Kernel produces empty lines in /proc/PID/status

Bug #1772671 reported by Hajo Locke on 2018-05-22
This bug affects 10 people
Affects             Importance   Assigned to
iotop (Ubuntu)      Undecided    Unassigned
  Xenial            Undecided    Unassigned
linux (Ubuntu)      Medium       Unassigned
  Xenial            Medium       Tyler Hicks

Bug Description

[Impact]
The CVE-2018-3639 fix for Xenial introduced a double newline sequence in the /proc/PID/status files. This breaks some userspace tools, such as iotop, that parse those files.

[Test Case]
Incorrect output in 4.4.0-127.153-generic:

$ cat /proc/self/status
 ...
Seccomp: 0

Speculation_Store_Bypass: thread vulnerable
...

Expected output:

$ cat /proc/self/status
 ...
Seccomp: 0
Speculation_Store_Bypass: thread vulnerable
...

[Regression Potential]
None

[Original Report]

Hello,

After running updates today to linux-image-4.4.0-127-generic_4.4.0-127.153 and rebooting, I noticed that iotop is not working any more. The reason is empty lines in /proc/PID/status, which confuse iotop (and me).

In the new view there is an empty line between Seccomp and Speculation_Store_Bypass:

####
Seccomp: 0

Speculation_Store_Bypass: vulnerable
####
Speculation_Store_Bypass seems to be new in /proc/PID/status; there may be a relation to the Spectre/Meltdown patches.

iotop is the first application which is failing here, but I am afraid of more.

Thanks
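A tolerant way to read this file that also reports the malformed lines, so the kernel regression stays visible instead of being silently skipped. This is an added example, not iotop's code or part of the original report; the names parse_status and read_status, the ':<TAB>' separator assumption and the sample text are constructed for illustration.

```python
# Constructed sample mirroring the 4.4.0-127.153 output quoted in the report.
# Assumption: real status lines have the form 'Key:<TAB>value'.
BROKEN_SAMPLE = (
    "Name:\tcat\n"
    "Seccomp:\t0\n"
    "\n"
    "Speculation_Store_Bypass:\tthread vulnerable\n"
    "Cpus_allowed:\tff\n"
)


def parse_status(text):
    """Return (fields, anomalies) for the text of a /proc/PID/status file.

    fields maps key -> stripped value. anomalies lists (line_number, raw_line)
    for every line that is not 'Key:<TAB>value', including empty lines.
    """
    fields, anomalies = {}, []
    for lineno, line in enumerate(text.splitlines(), start=1):
        key, sep, value = line.partition(":\t")
        if not sep or not key:
            # Blank or malformed line: record it rather than raising.
            anomalies.append((lineno, line))
            continue
        fields[key] = value.strip()
    return fields, anomalies


def read_status(pid="self"):
    """Parse a live status file; a vanished process yields empty results."""
    try:
        with open("/proc/%s/status" % pid) as handle:
            return parse_status(handle.read())
    except IOError:  # no such process, or procfs not mounted
        return {}, []


if __name__ == "__main__":
    fields, anomalies = parse_status(BROKEN_SAMPLE)
    print("parsed %d fields" % len(fields))
    for lineno, raw in anomalies:
        print("line %d is not 'Key:<TAB>value': %r" % (lineno, raw))
```
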

CVE References

Hajo Locke (hajo-locke) on 2018-05-22
affects: dpkg (Ubuntu) → linux (Ubuntu)

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1772671

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: xenial
tudor (tudor2) wrote :

This fixes it on my machine:

--- data.py 2018-05-22 16:46:51.744204671 +0200
+++ data2.py 2018-05-22 16:48:28.694497438 +0200
@@ -193,8 +193,11 @@
     result_dict = {}
     try:
         for line in open('/proc/%d/status' % pid):
- key, value = line.split(':\t', 1)
- result_dict[key] = value.strip()
+ try:
+ key, value = line.split(':\t', 1)
+ result_dict[key] = value.strip()
+ except:
+ pass
     except IOError:
         pass # No such process
     return result_dict
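
Review bot: the bare 'except:' added around the 'key, value = line.split(':\t', 1)' unpacking catches every exception, not only the ValueError raised when a line has no ':\t' separator, so any other failure inside the loop body is silently discarded as well. Narrow it to 'except ValueError:' (or skip lines that do not contain the separator before splitting), and add a comment saying that the guard exists for blank lines in /proc/PID/status.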

LorenRosen (lorenrosen) wrote :

attached stack trace

Hajo Locke (hajo-locke) wrote :

Yes, I can fix this in iotop, but I think the main problem is the kernel, and there should not exist an empty line under /proc/PID/status.

Ubuntu Kernel Bot told me to send logs, but I can't run apport-collect for security/data protection reasons.

Thanks

Joseph Salisbury (jsalisbury) wrote :

Would it be possible for you to test the latest upstream kernel? Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Please test the latest v4.17 kernel[0].

If this bug is fixed in the mainline kernel, please add the following tag 'kernel-fixed-upstream'.

If the mainline kernel does not fix this bug, please add the tag: 'kernel-bug-exists-upstream'.

Once testing of the upstream kernel is complete, please mark this bug as "Confirmed".

Thanks in advance.

[0] http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.17-rc6

Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
status: New → Incomplete
importance: Undecided → Medium
Hajo Locke (hajo-locke) wrote :

Hello,

I installed v4.17-rc6 and this problem seems fixed, no empty line in /proc/PID/status, but I also miss the line Speculation_Store_Bypass which was existing in 4.4.0-127-generic #153-Ubuntu.
So maybe this is fixed because Meltdown/Spectre patches are not applied? I am not sure, so I hesitate to set the tag kernel-fixed-upstream.
What do you think?

For information: I could not install linux-headers-4.17.0-041700rc6-generic; there is a dependency on libssl1.1, which is not currently available for Xenial.

Thanks

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in iotop (Ubuntu Xenial):
status: New → Confirmed
Changed in iotop (Ubuntu):
status: New → Confirmed

A colleague tried installing a later 4.4.0 kernel, 4.4.0-129 from http://kernel.ubuntu.com/~kernel-ppa/mainline/v4.4.129/ (as below) on 16.04.4 LTS and we then don't see the iotop problem.

Linux version 4.4.129-0404129-generic (kernel@kathleen) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #201804240833 SMP Tue Apr 24 08:35:28 UTC 2018

Hajo Locke (hajo-locke) wrote :

Yes, 4.4.0-129 also seems to be OK, but again no Speculation_Store_Bypass line in /proc/PID/status.

Paul Wise (Debian) (pabs) wrote :

Could you gzip and attach the contents of one of your /proc/PID/status files when iotop is crashing?

On Bionic, where iotop works, there is no empty line between:
Seccomp: 0
Speculation_Store_Bypass: vulnerable

Tyler Hicks (tyhicks) on 2018-05-24
Changed in iotop (Ubuntu Xenial):
status: Confirmed → Invalid
Changed in iotop (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Xenial):
status: Incomplete → In Progress
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu):
status: Incomplete → Invalid
description: updated
Tyler Hicks (tyhicks) wrote :

This bug only affected the Xenial 4.4 based kernels. I've submitted a kernel fix here:

  https://lists.ubuntu.com/archives/kernel-team/2018-May/092723.html

Thanks for the bug report!

Hajo Locke (hajo-locke) wrote :

Thanks.

Just for general information, when will this patch be published to the live repos?

Thanks.

I have added a workaround to the iotop git repository:

http://repo.or.cz/iotop.git/commitdiff/0392b205b5c3973a326721c2e9f97f0fa2eefa82
http://repo.or.cz/iotop.git/commitdiff/7c51ce0e29bd135c216f18e18f0c4ab769af0d6f

This should help if this sort of thing gets re-added in the future.

--
bye,
pabs

https://wiki.debian.org/PaulWise

Juerg Haefliger (juergh) on 2018-06-07
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'. If the problem still exists, change the tag 'verification-needed-xenial' to 'verification-failed-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Tyler Hicks (tyhicks) wrote :

I've verified that this is fixed in 4.4.0-129.155-generic

tags: added: verification-done-xenial
removed: verification-needed-xenial

Confirmed, fixed in 4.4.0-129-generic. Thanks! :-)

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-130.156

---------------
linux (4.4.0-130.156) xenial; urgency=medium

  * linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)

  * CVE-2018-3665 (x86)
    - x86/fpu: Fix early FPU command-line parsing
    - x86/fpu: Fix 'no387' regression
    - x86/fpu: Disable MPX when eagerfpu is off
    - x86/fpu: Default eagerfpu=on on all CPUs
    - x86/fpu: Fix FNSAVE usage in eagerfpu mode
    - x86/fpu: Fix math emulation in eager fpu mode
    - x86/fpu: Fix eager-FPU handling on legacy FPU machines

linux (4.4.0-129.155) xenial; urgency=medium

  * linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)

  * Xenial update to 4.4.134 stable release (LP: #1775771)
    - MIPS: ptrace: Expose FIR register through FP regset
    - MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
    - KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
    - affs_lookup(): close a race with affs_remove_link()
    - aio: fix io_destroy(2) vs. lookup_ioctx() race
    - ALSA: timer: Fix pause event notification
    - mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
    - libata: Blacklist some Sandisk SSDs for NCQ
    - libata: blacklist Micron 500IT SSD with MU01 firmware
    - xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
    - Revert "ipc/shm: Fix shmat mmap nil-page protection"
    - ipc/shm: fix shmat() nil address after round-down when remapping
    - kasan: fix memory hotplug during boot
    - kernel/sys.c: fix potential Spectre v1 issue
    - kernel/signal.c: avoid undefined behaviour in kill_something_info
    - xfs: remove racy hasattr check from attr ops
    - do d_instantiate/unlock_new_inode combinations safely
    - firewire-ohci: work around oversized DMA reads on JMicron controllers
    - NFSv4: always set NFS_LOCK_LOST when a lock is lost.
    - ALSA: hda - Use IS_REACHABLE() for dependency on input
    - ASoC: au1x: Fix timeout tests in au1xac97c_ac97_read()
    - kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
    - tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into
      account
    - PCI: Add function 1 DMA alias quirk for Marvell 9128
    - tools lib traceevent: Simplify pointer print logic and fix %pF
    - perf callchain: Fix attr.sample_max_stack setting
    - tools lib traceevent: Fix get_field_str() for dynamic strings
    - dm thin: fix documentation relative to low water mark threshold
    - nfs: Do not convert nfs_idmap_cache_timeout to jiffies
    - watchdog: sp5100_tco: Fix watchdog disable bit
    - kconfig: Don't leak main menus during parsing
    - kconfig: Fix automatic menu creation mem leak
    - kconfig: Fix expr_free() E_NOT leak
    - ipmi/powernv: Fix error return code in ipmi_powernv_probe()
    - Btrfs: set plug for fsync
    - btrfs: Fix out of bounds access in btrfs_search_slot
    - Btrfs: fix scrub to repair raid6 corruption
    - scsi: fas216: fix sense buffer initialization
    - HID: roccat: prevent an out of bounds read in kovaplus_profile_activated()
    - jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
    - powerpc/numa: Use ibm,max-associativity-domains to discover possib...

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Drew Freiberger (afreiberger) wrote :

This needs to be backported to trusty for users of the linux-image-generic-lts-xenial.

Drew Freiberger (afreiberger) wrote :

Never mind. I see the patch is a kernel fix... will upgrade my host.
