Linux 6.8 fails to boot on ARM64 if any param is more than 146 chars
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Undecided | Unassigned |
Jammy | Invalid | Undecided | Unassigned |
Noble | Fix Released | High | Matthew Ruffell |
linux-hwe-6.8 (Ubuntu) | Invalid | Undecided | Unassigned |
Jammy | Fix Released | High | Stefan Bader |
Noble | Invalid | Undecided | Unassigned |
Bug Description
BugLink: https:/
[Impact]
Linux 6.8 kernel fails to boot on ARM64 when any Linux command line param is more than 146 characters.
This most notably affects MAAS deployments, as MAAS generates very long command line parameters for ARM64, e.g.:
nomodeset root=squash:http://
This was introduced in 6.8-rc1 by:
commit dc3f5aae06381b4
Author: Ard Biesheuvel <email address hidden>
Date: Wed Nov 29 12:16:12 2023 +0100
Subject: arm64: idreg-override: Avoid parameq() and parameqn()
Link: https:/
There is no workaround, other than using command line parameters less than 146 characters. This is not tenable for MAAS users.
[Fix]
The fix arrived in a major refactor of early ARM64 init, where the early boot code moved from assembly to the "pi" mini C runtime. The specific commit that fixed the issue is:
commit e223a449125571d
Author: Ard Biesheuvel <email address hidden>
Date: Wed Feb 14 13:28:50 2024 +0100
Subject: arm64: idreg-override: Move to early mini C runtime
Link: https:/
However, this needs a lot of dependencies, mostly all the "mini c runtime" commits in the below merge commit:
commit 6d75c6f40a03c97
Merge: fe46a7dd189e 1ef21fcd6a50
Author: Linus Torvalds <email address hidden>
Date: Thu Mar 14 15:35:42 2024 -0700
Subject: Merge tag 'arm64-upstream' of git://git.
Link: https:/
The amount of code is generally unacceptable for an SRU due to regression risk. I also don't think that reverting "arm64: idreg-override: Avoid parameq() and parameqn()" is the right solution either.
Thankfully, Tj did some debugging of the root cause in comment #20 [1], and found the issue occurs because of memcmp() in include/
That triggers the fortified memcmp()'s:
if (p_size < size || q_size < size)
fortify_
where q_size == 146, size == 147, and it crashes the kernel.
[1] https:/
I know SAUCE patches are to be avoided if possible, but Tj's solution is minimal and fixes the root cause without the regression risk of backporting the entire mini C runtime, so I suggest we go with Tj's patch.
commit a4c616d2156c9c4
Author: Tj <email address hidden>
Date: Fri Jul 26 13:48:44 2024 +0000
Subject: UBUNTU: SAUCE: arm64: v6.8: cmdline param >= 146 chars kills kernel
Link: https:/
[Testcase]
1) Deploy an ARM64 VM or use a bare metal ARM64 board with Noble, running 6.8.
2) Edit /boot/grub/grub.cfg and add the following param to any boot entry with Linux 6.8:
testparam=
3) Reboot the machine and select the boot entry in grub with the testparam as above.
4) Observe kernel never boots.
[Where problems could occur]
We are changing command line parsing on ARM64 systems, such that we only do a memcmp() with aliased entries if the parameter we are parsing has the same length as an aliased entry. This really shouldn't have any change in functionality at all.
If a regression were to occur, then command line parsing on ARM64 systems could be broken, and it could lead to early boot failures, likely caught on automated kernel tests.
[Other Info]
This fix is 6.8 specific. It is already fixed upstream by the mini C runtime in 6.9 and later. This patch is for noble only.
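The compare described under [Fix] and [Where problems could occur], modelled in user-space C as an added example (this is not the kernel's code and not Tj's patch): a constructed alias table of 146-byte entries, a stand-in for the fortified memcmp() size check quoted above, the 6.8-style compare that hands memcmp() the parameter length regardless of how long the alias is, and the length-gated compare that the SAUCE patch takes as its approach. The table contents, the 30/116-byte field sizes, the 256-byte scratch buffer and the testparam= filler are assumptions. The model compares len + 1 bytes (parameter plus terminator), which is what makes a 146-character parameter request 147 bytes from a 146-byte entry, the q_size == 146, size == 147 pair quoted above and the ">= 146" in the SAUCE patch's subject.

```c
#include <stdio.h>
#include <string.h>

/* Constructed alias table in the shape of the 6.8 idreg-override one (sizes and
 * entries are assumptions): 30 + 116 bytes = a 146-byte entry, the q_size quoted. */
#define ALIAS_NAME_LEN   30
#define ALIAS_OPTION_LEN 116
#define CMDLINE_BUF      256   /* assumed per-parameter scratch buffer */

struct alias {
    char alias[ALIAS_NAME_LEN];
    char feature[ALIAS_OPTION_LEN];
};
_Static_assert(sizeof(struct alias) == 146, "entry must be 146 bytes");

static const struct alias aliases[] = {
    { "kvm_arm.mode=nvhe", "id_aa64mmfr1.vh=0" },
    { "arm64.nobti",       "id_aa64pfr1.bt=0" },
    { "nokaslr",           "arm64_sw.nokaslr=1" },
};

enum match { NO_MATCH = 0, MATCH = 1, FORTIFY_PANIC = -1 };
typedef enum match (*matcher_t)(const char *, size_t, const struct alias *);

/* Stand-in for the fortified memcmp(): the size check the report quotes, with a
 * failure returned as FORTIFY_PANIC instead of halting the boot. */
static enum match fortified_memcmp_eq(const void *p, size_t p_size,
                                      const void *q, size_t q_size, size_t size)
{
    if (p_size < size || q_size < size)
        return FORTIFY_PANIC;
    return memcmp(p, q, size) == 0 ? MATCH : NO_MATCH;
}

/* 6.8 behaviour: compare parameter plus terminator (len + 1 bytes) however short the
 * alias is; alias[] is the first member, so the cast widens the object to the entry. */
static enum match match_alias_unsafe(const char *buf, size_t len, const struct alias *a)
{
    return fortified_memcmp_eq(buf, CMDLINE_BUF, (const char *)a, sizeof(*a), len + 1);
}

/* Fixed behaviour as described under [Where problems could occur]: memcmp() only when
 * the parameter is exactly as long as the alias, which keeps the compare in the name. */
static enum match match_alias_fixed(const char *buf, size_t len, const struct alias *a)
{
    const char *nul = memchr(a->alias, '\0', ALIAS_NAME_LEN);
    size_t alias_len = nul ? (size_t)(nul - a->alias) : ALIAS_NAME_LEN;
    if (alias_len != len)
        return NO_MATCH;
    return fortified_memcmp_eq(buf, CMDLINE_BUF, a->alias, ALIAS_NAME_LEN, len + 1);
}

/* Walk the line one space-separated parameter at a time like the early parser: copy
 * it into a bounded buffer, try every alias. Returns expansions, or -1 on a panic. */
static int parse_cmdline(const char *cmdline, matcher_t match)
{
    int expanded = 0;
    for (;;) {
        char buf[CMDLINE_BUF];
        size_t len, i;
        while (*cmdline == ' ') cmdline++;
        for (len = 0; cmdline[len] && cmdline[len] != ' '; len++) ;
        if (!len)
            return expanded;
        if (len > sizeof(buf) - 1)   /* over-long tokens are split, as in the kernel */
            len = sizeof(buf) - 1;
        memcpy(buf, cmdline, len);
        buf[len] = '\0';
        cmdline += len;
        for (i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++) {
            enum match m = match(buf, len, &aliases[i]);
            if (m == FORTIFY_PANIC)
                return -1;
            if (m == MATCH)
                expanded++;
        }
    }
}

/* Simulated boot with the constructed line "nokaslr testparam=AAA... arm64.nobti", the
 * middle parameter param_len chars long. Returns 2 (both aliases), -1 on panic, -2 if too big. */
static int boot_with_param_len(size_t param_len, matcher_t match)
{
    const size_t key_len = strlen("testparam=");
    char filler[400], cmdline[512];
    if (param_len < key_len || param_len - key_len >= sizeof(filler))
        return -2;
    memset(filler, 'A', param_len - key_len);
    filler[param_len - key_len] = '\0';
    snprintf(cmdline, sizeof(cmdline), "nokaslr testparam=%s arm64.nobti", filler);
    return parse_cmdline(cmdline, match);
}

int main(void)
{
    printf("146-char param: 6.8 -> %d, fixed -> %d\n",
           boot_with_param_len(146, match_alias_unsafe),
           boot_with_param_len(146, match_alias_fixed));
}
```

Build with any C11 compiler and run: the 6.8-style matcher returns -1 (the modelled fortify panic) for the 146-character parameter from the [Testcase], while the length-gated matcher still expands nokaslr and arm64.nobti. The gate also rejects a parameter that is merely a prefix of an alias, since the length comparison runs before memcmp() is reached.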
Related branches
- Ubuntu Kernel Repositories: Pending requested
  Diff: 62 lines (+11/-17), 1 file modified: arch/arm64/kernel/idreg-override.c (+11/-17)
CVE References
Changed in linux (Ubuntu):
- status: New → Fix Released
- summary: "linux 6.8 fails to boot on arm64 if any param is more than 140 chars" → "Linux 6.8 fails to boot on ARM64 if any param is more than 146 chars"
- description: updated
Changed in linux (Ubuntu Noble):
- status: Confirmed → In Progress
- importance: Undecided → High
- assignee: nobody → Matthew Ruffell (mruffell)
- tags: added: noble seg
- description: updated
Changed in linux-hwe-6.8 (Ubuntu Jammy):
- status: In Progress → Fix Committed
Changed in linux (Ubuntu Noble):
- status: In Progress → Fix Committed
Hi @Matthew
Thanks for fixing the bug.
Can you please let me know where I can get the fixed kernel release from?
Thanks