Ubuntu-5.4.0-48.52 introduces a regression by cherry picking partial fixes from set of commits

Bug #1904471 reported by Shoily Rahman
Affects: linux (Ubuntu) | Status: Fix Released | Importance: Undecided | Assigned to: Unassigned | Milestone: (none)

Bug Description

Hello,

While I was porting a security fix pertaining to blktrace and debugfs, I noticed that the ubuntu-5.4.0-48.52 kernel is missing fix b431ef837e3374da0db8ff6683170359aaa0859c from the mainline kernel.

Here ubuntu-5.4.0-48.52 picked partial fixes from a set of commits which solves a race condition present in blktrace and debugfs. This is explained by the kernel developer Luis Chamberlain <email address hidden> in the thread https://bugzilla.kernel.org/show_bug.cgi?id=205713:

The fixes for this is now queued up on the block for-next branch, on its way for v5.9. There were quite a bit of scattered fixes required for this, if you are looking to backport this to your kernel be sure to include starting from "blktrace: break out of blktrace setup on concurrent calls" up to "blktrace: ensure our debugfs dir exists". The actual fix for this particular crash however is handled by the patch titled, "blktrace: fix debugfs use after free"

Commit 4a6f7d09462878b26c4732c8fa0c7e7d22ac1564 in ubuntu-5.4.0-48.52 caused the regression by removing the NULL check for the debugfs dir. This is fixed in mainline kernel commit b431ef837e3374da0db8ff6683170359aaa0859c, which is missing in Ubuntu.

Let me know if you have further questions.

Thanks,

Shoily Rahman
<email address hidden>

Shoily Rahman (shoilyr)
summary: - Ubuntu-5.4.0-48.52 introcues a regression by cherry picking partial
+ Ubuntu-5.4.0-48.52 introduces a regression by cherry picking partial
fixes from set of commits
Seth Arnold (seth-arnold) wrote :

Thank you Shoily. We'll take a look at this.

Steve Beattie (sbeattie) wrote :

Going by Luis' comments, it looks like the following commits are needed:

  (1b0b28364816) blktrace: break out of blktrace setup on concurrent calls
  (c3dbe541ef77) blktrace: Avoid sparse warnings when assigning q->blk_trace
  (a67549c8e568) blktrace: annotate required lock on do_blk_trace_setup()
  (b431ef837e33) blktrace: ensure our debugfs dir exists

thanks.

Steve Beattie (sbeattie) wrote :

Hi Shoily,

Coming back around to this issue, it looks like b431ef837e3374da0db8ff6683170359aaa0859c landed in focal in 5.4.0-49.53 and bionic in 4.15.0-119.120. I'm making this public as well as marking it as fix released.

Thanks again for the report!

information type: Private Security → Public
Changed in linux (Ubuntu):
status: New → Fix Released
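The versions named above (focal 5.4.0-49.53, bionic 4.15.0-119.120) can be turned into a fleet check against `uname -r`. This is an added example, not code from the report or from Ubuntu; it assumes a focal or bionic GA kernel, where `uname -r` has the form `<upstream>-<ABI>-<flavour>`, so only the Ubuntu ABI number needs comparing.

```shell
#!/bin/sh
# Added example (not part of the Launchpad report): report whether a running
# Ubuntu kernel carries blktrace debugfs fix b431ef837e33, based on the
# versions named in the report (focal 5.4.0-49.53, bionic 4.15.0-119.120).
# Assumption: focal/bionic GA kernel, so `uname -r` looks like
# "<upstream>-<ABI>-<flavour>" and the ABI number is the second field.

# Prints "fixed", "missing-fix" or "unknown" for a uname -r style string.
blktrace_fix_status() {
    rel=$1
    upstream=${rel%%-*}            # e.g. 5.4.0
    rest=${rel#*-}                 # e.g. 48-generic
    abi=${rest%%-*}                # e.g. 48
    # Bail out if the ABI field is empty or not purely numeric.
    case $abi in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    case $upstream in
        5.4.0)  need=49 ;;         # focal: fix landed in 5.4.0-49.53
        4.15.0) need=119 ;;        # bionic: fix landed in 4.15.0-119.120
        *)      echo unknown; return 0 ;;   # other series: not covered here
    esac
    if [ "$abi" -ge "$need" ]; then
        echo fixed
    else
        echo missing-fix
    fi
}

# Usage: check the running kernel.
blktrace_fix_status "$(uname -r)"
```

HWE or cloud flavours with a different upstream version fall into "unknown" and need to be checked against their own changelog.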