linux ADT test failure with linux/4.4.0-208.240

Bug #1922596 reported by Kelsey Steele
This bug affects 1 person
Affects                 Status        Importance  Assigned to  Milestone
QA Regression Testing   Fix Released  Undecided   Unassigned
linux (Ubuntu)          Invalid       Undecided   Unassigned
Xenial                  Invalid       Undecided   Unassigned

Bug Description

This is a scripted bug report about ADT failures while running linux tests for linux/4.4.0-208.240 on xenial. Whether this is caused by the dep8 tests of the tested source or the kernel has yet to be determined.

Testing failed on:
    amd64: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/l/linux/20210405_165921_51e87@/log.gz
    i386: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/i386/l/linux/20210405_171150_5e4c6@/log.gz
    ppc64el: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/ppc64el/l/linux/20210405_171645_a1619@/log.gz
    s390x: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/s390x/l/linux/20210402_051319_d4fe2@/log.gz

15:47:57 ERROR| [stderr] ======================================================================
15:47:57 ERROR| [stderr] FAIL: test_160_setattr_CVE_2015_1350 (__main__.KernelSecurityTest)
15:47:57 ERROR| [stderr] Ensure unpriv user cannot strip setattr attributes via chown() (CVE-2015-1350)
15:47:57 ERROR| [stderr] ----------------------------------------------------------------------
15:47:57 ERROR| [stderr] Traceback (most recent call last):
15:47:57 ERROR| [stderr] File "./test-kernel-security.py", line 1891, in test_160_setattr_CVE_2015_1350
15:47:57 ERROR| [stderr] self.assertShellOutputEquals(exp_output, ['sudo', '-u', user, 'getcap', testbin])
15:47:57 ERROR| [stderr] File "/tmp/autopkgtest.UEYHB2/build.S4Z/src/autotest/client/tmp/ubuntu_qrt_kernel_security/src/qa-regression-testing/scripts/testlib.py", line 1206, in assertShellOutputEquals
15:47:57 ERROR| [stderr] self.assertEqual(text, out, msg + result + report)
15:47:57 ERROR| [stderr] AssertionError: Got exit code 0. Looking for exact text "" (sudo -u ubuntu getcap /tmp/setattr-GwRjva/true)
15:47:57 ERROR| [stderr] Command: 'sudo', '-u', 'ubuntu', 'getcap', '/tmp/setattr-GwRjva/true'
15:47:57 ERROR| [stderr] Output:
15:47:57 ERROR| [stderr] /tmp/setattr-GwRjva/true = cap_sys_nice+ep
15:47:57 ERROR| [stderr]
15:47:57 ERROR| [stderr]
15:47:57 ERROR| [stderr] ----------------------------------------------------------------------
15:47:57 ERROR| [stderr] Ran 125 tests in 24.852s
15:47:57 ERROR| [stderr]
15:47:57 ERROR| [stderr] FAILED (failures=1)

tags: added: kernel-adt-failure
tags: added: xenial
description: updated
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1922596

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Xenial):
status: New → Confirmed
Changed in linux (Ubuntu):
status: Incomplete → Invalid
Kleber Sacilotto de Souza (kleber-souza) wrote :

test_160_setattr_CVE_2015_1350 from qa-regression-testing/scripts/test-kernel-security.py assumes that all Ubuntu kernels prior to 4.9 lack the fix for CVE-2015-1350. The latest Xenial kernel in -proposed (linux/4.4.0-208.240) has the fixes for this CVE applied, therefore the testcase needs to be updated with something like:

--- a/scripts/test-kernel-security.py
+++ b/scripts/test-kernel-security.py
@@ -1885,8 +1885,8 @@ class KernelSecurityTest(KernelSecurityBaseTest):
         # chown should fail, but also should not clear fs caps
         self.assertShellExitEquals(1, ['sudo', '-u', user, 'chown', user, testbin])

- if not self.kernel_at_least('4.9'):
- self._skipped("Kernels before 4.9 need to fix CVE-2015-1350")
+ if not self.kernel_at_least('4.4'):
+ self._skipped("Kernels before 4.4 need to fix CVE-2015-1350")
             exp_output = ''
         self.assertShellOutputEquals(exp_output, ['sudo', '-u', user, 'getcap', testbin])
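
Review bot: The new condition kernel_at_least('4.4') is true for every 4.4 build, including 4.4 builds that do not carry the CVE-2015-1350 fix, so those kernels now take the non-skipped path and fail the getcap comparison on the last line of the hunk. If the helper can compare a full package version, gate on the first fixed upload (this report names linux/4.4.0-208.240) instead of '4.4'; otherwise add a comment above the check recording which 4.4 upload carries the fix, so that a failure on an older 4.4 kernel is recognised as expected.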

Changed in linux (Ubuntu Xenial):
status: Confirmed → Invalid
Changed in qa-regression-testing:
status: New → Confirmed
Kleber Sacilotto de Souza (kleber-souza) wrote :
Steve Beattie (sbeattie) wrote :

This was merged into q-r-t in https://git.launchpad.net/qa-regression-testing/commit/?id=c1af010b49291e5526ccac85cd1fd334fa3bd0c5 .

Until this actually makes it into a kernel in updates/security, the test will fail for those kernels. Worth keeping in mind if we have to do any respins.

Thanks!

Changed in qa-regression-testing:
status: Confirmed → Fix Released
Po-Hsu Lin (cypressyew)
tags: added: ubuntu-qrt-kernel-security
tags: added: sru-20210315
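
The effect of the version gate discussed in the comments above (the 4.9 threshold that produced this failure, the 4.4 threshold from the patch, and the caveat about kernels still in updates/security) can be modelled offline. This is an added example, not code from qa-regression-testing: the helper names, the ABI-pinned threshold "4.4.0-208", the assumption that 4.4.0-208 is the first fixed build, and the older sample kernel are all constructed for illustration.

```python
import re

# Hypothetical helper, not q-r-t's kernel_at_least(): turns an Ubuntu kernel
# version ("4.4.0-208.240") or a threshold ("4.9") into a tuple of integers.
def version_key(version):
    return tuple(int(n) for n in re.findall(r"\d+", version))

def at_least(running, minimum):
    # Compare only as many components as the threshold gives, so "4.4"
    # matches every 4.4 build while "4.4.0-208" also pins the ABI number.
    want = version_key(minimum)
    have = version_key(running)[:len(want)]
    have += (0,) * (len(want) - len(have))
    return have >= want

def expected_getcap(running, threshold, testbin):
    # Mirrors the gate in the test: below the threshold the file capability
    # is expected to be gone; at or above it the capability must survive.
    if not at_least(running, threshold):
        return ""
    return "%s = cap_sys_nice+ep" % testbin

def observed_getcap(running, first_fixed, testbin):
    # Stand-in for the kernel: builds from first_fixed onward keep the
    # capability after the failed chown, older builds strip it.
    return expected_getcap(running, first_fixed, testbin)

def verdicts(threshold, kernels, first_fixed="4.4.0-208",
             testbin="/tmp/setattr-example/true"):
    # first_fixed is an assumption taken from the -proposed version in this
    # report; testbin is a constructed path.
    result = {}
    for kernel in kernels:
        ok = (expected_getcap(kernel, threshold, testbin)
              == observed_getcap(kernel, first_fixed, testbin))
        result[kernel] = "pass" if ok else "FAIL"
    return result

# The -proposed kernel from this report plus one constructed older 4.4 build
# that is assumed not to carry the fix.
KERNELS = ["4.4.0-208.240", "4.4.0-100.123"]

if __name__ == "__main__":
    for threshold in ("4.9", "4.4", "4.4.0-208"):
        print(threshold, verdicts(threshold, KERNELS))
```

With the 4.9 gate the fixed kernel fails, with the 4.4 gate the unfixed one fails, and only a threshold that includes the ABI number passes both.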