[regression] /dev/kmem available

Bug #354221 reported by Kees Cook on 2009-04-03
266
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Amit Kucheria
Intrepid
High
Amit Kucheria
Jaunty
High
Amit Kucheria
linux-ports (Ubuntu)
High
Luke Yelavich
Intrepid
High
Unassigned
Jaunty
High
Luke Yelavich

Bug Description

In Hardy, the CONFIG_DEVKMEM setting was explicitly disabled. This should stay off for Intrepid and Jaunty.

Reproducer:
  sudo dd if=/dev/kmem of=/dev/null bs=4k count=1

Expected results:
  dd: opening `/dev/kmem': No such device or address

Results on Intrepid and Jaunty:
  dd: reading `/dev/kmem': Bad address
0+0 records in
0+0 records out
0 bytes (0 B) copied, 0.00103467 s, 0.0 kB/s

ProblemType: Bug
Architecture: amd64
DistroRelease: Ubuntu 9.04
MachineType:

Package: linux-image-2.6.28-11-generic 2.6.28-11.38
ProcCmdLine: root=UUID=4817238d-bf87-48ec-9e9c-ede4cac3ea95 ro splash crashkernel=384M-2G:64M@16M,2G-:128M@16M
ProcEnviron:
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.28-11.38-generic
SourcePackage: linux

Kees Cook (kees) wrote :
visibility: private → public
Changed in linux (Ubuntu Jaunty):
importance: Undecided → High
milestone: none → ubuntu-9.04
tags: added: regression
Changed in linux (Ubuntu Jaunty):
status: New → Triaged
Changed in linux (Ubuntu Intrepid):
status: New → Triaged
Amit Kucheria (amitk) on 2009-04-03
Changed in linux (Ubuntu Intrepid):
assignee: nobody → amitk
status: Triaged → In Progress
Changed in linux (Ubuntu Jaunty):
assignee: nobody → amitk
status: Triaged → In Progress
Amit Kucheria (amitk) on 2009-04-03
Changed in linux (Ubuntu Intrepid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Jaunty):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-11.40

---------------
linux (2.6.28-11.40) jaunty; urgency=low

  [ Amit Kucheria ]

  * Disable DEVKMEM for all archs on Jaunty
    - LP: #354221

  [ Andy Whitcroft ]

  * SAUCE: md: wait for possible pending deletes after stopping an array
    - LP: #334994

  [ Brad Figg ]

  * ARM: Setting the bootloader for imx51 flavour.
    - LP: #348382
  * ARM: Add bootloader package Recomendation to iop32x and ixp4xx flavours
    - LP: #348382

  [ Tim Gardner ]

  * SAUCE: [i915] allocate MCHBAR space & enable if necessary
    - LP: #349314

  [ Upstream Kernel Changes ]

  * hpilo: open/close fix
    - LP: #353496

 -- Amit Kucheria <email address hidden> Thu, 02 Apr 2009 11:26:22 -0400

Changed in linux (Ubuntu Jaunty):
status: Fix Committed → Fix Released
Kees Cook (kees) on 2009-04-05
tags: added: regression-potential
removed: regression

If kmem is disabled in our kernels, should we be creating /dev/kmem at all?

There's no good reason for us to have it, no. However, it certainly
makes regression testing easier to already have the device file there.
;) I'm happy to lose the device node; our regression test can just create
the node first when verifying that the kernel interface is disabled.

