seccomp_bpf:syscall_faked from kselftests fail on s390x

Bug #1928522 reported by Kelsey Skunberg
Affects              Status        Importance  Assigned to                    Milestone
ubuntu-kernel-tests  New           Undecided   Unassigned
linux (Ubuntu)       Fix Released  Undecided   Unassigned
  Bionic             Fix Released  Undecided   Thadeu Lima de Souza Cascardo
  Focal              Fix Released  Undecided   Thadeu Lima de Souza Cascardo
  Groovy             Fix Released  Undecided   Unassigned
  Hirsute            Fix Released  Undecided   Unassigned
  Impish             Fix Released  Undecided   Unassigned

Bug Description

[Impact]
kselftests seccomp_bpf will start failing on s390x, though due to a test problem, not a kernel regression, thus wasting people's time doing test review.

[Regression potential]
Though this only changes the test, we might miss failures in the future because some tests are no longer executed.
ptrace_syscall_faked, ptrace_syscall_errno and syscall_errno should all work just fine on s390x, but will be skipped as well with this change.

[Fix]
The fix is to consider that s390x cannot change syscall and errno at once by using ptrace. It can, however, change the errno at syscall exit time, which could even be used with seccomp SECCOMP_RET_TRACE as long as ptrace is used to track the exit transitions. But the test is not designed to deal with such situations.

[Test case]
seccomp_bpf was run, ptrace_faked passed and no new subtests have failed.

-------------------------------

This is a scripted bug report about ADT failures while running linux tests for linux/4.15.0-144.148 on bionic. Whether this is caused by the dep8 tests of the tested source or the kernel has yet to be determined.

Testing failed on:
    s390x: https://autopkgtest.ubuntu.com/results/autopkgtest-bionic/bionic/s390x/l/linux/20210514_022345_e6f3c@/log.gz

tags: added: kernel-adt-failure
summary: - linux ADT test failure with linux/4.15.0-144.148
+ seccomp_bpf from ubuntu_kernel_selftests.seccomp in linux ADT test
+ failure with linux/4.15.0-144.148
description: updated
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1928522

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Thadeu Lima de Souza Cascardo (cascardo) wrote : Re: seccomp_bpf from ubuntu_kernel_selftests.seccomp in linux ADT test failure with linux/4.15.0-144.148

01:54:40 ERROR| [stderr] seccomp_bpf.c:1902:TRACE_syscall.syscall_faked:Expected 45000 (45000) == syscall(236) (18446744073709551615)
01:54:40 ERROR| [stderr] TRACE_syscall.syscall_faked: Test failed at step #11

This fails after the fix for LP: #1895132. However, this is not a regression. s390x ptrace does not support changing the syscall return code and the other way was not expected by strace (so tests for that one were failing).

We have not been running this test on s390x since after 4.18. After an effort to get that fixed on ppc64el (because it also has some different behaviors, like only able to set syscall return code at exit time), there was some restructure of the test.

Applying that patchset would allow us to get s390x test back to work on 4.15 kernels, and also start running it on 5.4 and later kernels.

Cascardo.
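The two stderr lines quoted above are in the kselftest harness's assertion format. As an added example (not part of the bug report or of the kselftest code), here is a small Python parser that extracts the failing assertion and undoes the unsigned printing, so that 18446744073709551615 reads as the -1 a failed syscall() returns. The sample input is the two quoted lines, reconstructed inline.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two stderr lines quoted in the bug report, as the
# kselftest harness in seccomp_bpf.c printed them on s390x.
SAMPLE_STDERR = """\
01:54:40 ERROR| [stderr] seccomp_bpf.c:1902:TRACE_syscall.syscall_faked:Expected 45000 (45000) == syscall(236) (18446744073709551615)
01:54:40 ERROR| [stderr] TRACE_syscall.syscall_faked: Test failed at step #11
"""

# file:line:test:Expected <lhs> (<lval>) <op> <rhs> (<rval>)
ASSERT_RE = re.compile(
    r"(?P<file>[\w.]+):(?P<line>\d+):(?P<test>[\w.]+):"
    r"Expected (?P<lhs>.+?) \((?P<lval>-?\d+)\) (?P<op>==|!=|<=|>=|<|>) "
    r"(?P<rhs>.+?) \((?P<rval>-?\d+)\)"
)
STEP_RE = re.compile(r"(?P<test>[\w.]+): Test failed at step #(?P<step>\d+)")


def to_signed64(v: int) -> int:
    """The harness prints values as unsigned 64-bit; undo the wrap so -1 reads as -1."""
    v &= (1 << 64) - 1
    return v - (1 << 64) if v >= 1 << 63 else v


@dataclass
class Failure:
    test: str
    file: str
    line: int
    expected: int
    actual: int
    step: Optional[int] = None

    @property
    def actual_is_errno_return(self) -> bool:
        # syscall(2) returns -1 and sets errno on failure, so a negative actual
        # value means the call failed instead of returning the faked value.
        return self.actual < 0


def parse_kselftest_stderr(text: str) -> list[Failure]:
    """Collect one Failure per test, pairing the assertion line with its step line."""
    failures: dict[str, Failure] = {}
    for line in text.splitlines():
        m = ASSERT_RE.search(line)
        if m:
            failures[m["test"]] = Failure(
                test=m["test"], file=m["file"], line=int(m["line"]),
                expected=to_signed64(int(m["lval"])), actual=to_signed64(int(m["rval"])))
            continue
        m = STEP_RE.search(line)
        if m and m["test"] in failures:
            failures[m["test"]].step = int(m["step"])
    return list(failures.values())
```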

Changed in linux (Ubuntu Impish):
status: Incomplete → Fix Released
Changed in linux (Ubuntu Hirsute):
status: New → Fix Released
Thadeu Lima de Souza Cascardo (cascardo) wrote :

So, s390x ptrace does allow setting the syscall and return code, as long as it sets the return code at exit time.

However, when using seccomp SECCOMP_RET_TRACE, there is no possibility to change it at exit time (by doing a ptrace after SECCOMP_RET_TRACE stops the process). It only happens at entry time. Then, either the syscall or return value could be set. This is aggravated by the fact that when seccomp checks for an invalid syscall in order to skip executing it, it checks for int_code, which cannot be changed by ptrace. This is probably something that could be reviewed, however.

Without the code change that led to this test regression, the test sets gpr[2] twice, once for the syscall number, then for the return value. That return value was being used later on as the return code as it was an invalid syscall number, which made the test accidentally work.

Now, instead, ENOSYS is returned, and the test fails.

One regression, however, that this patch causes (but not on 4.15), is that when seccomp returns failure because of a signal, the signal_restart should not be skipped, but it is. This causes a test (that we don't currently run) to fail on 5.4, but that is not a regression and has been like that on 5.4 since forever.

Upstream has changed the entry code for a common code, which should not have this bug. That needs to be verified, though. Then, a different fix should be applied to our earlier kernels, like this one:

@@ -905,7 +905,7 @@ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
                sd.args[5] = regs->gprs[7] & mask;

                if (__secure_computing(&sd) == -1)
- goto skip;
+ return -1;
        }
 #endif /* CONFIG_SECCOMP */
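Review bot: the body of the `skip` label is not in the hunk, so what a bare `return -1` drops relative to `goto skip` cannot be seen here; the text above says the intent is that the signal-restart handling must not be skipped when seccomp rejects the syscall, so the patch should state what `skip` does beyond returning -1 (presumably the restart-suppression step) and why the direct return is correct for the seccomp-denied case. A one-line comment at the `return -1;` recording that the syscall is skipped but restart handling is kept would make the difference visible to the next reader.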

Then, seccomp_bpf can be run just fine on 5.8, for example. 5.4 possibly needs one small fix for s390x to work, instead of the very large patchset I thought was needed.

That would be:
commit 4bae85b620dc1f7aa4d2338b923d9d9b394b58c4
Author: Sven Schnelle <email address hidden>
Date: Mon Mar 9 16:56:53 2020 +0100

    selftests/seccomp: s390 shares the syscall and return value register

    s390 cannot set syscall number and return code at the same time,
    so set the appropriate flag to indicate it.

    Signed-off-by: Sven Schnelle <email address hidden>
    Signed-off-by: Vasily Gorbik <email address hidden>

Which is the same that is likely needed for 4.15 to skip these tests.

Cascardo.

description: updated
summary: - seccomp_bpf from ubuntu_kernel_selftests.seccomp in linux ADT test
- failure with linux/4.15.0-144.148
+ seccomp_bpf:syscall_faked from kselftests fail on s390x
Changed in linux (Ubuntu Groovy):
status: New → Fix Released
Changed in linux (Ubuntu Focal):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
Changed in linux (Ubuntu Focal):
assignee: nobody → Thadeu Lima de Souza Cascardo (cascardo)
tags: added: 4.15 bionic s390x sru-20210510
Po-Hsu Lin (cypressyew)
tags: added: ubuntu-kernel-selftests
Changed in linux (Ubuntu Focal):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic
tags: added: verification-needed-focal
Ubuntu Kernel Bot (ubuntu-kernel-bot) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Kelsey Skunberg (kelsey-skunberg) wrote :

Verified through ADT this test is not failing on Bionic or Focal for the latest versions in proposed. Flipping verification to done for those. Thank you, Thadeu!

tags: added: verification-done-bionic verification-done-focal
removed: verification-needed-bionic verification-needed-focal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.4.0-77.86

---------------
linux (5.4.0-77.86) focal; urgency=medium

  * UAF on CAN J1939 j1939_can_recv (LP: #1932209)
    - SAUCE: can: j1939: delay release of j1939_priv after synchronize_rcu

  * UAF on CAN BCM bcm_rx_handler (LP: #1931855)
    - SAUCE: can: bcm: delay release of struct bcm_op after synchronize_rcu

linux (5.4.0-76.85) focal; urgency=medium

  * focal/linux: 5.4.0-76.85 -proposed tracker (LP: #1932123)

  * Upstream v5.9 introduced 'module' patches that removed exported symbols
    (LP: #1932065)
    - SAUCE: Revert "modules: inherit TAINT_PROPRIETARY_MODULE"
    - SAUCE: Revert "modules: return licensing information from find_symbol"
    - SAUCE: Revert "modules: rename the licence field in struct symsearch to
      license"
    - SAUCE: Revert "modules: unexport __module_address"
    - SAUCE: Revert "modules: unexport __module_text_address"
    - SAUCE: Revert "modules: mark each_symbol_section static"
    - SAUCE: Revert "modules: mark find_symbol static"
    - SAUCE: Revert "modules: mark ref_module static"

linux (5.4.0-75.84) focal; urgency=medium

  * focal/linux: 5.4.0-75.84 -proposed tracker (LP: #1930032)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * CVE-2021-33200
    - bpf: Wrap aux data inside bpf_sanitize_info container
    - bpf: Fix mask direction swap upon off reg sign change
    - bpf: No need to simulate speculative domain for immediates

  * Realtek USB hubs in Dell WD19SC/DC/TB fail to work after exiting s2idle
    (LP: #1928242)
    - USB: Verify the port status when timeout happens during port suspend

  * CVE-2020-26145
    - ath10k: drop fragments with multicast DA for SDIO
    - ath10k: add CCMP PN replay protection for fragmented frames for PCIe
    - ath10k: drop fragments with multicast DA for PCIe

  * CVE-2020-26141
    - ath10k: Fix TKIP Michael MIC verification for PCIe

  * CVE-2020-24588
    - mac80211: properly handle A-MSDUs that start with an RFC 1042 header
    - cfg80211: mitigate A-MSDU aggregation attacks
    - mac80211: drop A-MSDUs on old ciphers
    - ath10k: drop MPDU which has discard flag set by firmware for SDIO

  * CVE-2020-26139
    - mac80211: do not accept/forward invalid EAPOL frames

  * CVE-2020-24586 // CVE-2020-24587 // CVE-2020-24587 for such cases.
    - mac80211: extend protection against mixed key and fragment cache attacks

  * CVE-2020-24586 // CVE-2020-24587
    - mac80211: prevent mixed key and fragment cache attacks
    - mac80211: add fragment cache to sta_info
    - mac80211: check defrag PN against current frame
    - mac80211: prevent attacks on TKIP/WEP as well

  * CVE-2020-26147
    - mac80211: assure all fragments are encrypted

  * raid10: Block discard is very slow, causing severe delays for mkfs and
    fstrim operations (LP: #1896578)
    - md: add md_submit_discard_bio() for submitting discard bio
    - md/raid10: extend r10bio devs to raid disks
    - md/raid10: pull the code that wait for blocked dev into one function
    - md/raid10: improve raid10 discard request
    - md/raid10: improve discard request for far layout
    - dm raid: remove unnecessary discard limi...

Changed in linux (Ubuntu Focal):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-147.151

---------------
linux (4.15.0-147.151) bionic; urgency=medium

  * CVE-2021-3444
    - bpf: Fix truncation handling for mod32 dst reg wrt zero

  * CVE-2021-3600
    - SAUCE: bpf: Do not use ax register in interpreter on div/mod
    - bpf: fix subprog verifier bypass by div/mod by 0 exception
    - SAUCE: bpf: Fix 32-bit register truncation on div/mod instruction

linux (4.15.0-146.150) bionic; urgency=medium

  * UAF on CAN BCM bcm_rx_handler (LP: #1931855)
    - SAUCE: can: bcm: delay release of struct bcm_op after synchronize_rcu

linux (4.15.0-145.149) bionic; urgency=medium

  * bionic/linux: 4.15.0-145.149 -proposed tracker (LP: #1929967)

  * Packaging resync (LP: #1786013)
    - update dkms package versions

  * raid10: Block discard is very slow, causing severe delays for mkfs and
    fstrim operations (LP: #1896578)
    - md: add md_submit_discard_bio() for submitting discard bio
    - md/raid10: extend r10bio devs to raid disks
    - md/raid10: pull the code that wait for blocked dev into one function
    - md/raid10: improve raid10 discard request
    - md/raid10: improve discard request for far layout

  * CVE-2021-23133
    - sctp: delay auto_asconf init until binding the first addr

  * Bionic update: upstream stable patchset 2021-05-25 (LP: #1929603)
    - Input: nspire-keypad - enable interrupts only when opened
    - dmaengine: dw: Make it dependent to HAS_IOMEM
    - ARM: dts: Fix moving mmc devices with aliases for omap4 & 5
    - arc: kernel: Return -EFAULT if copy_to_user() fails
    - neighbour: Disregard DEAD dst in neigh_update
    - ARM: keystone: fix integer overflow warning
    - ASoC: fsl_esai: Fix TDM slot setup for I2S mode
    - scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state
    - net: ieee802154: stop dump llsec keys for monitors
    - net: ieee802154: stop dump llsec devs for monitors
    - net: ieee802154: forbid monitor for add llsec dev
    - net: ieee802154: stop dump llsec devkeys for monitors
    - net: ieee802154: forbid monitor for add llsec devkey
    - net: ieee802154: stop dump llsec seclevels for monitors
    - net: ieee802154: forbid monitor for add llsec seclevel
    - pcnet32: Use pci_resource_len to validate PCI resource
    - mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN
    - Input: i8042 - fix Pegatron C15B ID entry
    - HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices
    - readdir: make sure to verify directory entry for legacy interfaces too
    - arm64: fix inline asm in load_unaligned_zeropad()
    - arm64: alternatives: Move length validation in alternative_{insn, endif}
    - scsi: libsas: Reset num_scatter if libata marks qc as NODATA
    - netfilter: conntrack: do not print icmpv6 as unknown via /proc
    - netfilter: nft_limit: avoid possible divide error in nft_limit_init
    - net: davicom: Fix regulator not turned off on failed probe
    - net: sit: Unregister catch-all devices
    - i40e: fix the panic when running bpf in xdpdrv mode
    - ibmvnic: avoid calling napi_disable() twice
    - ibmvnic: remove duplicate napi_schedule call in do_reset function
  ...


Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released