test_182_config_hardened_usercopy in kernel security test failed with 4.15 KVM kernel

Bug #1766777 reported by Po-Hsu Lin
Affects | Status | Importance | Assigned to | Milestone
QA Regression Testing | Invalid | Undecided | Unassigned |
ubuntu-kernel-tests | Fix Released | Undecided | Unassigned |
linux-kvm (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Fix Released | Undecided | Kamal Mostafa |

Bug Description

Test test_182_config_hardened_usercopy from the kernel security test suite failed with 4.15.0-1008 KVM kernel.

  FAIL: test_182_config_hardened_usercopy (__main__.KernelSecurityTest)
  Ensure CONFIG_HARDENED_USERCOPY is set
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2176, in test_182_config_hardened_usercopy
      self.assertTrue(self._test_config(config_name))
  AssertionError: False is not true

The CONFIG_HARDENED_USERCOPY is not set.
$ cat /boot/config-4.15.0-1008-kvm | grep CONFIG_HARDENED_USERCOPY
# CONFIG_HARDENED_USERCOPY is not set

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1008-kvm 4.15.0-1008.8
ProcVersionSignature: User Name 4.15.0-1008.8-kvm 4.15.17
Uname: Linux 4.15.0-1008-kvm x86_64
NonfreeKernelModules: signpost
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Wed Apr 25 04:36:58 2018
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)

Po-Hsu Lin (cypressyew) wrote :

Steve Beattie (sbeattie) wrote :

The test is correctly detecting that the bionic linux-kvm kernel CONFIG_HARDENED_USERCOPY is unset, which is inconsistent with the setting for the master bionic kernel.

Changed in qa-regression-testing:
status: New → Invalid
Changed in linux-kvm (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Kamal Mostafa (kamalmostafa)
Kamal Mostafa (kamalmostafa) wrote :

Notes:

Enabling CONFIG_HARDENED_USERCOPY would force CONFIG_BUG, because its Kconfig (improperly?) requires that. I've submitted this upstream to resolve that issue:

https://<email address hidden>/T/#u

Pending acceptance, we should apply that to linux-kvm before enabling HARDENED_USERCOPY.

Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → In Progress
Po-Hsu Lin (cypressyew) wrote :

Test seems to be renamed:

  FAIL: test_290_config_hardened_usercopy (__main__.KernelSecurityConfigTest)
  Ensure CONFIG_HARDENED_USERCOPY is set
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2475, in test_290_config_hardened_usercopy
      self.assertKernelConfigSet(config_name)
    File "./test-kernel-security.py", line 194, in assertKernelConfigSet
      '%s option was expected to be set in the kernel config' % name)
  AssertionError: HARDENED_USERCOPY option was expected to be set in the kernel config

Changed in linux-kvm (Ubuntu Bionic):
status: In Progress → Fix Committed
Steve Beattie (sbeattie) wrote :

> Test seems to be renamed

Correct, I restructured the test script in question a bit, separating out the config checks from the behavioral checks.

Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.15.0-1020.20

---------------
linux-kvm (4.15.0-1020.20) bionic; urgency=medium

  * linux-kvm: 4.15.0-1020.20 -proposed tracker (LP: #1787158)

  * DEBUG_WX is not set in Bionic KVM kernel (LP: #1782721)
    - kvm: [Config] enable CONFIG_DEBUG_WX

  * test_182_config_hardened_usercopy in kernel security test failed with 4.15
    KVM kernel (LP: #1766777)
    - usercopy: Do not select BUG with HARDENED_USERCOPY
    - kvm: [Config] Enable CONFIG_HARDENED_USERCOPY

  [ Ubuntu: 4.15.0-33.36 ]

  * linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)
  * RTNL assertion failure on ipvlan (LP: #1776927)
    - ipvlan: drop ipv6 dependency
    - ipvlan: use per device spinlock to protect addrs list updates
    - SAUCE: fix warning from "ipvlan: drop ipv6 dependency"
  * ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941)
    - test_bpf: flag tests that cannot be jited on s390
  * HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689)
    - drm/nouveau: fix nouveau_dsm_get_client_id()'s return type
    - drm/radeon: fix radeon_atpx_get_client_id()'s return type
    - drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type
    - platform/x86: apple-gmux: fix gmux_get_client_id()'s return type
    - ALSA: hda: use PCI_BASE_CLASS_DISPLAY to replace PCI_CLASS_DISPLAY_VGA
    - vga_switcheroo: set audio client id according to bound GPU id
  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets
  * Update2 for ocxl driver (LP: #1781436)
    - ocxl: Fix page fault handler in case of fault on dying process
  * netns: unable to follow an interface that moves to another netns
    (LP: #1774225)
    - net: core: Expose number of link up/down transitions
    - dev: always advertise the new nsid when the netns iface changes
    - dev: advertise the new ifindex when the netns iface changes
  * [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066)
    - block, bfq: fix occurrences of request finish method's old name
    - block, bfq: remove batches of confusing ifdefs
    - block, bfq: add requeue-request hook
  * HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763)
    - ALSA: hda: add mute led support for HP ProBook 455 G5
  * [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver
    (LP: #1781476)
    - i2c: xlp9xx: Fix issue seen when updating receive length
    - i2c: xlp9xx: Make sure the transfer size is not more than
      I2C_SMBUS_BLOCK_SIZE
  * x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486)
    - x86/kvm: fix LAPIC timer drift when guest uses periodic mode
  * Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823)
    - [Config:] d-i: Add ax88179_178a and r8152 to nic-modules
  * Nvidia fails after switching its mode (LP: #1778658)
    - PCI: Restore config space on runtime resume despite being unbound
  * Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3
  * CVE-2018-12232
    - PATCH 1/1] socket: cl...

Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in linux-kvm (Ubuntu):
status: New → Fix Released
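
The check at the centre of this report, as an added example (not the code of test-kernel-security.py): it parses a kernel config file and reports required hardening options that are not built in. Unlike the grep in the description, which also matches the "is not set" line, it treats that line and a missing entry as failures. The sample texts, the REQUIRED list and the function names are assumptions made for illustration.

```python
import re

# Constructed sample mirroring the state reported in this bug.
SAMPLE_BEFORE = """\
# Security options
CONFIG_SECURITY=y
# CONFIG_HARDENED_USERCOPY is not set
# CONFIG_DEBUG_WX is not set
"""

# Constructed sample mirroring the state after the 4.15.0-1020.20 changelog.
SAMPLE_AFTER = """\
CONFIG_SECURITY=y
CONFIG_HARDENED_USERCOPY=y
CONFIG_DEBUG_WX=y
"""

_SET = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")

def parse_kernel_config(text):
    """Map option name (without CONFIG_) to its value; explicitly unset maps to None."""
    options = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            options[m.group(1)] = m.group(2)
            continue
        m = _UNSET.match(line)
        if m:
            options[m.group(1)] = None
    return options

def missing_options(text, required):
    """Return the required bool options that are not built in (=y), in input order."""
    options = parse_kernel_config(text)
    return [name for name in required if options.get(name) != "y"]

REQUIRED = ["HARDENED_USERCOPY", "DEBUG_WX"]  # assumption: the two options this changelog enables

if __name__ == "__main__":
    import platform, sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/boot/config-" + platform.release()
    with open(path) as fh:
        missing = missing_options(fh.read(), REQUIRED)
    print("missing:", ", ".join(missing) if missing else "none")
    sys.exit(1 if missing else 0)
```

Run with a config path as the only argument, or with no argument to check the running kernel's /boot/config file; the exit status is non-zero when any required option is missing.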