Luke Yelavich (themuso) on 2009-04-05
Changed in linux-ports (Ubuntu Jaunty):
assignee: nobody → themuso
status: New → Triaged
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ports - 2.6.28-6.17

---------------
linux-ports (2.6.28-6.17) jaunty; urgency=low

  [ Luke Yelavich ]

  * Disable DEVKMEM for all archs on Jaunty
    - LP: #354221

  Rebase on top of jaunty 2.6.28-11.40:

   [ Amit Kucheria ]

  * Disable DEVKMEM for all archs on Jaunty
    - LP: #354221

  [ Andy Whitcroft ]

  * SAUCE: md: wait for possible pending deletes after stopping an array
    - LP: #334994

  [ Brad Figg ]

  * ARM: Setting the bootloader for imx51 flavour.
    - LP: #348382
  * ARM: Add bootloader package Recomendation to iop32x and ixp4xx flavours
    - LP: #348382

  [ Tim Gardner ]

  * SAUCE: [i915] allocate MCHBAR space & enable if necessary
    - LP: #349314

  [ Upstream Kernel Changes ]

  * hpilo: open/close fix
    - LP: #353496

  [ Alan Tull ]

  * SAUCE: mx51: fix to1.1 in mxc_iomux_set_input
    - LP: #348333

  [ Andy Whitcroft ]

  * SAUCE: acer: rfkill disable quirk for ACER Aspire One
    - LP: #319825

  [ Brad Figg ]

  * ARM: Increase CONFIG_BLK_DEV_RAM_SIZE for imx51 flavour.
    - LP: #349842
  * ARM: Enable rtl8187 for imx51
    - LP: #349526
  * ARM: Unset CONFIG_USB_STORAGE_DEBUG for imx51
    - LP: #348504

  [ Bryan Wu ]

  * build CRAMFS into kernel to support mounting CRAMFS initrd on iop32x
    machine
    - LP: #349104

  [ Michael Casadevall ]

  * [lpia] Change ATA, SCSI, SD, ext2-4 modules into compiled-in components
    - LP: #347458

  [ Rob Herring ]

  * SAUCE: imx51: fec: fix cache operations for receive
    - LP: #348333

  [ Sam Yang ]

  * SAUCE: Revert ENGR00103870 FEC reopening causes network wdog timeout
    - LP: #348333
  * SAUCE: imx51: fec cache flush functions are incorrect
    - LP: #348333

  [ Upstream Kernel Changes ]

  * Bluetooth: Add fine grained mem_flags usage to btusb driver
    - LP: #268502
  * Bluetooth: Handle bulk URBs in btusb driver from notify callback
    - LP: #268502
  * Bluetooth: Submit bulk URBs along with interrupt URBs
    - LP: #268502

 -- Luke Yelavich <email address hidden> Mon, 06 Apr 2009 18:07:33 +1000

Changed in linux-ports (Ubuntu Jaunty):
status: Triaged → Fix Released

On Sun, 2009-04-05 at 14:07 +0000, Kees Cook wrote:

> There's no good reason for us to have it, no. However, it certainly
> makes regression testing easier to already have the device file there.
> ;) I'm happy to lose the device node; our regression test can just create
> the node first when verifying that the kernel interface is disabled.
>
It's one of the core devices in /lib/udev/devices that we ALWAYS create
in /dev and never remove even if the underlying kernel device goes away.

I'm more than happy to get rid of it, meaning that the only fixed
devices will be "null" and "console" (with ppp, loop0 and net/tun
available to force-load the modules)

Scott
--
Scott James Remnant
<email address hidden>

Andy Whitcroft (apw) on 2009-04-14
Changed in linux (Ubuntu Intrepid):
importance: Undecided → High
Changed in linux-ports (Ubuntu Jaunty):
importance: Undecided → High
Changed in linux-ports (Ubuntu Intrepid):
importance: Undecided → High
Steve Beattie (sbeattie) on 2009-04-28
tags: added: regression-release
removed: regression-potential
Martin Pitt (pitti) wrote :

Accepted linux into intrepid-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

tags: added: verification-needed
Kees Cook (kees) on 2009-07-09
Changed in linux-ports (Ubuntu Intrepid):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
assignee: Stefan Bader (stefan-bader-canonical) → nobody
Steve Beattie (sbeattie) wrote :

First, with the 2.6.27-14.37 security update, the kernels in intrepid-proposed need to be updated to incorporate that fix.

I reproduced this issue with with the 2.6.27-14.37 kernel in intrepid-updates and can confirm that the 2.6.27-14.36 kernels in intrepid-proposed fix the issue (tested generic and server kernels on both i386 and amd64). I also saw no regressions from running the kernel-security tests in the qa-regression-tests (in which there is already two tests for this issue). Marking verification-done.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.27-14.41

---------------
linux (2.6.27-14.41) intrepid-proposed; urgency=low

  [ Stefan Bader ]

  * Revert "SAUCE: input: Blacklist digitizers from joydev.c"
    - LP: #300143

linux (2.6.27-14.40) intrepid-proposed; urgency=low

  [ Amit Kucheria ]

  * Disable DEVKMEM for all archs on Intrepid
    - LP: #354221
  * SAUCE: Quirk for BT USB device on MacbookPro to be reset before use
    - LP: #332443

  [ Andy Isaacson ]

  * LIRC_PVR150: depends on VIDEO_IVTV
    - LP: #341477
  * SAUCE: FSAM7400: select CHECK_SIGNATURE
    - LP: #341712

  [ Andy Whitcroft ]

  * SAUCE: hotkey quirks for various Zepto Znote and Fujitsu Amilo laptops
    - LP: #330259
  * SAUCE: unusual devs: add an entry for the ScanLogic SL11R-IDE 0.78
    - LP: #336189

  [ Anton Veretenenko ]

  * SAUCE: sony-laptop: add support for Sony Vaio FW series function/media
    keys
    - LP: #307592

  [ Ayaz Abdulla ]

  * SAUCE: forcedeth: msi interrupt fix
    - LP: #288281

  [ Chuck Short ]

  * SAUCE: [USB] Unusual Device support for Gold MP3 Player Energy
    - LP: #125250

  [ Ike Panhc ]

  * squashfs: correct misspelling
    - LP: #322306
  * SAUCE: Fixing symbol name in HECI module
    - LP: #336549
  * Copy header files for various kernel media driver
    - LP: #322732

  [ Stefan Bader ]

  * SAUCE: vgacon: Return the upper half of 512 character fonts
    - LP: #355057
  * SAUCE: input: Blacklist digitizers from joydev.c
    - LP: #300143

  [ Upstream Kernel Changes ]

  * libata: make sure port is thawed when skipping resets
    - LP: #269652
  * x86-64: fix int $0x80 -ENOSYS return
    - LP: #339743
  * rt2x00: Fix race conditions in flag handling
    - LP: #258985
  * USB: cdc-acm: Add another conexant modem to the quirks
    - LP: #323829
  * Bluetooth: Add fine grained mem_flags usage to btusb driver
    - LP: #268502
  * Bluetooth: Handle bulk URBs in btusb driver from notify callback
    - LP: #268502
  * Bluetooth: Submit bulk URBs along with interrupt URBs
    - LP: #268502
  * hwmon: (abituguru3) Match partial DMI board name strings
    - LP: #298798
  * x86: mtrr: don't modify RdDram/WrDram bits of fixed MTRRs
    - LP: #292619
  * sis190: add identifier for Atheros AR8021 PHY
    - LP: #247889
  * ath9k: implement IO serialization
    - LP: #373034
  * ath9k: AR9280 PCI devices must serialize IO as well
    - LP: #373034
  * acer-wmi: fix regression in backlight detection
    - LP: #333386

 -- Stefan Bader <email address hidden> Wed, 26 Aug 2009 11:48:11 +0200

Changed in linux (Ubuntu Intrepid):
status: Fix Committed → Fix Released
Alex Valavanis (valavanisalex) wrote :

Intrepid Ibex reached end-of-life on 30 April 2010 so I am closing the report. The bug has been fixed in newer releases of Ubuntu.

Changed in linux-ports (Ubuntu Intrepid):
status: New → Invalid
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers