test_190_config_kernel_fortify in kernel security test failed with 4.15 KVM kernel

Bug #1766774 reported by Po-Hsu Lin
Affects                 Status        Importance   Assigned to   Milestone
ubuntu-kernel-tests     Fix Released  Undecided    Po-Hsu Lin
linux-kvm (Ubuntu)      Fix Released  Undecided    Po-Hsu Lin
  Bionic                Fix Released  Undecided    Unassigned

Bug Description

== Justification ==
In the Bionic KVM kernel, CONFIG_FORTIFY_SOURCE and
CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set; they need to be enabled to
meet the security team's requirement.

== Test ==
Before enabling the configs, the test cases test_190_config_kernel_fortify and
test_250_config_security_perf_events_restrict will fail in the kernel
security test suite during the kernel SRU regression test.

It will pass with these two patches applied, tested on a KVM node.

== Fix ==
Set CONFIG_SECURITY_PERF_EVENTS_RESTRICT to "y".
Set CONFIG_FORTIFY_SOURCE to "y".

== Regression Potential ==
Minimal.
No code changes, just two config changes without disabling any other configs.

BugLink: https://bugs.launchpad.net/bugs/1766780
BugLink: https://bugs.launchpad.net/bugs/1766774

--------------------------------------------------
Test test_190_config_kernel_fortify from the kernel security test suite failed with 4.15.0-1008 KVM kernel.

  ======================================================================
  FAIL: test_190_config_kernel_fortify (__main__.KernelSecurityTest)
  Ensure CONFIG_FORTIFY_SOURCE is set
  ----------------------------------------------------------------------
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2186, in test_190_config_kernel_fortify
      self.assertTrue(self._test_config(config_name))
  AssertionError: False is not true

CONFIG_FORTIFY_SOURCE is not set:
$ cat /boot/config-4.15.0-1008-kvm | grep CONFIG_FORTIFY_SOURCE
# CONFIG_FORTIFY_SOURCE is not set

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1008-kvm 4.15.0-1008.8
ProcVersionSignature: User Name 4.15.0-1008.8-kvm 4.15.17
Uname: Linux 4.15.0-1008-kvm x86_64
NonfreeKernelModules: signpost
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Wed Apr 25 04:28:13 2018
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=C.UTF-8
 SHELL=/bin/bash
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)
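The failing test reduces to one check: parse the kernel's build config and assert that a named option has the expected value. The script below is an added example written for this page (it is not code from ubuntu-kernel-tests or test-kernel-security.py); it parses Kconfig-style text, treats `# CONFIG_X is not set` and a missing symbol both as unset, and reports every required option that is wrong. The two config excerpts are constructed to mirror the before/after states the bug describes, not real `/boot/config-*` files, and the fallback to `/proc/config.gz` only works on kernels built with CONFIG_IKCONFIG_PROC=y.

```python
"""Check a kernel build config for required hardening options.

Example added for this page; not part of ubuntu-kernel-tests.
"""
import gzip
import os
import re
from pathlib import Path

# The two options this bug is about; "y" means built in.
REQUIRED = {
    "CONFIG_FORTIFY_SOURCE": "y",
    "CONFIG_SECURITY_PERF_EVENTS_RESTRICT": "y",
}

# Constructed excerpts (not real /boot/config-* files) in the two states
# described in the bug: before and after the two config changes.
CONFIG_BEFORE = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_CC_STACKPROTECTOR_STRONG=y
# CONFIG_FORTIFY_SOURCE is not set
# CONFIG_SECURITY_PERF_EVENTS_RESTRICT is not set
CONFIG_DEFAULT_HOSTNAME="(none)"
"""

CONFIG_AFTER = """\
# Automatically generated file; DO NOT EDIT.
CONFIG_CC_STACKPROTECTOR_STRONG=y
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
CONFIG_DEFAULT_HOSTNAME="(none)"
"""

_SET = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")


def parse_kconfig(text):
    """Return {option: value}; options marked 'is not set' map to 'n'."""
    config = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            config[m.group(1)] = m.group(2).strip('"')
            continue
        m = _UNSET.match(line)
        if m:
            config[m.group(1)] = "n"
    return config


def check_required(config, required=REQUIRED):
    """Return {option: actual} for every required option with the wrong value.

    A symbol absent from the file counts as "n": a kernel too old to know the
    option should fail the check rather than pass silently.
    """
    failures = {}
    for name, expected in required.items():
        actual = config.get(name, "n")
        if actual != expected:
            failures[name] = actual
    return failures


def load_running_config():
    """Read the running kernel's config from /boot/config-$(uname -r),
    falling back to /proc/config.gz (present only with CONFIG_IKCONFIG_PROC=y)."""
    boot = Path("/boot") / f"config-{os.uname().release}"
    if boot.exists():
        return boot.read_text()
    with gzip.open("/proc/config.gz", "rt") as fh:
        return fh.read()


if __name__ == "__main__":
    import sys
    failures = check_required(parse_kconfig(load_running_config()))
    for name, actual in failures.items():
        print(f"FAIL: {name} is {actual}, expected {REQUIRED[name]}")
    sys.exit(1 if failures else 0)
```

Run against a 4.15.0-1008-kvm config the script reports both options as "n"; against a config with the two lines from the Fix section set to "y" it exits 0. The same `check_required` call works for any other option the security team mandates by extending `REQUIRED`.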

Revision history for this message
Po-Hsu Lin (cypressyew) wrote :

A test kernel could be found here (along with the patch for bug 1766780):
http://people.canonical.com/~phlin/kernel/lp-1766774-1766780/

no longer affects: qa-regression-testing
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: New → In Progress
Changed in linux-kvm (Ubuntu):
status: New → In Progress
description: updated
description: updated
description: updated
Po-Hsu Lin (cypressyew)
description: updated
Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Bionic):
status: New → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-kvm - 4.15.0-1016.16

---------------
linux-kvm (4.15.0-1016.16) bionic; urgency=medium

  * linux-kvm: 4.15.0-1016.16 -proposed tracker (LP: #1782180)

  [ Ubuntu: 4.15.0-29.31 ]

  * linux: 4.15.0-29.31 -proposed tracker (LP: #1782173)
  * [SRU Bionic][Cosmic] kernel panic in ipmi_ssif at msg_done_handler
    (LP: #1777716)
    - ipmi_ssif: Fix kernel panic at msg_done_handler
  * Update to ocxl driver for 18.04.1 (LP: #1775786)
    - misc: ocxl: use put_device() instead of device_unregister()
    - powerpc: Add TIDR CPU feature for POWER9
    - powerpc: Use TIDR CPU feature to control TIDR allocation
    - powerpc: use task_pid_nr() for TID allocation
    - ocxl: Rename pnv_ocxl_spa_remove_pe to clarify it's action
    - ocxl: Expose the thread_id needed for wait on POWER9
    - ocxl: Add an IOCTL so userspace knows what OCXL features are available
    - ocxl: Document new OCXL IOCTLs
    - ocxl: Fix missing unlock on error in afu_ioctl_enable_p9_wait()
  * Critical upstream bugfix missing in Ubuntu 18.04 - frequent Xorg crash after
    suspend (LP: #1776887)
    - ocxl: Document the OCXL_IOCTL_GET_METADATA IOCTL
  * Hard LOCKUP observed on stressing Ubuntu 18 04 (LP: #1777194)
    - powerpc: use NMI IPI for smp_send_stop
    - powerpc: Fix smp_send_stop NMI IPI handling
  * IPL: ppc64_cpu --frequency hang with INFO: rcu_sched detected stalls on
    CPUs/tasks on w34 and wsbmc016 with 920.1714.20170330n (LP: #1773964)
    - rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
  * [Regression] EXT4-fs error (device sda2): ext4_validate_block_bitmap:383:
    comm stress-ng: bg 4705: bad block bitmap checksum (LP: #1781709)
    - SAUCE: Revert "UBUNTU: SAUCE: ext4: fix ext4_validate_inode_bitmap: comm
      stress-ng: Corrupt inode bitmap"
    - SAUCE: ext4: check for allocation block validity with block group locked

  [ Ubuntu: 4.15.0-28.30 ]

  * linux: 4.15.0-28.30 -proposed tracker (LP: #1781433)
  * Cannot set MTU higher than 1500 in Xen instance (LP: #1781413)
    - xen-netfront: Fix mismatched rtnl_unlock
    - xen-netfront: Update features after registering netdev

linux-kvm (4.15.0-1015.15) bionic; urgency=medium

  * linux-kvm: 4.15.0-1015.15 -proposed tracker (LP: #1781068)

  [ Ubuntu: 4.15.0-27.29 ]

  * linux: 4.15.0-27.29 -proposed tracker (LP: #1781062)
  * [Regression] EXT4-fs error (device sda1): ext4_validate_inode_bitmap:99:
    comm stress-ng: Corrupt inode bitmap (LP: #1780137)
    - SAUCE: ext4: fix ext4_validate_inode_bitmap: comm stress-ng: Corrupt inode
      bitmap

linux-kvm (4.15.0-1014.14) bionic; urgency=medium

  * linux-kvm: 4.15.0-1014.14 -proposed tracker (LP: #1780119)

  [ Ubuntu: 4.15.0-26.28 ]

  * linux: 4.15.0-26.28 -proposed tracker (LP: #1780112)
  * failure to boot with linux-image-4.15.0-24-generic (LP: #1779827) // Cloud-
    init causes potentially huge boot delays with 4.15 kernels (LP: #1780062)
    - random: Make getrandom() ready earlier

linux-kvm (4.15.0-1013.13) bionic; urgency=medium

  * linux-kvm: 4.15.0-1013.13 -proposed tracker (LP: #1779363)

  * test_190_config_kernel_fortify in kernel security test failed with 4.15 KVM
    kernel (LP: #1766774)
...


Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: Fix Committed → Fix Released
Changed in linux-kvm (Ubuntu):
status: Fix Committed → Fix Released