test_182_config_hardened_usercopy in kernel security test failed with 4.15 KVM kernel

Bug #1766777 reported by Po-Hsu Lin on 2018-04-25
This bug affects 1 person
Affects Status Importance Assigned to Milestone
QA Regression Testing
linux-kvm (Ubuntu)
Kamal Mostafa

Bug Description

Test test_182_config_hardened_usercopy from the kernel security test suite failed with 4.15.0-1008 KVM kernel.

  FAIL: test_182_config_hardened_usercopy (__main__.KernelSecurityTest)
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2176, in test_182_config_hardened_usercopy
  AssertionError: False is not true

$ cat /boot/config-4.15.0-1008-kvm | grep CONFIG_HARDENED_USERCOPY

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1008-kvm 4.15.0-1008.8
ProcVersionSignature: User Name 4.15.0-1008.8-kvm 4.15.17
Uname: Linux 4.15.0-1008-kvm x86_64
NonfreeKernelModules: signpost
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Wed Apr 25 04:36:58 2018
 PATH=(custom, no user)
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :
Steve Beattie (sbeattie) wrote :

The test is correcty detecting that the bionic linux-kvm kernel CONFIG_HARDENED_USERCOPY is unset, which is inconsistent with the setting for the master bionic kernel.

Changed in qa-regression-testing:
status: New → Invalid
Changed in linux-kvm (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)
Kamal Mostafa (kamalmostafa) wrote :


Enabling CONFIG_HARDENED_USERCOPY would force CONFIG_BUG, because its Kconfig (improperly?) requires that. I've submitted this upstream to resolve that issue:

https://<email address hidden>/T/#u

Pending acceptance, we should apply that to linux-kvm before enabling HARDENED_USERCOPY.

Po-Hsu Lin (cypressyew) on 2018-07-09
Changed in ubuntu-kernel-tests:
status: New → In Progress
Po-Hsu Lin (cypressyew) wrote :

Test seems to be renamed:

FAIL: test_290_config_hardened_usercopy (__main__.KernelSecurityConfigTest)
Traceback (most recent call last):
File "./test-kernel-security.py", line 2475, in test_290_config_hardened_usercopy
File "./test-kernel-security.py", line 194, in assertKernelConfigSet
'%s option was expected to be set in the kernel config' % name)
AssertionError: HARDENED_USERCOPY option was expected to be set in the kernel config

Changed in linux-kvm (Ubuntu Bionic):
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

> Test seems to be renamed

Correct, I restructured the test script in question a bit, separating out the config checks from the behavioral checks.

Po-Hsu Lin (cypressyew) on 2018-07-30
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (36.1 KiB)

This bug was fixed in the package linux-kvm - 4.15.0-1020.20

linux-kvm (4.15.0-1020.20) bionic; urgency=medium

  * linux-kvm: 4.15.0-1020.20 -proposed tracker (LP: #1787158)

  * DEBUG_WX is not set in Bionic KVM kernel (LP: #1782721)
    - kvm: [Config] enable CONFIG_DEBUG_WX

  * test_182_config_hardened_usercopy in kernel security test failed with 4.15
    KVM kernel (LP: #1766777)
    - usercopy: Do not select BUG with HARDENED_USERCOPY
    - kvm: [Config] Enable CONFIG_HARDENED_USERCOPY

  [ Ubuntu: 4.15.0-33.36 ]

  * linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)
  * RTNL assertion failure on ipvlan (LP: #1776927)
    - ipvlan: drop ipv6 dependency
    - ipvlan: use per device spinlock to protect addrs list updates
    - SAUCE: fix warning from "ipvlan: drop ipv6 dependency"
  * ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941)
    - test_bpf: flag tests that cannot be jited on s390
  * HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689)
    - drm/nouveau: fix nouveau_dsm_get_client_id()'s return type
    - drm/radeon: fix radeon_atpx_get_client_id()'s return type
    - drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type
    - platform/x86: apple-gmux: fix gmux_get_client_id()'s return type
    - vga_switcheroo: set audio client id according to bound GPU id
  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets
  * Update2 for ocxl driver (LP: #1781436)
    - ocxl: Fix page fault handler in case of fault on dying process
  * netns: unable to follow an interface that moves to another netns
    (LP: #1774225)
    - net: core: Expose number of link up/down transitions
    - dev: always advertise the new nsid when the netns iface changes
    - dev: advertise the new ifindex when the netns iface changes
  * [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066)
    - block, bfq: fix occurrences of request finish method's old name
    - block, bfq: remove batches of confusing ifdefs
    - block, bfq: add requeue-request hook
  * HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763)
    - ALSA: hda: add mute led support for HP ProBook 455 G5
  * [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver
    (LP: #1781476)
    - i2c: xlp9xx: Fix issue seen when updating receive length
    - i2c: xlp9xx: Make sure the transfer size is not more than
  * x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486)
    - x86/kvm: fix LAPIC timer drift when guest uses periodic mode
  * Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823)
    - [Config:] d-i: Add ax88179_178a and r8152 to nic-modules
  * Nvidia fails after switching its mode (LP: #1778658)
    - PCI: Restore config space on runtime resume despite being unbound
  * Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3
  * CVE-2018-12232
    - PATCH 1/1] socket: cl...

Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Changed in linux-kvm (Ubuntu):
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers