Large pastes into readline-enabled programs cause breakage from kernel v2.6.31 onwards

Bug #1208740 reported by Margarita Manterola
This bug affects 3 people
Affects             Status        Importance  Assigned to           Milestone
linux (Ubuntu)      Fix Released  Medium      Unassigned
  Precise           Fix Released  Medium      Chris J Arges
  Quantal           Fix Released  Medium      Chris J Arges
  Raring            Fix Released  Medium      Chris J Arges
  Saucy             Fix Released  Medium      Unassigned
  Trusty            Fix Released  Medium      Rafael David Tinoco

Bug Description

SRU Justification:

Impact: Large pastes over 4KB in a console may not be pasted correctly.

Fix: A patch that resolves the issue was posted at https://lkml.org/lkml/2013/9/3/539. It is not upstreamed yet, pending additional analysis.

Testcase:
1. gedit /usr/share/common-licenses/GPL (replace " with blanks)
2. select all and copy contents
3. open a terminal and type "
4. paste contents

If the whole contents are pasted without any errors then we pass.

Additional Notes:
While this isn't upstreamed yet, this has already been accepted into Saucy and no additional bug reports or regressions have been detected yet. It would be useful to continue to monitor the upstream thread, and/or more deeply review this patch for potential deadlocks and contribute to the upstream discussion.

--

The bug is described in detail in this mail:
https://lkml.org/lkml/2013/7/25/205

This bug affects any readline-enabled program, like bash or psql. A "large" paste is any paste of more than 4 KB of data (4 KB is the size of the kernel buffer for reading from the console).

As can be found in the lkml thread, the issue is caused by the constant change between canonical mode and non-canonical mode, done by readline for each line being read. This change means that when the buffer is full, some characters might get lost.

This has been happening for a long time (starting with kernel v2.6.31-rc5), but it was barely noticeable for a while. Some changes done in the way the kernel schedules character reading in v2.6.39-rc1 made it much more noticeable. Even the most recent kernels are affected.
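The canonical/non-canonical toggling described above, as an added reproducer that is not the bug report's test program, readline's code, or the patch under discussion. It emulates readline's rl_prep_terminal()/rl_deprep_terminal() behaviour on a pty slave (ICANON off while a line is being read, ICANON on again once the newline has arrived) while a second thread plays the terminal emulator and writes a 16 KiB "paste" into the pty master in one burst. The filler text is a constructed stand-in for the GPL file; the 1 s idle timeout that ends the read loop, the 16 KiB size and the function names are this example's own choices. On a kernel with the bug the received byte count comes back short.

```python
"""Reproduce the large-paste loss by reading a pty the way readline does."""
import os
import select
import termios
import threading


def make_paste(size):
    """Constructed stand-in for the GPL text: 60-byte lines of filler."""
    line = b"x" * 59 + b"\n"
    return (line * (size // len(line) + 1))[:size]


def paste_into(master_fd, data):
    """Terminal-emulator side: push the whole clipboard into the pty master.
    os.write may return a short count while the line discipline is full."""
    view = memoryview(data)
    while view:
        n = os.write(master_fd, view)
        view = view[n:]


def read_like_readline(slave_fd, idle_timeout=1.0):
    """Application side: switch to non-canonical mode for the duration of each
    line and back to canonical mode between lines, as readline does.  Stops
    once the terminal has been silent for idle_timeout seconds."""
    canon = termios.tcgetattr(slave_fd)
    canon[6] = list(canon[6])
    # Echo would feed every byte back into the master, which nobody reads here.
    canon[3] &= ~(termios.ECHO | termios.ECHONL)
    raw = list(canon)
    raw[6] = list(canon[6])
    raw[3] &= ~termios.ICANON
    raw[6][termios.VMIN] = 1   # readline fetches one character per read()
    raw[6][termios.VTIME] = 0
    termios.tcsetattr(slave_fd, termios.TCSANOW, canon)

    received = bytearray()
    while True:
        termios.tcsetattr(slave_fd, termios.TCSANOW, raw)    # rl_prep_terminal()
        idle = False
        while True:
            ready, _, _ = select.select([slave_fd], [], [], idle_timeout)
            if not ready:
                idle = True
                break
            ch = os.read(slave_fd, 1)
            if not ch:
                idle = True
                break
            received += ch
            if ch == b"\n":
                break
        termios.tcsetattr(slave_fd, termios.TCSANOW, canon)  # rl_deprep_terminal()
        if idle:
            return bytes(received)


def check_large_paste(size=16384):
    """Return (bytes received, bytes pasted, contents identical).  A kernel with
    the 4 KiB line-discipline bug returns a short count and False."""
    master_fd, slave_fd = os.openpty()
    data = make_paste(size)
    try:
        writer = threading.Thread(target=paste_into, args=(master_fd, data),
                                  daemon=True)
        writer.start()
        got = read_like_readline(slave_fd)
        writer.join(timeout=5)
    finally:
        os.close(slave_fd)
        os.close(master_fd)
    return len(got), len(data), got == data


if __name__ == "__main__":
    received, pasted, same = check_large_paste()
    print(f"received {received} of {pasted} bytes, identical={same}")
```

Run it as a normal user on the kernel under test; no real terminal is needed because the pty pair is created by the script itself. A paste size well above 4096 bytes is what matters, since the loss only occurs once the line discipline's buffer is full while the mode switch happens.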

Revision history for this message
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1208740

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Revision history for this message
dino99 (9d9) wrote :

Logs are not needed here.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
tags: added: kernel-bug precise quantal raring saucy
Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: kernel-bug-exists-upstream
Changed in linux (Ubuntu):
status: Confirmed → Triaged
Revision history for this message
Margarita Manterola (marga-9) wrote :

Hi,

Indeed logs are not needed, and a lot of info is available in the above mentioned URL.

To reproduce the issue, you can just type " in a bash shell and then paste anything larger than 4k (my test file has been the GPL file from /usr/share/common-licenses).

This message, sent to the readline mailing list, also includes a simple test program:
http://lists.gnu.org/archive/html/bug-readline/2013-07/msg00013.html

--
Cheers,
Marga

Chris J Arges (arges)
tags: added: bot-stop-nagging
tags: added: kernel-key
Changed in linux (Ubuntu Raring):
importance: Undecided → Medium
Changed in linux (Ubuntu Quantal):
importance: Undecided → Medium
Changed in linux (Ubuntu Precise):
importance: Undecided → Medium
Changed in linux (Ubuntu Raring):
status: New → Triaged
Changed in linux (Ubuntu Quantal):
status: New → Triaged
Changed in linux (Ubuntu Precise):
status: New → Triaged
Revision history for this message
Chris J Arges (arges) wrote :

A test build of the patch identified here:
https://lkml.org/lkml/2013/9/3/539

Can be found here:
http://people.canonical.com/~arges/lp1208740

I've tested with the test case described in #3 and the patched kernel solves this issue.

Revision history for this message
Chris J Arges (arges) wrote :

Sauce patch sent to kernel ML for Saucy.

Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Saucy):
status: Triaged → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-7.13

---------------
linux (3.11.0-7.13) saucy; urgency=low

  * Release tracker
    - LP: #1223545

  [ Andy Whitcroft ]

  * SAUCE: (no-up) scsi: add scsi device flag to request VPD pages be used at SPC-2
    - LP: #1223499
  * SAUCE: (no-up) scsi: add scsi device flag to request READ CAPACITY (16) be preferred
    - LP: #1223499
  * SAUCE: (no-up) scsi: hyper-v storage -- mark as VPD capable at SPC-2
    - LP: #1223499
  * SAUCE: (no-up) scsi: hyper-v storage -- mark as preferring READ CAPACITY (16) at SPC-2
    - LP: #1223499

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active readers.
    - LP: #1208740

  [ Tim Gardner ]

  * [Debian] getabis: Commit new ABI directory, remove the old
  * [Config] CONFIG_EFIVAR_FS=y
    - LP: #1223195
  * [Config] CONFIG_EFI_VARS_PSTORE=m,
    CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=n
  * SAUCE: (no-up) USB: input: cm109.c: Convert high volume dev_err() to dev_err_ratelimited()
    - LP: #1222850

  [ Upstream Kernel Changes ]

  * Intel xhci: refactor EHCI/xHCI port switching
    - LP: #1210858
 -- Tim Gardner <email address hidden> Tue, 10 Sep 2013 09:00:19 -0600

Changed in linux (Ubuntu Saucy):
status: Fix Committed → Fix Released
tags: removed: kernel-key
Chris J Arges (arges)
Changed in linux (Ubuntu Precise):
assignee: nobody → Chris J Arges (arges)
Changed in linux (Ubuntu Quantal):
assignee: nobody → Chris J Arges (arges)
Changed in linux (Ubuntu Raring):
assignee: nobody → Chris J Arges (arges)
Changed in linux (Ubuntu Precise):
status: Triaged → In Progress
Changed in linux (Ubuntu Raring):
status: Triaged → In Progress
Changed in linux (Ubuntu Quantal):
status: Triaged → In Progress
Chris J Arges (arges)
description: updated
Revision history for this message
Chris J Arges (arges) wrote :

SRU Patches sent to ML for P/Q/R.

Revision history for this message
Simon Déziel (sdeziel) wrote :

The precise kernel version 3.2.0-56.86 fixes the issue, thanks!

Why no verification-needed flag? Anyway, consider this verification-done-precise.

Revision history for this message
Chris J Arges (arges) wrote :

git tag --contains on the patches I see:

99a1224fd2b5d50a19977d5bbc0341793a16dcc7 - Ubuntu-3.2.0-56.86
6a0e09413c4106ed6925e235acd3b0010c6ea93e - Ubuntu-3.5.0-43.66
c58f8db5cfbcc3f7ba35c24edc752bb446d9c85d - Ubuntu-3.8.0-33.48

Chris J Arges (arges)
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Raring):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Quantal):
status: In Progress → Fix Committed
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-precise' to 'verification-done-precise'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-precise
tags: added: verification-needed-quantal
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-quantal' to 'verification-done-quantal'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-raring
Revision history for this message
Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-raring' to 'verification-done-raring'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Simon Déziel (sdeziel)
tags: added: verification-done-precise
removed: verification-needed-precise
Chris J Arges (arges)
tags: added: verification-done-raring
removed: verification-needed-raring
Chris J Arges (arges)
tags: added: verification-done-quantal
removed: verification-needed-quantal
Revision history for this message
Margarita Manterola (marga-9) wrote :

Hi,

I verified in precise for:
 linux-image-3.2.0-56-generic
 linux-image-3.5.0-43-generic
 linux-image-3.8.0-33-generic

Works correctly in all of them.

--
Regards,
Marga

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-56.86

---------------
linux (3.2.0-56.86) precise; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #1242901

  [ Upstream Kernel Changes ]

  * Revert "xfs: fix _xfs_buf_find oops on blocks beyond the filesystem
    end"
    - LP: #1236041
    - CVE-2013-1819 fix backport:
  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740
  * Btrfs: fix hash overflow handling
    - LP: #1091187, #1091188
    - CVE-2012-5375
 -- Steve Conklin <email address hidden> Mon, 21 Oct 2013 15:11:01 -0500

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.5.0-43.66

---------------
linux (3.5.0-43.66) quantal; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1242895

  [ Timo Aaltonen ]

  * SAUCE: ubuntu/i915: silence unclaimed register poking debug messages
    - LP: #1138787

  [ Upstream Kernel Changes ]

  * Revert "xfs: fix _xfs_buf_find oops on blocks beyond the filesystem
    end"
    - LP: #1236041
    - CVE-2013-1819 fix backport:
  * Revert "sctp: fix call to SCTP_CMD_PROCESS_SACK in
    sctp_cmd_interpreter()"
    - LP: #1241093
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740
  * usb: xhci: define port register names and use them instead of magic
    numbers
    - LP: #1229576
  * usb: xhci: add USB2 Link power management BESL support
    - LP: #1229576
  * iwl4965: fix rfkill set state regression
    - LP: #1241093
  * ath9k_htc: Restore skb headroom when returning skb to mac80211
    - LP: #1241093
  * ALSA: opti9xx: Fix conflicting driver object name
    - LP: #1241093
  * SUNRPC: Fix memory corruption issue on 32-bit highmem systems
    - LP: #1241093
  * drm/i915: ivb: fix edp voltage swing reg val
    - LP: #1241093
  * drm/vmwgfx: Split GMR2_REMAP commands if they are to large
    - LP: #1241093
  * ALSA: ak4xx-adda: info leak in ak4xxx_capture_source_info()
    - LP: #1241093
  * Bluetooth: Add support for Foxconn/Hon Hai [0489:e04d]
    - LP: #1241093
  * [SCSI] sg: Fix user memory corruption when SG_IO is interrupted by a
    signal
    - LP: #1241093
  * xen-gnt: prevent adding duplicate gnt callbacks
    - LP: #1241093
  * usb: config->desc.bLength may not exceed amount of data returned by the
    device
    - LP: #1241093
  * USB: cdc-wdm: fix race between interrupt handler and tasklet
    - LP: #1241093
  * xhci-plat: Don't enable legacy PCI interrupts.
    - LP: #1241093
  * ASoC: wm8960: Fix PLL register writes
    - LP: #1241093
  * rculist: list_first_or_null_rcu() should use list_entry_rcu()
    - LP: #1241093
  * USB: mos7720: use GFP_ATOMIC under spinlock
    - LP: #1241093
  * USB: mos7720: fix big-endian control requests
    - LP: #1241093
  * staging: comedi: dt282x: dt282x_ai_insn_read() always fails
    - LP: #1241093
  * usb: ehci-mxc: check for pdata before dereferencing
    - LP: #1241093
  * usb: xhci: Disable runtime PM suspend for quirky controllers
    - LP: #1241093
  * USB: OHCI: Allow runtime PM without system sleep
    - LP: #1241093
  * ACPI / EC: Add HP Folio 13 to ec_dmi_table in order to skip DSDT scan
    - LP: #1241093
  * ACPI / EC: Add ASUSTEK L4R to quirk list in order to validate ECDT
    - LP: #1241093
  * USB: fix build error when CONFIG_PM_SLEEP isn't enabled
    - LP: #1241093
  * ALSA: hda - hdmi: Fallback to ALSA allocation when selecting CA
    - LP: #1241093
  * regmap: silence GCC warning
    - LP: #1241093
  * target: Fix trailing ASCII space usage in INQUIRY vendor+model
    - LP: #1241093
  * iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth
    - LP: #1...

Changed in linux (Ubuntu Quantal):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.8.0-33.48

---------------
linux (3.8.0-33.48) raring; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1242849

  [ Maximiliano Curia ]

  * SAUCE: (no-up) Only let characters through when there are active
    readers.
    - LP: #1208740

  [ Upstream Kernel Changes ]

  * cciss: fix info leak in cciss_ioctl32_passthru()
    - LP: #1188355
    - CVE-2013-2147
  * cpqarray: fix info leak in ida_locked_ioctl()
    - LP: #1188355
    - CVE-2013-2147
  * mount: consolidate permission checks
    - LP: #1226726
  * get rid of full-hash scan on detaching vfsmounts
    - LP: #1226726
  * Smack: Fix the bug smackcipso can't set CIPSO correctly
    - LP: #1236743
  * ipvs: add backup_only flag to avoid loops
    - LP: #1238494
  * tuntap: correctly handle error in tun_set_iff()
    - LP: #1229975
    - CVE-2013-4343
  * htb: fix sign extension bug
    - LP: #1240580
  * net: avoid to hang up on sending due to sysctl configuration overflow.
    - LP: #1240580
  * net: check net.core.somaxconn sysctl values
    - LP: #1240580
  * macvlan: validate flags
    - LP: #1240580
  * neighbour: populate neigh_parms on alloc before calling ndo_neigh_setup
    - LP: #1240580
  * bonding: modify only neigh_parms owned by us
    - LP: #1240580
  * fib_trie: remove potential out of bound access
    - LP: #1240580
  * bridge: don't try to update timers in case of broken MLD queries
    - LP: #1240580
  * tcp: cubic: fix overflow error in bictcp_update()
    - LP: #1240580
  * tcp: cubic: fix bug in bictcp_acked()
    - LP: #1240580
  * ipv6: don't stop backtracking in fib6_lookup_1 if subtree does not
    match
    - LP: #1240580
  * 8139cp: Fix skb leak in rx_status_loop failure path.
    - LP: #1240580
  * tun: signedness bug in tun_get_user()
    - LP: #1240580
  * ipv6: remove max_addresses check from ipv6_create_tempaddr
    - LP: #1240580
  * ipv6: Store Router Alert option in IP6CB directly.
    - LP: #1240580
  * ipv6: drop packets with multiple fragmentation headers
    - LP: #1240580
  * tcp: set timestamps for restored skb-s
    - LP: #1240580
  * net: usb: Add HP hs2434 device to ZLP exception table
    - LP: #1240580
  * tcp: initialize rcv_tstamp for restored sockets
    - LP: #1240580
  * ipv4: sendto/hdrincl: don't use destination address found in header
    - LP: #1240580
  * tcp: tcp_make_synack() should use sock_wmalloc
    - LP: #1240580
  * tipc: set sk_err correctly when connection fails
    - LP: #1240580
  * net: bridge: convert MLDv2 Query MRC into msecs_to_jiffies for
    max_delay
    - LP: #1240580
  * ICMPv6: treat dest unreachable codes 5 and 6 as EACCES, not EPROTO
    - LP: #1240580
  * tg3: Don't turn off led on 5719 serdes port 0
    - LP: #1240580
  * vhost_net: poll vhost queue after marking DMA is done
    - LP: #1240580
  * net: ipv6: tcp: fix potential use after free in tcp_v6_do_rcv
    - LP: #1240580
  * drm/radeon/si: Add support for CP DMA to CS checker for compute v2
    - LP: #1240580
  * sfc: Fix efx_rx_buf_offset() for recycled pages
    - LP: #1240580
  * cfq: explicitly use 64bit divide operation for 64bit arguments
    - LP: #1240580
  * drm/radeon/atom: wor...


Changed in linux (Ubuntu Raring):
status: Fix Committed → Fix Released
Revision history for this message
Margarita Manterola (marga-9) wrote :

Unfortunately upstream didn't deliver on their promise of backporting the fix to 3.13. It's applied on 3.14 onwards (http://article.gmane.org/gmane.linux.kernel/1611767), but Trusty is still broken. Can we get either the patch version included here, or a backport of the version included in 3.14 in the Trusty kernel, please?

Revision history for this message
Rafael David Tinoco (rafaeldtinoco) wrote :

Attaching patch that is being sent to Kernel Team by e-mail.

Revision history for this message
Chris J Arges (arges) wrote :

Just for clarification, the patch "SAUCE: (no-up) Only let characters through when there are active readers." was not applied to 3.13, and the proper upstream patch is "n_tty: Fix buffer overruns with larger-than-4k pastes". The latter patch is applied to 3.16, so 3.13 is the only remaining series that needs to be patched.
Thanks,

Changed in linux (Ubuntu Trusty):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Rafael David Tinoco (inaddy)
Brad Figg (brad-figg)
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Revision history for this message
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for linux-lts-trusty has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-33.58

---------------
linux (3.13.0-33.58) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1349897

  [ Upstream Kernel Changes ]

  * mm: numa: do not automatically migrate KSM pages
    - LP: #1346917
  * net: fix UDP tunnel GSO of frag_list GRO packets
    - LP: #1331219
  * auditsc: audit_krule mask accesses need bounds checking
    - LP: #1347088
  * n_tty: Fix buffer overruns with larger-than-4k pastes
    - LP: #1208740
 -- Tim Gardner <email address hidden> Fri, 18 Jul 2014 14:57:50 +0000

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released