tipc: missing linearization of sk_buff

Bug #1567064 reported by Jon Maloy on 2016-04-06
Affects: linux (Ubuntu) | Status: Fix Released | Importance: Medium | Assigned to: Joseph Salisbury
Affects: linux (Ubuntu Xenial) | Status: Fix Released | Importance: Medium | Assigned to: Joseph Salisbury

Bug Description

The TIPC binding table sometimes fails to update correctly between nodes because we don't linearize nonlinear buffers at two places where it is needed in the code.

In the upstream kernel at kernel.org, the following commit was applied on Nov 19th 2015:

commit c7cad0d6f70cd4ce8644ffe528a4df1cdc2e77f5 ("tipc: move linearization of buffers to generic code"), which fixes this issue.

This crucial fix made it into kernel 4.5, but unfortunately not into 4.4 that is used in Xenial, and makes TIPC in Xenial almost unusable as it is now.

Now I am uncertain about how to proceed with this, since I am new to dealing with the Ubuntu kernel.
- Do you apply such fixes from kernel.org if I post a new one to kernel.org/stable? (The one referred to above won't apply cleanly to 4.4.)
- Or should I issue a new one directly to Ubuntu's kernel team?
- Or do you fix it yourself (it is pretty trivial and safe if you take a look at the original commit I refer to)?

BR
Jon Maloy
Ericsson Canada Inc
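The failure mode behind this report, as an added userspace model (not kernel code and not TIPC's own code): a paged, nonlinear receive buffer whose protocol header straddles the boundary between the linear head area and the first page fragment. A parser that dereferences the header straight out of the head area, as if the buffer were linear, reads stale bytes; the same parser after an skb_linearize()-style copy sees the real header. The 8-byte header layout (4-byte type, 4-byte size), the struct field names, the 0xAA fill and the sample message are all assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed model of a paged ("nonlinear") socket buffer: a linear head
 * area plus page fragments, loosely mirroring skb->data / skb_headlen() /
 * skb->data_len. Field names and the header layout are assumptions for this
 * example, not the kernel's or TIPC's definitions.
 */
#define MAX_FRAGS 4
#define HDR_LEN   8       /* assumed: 4-byte type + 4-byte size, big endian */
#define HEAD_CAP  16      /* bytes allocated for the head area */

struct frag { const uint8_t *data; size_t len; };

struct nl_buf {
    uint8_t *head;                 /* linear area */
    size_t   head_len;             /* valid bytes in the linear area */
    size_t   data_len;             /* bytes living in fragments */
    struct frag frags[MAX_FRAGS];
    int      nr_frags;
    uint8_t *lin;                  /* owned contiguous copy after linearize() */
};

static uint32_t get_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static int is_nonlinear(const struct nl_buf *b) { return b->data_len != 0; }

/* Buggy path: assumes the buffer is linear and reads the header from the
 * head area. The read stays inside the allocation, so nothing crashes; the
 * bytes past head_len are simply whatever is left in that memory. */
static int parse_hdr_unchecked(const struct nl_buf *b, size_t head_alloc,
                               uint32_t *type, uint32_t *size)
{
    if (head_alloc < HDR_LEN)
        return -1;
    *type = get_be32(b->head);
    *size = get_be32(b->head + 4);
    return 0;
}

/* skb_linearize() analogue: copy head plus every fragment into one
 * contiguous allocation and make the buffer linear. */
static int linearize(struct nl_buf *b)
{
    if (!is_nonlinear(b))
        return 0;
    size_t total = b->head_len + b->data_len, off = b->head_len;
    uint8_t *lin = malloc(total);
    if (!lin)
        return -1;
    memcpy(lin, b->head, b->head_len);
    for (int i = 0; i < b->nr_frags; i++) {
        memcpy(lin + off, b->frags[i].data, b->frags[i].len);
        off += b->frags[i].len;
    }
    free(b->lin);
    b->lin = b->head = lin;
    b->head_len = total;
    b->data_len = 0;
    b->nr_frags = 0;
    return 0;
}

/* Fixed path: linearize first, then length-check, then parse. */
static int parse_hdr_linearized(struct nl_buf *b, uint32_t *type, uint32_t *size)
{
    if (is_nonlinear(b) && linearize(b) != 0)
        return -1;
    if (b->head_len < HDR_LEN)
        return -1;
    *type = get_be32(b->head);
    *size = get_be32(b->head + 4);
    return 0;
}

/* Constructed 32-byte sample message: type 11, size 32, 24 bytes of payload. */
static const uint8_t sample_msg[32] = {
    0x00, 0x00, 0x00, 0x0B,
    0x00, 0x00, 0x00, 0x20,
    'p','u','b','l','i','s','h',' ','n','a','m','e',' ',
    't','a','b','l','e',' ','e','n','t','r','y'
};

/* Deliver the sample with only `split` bytes in the head area and the rest
 * in one fragment; the unused head bytes hold a 0xAA stale-memory fill. */
static void build_split_buffer(struct nl_buf *b, uint8_t *head_storage,
                               const uint8_t *msg, size_t msg_len, size_t split)
{
    memset(head_storage, 0xAA, HEAD_CAP);
    memcpy(head_storage, msg, split);
    memset(b, 0, sizeof(*b));
    b->head = head_storage;
    b->head_len = split;
    b->frags[0].data = msg + split;
    b->frags[0].len = msg_len - split;
    b->nr_frags = 1;
    b->data_len = msg_len - split;
}

/* Run the split sample through one parser (fixed=0: unchecked, fixed=1:
 * linearized) and return header field 0 (type) or 1 (size). */
uint32_t demo_field(int fixed, int field)
{
    uint8_t head[HEAD_CAP];
    struct nl_buf b;
    uint32_t type = 0, size = 0;
    build_split_buffer(&b, head, sample_msg, sizeof sample_msg, 2);
    if (fixed)
        parse_hdr_linearized(&b, &type, &size);
    else
        parse_hdr_unchecked(&b, HEAD_CAP, &type, &size);
    free(b.lin);
    return field == 0 ? type : size;
}

int main(void)
{
    printf("unchecked : type=0x%08x size=0x%08x\n", demo_field(0, 0), demo_field(0, 1));
    printf("linearized: type=0x%08x size=0x%08x\n", demo_field(1, 0), demo_field(1, 1));
    return 0;
}
```

The point of the model is the ordering in parse_hdr_linearized(): linearize before any header accessor runs, and do it once in the common receive path rather than at each individual site, which is what moving the linearization into generic code buys in the upstream commit referenced above.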


This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1567064

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Jon Maloy (maloy) wrote :

1: There is no need to "diagnose the problem". It has been diagnosed, solved, and corrected by me, in my role as code maintainer. This is what I did with the above-mentioned commit; it just didn't make it into 4.4.

2: "apport-collect" seems to assume access to a browser, which I don't have on my non-graphical server version. Anyway, I don't quite see the use of it in this case.

3: Apart from the above-mentioned commit, the following one must also be applied to have fully robust code:

commit 45c8b7b175ceb2d542e0fe15247377bf3bce29ec
Author: Jon Paul Maloy <email address hidden>
Date: Mon Oct 19 11:33:00 2015 -0400
tipc: allow non-linear first fragment buffer

Please advise me how to proceed.

BR
///jon

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Jon Maloy (maloy) wrote :

Additional comment:
The commit mentioned under 3) above is already applied. Sorry for not having checked that.
///j

Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-da-key xenial
Changed in linux (Ubuntu Xenial):
status: Confirmed → Triaged
Changed in linux (Ubuntu Xenial):
status: Triaged → In Progress
assignee: nobody → Joseph Salisbury (jsalisbury)
Joseph Salisbury (jsalisbury) wrote :

I built a Xenial test kernel with a cherry-pick of commit c7cad0d6f. This test kernel can be downloaded from:

http://kernel.ubuntu.com/~jsalisbury/lp1567064/

Can you test this kernel and see if it resolves this bug?

Thanks in advance!

Jon Maloy (maloy) wrote :

Hi,
I have installed and tested it as far as I could without being able to reproduce the problem.
You can go ahead.

Thank you for your help.
///jon

PS. I hope I will receive a hint when this is officially released, so I can alert the users who have seen the problem.


Joseph Salisbury (jsalisbury) wrote :

I just submitted an SRU request for inclusion in Xenial. The bug status will change to "Fix Committed" when the fix lands in the -proposed repository. It will then change to "Fix Released" when it is in the official kernel.

Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Jon Maloy (maloy) wrote :

Hi,
I reported back to your colleague Joseph Salisbury on April 18th that the fix was tested and found ok. I have pasted in our conversation below. There must be a misunderstanding somewhere.

BR
///jon

>I just submitted an SRU request for inclusion in Xenial. The bug status
>will change to "Fix Committed" when the fix lands in the -proposed
>repository. It will then change to "Fix Released" when it is in the
>official kernel.

[...]

>>Hi,
>>I have installed and tested it as far as I could without being able to reproduce the problem.
>>You can go ahead.
>>
>>Thank you for your help.
>>///jon
>>
>> PS. I hope I will receive a hint when this is officially released, so I can alert the users who have seen the problem.


Jon Maloy (maloy) wrote :

I re-read your comment and realized I am supposed to change the tag too. I hope I succeeded in doing it correctly.

Thanks
///jon

tags: added: verification-done-xenial
removed: verification-needed-xenial
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Kamal Mostafa (kamalmostafa) wrote :

This bug was fixed in the package linux - 4.4.0-22.38

---------------
linux (4.4.0-22.38) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1573817

  * autoreconstruct: need to also generate extend-diff-ignore options for links
    (LP: #1574362)
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links

  * tipc: missing linearization of sk_buff (LP: #1567064)
    - tipc: move linearization of buffers to generic code

  * [Hyper-V] In-flight PCI Passthrough Patches (LP: #1570124)
    - SAUCE:(noup) drivers:hv: Lock access to hyperv_mmio resource tree
    - SAUCE:(noup) drivers:hv: Call vmbus_mmio_free() to reverse
      vmbus_mmio_allocate()
    - SAUCE:(noup) drivers:hv: Reverse order of resources in hyperv_mmio
    - SAUCE:(noup) drivers:hv: Track allocations of children of hv_vmbus in
      private resource tree
    - SAUCE:(noup) drivers:hv: Record MMIO range in use by frame buffer
    - SAUCE:(noup) drivers:hv: Separate out frame buffer logic when picking MMIO
      range

  * vbox: resync with 5.0.18-dfsg-2build1 (LP: #1571156)
    - ubuntu: vbox -- update to 5.0.18-dfsg-2build1

  * CONFIG_AUFS_XATTR is not set (LP: #1557776)
    - [Config] CONFIG_AUFS_XATTR=y

  * CVE-2016-3672 (LP: #1568523)
    - x86/mm/32: Enable full randomization on i386 and X86_32

  * CVE-2016-3955 (LP: #1572666)
    - USB: usbip: fix potential out-of-bounds write

  * Xenial update to v4.4.8 stable release (LP: #1573034)
    - hwmon: (max1111) Return -ENODEV from max1111_read_channel if not
      instantiated
    - PKCS#7: pkcs7_validate_trust(): initialize the _trusted output argument
    - parisc: Avoid function pointers for kernel exception routines
    - parisc: Fix kernel crash with reversed copy_from_user()
    - parisc: Unbreak handling exceptions from kernel modules
    - ALSA: timer: Use mod_timer() for rearming the system timer
    - ALSA: hda - Asus N750JV external subwoofer fixup
    - ALSA: hda - Fix white noise on Asus N750JV headphone
    - ALSA: hda - Apply fix for white noise on Asus N550JV, too
    - mm: fix invalid node in alloc_migrate_target()
    - powerpc/mm: Fixup preempt underflow with huge pages
    - libnvdimm: fix smart data retrieval
    - libnvdimm, pfn: fix uuid validation
    - compiler-gcc: disable -ftracer for __noclone functions
    - arm64: opcodes.h: Add arm big-endian config options before including arm
      header
    - drm/dp: move hw_mutex up the call stack
    - drm/udl: Use unlocked gem unreferencing
    - drm/radeon: add a dpm quirk for sapphire Dual-X R7 370 2G D5
    - drm/radeon: add another R7 370 quirk
    - drm/radeon: add a dpm quirk for all R7 370 parts
    - drm/amdgpu/gmc: move vram type fetching into sw_init
    - drm/amdgpu/gmc: use proper register for vram type on Fiji
    - xen/events: Mask a moving irq
    - tcp: convert cached rtt from usec to jiffies when feeding initial rto
    - tunnel: Clear IPCB(skb)->opt before dst_link_failure called
    - net: jme: fix suspend/resume on JMC260
    - net: vrf: Remove direct access to skb->data
    - net: qca_spi: Don't clear IFF_BROADCAST
    - net: qca_spi: clear IFF_TX_SKB_SHARING
    - net: fix bridge multicas...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-22.39

---------------
linux (4.4.0-22.39) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578721

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released