Ubuntu
linux package

test_095_kernel_symbols_missing_proc_self_stack failed on P-LTS

Bug #1813001 reported by Po-Hsu Lin
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
ubuntu-kernel-tests
Fix Released
Undecided
Kleber Sacilotto de Souza
linux (Ubuntu)
Invalid
Undecided
Unassigned
Trusty
Fix Released
Medium
Kleber Sacilotto de Souza

Bug Description

[Impact]

The testcase test_095_kernel_symbols_missing_proc_self_stack from ubuntu_qrt_kernel_security testsuite started to fail with Trusty kernel (3.13) after the fix for CVE-2018-17972 ("proc: restrict kernel stack dumps to root"), which prevents a regular user to read from /proc/self/stack.

Kernel: 3.13.0-165.215~precise1
The test failed with:
    AssertionError: cat: /proc/self/stack: Permission denied

FAIL: test_095_kernel_symbols_missing_proc_self_stack (__main__.KernelSecurityTest)
kernel addresses in /proc/self/stack are zeroed out
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test-kernel-security.py", line 1364, in test_095_kernel_symbols_missing_proc_self_stack
self._check_pK_files(self._095_kernel_symbols_missing_proc_self_stack, expected=expected)
File "./test-kernel-security.py", line 1209, in _check_pK_files
test_function(expected_restricted)
File "./test-kernel-security.py", line 1320, in _095_kernel_symbols_missing_proc_self_stack
expected, retry=True)
File "./test-kernel-security.py", line 1146, in _read_twice
self.assertEqual(rc, 0, regular)
AssertionError: cat: /proc/self/stack: Permission denied

The testcase checks the file permission before trying to read it, and for kernel 3.13 the permissions became inconsistent with what the user can actually do:

$ cat /proc/self/stack
cat: /proc/self/stack: Permission denied
$ ls -l /proc/self/stack
-r--r--r-- 1 ubuntu ubuntu 0 Jan 24 04:06 /proc/self/stack

[Test Case]
Run 'cat' and 'ls' on the file as stated above, or run the ubuntu_qrt_kernel_security testsuite and check for the results of the test_095_kernel_symbols_missing_proc_self_stack testcase.

[Fix]
Upstream commit 35a35046e4f9 ("procfs: make /proc/*/{stack,syscall,personality} 0400") applied for v3.15-rc1 fixes the issue.

[Regression Potential]
The upstream fix changes the permissions of the files /proc/*/{stack,syscall,personality}, so userspace which relies on reading these files as regular users might fail. However, this fixes a security issue and is already applied on our later series.

See original description

CVE References

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

On Precise 3.13
$ cat /proc/self/stack
cat: /proc/self/stack: Permission denied
$ sudo cat /proc/self/stack
[<ffffffff810730b0>] do_wait+0x1f0/0x280
[<ffffffff8107403f>] SyS_wait4+0xaf/0x120
[<ffffffff817823fc>] system_call_fastpath+0x26/0x2b
[<ffffffffffffffff>] 0xffffffffffffffff
$ ls -l /proc/self/stack
-r--r--r-- 1 ubuntu ubuntu 0 Jan 24 04:06 /proc/self/stack

But on Bionic, the file permission is:
$ ls -l /proc/self/stack
-r-------- 1 ubuntu ubuntu 0 Jan 24 12:07 /proc/self/stack

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

Patch to restrict stack access has already landed, commit 4c53014 in lts-backport-trusty.

The reason why it failed here is the file permission, it should be "-r--------"

Revision history for this message
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1813001

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

Setting the linux task to 'Invalid', since this is the expected permission of the file now for all our kernels.

Changed in linux (Ubuntu):
status: Incomplete → Invalid
Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

Sorry Sam, I misunderstood your comment.

With the Bionic kernel, before the fix for CVE-2018-17972 ("proc: restrict kernel stack dumps to root") the behavior was:

----------------------------------------------
$ uname -r
4.15.0-38-generic
$ ls -la /proc/self/stack
-r-------- 1 ubuntu ubuntu 0 Jan 24 15:04 /proc/self/stack
$ cat /proc/self/stack
[<0>] proc_pid_stack+0xaa/0x100
[<0>] proc_single_show+0x56/0x80
[<0>] seq_read+0xe5/0x430
[<0>] __vfs_read+0x1b/0x40
[<0>] vfs_read+0x8e/0x130
[<0>] SyS_read+0x55/0xc0
[<0>] do_syscall_64+0x73/0x130
[<0>] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[<0>] 0xffffffffffffffff
----------------------------------------------

With the fix it's now:

----------------------------------------------
$ uname -r
4.15.0-44-generic
$ ls -la /proc/self/stack
-r-------- 1 ubuntu ubuntu 0 Jan 24 15:10 /proc/self/stack
$ cat /proc/self/stack
cat: /proc/self/stack: Permission denied
----------------------------------------------

So you are right, the permission on the trusty kernel (3.13) should be the same.

