enable CONFIG_CPU_SW_DOMAIN_PAN for raspi2/raspi3

Bug #1683505 reported by Leann Ogasawara on 2017-04-17
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux-raspi2 (Ubuntu)
Undecided
Unassigned
Xenial
Undecided
Unassigned
Yakkety
Undecided
Unassigned
Zesty
Undecided
Unassigned

Bug Description

Kees Cook is requesting the following be enabled for our Raspi2/3 enabled kernel:

config CPU_SW_DOMAIN_PAN
        bool "Enable use of CPU domains to implement privileged no-access"
        depends on MMU && !ARM_LPAE
        default y
        help
          Increase kernel security by ensuring that normal kernel accesses
          are unable to access userspace addresses. This can help prevent
          use-after-free bugs becoming an exploitable privilege escalation
          by ensuring that magic values (such as LIST_POISON) will always
          fault when dereferenced.

          CPUs with low-vector mappings use a best-efforts implementation.
          Their lower 1MB needs to remain accessible for the vectors, but
          the remainder of userspace will become appropriately inaccessible.

Similarly, Kees noted that all the configs from ubuntu's 4.8 new defaults seem to be missing for raspi2/3. e.g.:

CONFIG_HARDENED_USERCOPY=y
CONFIG_SLAB_FREELIST_RANDOM=y
CONFIG_DEBUG_LIST=y
CONFIG_DEBUG_CREDENTIALS=y

Kees also noted that it may ust be armhf/arm64 issue with the config.common.ubuntu being out of sync because fixing that solved his missing configs.

I suspect what actually needs to happen is a full config review comparison for our linux-raspi2 kernel.

CVE References

description: updated
description: updated
Paolo Pisati (p-pisati) wrote :

Xenial doesn't have CONFIG_HARDENED_USERCOPY and CONFIG_SLAB_FREELIST_RANDOM, while CONFIG_DEBUG_LIST and CONFIG_DEBUG_CREDENTIALS are off in -generic (so i'm not taking these into consideration) - the only eligible options there is CPU_SW_DOMAIN_PAN.

In Yakkety, CONFIG_DEBUG_CREDENTIALS and CONFIG_DEBUG_LIST are off in -generic (except for DEBUG_LIST being =y for s390x) so i'm not taking these in consideration, HARDENED_USERCOPY was already =y, while the rest should be synced with -generic.

In Zeisty CONFIG_DEBUG_CREDENTIALS and CONFIG_DEBUG_LIST are off in -generic, so i'm not taking these in consideration, while the rest should be synced.

Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Fix Committed
tags: added: verification-done-xenial
Launchpad Janitor (janitor) wrote :
Download full text (10.2 KiB)

This bug was fixed in the package linux-raspi2 - 4.4.0-1057.64

---------------
linux-raspi2 (4.4.0-1057.64) xenial; urgency=low

  * linux-raspi2: 4.4.0-1057.64 -proposed tracker (LP: #1692040)

  * linux xenial derivatives fail to build (LP: #1691814)
    - [Packaging] Set do_tools_common in common vars
    - [Packaging] Do not build tools-common

linux-raspi2 (4.4.0-1056.63) xenial; urgency=low

  * linux-raspi2: 4.4.0-1056.63 -proposed tracker (LP: #1691182)

  * enable CONFIG_CPU_SW_DOMAIN_PAN for raspi2/raspi3 (LP: #1683505)
    - [Config] CPU_SW_DOMAIN_PAN=y

  [ Ubuntu: 4.4.0-79.100 ]

  * linux: 4.4.0-79.100 -proposed tracker (LP: #1691180)
  * linux-aws/linux-gke incorrectly producing and using linux-*-tools-
    common/linux-*-cloud-tools-common (LP: #1688579)
    - [Config] make linux-tools-common and linux-cloud-tools-common provide linux-
      gke versions
    - [Config] make linux-tools-common and linux-cloud-tools-common provide linux-
      aws versions
    - [Packaging] prevent linux-*-tools-common from being produced from non linux
      packages
  * CVE-2017-0605
    - tracing: Use strlcpy() instead of strcpy() in __trace_find_cmdline()
  * i915-bpo crashes on external hdmi input (LP: #1580272)
    - SAUCE: i915_bpo: Silence the warning about watermark entries not changing
  * Kernel panics on Xenial when using cgroups and strict CFS limits
    (LP: #1687512)
    - sched/fair: Initialize throttle_count for new task-groups lazily
    - sched/fair: Do not announce throttled next buddy in dequeue_task_fair()
  * bonding - mlx5 - speed changed to 0 after changing ring size (LP: #1687877)
    - bonding: allow notifications for bond_set_slave_link_state
  * Xenial update to 4.4.67 stable release (LP: #1689296)
    - timerfd: Protect the might cancel mechanism proper
    - Handle mismatched open calls
    - ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
    - ALSA: ppc/awacs: shut up maybe-uninitialized warning
    - drbd: avoid redefinition of BITS_PER_PAGE
    - mtd: avoid stack overflow in MTD CFI code
    - net: tg3: avoid uninitialized variable warning
    - netlink: Allow direct reclaim for fallback allocation
    - IB/qib: rename BITS_PER_PAGE to RVT_BITS_PER_PAGE
    - IB/ehca: fix maybe-uninitialized warnings
    - ext4: require encryption feature for EXT4_IOC_SET_ENCRYPTION_POLICY
    - ext4 crypto: revalidate dentry after adding or removing the key
    - ext4 crypto: use dget_parent() in ext4_d_revalidate()
    - ext4/fscrypto: avoid RCU lookup in d_revalidate
    - nfsd4: minor NFSv2/v3 write decoding cleanup
    - nfsd: stricter decoding of write-like NFSv2/v3 ops
    - dm ioctl: prevent stack leak in dm ioctl call
    - Linux 4.4.67
  * Precision Rack failed to resume from S4 (LP: #1686061)
    - x86 / hibernate: Use hlt_play_dead() when resuming from hibernation
    - x86/boot: Split out kernel_ident_mapping_init()
    - x86/power/64: Always create temporary identity mapping correctly
  * Xenial update to 4.4.66 stable release (LP: #1688505)
    - f2fs: do more integrity verification for superblock
    - xc2028: unlock on error in xc2028_set_config()
    - ARM: OMAP2+: timer: add probe for clocksources...

Changed in linux-raspi2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Juerg Haefliger (juergh) on 2017-06-30
Changed in linux-raspi2 (Ubuntu Yakkety):
status: New → Fix Committed
Changed in linux-raspi2 (Ubuntu Zesty):
status: New → Fix Committed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers