode bitmap"
    - SAUCE: ext4: check for allocation block validity with block group locked

  [ Ubuntu: 4.15.0-28.30 ]

  * linux: 4.15.0-28.30 -proposed tracker (LP: #1781433)
  * Cannot set MTU higher than 1500 in Xen instance (LP: #1781413)
    - xen-netfront: Fix mismatched rtnl_unlock
    - xen-netfront: Update features after registering netdev

linux-kvm (4.15.0-1015.15) bionic; urgency=medium

  * linux-kvm: 4.15.0-1015.15 -proposed tracker (LP: #1781068)

  [ Ubuntu: 4.15.0-27.29 ]

  * linux: 4.15.0-27.29 -proposed tracker (LP: #1781062)
  * [Regression] EXT4-fs error (device sda1): ext4_validate_inode_bitmap:99:
    comm stress-ng: Corrupt inode bitmap (LP: #1780137)
    - SAUCE: ext4: fix ext4_validate_inode_bitmap: comm stress-ng: Corrupt inode

linux-kvm (4.15.0-1014.14) bionic; urgency=medium

  * linux-kvm: 4.15.0-1014.14 -proposed tracker (LP: #1780119)

  [ Ubuntu: 4.15.0-26.28 ]

  * linux: 4.15.0-26.28 -proposed tracker (LP: #1780112)
  * failure to boot with linux-image-4.15.0-24-generic (LP: #1779827) // Cloud-
    init causes potentially huge boot delays with 4.15 kernels (LP: #1780062)
    - random: Make getrandom() ready earlier

linux-kvm (4.15.0-1013.13) bionic; urgency=medium

  * linux-kvm: 4.15.0-1013.13 -proposed tracker (LP: #1779363)

  * test_190_config_kernel_fortify in kernel security test failed with 4.15 KVM
    kernel (LP: #1766774)


Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew) on 2018-08-01
Changed in ubuntu-kernel-tests:
status: Fix Committed → Fix Released
Changed in linux-kvm (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers