2021-04-01 08:05:12 |
Kleber Sacilotto de Souza |
bug |
|
|
added bug |
2021-04-01 08:20:22 |
Kleber Sacilotto de Souza |
nominated for series |
|
Ubuntu Xenial |
|
2021-04-01 08:20:22 |
Kleber Sacilotto de Souza |
bug task added |
|
linux (Ubuntu Xenial) |
|
2021-04-01 08:20:30 |
Kleber Sacilotto de Souza |
linux (Ubuntu): status |
New |
Invalid |
|
2021-04-01 08:20:37 |
Kleber Sacilotto de Souza |
linux (Ubuntu Xenial): status |
New |
Triaged |
|
2021-04-01 08:20:41 |
Kleber Sacilotto de Souza |
linux (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2021-04-01 08:20:46 |
Kleber Sacilotto de Souza |
linux (Ubuntu Xenial): assignee |
|
Kleber Sacilotto de Souza (kleber-souza) |
|
2021-04-01 08:48:29 |
Kleber Sacilotto de Souza |
description |
This is a scripted bug report about ADT failures while running linux tests for linux/4.4.0-207.239 on xenial. Whether this is caused by the tested source or the kernel has yet to be determined.
Testing failed on:
amd64: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/l/linux/20210331_014541_79861@/log.gz
i386: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/i386/l/linux/20210331_012734_ec0bc@/log.gz
ppc64el: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/ppc64el/l/linux/20210331_014757_ec0bc@/log.gz
s390x: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/s390x/l/linux/20210330_031532_e87f8@/log.gz |
[Impact]
The backport of upstream commit ad67b74d2469d9b82aaa572d76474c95bc484d57 ("printk: hash addresses printed with %p"), applied to fix CVEs CVE-2018-5953/CVE-2018-5995/CVE-2018-7754 on xenial/linux 4.4.0-207.239, introduced a regression caught by testcases from ubuntu_qrt_kernel_security.test-kernel-security.py testsuite.
The failing testcases are:
test_095_kernel_symbols_missing_kallsyms
test_095_kernel_symbols_missing_proc_modules
test_095_kernel_symbols_missing_proc_net_tcp
test_300_test_kaslr_base
The '095' testcases expect the addresses read by a regular user to be zeroed out and test '300' expects the default address for 'startup_64' to be 'ffffffff81000000' for non-kaslr kernels (<4.15). The applied backport leaks what the address 0x0 hashes to on the /proc interfaces instead of the expected values.
Examples:
$ head /proc/kallsyms
00000000b845aaf2 A irq_stack_union
00000000b845aaf2 A __per_cpu_start
00000000b845aaf2 A __per_cpu_user_mapped_start
00000000b845aaf2 A vector_irq
00000000b845aaf2 A unsafe_stack_register_backup
00000000b845aaf2 A cpu_debug_store
00000000b845aaf2 A cpu_tss
00000000b845aaf2 A exception_stacks
00000000b845aaf2 A gdt_page
00000000b845aaf2 A espfix_waddr
$ sudo head /proc/kallsyms
00000000b845aaf2 A irq_stack_union
00000000b845aaf2 A __per_cpu_start
00000000b845aaf2 A __per_cpu_user_mapped_start
00000000cd84b193 A vector_irq
00000000f271a77b A unsafe_stack_register_backup
00000000b451cc91 A cpu_debug_store
00000000108c2558 A cpu_tss
000000001484be48 A exception_stacks
000000000a1b6bc6 A gdt_page
00000000f38c128a A espfix_waddr
$ sudo grep -w startup_64 /proc/kallsyms
0000000028c44c50 T startup_64
[Fix]
For the backport to work as expected, we would likely need to backport the following commits as well:
57e734423add vsprintf: refactor %pK code out of pointer()
ef0010a30935 vsprintf: don't use 'restricted_pointer()' when not restricting
However, this could introduce other regressions as there are several corner cases in this code path.
Given that the CVEs which are fixed by this patch are all low or negligible, the best solution seems to be to revert this patch altogether.
[Test]
Run ubuntu_qrt_kernel_security.test-kernel-security.py tests from the kernel team autotest repository.
[Where problems could occur]
Reverting this patch can't introduce any regression as it would return the code to the previous state, however it would keep the kernel vulnerable to these CVEs.
[Additional Info]
Testing failed on:
amd64: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/l/linux/20210331_014541_79861@/log.gz
i386: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/i386/l/linux/20210331_012734_ec0bc@/log.gz
ppc64el: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/ppc64el/l/linux/20210331_014757_ec0bc@/log.gz
s390x: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/s390x/l/linux/20210330_031532_e87f8@/log.gz |
|
2021-04-01 08:52:43 |
Kleber Sacilotto de Souza |
summary |
linux/4.4.0-207.239 ADT test failure with linux/4.4.0-207.239 |
linux ADT test failure with linux/4.4.0-207.239 - ubuntu_qrt_kernel_security.test-kernel-security.py |
|
2021-04-01 09:18:34 |
Kleber Sacilotto de Souza |
linux (Ubuntu Xenial): status |
Triaged |
In Progress |
|
2021-04-01 09:52:24 |
Kleber Sacilotto de Souza |
linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2021-04-01 13:10:52 |
Kleber Sacilotto de Souza |
tags |
|
kernel-adt-failure |
|
2021-04-01 13:11:01 |
Kleber Sacilotto de Souza |
tags |
kernel-adt-failure |
kernel-adt-failure xenial |
|
2021-04-02 08:38:18 |
Ubuntu Kernel Bot |
tags |
kernel-adt-failure xenial |
kernel-adt-failure verification-needed-xenial xenial |
|
2021-04-06 10:27:26 |
Kleber Sacilotto de Souza |
tags |
kernel-adt-failure verification-needed-xenial xenial |
kernel-adt-failure verification-done-xenial xenial |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2015-1350 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2017-5967 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2018-13095 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2018-5953 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2018-5995 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2018-7754 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2019-16231 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2019-16232 |
|
2021-04-12 15:32:06 |
Launchpad Janitor |
cve linked |
|
2019-19061 |
|