Root can lift kernel lockdown via USB/IP

Bug #1861238 reported by Andrey Konovalov on 2020-01-29
266
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Tyler Hicks
Xenial
Undecided
Unassigned
Bionic
High
Tyler Hicks
Disco
High
Tyler Hicks
Eoan
High
Tyler Hicks
Focal
High
Tyler Hicks
linux-oem (Ubuntu)
Undecided
Unassigned
Bionic
Undecided
Unassigned

Bug Description

[Impact]

It's possible to turn off kernel lockdown by emulating a USB keyboard via USB/IP and sending an Alt+SysRq+X key combination through it.

Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules provided in the linux-extra-modules-* package.

See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip

[Test Case]

$ git clone https://github.com/xairy/unlockdown.git
$ cd unlockdown/01-usbip/
$ sudo ./run.sh
$ dmesg

# Ensure there are no log entries talking about lifting lockdown:
sysrq: SysRq : Disabling Secure Boot restrictions
Lifting lockdown

# You should see a SysRq help log entry because the Alt+SysRq+X
# combination should be disabled
sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z)

[Regression Potential]

Some users may see a usability regression due to the Lockdown lift sysrq combination being removed. Some users are known to disable lockdown, using the sysrq combination, in order to perform some "dangerous" operation such as writing to an MSR. It is believed that this is a small number of users but it is impossible to know for sure.

Users that rely on this functionality may need to permanently disable secure boot using 'mokutil --disable-validation'.

This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:

apport-collect 1861238

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Tyler Hicks (tyhicks) on 2020-01-29
information type: Public → Public Security
Andy Whitcroft (apw) on 2020-01-29
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Tyler Hicks (tyhicks) on 2020-02-07
description: updated
Tyler Hicks (tyhicks) wrote :

Thanks for the report! After speaking with the security team, we've come to an agreement that removing the lockdown lift sysrq is the best thing to do. We understand that a small amount of users may rely on that sysrq today to do things like writing to an MSR but they'll still be able to achieve a lockdown free environment by running 'mokutil --disable-validation' and rebooting.

Changed in linux (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
importance: Undecided → High
status: Confirmed → In Progress
Tyler Hicks (tyhicks) wrote :

Xenial doesn't have support for lifting lockdown features via sysrq so I'm marking its task as invalid.

Changed in linux (Ubuntu Eoan):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Disco):
status: New → In Progress
importance: Undecided → High
Changed in linux (Ubuntu Bionic):
status: New → In Progress
importance: Undecided → High
Changed in linux (Ubuntu Disco):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Eoan):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Xenial):
status: New → Invalid
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-bionic' to 'verification-done-bionic'. If the problem still exists, change the tag 'verification-needed-bionic' to 'verification-failed-bionic'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-bionic

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-eoan' to 'verification-done-eoan'. If the problem still exists, change the tag 'verification-needed-eoan' to 'verification-failed-eoan'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-eoan
Tyler Hicks (tyhicks) wrote :

I've verified the fix in 4.15.0-89.89-generic. The sysrq help message is printed to the kernel log when trying to lift lockdown with the proof-of-concept and when trying to lift lockdown with alt+sysrq+x.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Tyler Hicks (tyhicks) wrote :

I've also verified the fix in 5.3.0-41.33-generic.

tags: added: verification-done-eoan
removed: verification-needed-eoan
AceLan Kao (acelankao) on 2020-02-25
no longer affects: linux-oem (Ubuntu Xenial)
no longer affects: linux-oem (Ubuntu Disco)
no longer affects: linux-oem (Ubuntu Eoan)
no longer affects: linux-oem (Ubuntu Focal)
Changed in linux-oem (Ubuntu Bionic):
status: New → Fix Committed

All autopkgtests for the newly accepted linux-bluefield (5.0.0-1010.20) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

fsprotect/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-bluefield

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-focal' to 'verification-done-focal'. If the problem still exists, change the tag 'verification-needed-focal' to 'verification-failed-focal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-focal
Launchpad Janitor (janitor) wrote :
Download full text (48.0 KiB)

This bug was fixed in the package linux - 5.3.0-42.34

---------------
linux (5.3.0-42.34) eoan; urgency=medium

  * eoan/linux: 5.3.0-42.34 -proposed tracker (LP: #1865111)

  * CVE-2020-2732
    - KVM: nVMX: Don't emulate instructions in guest mode
    - KVM: nVMX: Refactor IO bitmap checks into helper function
    - KVM: nVMX: Check IO instruction VM-exit conditions

linux (5.3.0-41.33) eoan; urgency=medium

  * eoan/linux: 5.3.0-41.33 -proposed tracker (LP: #1863294)

