unable to mmap zero-page, even when mmap_min_addr is 0

Bug #423513 reported by Kees Cook on 2009-09-03
12
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Medium
Stefan Bader

Bug Description

I'd rather not report this bug, but it is a regression compared to jaunty and will break dosemu and 16-bit Wine.

$ bzr branch lp:~ubuntu-bugcontrol/qa-regression-testing/master qa-regression-testing
$ cd qa-regression-testing/scripts
$ sudo apt-get install build-essential python-unit sudo libcap2-bin lsb-release
$ ./test-kernel-security.py -v
Build helper tools (via sudo) ... (9.10) ok
/proc/$pid/maps is correctly protected ... ok
ASLR of stack ... ok
ASLR of libs ... ok
ASLR of mmap ... ok
ASLR of text ... ok
ASLR of vdso ... ok
ASLR of brk ... ok
lower memory is not allocatable ... FAIL
AppArmor loaded ... ok
PR_SET_SECCOMP works ... ok
/dev/kmem not available ... ok
SYN cookies is enabled ... ok
init's CAPABILITY list is clean (via sudo) ... ok
init missing READ_IMPLIES_EXEC (via sudo) ... (/proc/1/personality) ok
NX bit is working ... ok
CONFIG_COMPAT_BRK disabled ... ok
CONFIG_DEVKMEM disabled ... ok
CONFIG_SECURITY enabled ... ok
CONFIG_SECURITY_SELINUX enabled ... ok
CONFIG_SYN_COOKIES enabled ... ok
CONFIG_SECCOMP enabled ... ok
CONFIG_COMPAT_VDSO disabled ... ok
CONFIG_DEBUG_RODATA enabled ... ok
CONFIG_SECURITY_APPARMOR enabled ... ok
CONFIG_STRICT_DEVMEM enabled ... ok
CONFIG_SECURITY_FILE_CAPABILITIES enabled ... ok
CONFIG_SECURITY_SMACK enabled ... ok
CONFIG_DEFAULT_MMAP_MIN_ADDR ... (65536) ok
CONFIG_CC_STACKPROTECTOR set ... ok
Kernel stack guard ... ok

======================================================================
FAIL: lower memory is not allocatable
----------------------------------------------------------------------
Traceback (most recent call last):
  File "./test-kernel-security.py", line 178, in test_30_mmap_min
    self.assertShellExitEquals(1, ["./zero-possible",'%d'%(mmap_limit)], msg="Unable to allocate zero-page when mmap_min_addr set to 0!\n")
  File "/scratch/ubuntu/vcs/lp/package-tests/scripts/testlib.py", line 511, in assertShellExitEquals
    self.assertEquals(expected, rc, msg + result + report)
AssertionError: Unable to allocate zero-page when mmap_min_addr set to 0!
Got exit code 0, expected 1
Command: './zero-possible', '65536'
Output:
0
Testing lower 65536 bytes in 4096 byte chunks: pass
Testing 4096 byte chunk above 65535: pass
65536

----------------------------------------------------------------------
Ran 31 tests in 0.880s

FAILED (failures=1)

The "zero-possible" is not expected to return 0. mmap of 0 is not working.

ProblemType: Bug
AplayDevices:
 **** List of PLAYBACK Hardware Devices ****
 card 0: Intel [HDA Intel], device 0: ALC268 Analog [ALC268 Analog]
   Subdevices: 1/1
   Subdevice #0: subdevice #0
Architecture: amd64
AudioDevicesInUse:
 USER PID ACCESS COMMAND
 /dev/snd/controlC0: kees 10496 F.... pulseaudio
CRDA: Error: [Errno 2] No such file or directory
Card0.Amixer.info:
 Card hw:0 'Intel'/'HDA Intel at 0xe0420000 irq 22'
   Mixer name : 'Realtek ALC268'
   Components : 'HDA:10ec0268,80860000,00100003'
   Controls : 18
   Simple ctrls : 12
Date: Wed Sep 2 21:16:48 2009
DistroRelease: Ubuntu 9.10
HibernationDevice: RESUME=/dev/md1
Package: linux-image-2.6.31-9-generic 2.6.31-9.29
PccardctlIdent:

PccardctlStatus:

ProcCmdLine: BOOT_IMAGE=/vmlinuz-2.6.31-9-generic root=/dev/mapper/systemvg-root2lv ro splash
ProcEnviron:
 LANGUAGE=en_US.UTF-8
 PATH=(custom, user)
 LANG=en_US.UTF-8
 SHELL=/bin/bash
ProcVersionSignature: Ubuntu 2.6.31-9.29-generic
RelatedPackageVersions:
 linux-backports-modules-2.6.31-9-generic N/A
 linux-firmware 1.16
RfKill:

SourcePackage: linux
Uname: Linux 2.6.31-9-generic x86_64
WpaSupplicantLog:

dmi.bios.date: 09/22/2008
dmi.bios.vendor: Intel Corp.
dmi.bios.version: JOQ3510J.86A.0954.2008.0922.2331
dmi.board.asset.tag: Base Board Asset Tag
dmi.board.name: DQ35JO
dmi.board.vendor: Intel Corporation
dmi.board.version: AAD82085-800
dmi.chassis.type: 3
dmi.modalias: dmi:bvnIntelCorp.:bvrJOQ3510J.86A.0954.2008.0922.2331:bd09/22/2008:svn:pn:pvr:rvnIntelCorporation:rnDQ35JO:rvrAAD82085-800:cvn:ct3:cvr:

Kees Cook (kees) wrote :
tags: added: regression-potential
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: New → Triaged
Stefan Bader (smb) wrote :

Seems the new CONFIG_LSM_MMAP_MIN_ADDR has to be set to 0, in order to allow the procfs interface to change the value of mmap_min_addr to 0. A patch has been sent to the mailing list.

Changed in linux (Ubuntu):
assignee: nobody → Stefan Bader (stefan-bader-canonical)
status: Triaged → In Progress
Stefan Bader (smb) on 2009-09-07
Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-10.30

---------------
linux (2.6.31-10.30) karmic; urgency=low

  [ Amit Kucheria ]

  * [Config] Enable CONFIG_USB_DEVICEFS
    - LP: #417748
  * [Config] Populate the config-update template a bit more

  [ Andy Whitcroft ]

  * rebase to v2.6.31-rc9
  * [Config] update configs following rebase to v2.6.31-rc9
  * [Config] update ports configs following rebase to v2.6.31-rc9

  [ Colin Ian King ]

  * SAUCE: wireless: hostap, fix oops due to early probing interrupt
    - LP: #254837

  [ Jerone Young ]

  * [Upstream] ACPI: Add Thinkpad T400 & Thinkpad T500 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad X200, X200s, X200t to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad X300 & Thinkpad X301 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad R400 & Thinkpad R500 to OSI(Linux)
    white-list
    - LP: #281732
  * [Upstream] ACPI: Add Thinkpad W500, W700, & W700ds to OSI(Linux)
    white-list
    - LP: #281732

  [ John Johansen ]

  * SAUCE: AppArmor: Fix profile attachment for regexp based profile names
    - LP: #419308
  * SAUCE: AppArmor: Return the correct error codes on profile
    addition/removal
    - LP: #408473
  * SAUCE: AppArmor: Fix OOPS in profile listing, and display full list
    - LP: #408454
  * SAUCE: AppArmor: Fix mapping of pux to new internal permission format
    - LP: #419222
  * SAUCE: AppArmor: Fix change_profile failure
    - LP: #401931
  * SAUCE: AppArmor: Tell git to ignore generated include files
    - LP: #419505

  [ Stefan Bader ]

  * [Upstream] acpi: video: Loosen strictness of video bus detection code
    - LP: #333386
  * SAUCE: Remove ov511 driver from ubuntu subdirectory

  [ Tim Gardner ]

  * [Config] Exclude char-modules from non-x86 udeb creation
  * SAUCE: Notify the ACPI call chain of AC events
  * [Config] CONFIG_SATA_VIA=m
    - LP: #403385
  * [Config] Build in all phylib support modules.
  * [Config] Don't fail when sub-flavour files are missing
    - LP: #423426
  * [Config] Set CONFIG_LSM_MMAP_MIN_ADDR=0
    - LP: #423513

  [ Upstream ]

  * Rebased against v2.6.31-rc9

 -- Andy Whitcroft <email address hidden> Mon, 07 Sep 2009 11:33:45 +0100

Changed in linux (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers