2017-12-03 09:53:30 |
rppt |
bug |
|
|
added bug |
2017-12-03 09:55:37 |
rppt |
bug |
|
|
added subscriber Mimi Zohar |
2017-12-03 10:00:05 |
Ubuntu Kernel Bot |
linux (Ubuntu): status |
New |
Incomplete |
|
2017-12-03 10:31:34 |
rppt |
tags |
kernel-bug xenial |
apport-collected kernel-bug uec-images xenial |
|
2017-12-03 10:31:35 |
rppt |
description |
I'm trying to enable IMA appraisal with signatures for executable files on xenial with Linux 4.4. I took the following steps:
* Downloaded ubuntu-xenial kernel sources
* Ran fakeroot debian/rules editconfigs to set CONFIG_SYSTEM_TRUSTED_KEYS to my key
* Ran fakeroot debian/rules binary-headers binary-generic binary-perarch to build the kernel deb packages
* Installed the kernel
* Signed the filesystem with my key using 'evmctl sign'
* Enabled an IMA policy that includes the following line:
appraise fowner=0 appraise_type=imasig
* From this point, invocation of a signed binary causes a kernel BUG():
[ 1395.036910] kernel BUG at /home/rapoport/git/ubuntu-xenial/crypto/asymmetric_keys/public_key.c:80!
[ 1395.038963] invalid opcode: 0000 [#1] SMP
[ 1395.039973] Modules linked in: isofs ppdev kvm_intel kvm irqbypass joydev input_leds serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper psmouse cryptd floppy
[ 1395.050761] CPU: 6 PID: 31586 Comm: bash Not tainted 4.4.0-101-generic #124
[ 1395.051909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1395.053510] task: ffff8800bae9c600 ti: ffff88042c52c000 task.ti: ffff88042c52c000
[ 1395.054763] RIP: 0010:[<ffffffff813bdb76>] [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.056406] RSP: 0018:ffff88042c52fa98 EFLAGS: 00010246
[ 1395.057307] RAX: ffffffff813bdb80 RBX: 00000000fffffff4 RCX: 0000000000000001
[ 1395.058518] RDX: ffffffff81ea73c0 RSI: ffff88042c52fac8 RDI: ffff88042a107c10
[ 1395.059709] RBP: ffff88042c52faa0 R08: ffff88042a849100 R09: 0000000000000007
[ 1395.061109] R10: ffff88042a0f9d00 R11: ffff88042c52fb07 R12: 0000000000000080
[ 1395.062289] R13: ffff88042abd9a80 R14: 0000000000000014 R15: ffff88042a849ac4
[ 1395.063404] FS: 00007f5e21958700(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000
[ 1395.064771] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1395.065809] CR2: 00007f5e20f5c3cc CR3: 000000042cabc000 CR4: 00000000000406e0
[ 1395.067058] Stack:
[ 1395.067540] ffffffff813bdb95 ffff88042c52fab0 ffffffff813bdaec ffff88042c52fb38
[ 1395.068964] ffffffff813a759e ffff88042c52fac8 0000000000000000 0000000000000000
[ 1395.070417] ffff88042a849ac4 0000000002000114 ffff88042a849100 0000000000000000
[ 1395.071973] Call Trace:
[ 1395.072510] [<ffffffff813bdb95>] ? public_key_verify_signature_2+0x15/0x20
[ 1395.073605] [<ffffffff813bdaec>] verify_signature+0x3c/0x50
[ 1395.074526] [<ffffffff813a759e>] asymmetric_verify+0x17e/0x2a0
[ 1395.075475] [<ffffffff813a7380>] integrity_digsig_verify+0x70/0x110
[ 1395.076481] [<ffffffff813ab424>] ima_appraise_measurement+0x244/0x420
[ 1395.077518] [<ffffffff813a83fa>] process_measurement+0x3fa/0x480
[ 1395.078479] [<ffffffff813a8498>] ima_file_check+0x18/0x20
[ 1395.079381] [<ffffffff8121f0f3>] path_openat+0x1f3/0x1330
[ 1395.080274] [<ffffffff811ef49b>] ? __slab_free+0xcb/0x2c0
[ 1395.081165] [<ffffffff81221421>] do_filp_open+0x91/0x100
[ 1395.082050] [<ffffffff813933df>] ? apparmor_cred_prepare+0x2f/0x50
[ 1395.083046] [<ffffffff8134b483>] ? security_prepare_creds+0x43/0x60
[ 1395.084056] [<ffffffff81216148>] do_open_execat+0x78/0x1d0
[ 1395.084952] [<ffffffff812181b0>] do_execveat_common.isra.33+0x240/0x760
[ 1395.086016] [<ffffffff8121892a>] SyS_execve+0x3a/0x50
[ 1395.086877] [<ffffffff81844a95>] stub_execve+0x5/0x5
[ 1395.087711] [<ffffffff818447f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5 b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00
[ 1395.093215] RIP [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.094322] RSP <ffff88042c52fa98>
[ 1395.095364] ---[ end trace 7ee330317745ad36 ]---
I did some checks and it appears that upstream commit db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api") changed the public key APIs, but the IMA usage of that API was fixed only by commit eb5798f2e28f ("integrity: convert digsig to akcipher api"). |
---
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Dec 3 09:36 seq
crw-rw---- 1 root audio 116, 33 Dec 3 09:36 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.20.1-0ubuntu2.13
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq', '/dev/snd/timer'] failed with exit code 1:
CRDA: N/A
DistroRelease: Ubuntu 16.04
IwConfig: Error: [Errno 2] No such file or directory
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
Package: linux (not installed)
PciMultimedia:
ProcFB:
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-101-generic root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0
ProcVersionSignature: User Name 4.4.0-101.124-generic 4.4.95
RelatedPackageVersions:
linux-restricted-modules-4.4.0-101-generic N/A
linux-backports-modules-4.4.0-101-generic N/A
linux-firmware N/A
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial uec-images
Uname: Linux 4.4.0-101-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video
_MarkForUpload: True
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-xenial
dmi.modalias: dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-xenial
dmi.sys.vendor: QEMU |
|
2017-12-03 10:31:35 |
rppt |
attachment added |
|
CurrentDmesg.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017682/+files/CurrentDmesg.txt |
|
2017-12-03 10:31:37 |
rppt |
attachment added |
|
JournalErrors.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017683/+files/JournalErrors.txt |
|
2017-12-03 10:31:38 |
rppt |
attachment added |
|
Lspci.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017684/+files/Lspci.txt |
|
2017-12-03 10:31:39 |
rppt |
attachment added |
|
ProcCpuinfo.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017685/+files/ProcCpuinfo.txt |
|
2017-12-03 10:31:40 |
rppt |
attachment added |
|
ProcCpuinfoMinimal.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017686/+files/ProcCpuinfoMinimal.txt |
|
2017-12-03 10:31:41 |
rppt |
attachment added |
|
ProcEnviron.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017687/+files/ProcEnviron.txt |
|
2017-12-03 10:31:42 |
rppt |
attachment added |
|
ProcInterrupts.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017688/+files/ProcInterrupts.txt |
|
2017-12-03 10:31:43 |
rppt |
attachment added |
|
ProcModules.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017689/+files/ProcModules.txt |
|
2017-12-03 10:31:44 |
rppt |
attachment added |
|
UdevDb.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017690/+files/UdevDb.txt |
|
2017-12-03 10:31:45 |
rppt |
attachment added |
|
WifiSyslog.txt https://bugs.launchpad.net/bugs/1735977/+attachment/5017691/+files/WifiSyslog.txt |
|
2017-12-03 13:09:27 |
rppt |
linux (Ubuntu): status |
Incomplete |
Confirmed |
|
2017-12-04 14:55:10 |
Joseph Salisbury |
linux (Ubuntu): importance |
Undecided |
Medium |
|
2017-12-04 14:55:18 |
Joseph Salisbury |
nominated for series |
|
Ubuntu Xenial |
|
2017-12-04 14:55:18 |
Joseph Salisbury |
bug task added |
|
