[arm64] Kernel panic while running coreutils testsuite

Bug #1471892 reported by Adam Conrad on 2015-07-06
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
dann frazier
Trusty
High
dann frazier

Bug Description

[Impact]
The kernel crashes when building coreutils on arm64, impacting the Ubuntu buildds. Also maybe considered a local DoS, as it can be used by a local non-privileged user to crash a system.

[Test Case]
Build the Ubuntu coreutils package w/ tests enabled (the default) on an arm64 system.

[Regression Risk]
I'm no expert in this code, but it is an obviously missing part of the backport, and looks identical to what was used in other upstream stable trees (3.12.y in particular). So, though I don't feel like I can properly assess the regression risk - at least we should have some interest from upstream to help fix regressions that do pop up.

CVE References

Adam Conrad (adconrad) wrote :

For what it's worth, coreutils has never been built on a 3.13 distro kernel before, the last successful builds were all on the APM 3.8.0-2-mustang (or earlier) kernels.

Changed in linux (Ubuntu):
status: New → Confirmed
Raghuram Kota (rkota) on 2015-07-06
tags: added: hs-arm64
tags: added: arm64
dann frazier (dannf) wrote :

I can reproduce this with trusty's 3.13, but not with utopic/3.16 or vivid/3.19.

dann frazier (dannf) wrote :

I've bisected it down to this commit, introduced in 3.13.0-49.81:

commit b671cf8ede23e76aea4d87d7dc654ee27edaeaf0
Author: Linus Torvalds <email address hidden>
Date: Thu Jan 29 11:15:17 2015 -0800

    vm: make stack guard page errors return VM_FAULT_SIGSEGV rather than SIGBUS

    commit 9c145c56d0c8a0b62e48c8d71e055ad0fb2012ba upstream.

Changed in linux (Ubuntu):
assignee: nobody → dann frazier (dannf)
importance: Undecided → High

BugLink: http://bugs.launchpad.net/bugs/1471892

Commit b9496d0cc02900b74f01f294b76d3af9f3b12bfe in the 3.13.y-ckt tree is an
incomplete backport of upstream commit 33692f27597fcab536d7cbbcc8f52905133e4aa7.
The commit notes that the changes to mm/gup.c were omitted - presumably because
that file didn't exist in 3.13. However, the relevant code does exist in
3.13.y - it just hadn't been split out from mm/memory.c yet.

This introduced a regression in the Ubuntu kernel that resulted in panics
on arm64 when running the coreutils test suite:

  [...]
  PASS: tests/misc/chcon-fail.sh
  PASS: tests/misc/cut.pl
  [ 141.509350] Kernel panic - not syncing: BUG!
  [ 141.510301] CPU: 0 PID: 22674 Comm: bash Not tainted 3.13.11-ckt22 #20
  [ 141.511641] Call trace:
  [ 141.512115] [<ffffffc00008839c>] dump_backtrace+0x0/0x164
  [ 141.513133] [<ffffffc000088510>] show_stack+0x10/0x1c
  [ 141.514079] [<ffffffc000615460>] dump_stack+0x78/0x94
  [ 141.515022] [<ffffffc000613fd8>] panic+0xe0/0x20c
  [ 141.515903] [<ffffffc00017a7e4>] __get_user_pages+0x454/0x4c8
  [ 141.516971] [<ffffffc00017a898>] get_user_pages+0x40/0x4c
  [ 141.517973] [<ffffffc0001b1580>] get_arg_page+0x40/0xb4
  [ 141.518956] [<ffffffc0001b1fb0>] copy_strings.isra.21+0x158/0x248
  [ 141.520095] [<ffffffc0001b2d50>] do_execve_common.isra.26+0x3f4/0x5a0
  [ 141.521280] [<ffffffc0001b2f14>] do_execve+0x18/0x24
  [ 141.522203] [<ffffffc0001b3174>] SyS_execve+0x34/0x70

This commit completes the backport by retrofiting the missing changes to
mm/memory.c. This does not appear to impact upstream stable kernels. I checked
3.12.y, and it has already included these changes in the initial backport.

Signed-off-by: dann frazier <email address hidden>
---
 mm/memory.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mm/memory.c b/mm/memory.c
index 0d58cbc..8203f8f 100644
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1833,7 +1833,8 @@ long __get_user_pages(struct task_struct *tsk, struct mm_struct *mm,
       else
        return -EFAULT;
      }
- if (ret & VM_FAULT_SIGBUS)
+ if (ret & (VM_FAULT_SIGBUS |
+ VM_FAULT_SIGSEGV))
       return i ? i : -EFAULT;
      BUG();
     }
@@ -1943,7 +1944,7 @@ int fixup_user_fault(struct task_struct *tsk, struct mm_struct *mm,
    return -ENOMEM;
   if (ret & (VM_FAULT_HWPOISON | VM_FAULT_HWPOISON_LARGE))
    return -EHWPOISON;
- if (ret & VM_FAULT_SIGBUS)
+ if (ret & (VM_FAULT_SIGBUS | VM_FAULT_SIGSEGV))
    return -EFAULT;
   BUG();
  }
--
2.1.4

Changed in linux (Ubuntu):
status: Confirmed → In Progress
dann frazier (dannf) on 2015-07-07
summary: - [arm64][xgene] Kernel panic while running coreutils testsuite
+ [arm64] Kernel panic while running coreutils testsuite
tags: added: patch
Kamal Mostafa (kamalmostafa) wrote :

Thanks very much Dann. I've queued your patch for 3.13-stable:
http://kernel.ubuntu.com/git/ubuntu/linux.git/commit/?h=linux-3.13.y-queue&id=eef5d05f530ba16df8f758f6ae72f62e4ac7a503

Please also submit it as an SRU request for Trusty.

dann frazier (dannf) on 2015-07-07
Changed in linux (Ubuntu):
status: In Progress → Invalid
Changed in linux (Ubuntu Trusty):
status: New → In Progress
assignee: nobody → dann frazier (dannf)
importance: Undecided → High
dann frazier (dannf) on 2015-07-07
description: updated
Luis Henriques (henrix) on 2015-07-08
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Adam Conrad (adconrad) wrote :

Verified fixed on the buildds with the new kernel, thanks!

tags: added: verification-done
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Adam Conrad (adconrad) on 2015-07-11
tags: added: verification-done-trusty
removed: verification-done verification-needed-trusty
Launchpad Janitor (janitor) wrote :
Download full text (9.8 KiB)

This bug was fixed in the package linux - 3.13.0-58.97

---------------
linux (3.13.0-58.97) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1472453

  [ Upstream Kernel Changes ]

  * vm: Fix incomplete backport of VM_FAULT_SIGSEGV handling support
    - LP: #1471892

linux (3.13.0-58.96) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1471991

  [ Iyappan Subramanian ]

  * SAUCE: (no-up): drivers: net: xgene: fix: Out of order descriptor bytes
    read
    - LP: #1425576

  [ Upstream Kernel Changes ]

  * NVMe: Add shutdown timeout as module parameter.
    - LP: #1465136
  * Drivers: hv: vmbus: Add support for VMBus panic notifier handler
    - LP: #1463584
  * Drivers: hv: vmbus: Correcting truncation error for constant
    HV_CRASH_CTL_CRASH_NOTIFY
    - LP: #1463584
  * netfilter: nf_conntrack: don't release a conntrack with non-zero refcnt
    - LP: #1466135
  * lpfc: Add iotag memory barrier
    - LP: #1468416
  * mm/slab_common: support the slub_debug boot option on specific object
    size
    - LP: #1456952
  * pipe: iovec: Fix memory corruption when retrying atomic copy as
    non-atomic
    - CVE-2015-1805
  * kvm: x86: fix kvm_apic_has_events to check for NULL pointer
  * staging, rtl8192e, LLVMLinux: Change extern inline to static inline
    - LP: #1471233
  * kernel: use the gnu89 standard explicitly
    - LP: #1471233
  * staging, rtl8192e, LLVMLinux: Remove unused inline prototype
    - LP: #1471233
  * staging: rtl8712, rtl8712: avoid lots of build warnings
    - LP: #1471233
  * qla2xxx: remove redundant declaration in 'qla_gbl.h'
    - LP: #1471233
  * staging: wlags49_h2: fix extern inline functions
    - LP: #1471233
  * ARM: 8307/1: psci: move psci firmware calls out of line
    - LP: #1471233
  * kconfig: Fix warning "‘jump’ may be used uninitialized"
    - LP: #1471233
  * scripts/sortextable: suppress warning: `relocs_size' may be used
    uninitialized
    - LP: #1471233
  * ASoC: dapm: Enable autodisable on SOC_DAPM_SINGLE_TLV_AUTODISABLE
    - LP: #1471233
  * ALSA: hda - Fix mute-LED fixed mode
    - LP: #1471233
  * ALSA: emu10k1: Fix card shortname string buffer overflow
    - LP: #1471233
  * ALSA: emux: Fix mutex deadlock at unloading
    - LP: #1471233
  * drm/radeon: add SI DPM quirk for Sapphire R9 270 Dual-X 2G GDDR5
    - LP: #1471233
  * SCSI: add 1024 max sectors black list flag
    - LP: #1471233
  * 3w-sas: fix command completion race
    - LP: #1471233
  * 3w-xxxx: fix command completion race
    - LP: #1471233
  * 3w-9xxx: fix command completion race
    - LP: #1471233
  * serial: xilinx: Use platform_get_irq to get irq description structure
    - LP: #1471233
  * serial: of-serial: Remove device_type = "serial" registration
    - LP: #1471233
  * tty/serial: at91: maxburst was missing for dma transfers
    - LP: #1471233
  * ALSA: emux: Fix mutex deadlock in OSS emulation
    - LP: #1471233
  * ALSA: emu10k1: Emu10k2 32 bit DMA mode
    - LP: #1471233
  * rbd: end I/O the entire obj_request on error
    - LP: #1471233
  * powerpc/pseries: Correct cpu affinity for dlpar added cpus
    - LP: #1471233
  * bridge/mdb: remove wrong use of NLM_F_MULT...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers