test_250_config_security_perf_events_restrict in kernel security test failed with 4.15 KVM kernel

Bug #1766780 reported by Po-Hsu Lin
Affects / Status / Importance / Assigned to / Milestone
ubuntu-kernel-tests: Fix Released, assigned to Po-Hsu Lin
linux-kvm (Ubuntu): Fix Released, assigned to Po-Hsu Lin
linux-kvm (Ubuntu Bionic): Fix Released

Bug Description

== Justification ==
In the Bionic KVM kernel, CONFIG_FORTIFY_SOURCE and
CONFIG_SECURITY_PERF_EVENTS_RESTRICT were not set; they need to be enabled to
meet the security team's requirement.

== Test ==
Before enabling the config, test case test_190_config_kernel_fortify and
test_250_config_security_perf_events_restrict will fail in the kernel
security testsuite for the kernel SRU regression test.

It will pass with these two patches applied, tested on a KVM node.

== Fix ==

== Regression Potential ==
No code changes, just two config changes without disabling any other configs.

BugLink: https://bugs.launchpad.net/bugs/1766780
BugLink: https://bugs.launchpad.net/bugs/1766774

test_250_config_security_perf_events_restrict from the kernel security test suite failed with 4.15.0-1008 KVM kernel.

 FAIL: test_250_config_security_perf_events_restrict (__main__.KernelSecurityTest)
  Traceback (most recent call last):
    File "./test-kernel-security.py", line 2313, in test_250_config_security_perf_events_restrict
      self.assertEqual(expected, self._test_config(config_name))
  AssertionError: True != False

$ cat /boot/config-4.15.0-1008-kvm | grep CONFIG_SECURITY_PERF_EVENTS_RESTRICT

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-4.15.0-1008-kvm 4.15.0-1008.8
ProcVersionSignature: User Name 4.15.0-1008.8-kvm 4.15.17
Uname: Linux 4.15.0-1008-kvm x86_64
NonfreeKernelModules: signpost
ApportVersion: 2.20.9-0ubuntu7
Architecture: amd64
Date: Wed Apr 25 04:41:49 2018
 PATH=(custom, no user)
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)
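The failing test asserts that `_test_config("CONFIG_SECURITY_PERF_EVENTS_RESTRICT")` returns True, and the empty `grep` output above shows why it did not: the symbol was absent from `/boot/config-4.15.0-1008-kvm` altogether, not merely `# ... is not set`. The checker below is an added example modelled on that check; it is not the code of test-kernel-security.py or of the linux-kvm package. It parses a kernel config in the format Kconfig writes, treats "absent", "is not set" and "=m" all as not enabled, and reports which required hardening options are missing. The two config excerpts are constructed for the example (the first mimics the 4.15.0-1008 state described in this bug and in LP #1766774 / #1766777, the second the fixed state); `REQUIRED` and the function names are this example's own.

```python
"""Check a Linux kernel .config for required hardening options.

Added example modelled on what the kernel security test's _test_config
check does; this is not the Ubuntu test-suite code itself.
"""
import gzip
import os
import re
from typing import Dict, List, Optional, Sequence

# A kernel config line is either `CONFIG_FOO=value` or the comment form
# `# CONFIG_FOO is not set` that Kconfig writes for a disabled option.
_SET_RE = re.compile(r"^(CONFIG_[A-Za-z0-9_]+)=(.*)$")
_UNSET_RE = re.compile(r"^# (CONFIG_[A-Za-z0-9_]+) is not set$")

# Options this bug and LP #1766774 require to be built in (example's own list).
REQUIRED = ("CONFIG_FORTIFY_SOURCE", "CONFIG_SECURITY_PERF_EVENTS_RESTRICT")


def parse_kernel_config(text: str) -> Dict[str, Optional[str]]:
    """Map CONFIG_* names to 'y', 'm', a number or an unquoted string, or to
    None for an explicit '# ... is not set'.

    Symbols that never appear are simply absent from the dict, which is the
    4.15.0-1008 situation above: grep printed nothing because the symbol was
    not in the file at all (the Kconfig option did not exist in that tree).
    """
    config: Dict[str, Optional[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = _SET_RE.match(line)
        if m:
            name, value = m.groups()
            # String options are written quoted; strip the quotes for callers.
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            config[name] = value
            continue
        m = _UNSET_RE.match(line)
        if m:
            config[m.group(1)] = None
    return config


def is_enabled(config: Dict[str, Optional[str]], name: str) -> bool:
    """True only for a built-in (=y) option; =m, 'is not set' and absent all
    count as off, which matches how a boolean hardening option is judged."""
    return config.get(name) == "y"


def missing_hardening(config: Dict[str, Optional[str]],
                      required: Sequence[str] = REQUIRED) -> List[str]:
    """Return the required options that are not =y, in the order given."""
    return [name for name in required if not is_enabled(config, name)]


def load_running_config() -> Dict[str, Optional[str]]:
    """Read the running kernel's config: /proc/config.gz when the kernel was
    built with CONFIG_IKCONFIG_PROC, otherwise /boot/config-<release>."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return parse_kernel_config(f.read())
    with open("/boot/config-" + os.uname().release) as f:
        return parse_kernel_config(f.read())


# Constructed excerpt resembling the 4.15.0-1008-kvm config: neither required
# symbol is present at all, and HARDENED_USERCOPY is explicitly unset.
BROKEN_CONFIG = """\
CONFIG_LOCALVERSION="-kvm"
CONFIG_CC_STACKPROTECTOR_STRONG=y
# CONFIG_HARDENED_USERCOPY is not set
"""

# Constructed excerpt of the fixed state: both options built in.
FIXED_CONFIG = BROKEN_CONFIG + """\
CONFIG_FORTIFY_SOURCE=y
CONFIG_SECURITY_PERF_EVENTS_RESTRICT=y
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, "missing:", missing_hardening(parse_kernel_config(text)))
    try:
        print("running kernel missing:", missing_hardening(load_running_config()))
    except OSError as exc:  # no config available on this host
        print("running kernel: config not readable:", exc)
```

Run it on a Bionic KVM host with the 4.15.0-1008 kernel and `load_running_config()` reports both options missing; on 4.15.0-1016 or later (where this bug and LP #1766774 are released) it reports none. The config check has a runtime counterpart worth verifying too: in Ubuntu's kernel CONFIG_SECURITY_PERF_EVENTS_RESTRICT raises the default of `kernel.perf_event_paranoid` to 3, so `sysctl kernel.perf_event_paranoid` on a booted system shows whether unprivileged `perf_event_open()` is actually refused, independently of what the config file says.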

Po-Hsu Lin (cypressyew) wrote:
Po-Hsu Lin (cypressyew)
Changed in linux-kvm (Ubuntu):
assignee: nobody → Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
assignee: nobody → Po-Hsu Lin (cypressyew)
no longer affects: qa-regression-testing
Changed in ubuntu-kernel-tests:
status: New → In Progress
Changed in linux-kvm (Ubuntu):
status: New → In Progress
Po-Hsu Lin (cypressyew) wrote:

A test kernel could be found here (along with the patch for bug 1766774:

Po-Hsu Lin (cypressyew)
description: updated
Changed in linux-kvm (Ubuntu):
status: In Progress → Fix Committed
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: In Progress → Fix Committed
Changed in linux-kvm (Ubuntu Bionic):
status: New → Fix Committed
Po-Hsu Lin (cypressyew)
Changed in ubuntu-kernel-tests:
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux-kvm - 4.15.0-1016.16

linux-kvm (4.15.0-1016.16) bionic; urgency=medium

  * linux-kvm: 4.15.0-1016.16 -proposed tracker (LP: #1782180)

  [ Ubuntu: 4.15.0-29.31 ]

  * linux: 4.15.0-29.31 -proposed tracker (LP: #1782173)
  * [SRU Bionic][Cosmic] kernel panic in ipmi_ssif at msg_done_handler
    (LP: #1777716)
    - ipmi_ssif: Fix kernel panic at msg_done_handler
  * Update to ocxl driver for 18.04.1 (LP: #1775786)
    - misc: ocxl: use put_device() instead of device_unregister()
    - powerpc: Add TIDR CPU feature for POWER9
    - powerpc: Use TIDR CPU feature to control TIDR allocation
    - powerpc: use task_pid_nr() for TID allocation
    - ocxl: Rename pnv_ocxl_spa_remove_pe to clarify it's action
    - ocxl: Expose the thread_id needed for wait on POWER9
    - ocxl: Add an IOCTL so userspace knows what OCXL features are available
    - ocxl: Document new OCXL IOCTLs
    - ocxl: Fix missing unlock on error in afu_ioctl_enable_p9_wait()
  * Critical upstream bugfix missing in Ubuntu 18.04 - frequent Xorg crash after
    suspend (LP: #1776887)
    - ocxl: Document the OCXL_IOCTL_GET_METADATA IOCTL
  * Hard LOCKUP observed on stressing Ubuntu 18 04 (LP: #1777194)
    - powerpc: use NMI IPI for smp_send_stop
    - powerpc: Fix smp_send_stop NMI IPI handling
  * IPL: ppc64_cpu --frequency hang with INFO: rcu_sched detected stalls on
    CPUs/tasks on w34 and wsbmc016 with 920.1714.20170330n (LP: #1773964)
    - rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops
  * [Regression] EXT4-fs error (device sda2): ext4_validate_block_bitmap:383:
    comm stress-ng: bg 4705: bad block bitmap checksum (LP: #1781709)
    - SAUCE: Revert "UBUNTU: SAUCE: ext4: fix ext4_validate_inode_bitmap: comm
      stress-ng: Corrupt inode bitmap"
    - SAUCE: ext4: check for allocation block validity with block group locked

  [ Ubuntu: 4.15.0-28.30 ]

  * linux: 4.15.0-28.30 -proposed tracker (LP: #1781433)
  * Cannot set MTU higher than 1500 in Xen instance (LP: #1781413)
    - xen-netfront: Fix mismatched rtnl_unlock
    - xen-netfront: Update features after registering netdev

linux-kvm (4.15.0-1015.15) bionic; urgency=medium

  * linux-kvm: 4.15.0-1015.15 -proposed tracker (LP: #1781068)

  [ Ubuntu: 4.15.0-27.29 ]

  * linux: 4.15.0-27.29 -proposed tracker (LP: #1781062)
  * [Regression] EXT4-fs error (device sda1): ext4_validate_inode_bitmap:99:
    comm stress-ng: Corrupt inode bitmap (LP: #1780137)
    - SAUCE: ext4: fix ext4_validate_inode_bitmap: comm stress-ng: Corrupt inode

linux-kvm (4.15.0-1014.14) bionic; urgency=medium

  * linux-kvm: 4.15.0-1014.14 -proposed tracker (LP: #1780119)

  [ Ubuntu: 4.15.0-26.28 ]

  * linux: 4.15.0-26.28 -proposed tracker (LP: #1780112)
  * failure to boot with linux-image-4.15.0-24-generic (LP: #1779827) // Cloud-
    init causes potentially huge boot delays with 4.15 kernels (LP: #1780062)
    - random: Make getrandom() ready earlier

linux-kvm (4.15.0-1013.13) bionic; urgency=medium

  * linux-kvm: 4.15.0-1013.13 -proposed tracker (LP: #1779363)

  * test_190_config_kernel_fortify in kernel security test failed with 4.15 KVM
    kernel (LP: #1766774)


Changed in linux-kvm (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux-kvm - 4.15.0-1020.20

linux-kvm (4.15.0-1020.20) bionic; urgency=medium

  * linux-kvm: 4.15.0-1020.20 -proposed tracker (LP: #1787158)

  * DEBUG_WX is not set in Bionic KVM kernel (LP: #1782721)
    - kvm: [Config] enable CONFIG_DEBUG_WX

  * test_182_config_hardened_usercopy in kernel security test failed with 4.15
    KVM kernel (LP: #1766777)
    - usercopy: Do not select BUG with HARDENED_USERCOPY
    - kvm: [Config] Enable CONFIG_HARDENED_USERCOPY

  [ Ubuntu: 4.15.0-33.36 ]

  * linux: 4.15.0-33.36 -proposed tracker (LP: #1787149)
  * RTNL assertion failure on ipvlan (LP: #1776927)
    - ipvlan: drop ipv6 dependency
    - ipvlan: use per device spinlock to protect addrs list updates
    - SAUCE: fix warning from "ipvlan: drop ipv6 dependency"
  * ubuntu_bpf_jit test failed on Bionic s390x systems (LP: #1753941)
    - test_bpf: flag tests that cannot be jited on s390
  * HDMI/DP audio can't work on the laptop of Dell Latitude 5495 (LP: #1782689)
    - drm/nouveau: fix nouveau_dsm_get_client_id()'s return type
    - drm/radeon: fix radeon_atpx_get_client_id()'s return type
    - drm/amdgpu: fix amdgpu_atpx_get_client_id()'s return type
    - platform/x86: apple-gmux: fix gmux_get_client_id()'s return type
    - vga_switcheroo: set audio client id according to bound GPU id
  * locking sockets broken due to missing AppArmor socket mediation patches
    (LP: #1780227)
    - UBUNTU SAUCE: apparmor: fix apparmor mediating locking non-fs, unix sockets
  * Update2 for ocxl driver (LP: #1781436)
    - ocxl: Fix page fault handler in case of fault on dying process
  * netns: unable to follow an interface that moves to another netns
    (LP: #1774225)
    - net: core: Expose number of link up/down transitions
    - dev: always advertise the new nsid when the netns iface changes
    - dev: advertise the new ifindex when the netns iface changes
  * [Bionic] Disk IO hangs when using BFQ as io scheduler (LP: #1780066)
    - block, bfq: fix occurrences of request finish method's old name
    - block, bfq: remove batches of confusing ifdefs
    - block, bfq: add requeue-request hook
  * HP ProBook 455 G5 needs mute-led-gpio fixup (LP: #1781763)
    - ALSA: hda: add mute led support for HP ProBook 455 G5
  * [Bionic] bug fixes to improve stability of the ThunderX2 i2c driver
    (LP: #1781476)
    - i2c: xlp9xx: Fix issue seen when updating receive length
    - i2c: xlp9xx: Make sure the transfer size is not more than
  * x86/kvm: fix LAPIC timer drift when guest uses periodic mode (LP: #1778486)
    - x86/kvm: fix LAPIC timer drift when guest uses periodic mode
  * Please include ax88179_178a and r8152 modules in d-i udeb (LP: #1771823)
    - [Config:] d-i: Add ax88179_178a and r8152 to nic-modules
  * Nvidia fails after switching its mode (LP: #1778658)
    - PCI: Restore config space on runtime resume despite being unbound
  * Kernel error "task zfs:pid blocked for more than 120 seconds" (LP: #1781364)
    - SAUCE: (noup) zfs to 0.7.5-1ubuntu16.3
  * CVE-2018-12232
    - PATCH 1/1] socket: cl...

Changed in linux-kvm (Ubuntu):
status: Fix Committed → Fix Released