linux (Ubuntu Xenial) |
|
2017-12-04 14:55:25 |
Joseph Salisbury |
linux (Ubuntu Xenial): status |
New |
Incomplete |
|
2017-12-04 14:55:29 |
Joseph Salisbury |
linux (Ubuntu): status |
Confirmed |
Incomplete |
|
2017-12-04 14:55:41 |
Joseph Salisbury |
linux (Ubuntu Xenial): importance |
Undecided |
Medium |
|
2017-12-04 14:56:52 |
Joseph Salisbury |
tags |
apport-collected kernel-bug uec-images xenial |
apport-collected kernel-bug kernel-da-key uec-images xenial |
|
2017-12-05 21:05:21 |
Joseph Salisbury |
linux (Ubuntu): status |
Incomplete |
In Progress |
|
2017-12-05 21:05:24 |
Joseph Salisbury |
linux (Ubuntu Xenial): status |
Incomplete |
In Progress |
|
2017-12-05 21:05:28 |
Joseph Salisbury |
linux (Ubuntu): assignee |
|
Joseph Salisbury (jsalisbury) |
|
2017-12-05 21:05:33 |
Joseph Salisbury |
linux (Ubuntu Xenial): assignee |
|
Joseph Salisbury (jsalisbury) |
|
2017-12-07 18:38:26 |
Joseph Salisbury |
description |
== SRU Justification ==
The bug reporter was trying to enable IMA appraisal with signatures for executable
files on Xenial. However, when enabling IMA appraisal the system would crash
and generate a trace.
This bug is happening because the following commit was applied to Xenial in bug 1569924:
db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the akcipher api")
However, the following commit is also required, or this bug happens:
eb5798f2e28f ("integrity: convert digsig to akcipher api")
== Fix ==
commit eb5798f2e28f3b43091cecc71c84c3f6fb35c7de
Author: Tadeusz Struk <tadeusz.struk@intel.com>
Date: Tue Feb 2 10:08:58 2016 -0800
integrity: convert digsig to akcipher api
== Regression Potential ==
The requested commit is required to fix an existing regression caused by bug 1569924.
== Test Case ==
A test kernel was built with this patch and tested by the original bug reporter.
The bug reporter states the test kernel resolved the bug.
== Original Bug Description ==
(as reported above) |
|
2018-02-04 01:26:55 |
Khaled El Mously |
linux (Ubuntu Xenial): status |
In Progress |
Fix Committed |
|
2018-03-19 10:55:39 |
Stefan Bader |
tags |
apport-collected kernel-bug kernel-da-key uec-images xenial |
apport-collected kernel-bug kernel-da-key uec-images verification-needed-xenial xenial |
|
2018-03-19 13:26:38 |
rppt |
tags |
apport-collected kernel-bug kernel-da-key uec-images verification-needed-xenial xenial |
apport-collected kernel-bug kernel-da-key uec-images verification-done-xenial xenial |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
linux (Ubuntu Xenial): status |
Fix Committed |
Fix Released |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2017-15129 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2017-16995 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2017-17448 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2017-17450 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2017-17741 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2017-17862 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2017-5753 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2018-1000026 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2018-5333 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2018-5344 |
|
2018-04-04 09:27:25 |
Launchpad Janitor |
cve linked |
|
2018-8043 |
|
2019-01-23 01:11:51 |
Joseph Salisbury |
linux (Ubuntu): status |
In Progress |
Fix Released |
|
2019-07-24 21:08:13 |
Brad Figg |
tags |
apport-collected kernel-bug kernel-da-key uec-images verification-done-xenial xenial |
apport-collected cscc kernel-bug kernel-da-key uec-images verification-done-xenial xenial |
|