xattr length returned by vfs_getxattr() is not correct in Trusty kernel

Bug #1798013 reported by Po-Hsu Lin
Affects: ubuntu-kernel-tests | Importance: Medium | Assigned to: Po-Hsu Lin
Affects: linux (Ubuntu) | Importance: Medium | Assigned to: Po-Hsu Lin
Affects: Trusty | Importance: Medium | Assigned to: Unassigned

Bug Description

== Justification ==
This issue has been addressed in bug 1789746 for other kernels

When running the getxattr05 test in the ubuntu_ltp_syscalls test suite, the test fails with:

tag=getxattr05 stime=1539663573
cmdline="getxattr05"
contacts=""
analysis=exit
<<<test_output>>>
incrementing stop
tst_test.c:1072: INFO: Timeout per run is 0h 05m 00s
getxattr05.c:85: PASS: Got same data when acquiring the value of system.posix_acl_access twice
getxattr05.c:80: FAIL: Got different data(00 != ffffffff) at 16
getxattr05.c:85: PASS: Got same data when acquiring the value of system.posix_acl_access twice

Summary:
passed 2
failed 1
skipped 0
warnings 0

This is caused by posix_acl_fix_xattr_to_user() being passed the total buffer size and not the actual size of the xattr as returned by vfs_getxattr().

== Fix ==
82c9a927bc5d ("getxattr: use correct xattr length")

A test kernel for Trusty can be found here:
http://people.canonical.com/~phlin/kernel/lp-1798013-getxattr05/

== Regression Potential ==
Low, this one-liner fix just passes the actual length of the xattr as returned by vfs_getxattr() down.

== Test Case ==
Run the getxattr05 test in the ubuntu_ltp_syscalls test suite; it will pass with the patched kernel.

ProblemType: Bug
DistroRelease: Ubuntu 14.04
Package: linux-image-3.13.0-160-generic 3.13.0-160.210
ProcVersionSignature: User Name 3.13.0-160.210-generic 3.13.11-ckt39
Uname: Linux 3.13.0-160-generic x86_64
AlsaDevices:
 total 0
 crw-rw---- 1 root audio 116, 1 Oct 16 03:39 seq
 crw-rw---- 1 root audio 116, 33 Oct 16 03:39 timer
AplayDevices: Error: [Errno 2] No such file or directory: 'aplay'
ApportVersion: 2.14.1-0ubuntu3.29
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory: 'arecord'
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
Date: Tue Oct 16 04:19:43 2018
IwConfig: Error: [Errno 2] No such file or directory: 'iwconfig'
MachineType: Intel Corporation S1200RP
PciMultimedia:

ProcFB: 0 inteldrmfb
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-3.13.0-160-generic root=UUID=b0d2ae4e-12dd-423e-acea-272ee8b2a893 ro console=ttyS0,115200n8
RelatedPackageVersions:
 linux-restricted-modules-3.13.0-160-generic N/A
 linux-backports-modules-3.13.0-160-generic N/A
 linux-firmware 1.127.24
RfKill: Error: [Errno 2] No such file or directory: 'rfkill'
SourcePackage: linux
UpgradeStatus: No upgrade log present (probably fresh install)
dmi.sys.vendor: Intel Corporation
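
The cause given in the bug description above (posix_acl_fix_xattr_to_user() receiving the total buffer size instead of the length returned by vfs_getxattr()) can be seen in a small userspace model. This is an added example, not code from the kernel, LTP or the reporter; the ACL contents, the empty id mapping, the model_* names and the rule that a size which is not header plus whole entries skips translation are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Userspace model only: the model_* names and the empty id mapping are assumptions.
 * Value layout: 4-byte header, then 8-byte entries tag(2) perm(2) id(4), little-endian. */
/* Constructed 44-byte ACL value: u::rw-, u:0:rwx, g::r--, m::rwx, o::r-- */
static const uint8_t stored_acl[] = {
    2, 0, 0, 0,   1, 0, 6, 0, 255, 255, 255, 255,
    2, 0, 7, 0, 0, 0, 0, 0,           /* ACL_USER entry, id 0 at byte offset 16 */
    4, 0, 4, 0, 255, 255, 255, 255,   16, 0, 7, 0, 255, 255, 255, 255,
    32, 0, 4, 0, 255, 255, 255, 255,
};

/* Stand-in for posix_acl_fix_xattr_to_user() for a caller whose namespace maps no
 * ids. Assumed rule: a size that is not header + whole entries is left untouched. */
static void model_fix_to_user(uint8_t *v, size_t size)
{
    if (size < 4 || (size - 4) % 8 != 0)
        return;
    for (size_t off = 4; off < size; off += 8)
        if (v[off + 1] == 0 && (v[off] == 0x02 || v[off] == 0x08)) /* ACL_USER/ACL_GROUP */
            memset(v + off + 4, 0xff, 4);                          /* unmapped id */
}

/* Stand-in for getxattr() on the value above with a size-byte buffer. Returns the id
 * the caller reads at offset 16. fixed=1 hands the fixup the xattr length (the fix),
 * fixed=0 hands it the buffer size (the old call). */
static uint32_t model_getxattr_id16(size_t size, int fixed)
{
    uint8_t kvalue[128] = {0};
    size_t len = sizeof(stored_acl);      /* what vfs_getxattr() would return */
    uint32_t id = 0xdeadbeef;             /* marks a rejected call */
    if (size < len || size > sizeof(kvalue))
        return id;
    memcpy(kvalue, stored_acl, len);
    model_fix_to_user(kvalue, fixed ? len : size);
    memcpy(&id, kvalue + 16, sizeof(id));
    return id;
}

int main(void)
{
    const size_t sizes[] = { 44, 47, 64 };
    for (size_t i = 0; i < 3; i++)
        printf("buf=%zu old=%08x fixed=%08x\n", sizes[i],
               (unsigned)model_getxattr_id16(sizes[i], 0), (unsigned)model_getxattr_id16(sizes[i], 1));
    return 0;
}
```

In this model the old call returns the untranslated id 0 for a 47- or 64-byte buffer, while the fixed call returns ffffffff for every buffer size.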

Po-Hsu Lin (cypressyew) wrote :

From the test case:

 * This issue included by getxattr05 has been fixed in kernel:
 * '82c9a927bc5d ("getxattr: use correct xattr length")'
 */

Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Status changed to Confirmed

This change was made by a bot.

Changed in linux (Ubuntu):
status: New → Confirmed
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → In Progress
Changed in linux (Ubuntu):
status: Confirmed → In Progress
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Po-Hsu Lin (cypressyew)
summary: - getxattr05 in ubuntu_ltp_syscalls failed with T
+ xattr length returned by vfs_getxattr() is not correct in Trusty kernel
Po-Hsu Lin (cypressyew)
description: updated
description: updated
Po-Hsu Lin (cypressyew)
description: updated
description: updated
Stefan Bader (smb)
Changed in linux (Ubuntu):
status: In Progress → Fix Released
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
importance: Undecided → Medium
Changed in linux (Ubuntu):
importance: Undecided → Medium
Changed in linux (Ubuntu Trusty):
importance: Undecided → Medium
Stefan Bader (smb)
Changed in linux (Ubuntu Trusty):
status: New → Fix Committed
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Po-Hsu Lin (cypressyew) wrote :

The getxattr05 test can pass with this kernel, thanks

tags: added: verification-done-trusty
removed: verification-needed-trusty
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-162.212

---------------
linux (3.13.0-162.212) trusty; urgency=medium

  * linux: 3.13.0-162.212 -proposed tracker (LP: #1799399)

  * packet socket panic in Trusty 3.13.0-157 and later (LP: #1800254)
    - SAUCE: (no-up) net/packet: fix erroneous dev_add_pack usage in fanout

  * Cleanup Meltdown/Spectre implementation (LP: #1779848)
    - x86/Documentation: Add PTI description
    - Revert "x86/cpu/AMD: Make the LFENCE instruction serialized"
    - x86/cpu/AMD: Make LFENCE a serializing instruction
    - x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
    - x86/pti: Document fix wrong index
    - x86/nospec: Fix header guards names
    - x86/bugs: Drop one "mitigation" from dmesg
    - x86/spectre: Check CONFIG_RETPOLINE in command line parser
    - x86/spectre: Simplify spectre_v2 command line parsing
    - x86/spectre: Fix an error message
    - SAUCE: x86/cpufeatures: Reorder spectre-related feature bits
    - x86/cpufeatures: Add AMD feature bits for Speculation Control
    - SAUCE: x86/msr: Fix formatting of msr-index.h
    - SAUCE: x86/msr: Rename MSR spec control feature bits
    - x86/pti: Mark constant arrays as __initconst
    - x86/speculation: Add basic IBPB (Indirect Branch Prediction Barrier) support
    - x86/cpufeatures: Clean up Spectre v2 related CPUID flags
    - x86/cpuid: Fix up "virtual" IBRS/IBPB/STIBP feature bits on Intel
    - SAUCE: x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
    - SAUCE: x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
    - x86/speculation: Use IBRS if available before calling into firmware
    - x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP
    - SAUCE: x86/bugs: Fix re-use of SPEC_CTRL MSR boot value
    - SAUCE: Move SSBD feature detection to common code
    - SAUCE: x86/speculation: Move vendor specific IBRS/IBPB control code
    - SAUCE: x86/speculation: Query individual feature flags when reloading
      microcode
    - xen: Add xen_arch_suspend()
    - x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
    - SAUCE: x86/pti: Evaluate X86_BUG_CPU_MELTDOWN when pti=auto
    - SAUCE: x86/speculation: Make use of indirect_branch_prediction_barrier()
    - SAUCE: x86/speculation: Cleanup IBPB runtime control handling
    - SAUCE: x86/speculation: Cleanup IBRS runtime control handling

  * CVE-2016-9588
    - kvm: nVMX: Allow L1 to intercept software exceptions (#BP and #OF)

  * CVE-2017-16649
    - net: cdc_ether: fix divide by 0 on bad descriptors

  * CVE-2018-9363
    - Bluetooth: hidp: buffer overflow in hidp_process_report

  * CVE-2017-13168
    - scsi: sg: mitigate read/write abuse

  * xattr length returned by vfs_getxattr() is not correct in Trusty kernel
    (LP: #1798013)
    - getxattr: use correct xattr length

  * CVE-2018-16658
    - cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status

 -- Stefan Bader <email address hidden> Mon, 29 Oct 2018 11:31:15 +0100

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Brad Figg (brad-figg)
tags: added: cscc