  * CVE-2019-3016
    - x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit
    - x86/kvm: Introduce kvm_(un)map_gfn()
    - x86/kvm: Cache gfn to pfn translation
    - x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed
    - x86/KVM: Clean up host's steal time structure

  * Reduce s2idle power consumption when ethernet cable is connected on e1000e
    (LP: #1859126)
    - e1000e: Add support for S0ix

  * alsa/sof: let legacy hda driver and sof driver co-exist (LP: #1837828)
    - ASoC: Intel: Skylake: move NHLT header to common directory
    - ALSA: hda: move parts of NHLT code to new module
    - ALSA: hda: intel-nhlt: handle NHLT VENDOR_DEFINED DMIC geometry
    - ASoC: Intel: Skylake: use common NHLT module
    - ALSA: hda/intel: stop probe if DMICS are detected on Skylake+ platforms
    - [Config] Enable SND_HDA_INTEL_DETECT_DMIC

  * USB key cannot be detected by hotplug on Sunix USB Type-A 3.1 Gen 2 card
    [1b21:2142] (LP: #1858988)
    - SAUCE: PCI: Avoid ASMedia XHCI USB PME# from D0 defect

  * ipsec interfaces: fix sending with bpf_redirect() / AF_PACKET sockets
    (LP: #1860969)
    - vti[6]: fix packet tx through bpf_redirect()
    - xfrm interface: fix packet tx through bpf_redirect()

  * peripheral devices on Dell WD19TB cannot be detected after suspend resume
    (LP: #1859407)
    - PCI: irq: Introduce rearm_wake_irq()
    - ACPICA: Return u32 from acpi_dispatch_gpe()
    - ACPI: EC: Return bool from acpi_ec_dispatch_gpe()
    - ACPI: PM: Set s2idle_wakeup earlier and clear it later
    - PM: sleep: Simplify suspend-to-idle control flow
    - ACPI: EC: Rework flushing of pending work

  * Dell XPS 13 (7390) Display Flickering - 19.10 (LP: #1849947)
    - SAUCE: drm/i915: Disable PSR by default on all platforms

  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

  * [CML-H] Add intel_thermal_pch driver support Comet Lake -H (LP: #1853219)
    - thermal: intel: intel_pch_thermal: Add Comet Lake (CML) platform support

  * Eoan update: upstream stable patchset 2020-02-07 (LP: #1862429)
    - ARM: dts: meson8: fix the size of the PMU registers
    - clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs
    - dt-bindings: reset: meson8b: fix duplicate reset IDs
    - ARM: dts: imx6q-dhcom: fix rtc compatible
    - clk: Don't try to enable critical clocks if prepare failed
    - ASoC: msm8916-wcd-digital: Reset RX interpolation path after use
    - iio: buffer: align the size of scan bytes to size of the largest element
    - USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx
    - USB: serial: option: Add support for Quec...

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (44.4 KiB)

This bug was fixed in the package linux - 4.15.0-91.92

---------------
linux (4.15.0-91.92) bionic; urgency=medium

  * bionic/linux: 4.15.0-91.92 -proposed tracker (LP: #1865109)

  * CVE-2020-2732
    - KVM: x86: emulate RDPID
    - KVM: nVMX: Don't emulate instructions in guest mode
    - KVM: nVMX: Refactor IO bitmap checks into helper function
    - KVM: nVMX: Check IO instruction VM-exit conditions

linux (4.15.0-90.91) bionic; urgency=medium

  * bionic/linux: 4.15.0-90.91 -proposed tracker (LP: #1864753)

  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [packaging] handle downloads from the librarian better

linux (4.15.0-90.90) bionic; urgency=medium

  * bionic/linux: 4.15.0-90.90 -proposed tracker (LP: #1864753)

  * vm-segv from ubuntu_stress_smoke_test failed on B (LP: #1864063)
    - Revert "apparmor: don't try to replace stale label in ptrace access check"

linux (4.15.0-89.89) bionic; urgency=medium

  * bionic/linux: 4.15.0-89.89 -proposed tracker (LP: #1863350)

  * [SRU][B/OEM-B] Fix multitouch support on some devices (LP: #1862567)
    - HID: core: move the dynamic quirks handling in core
    - HID: quirks: move the list of special devices into a quirk
    - HID: core: move the list of ignored devices in hid-quirks.c
    - HID: core: remove the absolute need of hid_have_special_driver[]

  * [linux] Patch to prevent possible data corruption (LP: #1848739)
    - blk-mq: silence false positive warnings in hctx_unlock()

  * Add bpftool to linux-tools-common (LP: #1774815)
    - tools/bpftool: fix bpftool build with bintutils >= 2.9
    - bpftool: make libbfd optional
    - [Debian] Remove binutils-dev build dependency
    - [Debian] package bpftool in linux-tools-common

  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

  * [Bionic] i915 incomplete fix for CVE-2019-14615 (LP: #1862840) //
    CVE-2020-8832
    - drm/i915: Use same test for eviction and submitting kernel context
    - drm/i915: Define an engine class enum for the uABI
    - drm/i915: Force the switch to the i915->kernel_context
    - drm/i915: Move GT powersaving init to i915_gem_init()
    - drm/i915: Move intel_init_clock_gating() to i915_gem_init()
    - drm/i915: Inline intel_modeset_gem_init()
    - drm/i915: Mark the context state as dirty/written
    - drm/i915: Record the default hw state after reset upon load

  * Bionic update: upstream stable patchset 2020-02-12 (LP: #1863019)
    - xfs: Sanity check flags of Q_XQUOTARM call
    - mfd: intel-lpss: Add default I2C device properties for Gemini Lake
    - powerpc/archrandom: fix arch_get_random_seed_int()
    - tipc: fix wrong timeout input for tipc_wait_for_cond()
    - mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
    - crypto: sun4i-ss - fix big endian issues
    - drm/sti: do not remove the drm_bridge that was never added
    - drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
    - ALSA: hda: fix unused variable warning
    - apparmor: don't try to replace stale label in ptrace access chec...

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (81.5 KiB)

This bug was fixed in the package linux - 5.4.0-18.22

---------------
linux (5.4.0-18.22) focal; urgency=medium

  * focal/linux: 5.4.0-18.22 -proposed tracker (LP: #1866488)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync getabis
    - [Packaging] update helper scripts

  * Add sysfs attribute to show remapped NVMe (LP: #1863621)
    - SAUCE: ata: ahci: Add sysfs attribute to show remapped NVMe device count

  * [20.04 FEAT] Compression improvements in Linux kernel (LP: #1830208)
    - lib/zlib: add s390 hardware support for kernel zlib_deflate
    - s390/boot: rename HEAP_SIZE due to name collision
    - lib/zlib: add s390 hardware support for kernel zlib_inflate
    - s390/boot: add dfltcc= kernel command line parameter
    - lib/zlib: add zlib_deflate_dfltcc_enabled() function
    - btrfs: use larger zlib buffer for s390 hardware compression
    - [Config] Introducing s390x specific kernel config option CONFIG_ZLIB_DFLTCC

  * [UBUNTU 20.04] s390x/pci: increase CONFIG_PCI_NR_FUNCTIONS to 512 in kernel
    config (LP: #1866056)
    - [Config] Increase CONFIG_PCI_NR_FUNCTIONS from 64 to 512 starting with focal
      on s390x

  * CONFIG_IP_MROUTE_MULTIPLE_TABLES is not set (LP: #1865332)
    - [Config] CONFIG_IP_MROUTE_MULTIPLE_TABLES=y

  * Dell XPS 13 9300 Intel 1650S wifi [34f0:1651] fails to load firmware
    (LP: #1865962)
    - iwlwifi: remove IWL_DEVICE_22560/IWL_DEVICE_FAMILY_22560
    - iwlwifi: 22000: fix some indentation
    - iwlwifi: pcie: rx: use rxq queue_size instead of constant
    - iwlwifi: allocate more receive buffers for HE devices
    - iwlwifi: remove some outdated iwl22000 configurations
    - iwlwifi: assume the driver_data is a trans_cfg, but allow full cfg

  * [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
    (LP: #1861521)
    - Revert "USUNTU: SAUCE: drm/i915: Force DPCD backlight mode on Dell Precision
      4K sku"
    - Revert "UBUNTU: SAUCE: drm/i915: Force DPCD backlight mode on X1 Extreme 2nd
      Gen 4K AMOLED panel"
    - SAUCE: drm/dp: Introduce EDID-based quirks
    - SAUCE: drm/i915: Force DPCD backlight mode on X1 Extreme 2nd Gen 4K AMOLED
      panel
    - SAUCE: drm/i915: Force DPCD backlight mode for some Dell CML 2020 panels

  * [20.04 FEAT] Enable proper kprobes on ftrace support (LP: #1865858)
    - s390/ftrace: save traced function caller
    - s390: support KPROBES_ON_FTRACE

  * alsa/sof: load different firmware on different platforms (LP: #1857409)
    - ASoC: SOF: Intel: hda: use fallback for firmware name
    - ASoC: Intel: acpi-match: split CNL tables in three
    - ASoC: SOF: Intel: Fix CFL and CML FW nocodec binary names.

