Add -fcf-protection=none when using retpoline flags
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| | linux (Ubuntu) |
Medium
|
Seth Forshee | ||
| | Bionic |
Undecided
|
Unassigned | ||
| | Disco |
Undecided
|
Unassigned | ||
Bug Description
SRU Justification
Impact: Starting in eoan -fcf-protection is enabled by default in gcc, see https:/
Fix: Backport upstream patch to add -fcf-protection
Test Case: Upgrade from {bionic,diso} to eoan with dkms modules installed.
Regression Potential: The patch probes the compiler for support for -fcf-protection and only adds it if the compiler supports it, and =none was the default prior to the change in eoan. It's also been upstream and in eoan for a while now, so it's unlikely to cause any regressions.
CVE References
| Changed in linux (Ubuntu Disco): | |
| status: | New → Fix Committed |
| Changed in linux (Ubuntu Bionic): | |
| status: | New → Fix Committed |
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
| tags: | added: verification-needed-disco |
Running kernel 5.0.0-31-generic in a Eoan install I get the following error when I try to install lttng-modules-dkms:
CC [M] /var/lib/
In file included from ./include/
2:
./include/
./include/
192 | {
| ^
With kernel 5.0.0-32-generic the modules are built and loaded successfully.
Therefore I'm marking verification-done for Disco.
| tags: |
added: verification-done-disco removed: verification-needed-disco |
Confirmed to be also fixed with Bionic kernel. Fails with 4.15.0-65, fixed with 4.15.0-66.
| tags: |
added: verification-done-bionic removed: verification-needed-bionic |
| Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package linux - 5.0.0-32.34
---------------
linux (5.0.0-32.34) disco; urgency=medium
* disco/linux: 5.0.0-32.34 -proposed tracker (LP: #1846097)
* CVE-2019-14814 // CVE-2019-14815 // CVE-2019-14816
- mwifiex: Fix three heap overflow at parsing element in cfg80211_
* CVE-2019-15505
- media: technisat-usb2: break out of loop at end of buffer
* CVE-2019-2181
- binder: check for overflow when alloc for security context
* Support Hi1620 zip hw accelerator (LP: #1845355)
- [Config] Enable HiSilicon QM/ZIP as modules
- crypto: hisilicon - add queue management driver for HiSilicon QM module
- crypto: hisilicon - add hardware SGL support
- crypto: hisilicon - add HiSilicon ZIP accelerator support
- crypto: hisilicon - add SRIOV support for ZIP
- Documentation: Add debugfs doc for hisi_zip
- crypto: hisilicon - add debugfs for ZIP and QM
- MAINTAINERS: add maintainer for HiSilicon QM and ZIP controller driver
- crypto: hisilicon - fix kbuild warnings
- crypto: hisilicon - add dependency for CRYPTO_DEV_HISI_ZIP
- crypto: hisilicon - init curr_sgl_dma to fix compile warning
- crypto: hisilicon - add missing single_release
- crypto: hisilicon - fix error handle in hisi_zip_
- crypto: hisilicon - Fix warning on printing %p with dma_addr_t
- crypto: hisilicon - Fix return value check in hisi_zip_
- crypto: hisilicon - avoid unused function warning
* xfrm interface: several kernel panic (LP: #1836261)
- xfrm interface: fix memory leak on creation
- xfrm interface: avoid corruption on changelink
- xfrm interface: ifname may be wrong in logs
- xfrm interface: fix list corruption for x-netns
- xfrm interface: fix management of phydev
* shiftfs: drop entries from cache on unlink (LP: #1841977)
- SAUCE: shiftfs: fix buggy unlink logic
* shiftfs: mark kmem_cache as reclaimable (LP: #1842059)
- SAUCE: shiftfs: mark slab objects SLAB_RECLAIM_
* Suspend to RAM(S3) does not wake up for latest megaraid and mpt3sas
adapters(SAS3.5 onwards) (LP: #1838751)
- PCI: Restore Resizable BAR size bits correctly for 1MB BARs
* No sound inputs from the external microphone and headset on a Dell machine
(LP: #1842265)
- ALSA: hda - Expand pin_match function to match upcoming new tbls
- ALSA: hda - Define a fallback_
* Add -fcf-protection
- SAUCE: kbuild: add -fcf-protection
* Disco update: upstream stable patchset 2019-09-25 (LP: #1845390)
- bridge/mdb: remove wrong use of NLM_F_MULTI
- cdc_ether: fix rndis support for Mediatek based smartphones
- ipv6: Fix the link time qualifier of 'ping_v6_
- isdn/capi: check message length in capi_write()
- ixgbe: Fix secpath usage for IPsec TX offload.
- net: Fix null de-reference of device refcount
- net: gso: Fix skb_segment splat when splitting gso_size mangled skb having
linear-headed frag_list
- net: phylink: Fix flow control resolution
- net: s...
| Changed in linux (Ubuntu Disco): | |
| status: | Fix Committed → Fix Released |
| Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package linux - 4.15.0-66.75
---------------
linux (4.15.0-66.75) bionic; urgency=medium
* bionic/linux: 4.15.0-66.75 -proposed tracker (LP: #1846131)
* Packaging resync (LP: #1786013)
- [Packaging] update helper scripts
* CVE-2018-21008
- rsi: add fix for crash during assertions
* ipv6: fix neighbour resolution with raw socket (LP: #1834465)
- ipv6: constify rt6_nexthop()
- ipv6: fix neighbour resolution with raw socket
* run_netsocktests from net in ubuntu_
(LP: #1842023)
- SAUCE: selftests: net: replace AF_MAX with INT_MAX in socket.c
* No sound inputs from the external microphone and headset on a Dell machine
(LP: #1842265)
- ALSA: hda - Expand pin_match function to match upcoming new tbls
- ALSA: hda - Define a fallback_
* Add -fcf-protection
- SAUCE: kbuild: add -fcf-protection
* Enhanced Hardware Support - Finalize Naming (LP: #1842774)
- s390: add support for IBM z15 machines
* Bionic update: upstream stable patchset 2019-09-24 (LP: #1845266)
- bridge/mdb: remove wrong use of NLM_F_MULTI
- cdc_ether: fix rndis support for Mediatek based smartphones
- ipv6: Fix the link time qualifier of 'ping_v6_
- isdn/capi: check message length in capi_write()
- net: Fix null de-reference of device refcount
- net: gso: Fix skb_segment splat when splitting gso_size mangled skb having
linear-headed frag_list
- net: phylink: Fix flow control resolution
- sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero
- sctp: Fix the link time qualifier of 'sctp_ctrlsock_
- sctp: use transport pf_retrans in sctp_do_
- tcp: fix tcp_ecn_
- tipc: add NULL pointer check before calling kfree_rcu
- tun: fix use-after-free when register netdev failed
- btrfs: compression: add helper for type to string conversion
- btrfs: correctly validate compression type
- Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur"
- gpiolib: acpi: Add gpiolib_
- gpio: fix line flag validation in linehandle_create
- gpio: fix line flag validation in lineevent_create
- Btrfs: fix assertion failure during fsync and use of stale transaction
- genirq: Prevent NULL pointer dereference in resend_irqs()
- KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl
- KVM: x86: work around leak of uninitialized stack contents
- KVM: nVMX: handle page fault in vmread
- MIPS: VDSO: Prevent use of smp_processor_id()
- MIPS: VDSO: Use same -m%-float cflag as the kernel proper
- powerpc: Add barrier_nospec to raw_copy_in_user()
- drm/meson: Add support for XBGR8888 & ABGR8888 formats
- clk: rockchip: Don't yell about bad mmc phases when getting
- mtd: rawnand: mtk: Fix wrongly assigned OOB buffer pointer issue
- PCI: Always allow probing with driver_override
- ubifs: Cor...
| Changed in linux (Ubuntu Bionic): | |
| status: | Fix Committed → Fix Released |
| Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (linux-bluefield/5.0.0-1003.12) | #7 |
All autopkgtests for the newly accepted linux-bluefield (5.0.0-1003.12) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:
fsprotect/unknown (armhf)
Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUp
[1] https:/
Thank you!
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/