Changed in linux (Ubuntu):
status: Invalid → Confirmed
status: Confirmed → Invalid
Changed in linux (Ubuntu Trusty):
status: New → Confirmed
Kleber Sacilotto de Souza (kleber-souza)
Changed in linux (Ubuntu Trusty):
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
importance: Undecided → Medium
Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

I have identified the fix, I'm preparing it for a SRU request.

Changed in linux (Ubuntu Trusty):
status: Confirmed → In Progress
Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

OK thanks,
I will remove the qa-regression-testing here.

no longer affects: qa-regression-testing
Changed in ubuntu-kernel-tests:
status: New → In Progress
assignee: nobody → Kleber Sacilotto de Souza (kleber-souza)
Kleber Sacilotto de Souza (kleber-souza)
description: updated
Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

SRU request sent:
https://lists.ubuntu.com/archives/kernel-team/2019-January/098080.html

Khaled El Mously (kmously)
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'. If the problem still exists, change the tag 'verification-needed-trusty' to 'verification-failed-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Revision history for this message
Terry Rudd (terrykrudd) wrote :

Final reminder: We are at the end of the SRU Cycle and request that you please provide verification the kernel in proposed resolves the problem for which this bug was submitted. -Thank you!

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

There is a dependency issue with the kernel package installation, can't verify this now:
https://bugs.launchpad.net/ubuntu/+source/linux-lts-trusty/+bug/1818474

Revision history for this message
Kleber Sacilotto de Souza (kleber-souza) wrote :

New behavior with Trusty kernel 3.13.0-166-generic:

ubuntu@autopkgtest:~$ ls -la /proc/self/stack
-r-------- 1 ubuntu ubuntu 0 Mar 6 15:43 /proc/self/stack
ubuntu@autopkgtest:~$ cat /proc/self/stack
cat: /proc/self/stack: Permission denied

tags: added: verification-done-trusty
removed: verification-needed-trusty
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (4.0 KiB)

This bug was fixed in the package linux - 3.13.0-166.216

---------------
linux (3.13.0-166.216) trusty; urgency=medium

  * linux: 3.13.0-166.216 -proposed tracker (LP: #1814645)

  * linux-buildinfo: pull out ABI information into its own package
    (LP: #1806380)
    - [Packaging] limit preparation to linux-libc-dev in headers
    - [Packaging] commonise debhelper invocation
    - [Packaging] ABI -- accumulate abi information at the end of the build
    - [Packaging] buildinfo -- add basic build information
    - [Packaging] buildinfo -- add firmware information to the flavour ABI
    - [Packaging] buildinfo -- add compiler information to the flavour ABI
    - [Packaging] buildinfo -- add buildinfo support to getabis
    - [Config] buildinfo -- add retpoline version markers
    - [Packaging] getabis -- handle all known package combinations
    - [Packaging] getabis -- support parsing a simple version
    - [Packaging] autoreconstruct -- base tag is always primary mainline version

  * signing: only install a signed kernel (LP: #1764794)
    - [Debian] usbip tools packaging
    - [Debian] Don't fail if a symlink already exists
    - [Debian] perf -- build in the context of the full generated local headers
    - [Debian] basic hook support
    - [Debian] follow rename of DEB_BUILD_PROFILES
    - [Debian] standardise on stage1 for the bootstrap stage in line with debian
    - [Debian] set do_*_tools after stage1 or bootstrap is determined
    - [Debian] initscripts need installing when making the package
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Debian] add feature interlock with mainline builds
    - [Debian] Remove generated intermediate files on clean
    - [Packaging] prevent linux-*-tools-common from being produced from non linux
      packages
    - SAUCE: ubuntu: vbox -- elide the new symlinks and reconstruct on clean:
    - [Debian] Update to new signing key type and location
    - [Packaging] autoreconstruct -- generate extend-diff-ignore for links
    - [Packaging] reconstruct -- update when inserting final changes
    - [Packaging] update to Debian like control scripts
    - [Packaging] switch to triggers for postinst.d postrm.d handling
    - [Packaging] signing -- switch to raw-signing tarballs
    - [Packaging] signing -- switch to linux-image as signed when available
    - [Packaging] printenv -- add signing options
    - [Packaging] fix invocation of header postinst hooks
    - [Packaging] signing -- add support for signing Opal kernel binaries
    - [Debian] Use src_pkg_name when constructing udeb control files
    - [Debian] Dynamically determine linux udebs package name
    - [Packaging] handle both linux-lts* and linux-hwe* as backports
    - [Config] linux-source-* is in the primary linux namespace
    - [Packaging] lookup the upstream tag
    - [Packaging] switch up to debhelper 9
    - [Packaging] autopkgtest -- disable d-i when dropping flavours
    - [debian] support for ship_extras_package=false
    - [Debian] do_common_tools should always be on
    - [debian] do not force do_tools_common
    - [Packaging] skip cloud tools packaging when not building package
    - [debian] pre...

Read more...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.