  * [UBUNTU 20.04] Enable CONFIG_NET_SWITCHDEV in kernel config for s390x
    starting with focal (LP: #1865452)
    - [Config] Enable CONFIG_NET_SWITCHDEV in kernel config for s390x starting
      with focal

  * Focal update: v5.4.24 upstream stable release (LP: #1866333)
    - io_uring: grab ->fs as part of async offload
    - EDAC: skx_common: downgrade message importance on missing PCI device
    - net: dsa: b53: Ensure the default VID is untagged
    - net: fib_rules: Correctly set table field when table number exceeds 8 bit...

Changed in linux (Ubuntu Focal):
status: In Progress → Fix Released
Launchpad Janitor (janitor) wrote :
Download full text (45.6 KiB)

This bug was fixed in the package linux-oem - 4.15.0-1076.86

---------------
linux-oem (4.15.0-1076.86) bionic; urgency=medium

  * bionic/linux-oem: 4.15.0-1076.86 -proposed tracker (LP: #1865200)

  [ Ubuntu: 4.15.0-91.92 ]

  * bionic/linux: 4.15.0-91.92 -proposed tracker (LP: #1865109)
  * CVE-2020-2732
    - KVM: x86: emulate RDPID
    - KVM: nVMX: Don't emulate instructions in guest mode
    - KVM: nVMX: Refactor IO bitmap checks into helper function
    - KVM: nVMX: Check IO instruction VM-exit conditions

linux-oem (4.15.0-1075.85) bionic; urgency=medium

  * bionic/linux-oem: 4.15.0-1075.85 -proposed tracker (LP: #1864730)

  * Packaging resync (LP: #1786013)
    - [Packaging] resync dkms-build and family

  [ Ubuntu: 4.15.0-90.91 ]

  * bionic/linux: 4.15.0-90.91 -proposed tracker (LP: #1864753)
  * dkms artifacts may expire from the pool (LP: #1850958)
    - [Packaging] autoreconstruct -- manage executable debian files
    - [packaging] handle downloads from the librarian better

  [ Ubuntu: 4.15.0-90.90 ]

  * bionic/linux: 4.15.0-90.90 -proposed tracker (LP: #1864753)
  * vm-segv from ubuntu_stress_smoke_test failed on B (LP: #1864063)
    - Revert "apparmor: don't try to replace stale label in ptrace access check"

linux-oem (4.15.0-1074.84) bionic; urgency=medium

  * bionic/linux-oem: 4.15.0-1074.84 -proposed tracker (LP: #1863312)

  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"

  * r8152 init may take up to 40 seconds at initialization with Dell WD19/WD19DC
    during hotplug (LP: #1864284)
    - SAUCE: r8151: check disconnect status after long sleep

  * alsa/hda/realtek: fix a mute led regression on Lenovo X1 Carbon
    (LP: #1864576)
    - SAUCE: ALSA: hda/realtek - Fix a regression for mute led on Lenovo Carbon X1

  [ Ubuntu: 4.15.0-89.89 ]

  * bionic/linux: 4.15.0-89.89 -proposed tracker (LP: #1863350)
  * [SRU][B/OEM-B] Fix multitouch support on some devices (LP: #1862567)
    - HID: core: move the dynamic quirks handling in core
    - HID: quirks: move the list of special devices into a quirk
    - HID: core: move the list of ignored devices in hid-quirks.c
    - HID: core: remove the absolute need of hid_have_special_driver[]
  * [linux] Patch to prevent possible data corruption (LP: #1848739)
    - blk-mq: silence false positive warnings in hctx_unlock()
  * Add bpftool to linux-tools-common (LP: #1774815)
    - tools/bpftool: fix bpftool build with bintutils >= 2.9
    - bpftool: make libbfd optional
    - [Debian] Remove binutils-dev build dependency
    - [Debian] package bpftool in linux-tools-common
  * Root can lift kernel lockdown via USB/IP (LP: #1861238)
    - Revert "UBUNTU: SAUCE: (efi-lockdown) Add a SysRq option to lift kernel
      lockdown"
  * [Bionic] i915 incomplete fix for CVE-2019-14615 (LP: #1862840) //
    CVE-2020-8832
    - drm/i915: Use same test for eviction and submitting kernel context
    - drm/i915: Define an engine class enum for the uABI
    - drm/i915: Force the switch to the i915->kernel_context
    - drm/i915: Move GT powersaving init to i915_gem_init()
    - drm/i915: Move...

Changed in linux-oem (Ubuntu Bionic):
status: Fix Committed → Fix Released
Changed in linux-oem (Ubuntu):
status: New → Fix Released

All autopkgtests for the newly accepted linux-bluefield (5.0.0-1010.20) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

fsprotect/unknown (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#linux-bluefield

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers