Kernel 4.4 NBD size overflow with image size exceeding 1TB

Bug #1772575 reported by Nathan O'Sullivan on 2018-05-22
Affects: linux (Ubuntu), importance Medium, unassigned
Affects: Xenial, importance Medium, assigned to Joseph Salisbury

Bug Description

== SRU Justification ==
With the Xenial kernel, the bug reporter states there is an NBD size
overflow with image size exceeding 1TB.

There's an issue in the kernel's NBD module which prevents some larger images from being
correctly "connected", largely described here:
https://github.com/NetworkBlockDevice/nbd/issues/44

This is a regression from Trusty and was fixed in mainline as of v4.10-rc1.

== Fix ==
ef77b515243b ("nbd: use loff_t for blocksize and nbd_set_size args")

== Regression Potential ==
Medium. A backport was needed, but only because of context differences and
because Xenial used debugfs_create_u32 where the upstream patch uses
debugfs_create_u64.

== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.

== Original Bug Report ==
Release 16.04, kernel 4.4.0-124-generic

There's an issue in the kernel's NBD module which prevents some larger images from being
correctly "connected", largely described here:
https://github.com/NetworkBlockDevice/nbd/issues/44

There is a small patch here that was accepted into mainline 4.10:
https://www.spinics.net/lists/linux-block/msg07060.html

This is a regression from the previous LTS 3.13 kernel.

----

Here is a small example of the faulty behaviour:

# qemu-img create -f qcow2 test.img 1100G
Formatting 'test.img', fmt=qcow2 size=1181116006400 cluster_size=65536 lazy_refcounts=off refcount_bits=16
# qemu-nbd -c /dev/nbd0 test.img
# blockdev --getsize64 /dev/nbd0
18446743055802302464

The correct response would be 1181116006400; this breaks most tools and makes the image unusable, e.g.

# fdisk -l /dev/nbd0
fdisk: cannot open /dev/nbd0: Invalid argument
---
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 May 21 12:51 seq
 crw-rw---- 1 root audio 116, 33 May 21 12:51 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.20.1-0ubuntu2.17
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
DistroRelease: Ubuntu 16.04
HibernationDevice: RESUME=/dev/mapper/VolGroup00-swap_1
IwConfig: Error: [Errno 2] No such file or directory
MachineType: Supermicro SYS-1028R-WTR
Package: linux (not installed)
PciMultimedia:

ProcEnviron:
 LANGUAGE=en_AU:
 TERM=xterm
 PATH=(custom, no user)
 LANG=en_AU
 SHELL=/bin/bash
ProcFB: 0 VESA VGA
ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-124-generic root=/dev/mapper/VolGroup00-root ro nomodeset elevator=noop consoleblank=0 net.ifnames=0 biosdevname=0 modprobe.blacklist=igb nosplash quiet
ProcVersionSignature: Ubuntu 4.4.0-124.148-generic 4.4.117
RelatedPackageVersions:
 linux-restricted-modules-4.4.0-124-generic N/A
 linux-backports-modules-4.4.0-124-generic N/A
 linux-firmware 1.157.18
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial xenial
Uname: Linux 4.4.0-124-generic x86_64
UnreportableReason: The report belongs to a package that is not installed.
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups:

_MarkForUpload: False
dmi.bios.date: 02/08/2018
dmi.bios.vendor: American Megatrends Inc.
dmi.bios.version: 3.0a
dmi.board.asset.tag: Default string
dmi.board.name: X10DRW-i
dmi.board.vendor: Supermicro
dmi.board.version: 1.10
dmi.chassis.asset.tag: Default string
dmi.chassis.type: 1
dmi.chassis.vendor: Supermicro
dmi.chassis.version: 0123456789
dmi.modalias: dmi:bvnAmericanMegatrendsInc.:bvr3.0a:bd02/08/2018:svnSupermicro:pnSYS-1028R-WTR:pvr0123456789:rvnSupermicro:rnX10DRW-i:rvr1.10:cvnSupermicro:ct1:cvr0123456789:
dmi.product.name: SYS-1028R-WTR
dmi.product.version: 0123456789
dmi.sys.vendor: Supermicro
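The wrong size printed by blockdev above is exactly what a 32-bit block count produces: 1100G is 2306867200 sectors of 512 bytes (the count fdisk prints once fixed), and that number does not fit in a signed int. The following is an added example, not the driver's code and not part of the bug report; it models the narrowed-int multiply beside the loff_t version from the fix, assumes a 512-byte block size (consistent with the reported value), and includes a consistency check a driver could apply to the computed size.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's loff_t: a signed 64-bit byte offset. */
typedef int64_t loff_t;

/* Simplified model of the pre-fix path (assumption, not the driver's code):
 * the block count is narrowed to int before the multiply, so a count above
 * INT_MAX wraps negative and the product is sign-extended into 64 bits. */
static loff_t bytesize_before_fix(int blocksize, int nr_blocks)
{
    return (loff_t)blocksize * nr_blocks;
}

/* Model of the fix: both operands are loff_t, nothing is narrowed. */
static loff_t bytesize_after_fix(loff_t blocksize, loff_t nr_blocks)
{
    return blocksize * nr_blocks;
}

/* Emulates the ioctl boundary: userspace passes an unsigned long (64-bit on
 * amd64); the implicit conversion to int keeps the low 32 bits (GCC, two's
 * complement). Returned as the unsigned value blockdev --getsize64 prints. */
static uint64_t reported_size_before_fix(unsigned long blksize, unsigned long nr_blocks)
{
    return (uint64_t)bytesize_before_fix((int)blksize, (int)nr_blocks);
}

static uint64_t reported_size_after_fix(unsigned long blksize, unsigned long nr_blocks)
{
    return (uint64_t)bytesize_after_fix((loff_t)blksize, (loff_t)nr_blocks);
}

/* Consistency check: the size must be positive and must divide back to the
 * block count it was computed from; the overflowed value fails both. */
static int size_is_consistent(loff_t bytesize, loff_t blksize, loff_t nr_blocks)
{
    return bytesize > 0 && blksize > 0 && bytesize / blksize == nr_blocks;
}

int main(void)
{
    /* Constructed from the report: a 1100G image is 1181116006400 bytes,
     * i.e. 2306867200 sectors of 512 bytes. */
    const unsigned long blksize = 512, sectors = 2306867200UL;
    printf("before fix: %llu\n", (unsigned long long)reported_size_before_fix(blksize, sectors));
    printf("after fix:  %llu\n", (unsigned long long)reported_size_after_fix(blksize, sectors));
    return 0;
}
```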

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1772575

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete

apport information

tags: added: apport-collected xenial
description: updated


Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Confirmed → Triaged
Changed in linux (Ubuntu Xenial):
status: New → In Progress
Changed in linux (Ubuntu):
status: Triaged → Invalid
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
assignee: nobody → Joseph Salisbury (jsalisbury)
Joseph Salisbury (jsalisbury) wrote :

I built a test kernel with commit ef77b515243b3499d62cf446eda6ca7e0a0b079c. The test kernel can be downloaded from:
http://kernel.ubuntu.com/~jsalisbury/lp1772575

Can you test this kernel and see if it resolves this bug?

Thanks in advance!

Thank you for your prompt attention!

I can confirm your test kernel resolves this issue:

# uname -v
#154~lp1772575 SMP Tue May 22 16:06:05 UTC 2018

# blockdev --getsize64 /dev/nbd0
1181116006400

# fdisk -l /dev/nbd0 | head -1
Disk /dev/nbd0: 1.1 TiB, 1181116006400 bytes, 2306867200 sectors

Joseph Salisbury (jsalisbury) wrote :
description: updated
Juerg Haefliger (juergh) on 2018-06-07
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial

# uname -r
4.4.0-129-generic

# fdisk -l /dev/nbd0
Disk /dev/nbd0: 1.1 TiB, 1181116006400 bytes, 2306867200 sectors
[snip]

tags: added: verification-done-xenial
removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-130.156

---------------
linux (4.4.0-130.156) xenial; urgency=medium

  * linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

  * CVE-2018-3665 (x86)
    - x86/fpu: Fix early FPU command-line parsing
    - x86/fpu: Fix 'no387' regression
    - x86/fpu: Disable MPX when eagerfpu is off
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix FNSAVE usage in eagerfpu mode
    - x86/fpu: Fix math emulation in eager fpu mode
    - x86/fpu: Fix eager-FPU handling on legacy FPU machines

linux (4.4.0-129.155) xenial; urgency=medium

  * linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

  * Xenial update to 4.4.134 stable release (LP: #1775771)
    - MIPS: ptrace: Expose FIR register through FP regset
    - MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
    - KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
    - affs_lookup(): close a race with affs_remove_link()
    - aio: fix io_destroy(2) vs. lookup_ioctx() race
    - ALSA: timer: Fix pause event notification
    - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
    - libata: Blacklist some Sandisk SSDs for NCQ
    - libata: blacklist Micron 500IT SSD with MU01 firmware
    - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
    - ipc/shm: fix shmat() nil address after round-down when remapping
    - kasan: fix memory hotplug during boot
    - kernel/sys.c: fix potential Spectre v1 issue
    - kernel/signal.c: avoid undefined behaviour in kill_something_info
    - xfs: remove racy hasattr check from attr ops
    - do d_instantiate/unlock_new_inode combinations safely
    - firewire-ohci: work around oversized DMA reads on JMicron controllers
    - NFSv4: always set NFS_LOCK_LOST when a lock is lost.
    - ALSA: hda - Use IS_REACHABLE() for dependency on input
    - ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
    - kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
    - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into
      account
    - PCI: Add function 1 DMA alias quirk for Marvell 9128
    - tools lib traceevent: Simplify pointer print logic and fix %pF
    - perf callchain: Fix attr.sample_max_stack setting
    - tools lib traceevent: Fix get_field_str() for dynamic strings
    - dm thin: fix documentation relative to low water mark threshold
    - nfs: Do not convert nfs_idmap_cache_timeout to jiffies
    - watchdog: sp5100_tco: Fix watchdog disable bit
    - kconfig: Don't leak main menus during parsing
    - kconfig: Fix automatic menu creation mem leak
    - kconfig: Fix expr_free() E_NOT leak
    - ipmi/powernv: Fix error return code in ipmi_powernv_probe()
    - Btrfs: set plug for fsync
    - btrfs: Fix out of bounds access in btrfs_search_slot
    - Btrfs: fix scrub to repair raid6 corruption
    - scsi: fas216: fix sense buffer initialization
    - HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
    - powerpc/numa: Use ibm,max-associativity-domains to discover possib...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released