lscpu possible crash in min/max frequency

Bug #1771345 reported by Julian Andres Klode on 2018-05-15
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
util-linux (Ubuntu)
High
Unassigned
Xenial
High
Unassigned
Artful
High
Unassigned
Bionic
High
Unassigned

Bug Description

[Impact]
lscpu prior to 2.32 does not correctly check for NULL members in min/max CPU frequency arrays and can call atof() on them, leading to crashes. It seems that's what caused the verification to fail for bug 1732865. The following fixes have been committed upstream:

from 2.30: https://github.com/karelzak/util-linux/commit/0145d84a381fc2fcd7d37e0dbf3d9dff69609ecd

from 2.32: https://github.com/karelzak/util-linux/commit/95f09bc63c564c50ec2c393352801cc056faaea2

I plan to backport them to xenial (both patches); and artful, bionic (second patch, they are > 2.30).

[Regression potential]
The worst possible regression is that lscpu would fail to correctly report min/max frequencies, but it seems unlikely, as we're only adding checks against null pointers / move an atof into a loop.

[Test case]
Extract attached segvtest.tar.gz and run lscpu -s segvtest and check that it does not crash (this removes min mhz file for cpu #0 for testing).

CVE References

Julian Andres Klode (juliank) wrote :

Merged 2.32, should be building and hitting proposed soon.

Changed in util-linux (Ubuntu):
status: New → Fix Committed
Changed in util-linux (Ubuntu Xenial):
status: New → Triaged
Changed in util-linux (Ubuntu Artful):
status: New → Triaged
Changed in util-linux (Ubuntu Bionic):
status: New → Incomplete
status: Incomplete → Triaged
Changed in util-linux (Ubuntu):
importance: Undecided → Critical
importance: Critical → High
Changed in util-linux (Ubuntu Xenial):
importance: Undecided → High
Changed in util-linux (Ubuntu Artful):
importance: Undecided → High
Changed in util-linux (Ubuntu Bionic):
importance: Undecided → High
description: updated
Julian Andres Klode (juliank) wrote :

Test case

description: updated
description: updated

Hello Julian, or anyone else affected,

Accepted util-linux into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.27.1-6ubuntu3.6 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in util-linux (Ubuntu Xenial):
status: Triaged → Fix Committed
Changed in util-linux (Ubuntu Artful):
status: Triaged → Fix Committed
Robie Basak (racb) wrote :

Hello Julian, or anyone else affected,

Accepted util-linux into artful-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.30.1-0ubuntu4.2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-artful to verification-done-artful. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-artful. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Changed in util-linux (Ubuntu Bionic):
status: Triaged → Fix Committed
Robie Basak (racb) wrote :

Hello Julian, or anyone else affected,

Accepted util-linux into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/util-linux/2.31.1-0.4ubuntu3.1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed.Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

Julian Andres Klode (juliank) wrote :
Download full text (3.7 KiB)

xenial: 3.4 prints (null), 3.5 crashed, and 3.6 fixed it -> verified
artful: 4.1 in release crashes; 4.2 fixes it -> verified
bionic: 3 in release crashes, 3.1 fixes it -> verified

Sample log from bionic belog:

jak@jak-t480s:~/Downloads$ echo lscpu -s /home/jak/Downloads/segvtest | lxc exec b -- bash -
bash: line 1: 285 Segmentation fault (core dumped) lscpu -s /home/jak/Downloads/segvtest
-
jak@jak-t480s:~/Downloads$ lxc exec b -- sh -c "echo 'deb http://archive.ubuntu.com/ubuntu bionic-proposed main' > /etc/apt/sources.list"
jak@jak-t480s:~/Downloads$ lxc exec b apt update
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed InRelease [242 kB]
Get:2 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages [35.9 kB]
Get:3 http://archive.ubuntu.com/ubuntu bionic-proposed/main Translation-en [14.7 kB]
Fetched 293 kB in 1s (472 kB/s)
Reading package lists... Done
Building dependency tree
Reading state information... Done
17 packages can be upgraded. Run 'apt list --upgradable' to see them.
jak@jak-t480s:~/Downloads$ lxc exec b apt install -q util-linux
Error: unknown shorthand flag: 'q' in -q
jak@jak-t480s:~/Downloads$ lxc exec b -- apt install -q util-linux
Reading package lists...
Building dependency tree...
Reading state information...
The following package was automatically installed and is no longer required:
  libfreetype6
Use 'apt autoremove' to remove it.
Suggested packages:
  util-linux-locales
The following packages will be upgraded:
  util-linux
1 upgraded, 0 newly installed, 0 to remove and 16 not upgraded.
Need to get 902 kB of archives.
After this operation, 1024 B of additional disk space will be used.
Get:1 http://archive.ubuntu.com/ubuntu bionic-proposed/main amd64 util-linux amd64 2.31.1-0.4ubuntu3.1 [902 kB]
Fetched 902 kB in 1s (990 kB/s)
(Reading database ... 28477 files and directories currently installed.)
Preparing to unpack .../util-linux_2.31.1-0.4ubuntu3.1_amd64.deb ...
Unpacking util-linux (2.31.1-0.4ubuntu3.1) over (2.31.1-0.4ubuntu3) ...
Setting up util-linux (2.31.1-0.4ubuntu3.1) ...
Processing triggers for mime-support (3.60ubuntu1) ...
Processing triggers for ureadahead (0.100.0-20) ...
Processing triggers for systemd (237-3ubuntu10) ...
Processing triggers for man-db (2.8.3-2) ...
jak@jak-t480s:~/Downloads$ echo lscpu -s /home/jak/Downloads/segvtest | lxc exec b -- bash -
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Byte Order: Little Endian
CPU(s): 8
On-line CPU(s) list: 0-7
Thread(s) per core: 2
Core(s) per socket: 4
Socket(s): 1
NUMA node(s): 1
Vendor ID: GenuineIntel
CPU family: 6
Model: 142
Model name: Intel(R) Core(TM) i5-8250U CPU @ 1.60GHz
Stepping: 10
CPU max MHz: 3400.0000
CPU min MHz: 400.0000
BogoMIPS: 3600.00
Virtualization: VT-x
L1d cache: 32K
L1i cache: 32K
L2 cache: 256K
L3 cache: 6144K
NUMA node0 CPU(s): 0-7
Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb...

Read more...

tags: added: verification-done-artful verification-done-bionic verification-done-xenial
Łukasz Zemczak (sil2100) wrote :

There are some autopkgtest regressions associated with the bionic, artful and xenial uploads. Could you check if those are real related regressions or not?

Julian Andres Klode (juliank) wrote :

bionic:

tracker/i386: retriggered, passed
tracker/armhf: retriggered, passed
systemd/amd64: timeout in boot-smoke test -> does not seem to be a regression, for example, the most recent boot-smoke also fails.

Julian Andres Klode (juliank) wrote :

artful:

nplan/amd64: time outs, reproduce with other triggers too (like systemd/234-2ubuntu12.4)
open-iscsi/amd64: times out waiting for network to be configured (same for cloud-utils/0.30-0ubuntu2.1 and others)
network-manager: time outs in failure, also happen with systemd trigger, hence not related

-> None of these time outs seem to be related to the upload. Should we badtest them?

Julian Andres Klode (juliank) wrote :

xenial:

nplan/{amd64,i386}: timed out waiting for NetworkManager to settle down, common error
nplan/armhf: times out during reboot, also seen for nplan/0.32~16.04.5
postgresql-9.5/armf: fails with stderr "Not all processes could be identified" since 2016-10-17
gearmand/armhf: Unknown failure, rerunning against release

Julian Andres Klode (juliank) wrote :

germand/armhf also fails when triggered by gearmand/1.0.6-5.1build2, so it's broken in release.

In summary, I don't think any of the autopkgtest regressions are related to these SRUs. It was not expected anyway, given that they only change lscpu code.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package util-linux - 2.31.1-0.4ubuntu3.1

---------------
util-linux (2.31.1-0.4ubuntu3.1) bionic; urgency=medium

  * d/patches/Avoid-crash-in-min-max-caculation-when-cpu-0-being-o.patch:
    Cherry pick upstream patch to avoid SEGV in min/max frequency.
    LP: #1771345

 -- Julian Andres Klode <email address hidden> Wed, 16 May 2018 12:41:37 +0200

Changed in util-linux (Ubuntu Bionic):
status: Fix Committed → Fix Released

The verification of the Stable Release Update for util-linux has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package util-linux - 2.30.1-0ubuntu4.2

---------------
util-linux (2.30.1-0ubuntu4.2) artful; urgency=medium

  * d/patches/Avoid-crash-in-min-max-caculation-when-cpu-0-being-o.patch:
    Cherry pick upstream patch to avoid SEGV in min/max frequency.
    LP: #1771345

 -- Julian Andres Klode <email address hidden> Wed, 16 May 2018 12:44:06 +0200

Changed in util-linux (Ubuntu Artful):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package util-linux - 2.32-0.1ubuntu1

---------------
util-linux (2.32-0.1ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - Build hwclock with audit support.
    - Drop debian/hwclock.rules and hwclock.default, recent kernels sync the
      RTC automatically.
    - Add sulogin-fallback-static-sh.patch: Add support for /bin/static-sh as
      fallback if the regular shell fails to execute. Patch ported from
      sysvinit. (see LP #505887)
    - Add sulogin-lockedpwd.patch: Make sure file systems can be fixed on
      machines with locked root accounts (as Ubuntu does by default). Don't
      require --force for sulogin.
    - Drop the Breaks: cloud-utils, Ubuntu has a different cloud-utils
      packaging and this does not affect Ubuntu ≥ 16.04 any more.
    - Add debian/util-linux.maintscript to clean upstart jobs on upgrade. This
      needs to be kept until after 18.04 LTS.
    - Clean up weekly fstrim cron file, now a systemd timer unit.
    - Remove obsolete upstart job files on upgrade of rfkill. This change
      can be dropped after Ubuntu 18.04.
    - Update s390-tools breaks/replaces, to the correct version for ubuntu.
    - Enable fstrim.timer by default.
  * Dropped changes, merged upstream:
    - Cherrypick upstream patches to add zones support to lsmem/chmem.
    - lscpu: Decode ARM CPUs (patch taken from 2.32)
  * Bugs fixed in new upstream release:
    - possible crash in min/max frequency (LP: #1771345)

util-linux (2.32-0.1) unstable; urgency=medium

  * Non-maintainer upload.
  [ Ben Hutchings ]
  * debian/control: Remove mention of minimum kernel version for rfkill

  [ Laurent Bigonville ]
  * New upstream release.
    - Drop all the patches merged upstream
  * debian/libfdisk1.symbols: Add new exported symbols

util-linux (2.31.1-0.5) unstable; urgency=medium

  * Non-maintainer upload.

  [ Laurent Bigonville ]
  * debian/rules: Enable SMACK support for libmount
  * Enable audit support (Closes: #745771)

  [ Salvatore Bonaccorso ]
  * bash-completion: (umount) use findmnt, escape a space in paths.
    (CVE-2018-7738)
    Fixes "code execution in bash-completion for umount". (Closes: #892179)

util-linux (2.31.1-0.4ubuntu4) cosmic; urgency=medium

  * No-change rebuild for ncurses soname changes.

 -- Julian Andres Klode <email address hidden> Tue, 15 May 2018 15:45:21 +0200

Changed in util-linux (Ubuntu):
status: Fix Committed → Fix Released
tags: added: id-5a2eb607f4872474ec5e0a80
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package util-linux - 2.27.1-6ubuntu3.6

---------------
util-linux (2.27.1-6ubuntu3.6) xenial; urgency=medium

  * d/patches/lscpu-make-min-max-freq-arrays-usage-more-robust.patch,
    d/patches/Avoid-crash-in-min-max-caculation-when-cpu-0-being-o.patch:
    Cherry pick upstream patches to avoid SEGV in min/max frequency.
    LP: #1771345

util-linux (2.27.1-6ubuntu3.5) xenial; urgency=medium

  * d/patches/lscpu-Read-available-CPUs-max-and-min-frequencies.patch,
    d/patches/lscpu-make-cpu_-max-min-_mhz-usage-more-elegant.patch:
    Backport upstream fixes to correctly read minimum and maximum
    CPU frequencies on ppc64 when some cpus are guarded or offline.
    LP: #1732865

 -- Julian Andres Klode <email address hidden> Wed, 16 May 2018 12:36:24 +0200

Changed in util-linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Bug attachments