Kdump broken since 4.15.0-65 on secureboot - purgatory cannot load
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
linux (Ubuntu) |
Fix Released
|
High
|
Guilherme G. Piccoli | ||
Bionic |
Fix Released
|
High
|
Guilherme G. Piccoli |
Bug Description
[Impact]
* Kdump kernel can't be loaded using Linux kernel 4.15.0-65 and newer on Bionic; kexec fails to load using the "new" kexec_file_load() syscall, showing the following messages in dmesg:
kexec: Undefined symbol: __stack_chk_fail
kexec-bzImage64: Loading purgatory failed
* Reason for this was that backport from upstream commit b059f801a937 ("x86/purgatory: Use CFLAGS_REMOVE rather than reset KBUILD_CFLAGS") makes use of a config option guard that wasn't backported to Ubuntu 4.15.x series.
* Also, we found another related issue, an undefined memcpy() symbol, that was related to the above patch too. We propose here a specific fix for Bionic, in the form of the patch attached in comment #18.
[Test case]
* Basically the test consists in booting a signed kernel in a secure boot environment (this is required given Ubuntu kernel is built with CONFIG_
systemctl status kdump-tools
[...]
kdump-tools[895]: Starting kdump-tools: * Creating symlink /var/lib/
kdump-tools[895]: * Creating symlink /var/lib/
kdump-tools[895]: kexec_file_load failed: Exec format error
kdump-tools[895]: * failed to load kdump kernel
[...]
* With the patch attached in the LP, it works normally again and I was able to collect a kdump.
[Regression potential]
* Given the patch is quite simple and fixes the build of purgatory, I think the regression potential is low. One potential regression in future would be on backports to purgatory Makefile, making them more difficult/prone to errors; given purgatory is a pretty untouchable code, I consider the regression potential here to be really low.
CVE References
description: | updated |
description: | updated |
Changed in makedumpfile (Ubuntu): | |
status: | New → Confirmed |
Changed in makedumpfile (Ubuntu Bionic): | |
status: | New → Confirmed |
status: | Confirmed → In Progress |
Changed in makedumpfile (Ubuntu): | |
status: | Confirmed → In Progress |
Changed in makedumpfile (Ubuntu Bionic): | |
importance: | Undecided → High |
assignee: | nobody → Guilherme G. Piccoli (gpiccoli) |
tags: | added: seg |
description: | updated |
no longer affects: | makedumpfile (Ubuntu Bionic) |
Changed in linux (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux (Ubuntu): | |
status: | Fix Committed → Fix Released |
Hi yamato, thanks for the bug report! Does your system have secureboot enabled? Also, can you test in a recent kernel, like 4.15.0-91?
Thanks in advance,
Guilherme