SRU request submitted:
https://lists.ubuntu.com/archives/kernel-team/2017-December/088677.html
** Description changed:
+
+ == SRU Justification ==
+ The bug reporter was trying to enable IMA appraisal with signatures for
executable
+ files on Xenial. However, when enabling IMA appriasl the system would crash
+ and generate a trace.
+
+ This bug is happening because the following commit was applied to Xenial in
bug 1569924:
+ db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the
akcipher api")
+
+ However, the following commit is also required or this bug happens:
+ eb5798f2e28f ("integrity: convert digsig to akcipher api")
+
+
+ == Fix ==
+ commit eb5798f2e28f3b43091cecc71c84c3f6fb35c7de
+ Author: Tadeusz Struk <tadeusz.st...@intel.com>
+ Date: Tue Feb 2 10:08:58 2016 -0800
+
+ integrity: convert digsig to akcipher api
+
+ == Regression Potential ==
+ The requested commit is requred to fix an existing regression caused by bug
1569924.
+
+ == Test Case ==
+ A test kernel was built with this patch and tested by the original bug
reporter.
+ The bug reporter states the test kernel resolved the bug.
+
+
+
+ == Original Bug Description ==
I'm trying to enable IMA appraisal with signatures for executable files on
xenial with Linux 4.4. I took the following steps:
* Downloaded ubuntu-xenial kernel sources
* Run fakeroot debian/rules editconfigs to set CONFIG_SYSTEM_TRUSTED_KEYS to
my key
* Run fakeroot debian/rules binary-headers binary-generic binary-perarch to
build the kernel deb packaes
* Installed the kernel
* Signed the filesystem with my key using 'evmctl sing'
* Enabled IMA policy so that it will include the following line
- appraise fowner=0 appraise_type=imasig
+ appraise fowner=0 appraise_type=imasig
* From this point invocation of a signed binary cases a kernel BUG():
[ 1395.036910] kernel BUG at
/home/rapoport/git/ubuntu-xenial/crypto/asymmetric_keys/public_key.c:80!
- [ 1395.038963] invalid opcode: 0000 [#1] SMP
+ [ 1395.038963] invalid opcode: 0000 [#1] SMP
[ 1395.039973] Modules linked in: isofs ppdev kvm_intel kvm irqbypass joydev
input_leds serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa
ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul
crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul
glue_helper ablk_helper psmouse cryptd floppy
[ 1395.050761] CPU: 6 PID: 31586 Comm: bash Not tainted 4.4.0-101-generic #124
[ 1395.051909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1395.053510] task: ffff8800bae9c600 ti: ffff88042c52c000 task.ti:
ffff88042c52c000
[ 1395.054763] RIP: 0010:[<ffffffff813bdb76>] [<ffffffff813bdb76>]
public_key_verify_signature+0x46/0x50
[ 1395.056406] RSP: 0018:ffff88042c52fa98 EFLAGS: 00010246
[ 1395.057307] RAX: ffffffff813bdb80 RBX: 00000000fffffff4 RCX:
0000000000000001
[ 1395.058518] RDX: ffffffff81ea73c0 RSI: ffff88042c52fac8 RDI:
ffff88042a107c10
[ 1395.059709] RBP: ffff88042c52faa0 R08: ffff88042a849100 R09:
0000000000000007
[ 1395.061109] R10: ffff88042a0f9d00 R11: ffff88042c52fb07 R12:
0000000000000080
[ 1395.062289] R13: ffff88042abd9a80 R14: 0000000000000014 R15:
ffff88042a849ac4
[ 1395.063404] FS: 00007f5e21958700(0000) GS:ffff88043fd80000(0000)
knlGS:0000000000000000
[ 1395.064771] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1395.065809] CR2: 00007f5e20f5c3cc CR3: 000000042cabc000 CR4:
00000000000406e0
[ 1395.067058] Stack:
[ 1395.067540] ffffffff813bdb95 ffff88042c52fab0 ffffffff813bdaec
ffff88042c52fb38
[ 1395.068964] ffffffff813a759e ffff88042c52fac8 0000000000000000
0000000000000000
[ 1395.070417] ffff88042a849ac4 0000000002000114 ffff88042a849100
0000000000000000
[ 1395.071973] Call Trace:
[ 1395.072510] [<ffffffff813bdb95>] ? public_key_verify_signature_2+0x15/0x20
[ 1395.073605] [<ffffffff813bdaec>] verify_signature+0x3c/0x50
[ 1395.074526] [<ffffffff813a759e>] asymmetric_verify+0x17e/0x2a0
[ 1395.075475] [<ffffffff813a7380>] integrity_digsig_verify+0x70/0x110
[ 1395.076481] [<ffffffff813ab424>] ima_appraise_measurement+0x244/0x420
[ 1395.077518] [<ffffffff813a83fa>] process_measurement+0x3fa/0x480
[ 1395.078479] [<ffffffff813a8498>] ima_file_check+0x18/0x20
[ 1395.079381] [<ffffffff8121f0f3>] path_openat+0x1f3/0x1330
[ 1395.080274] [<ffffffff811ef49b>] ? __slab_free+0xcb/0x2c0
[ 1395.081165] [<ffffffff81221421>] do_filp_open+0x91/0x100
[ 1395.082050] [<ffffffff813933df>] ? apparmor_cred_prepare+0x2f/0x50
[ 1395.083046] [<ffffffff8134b483>] ? security_prepare_creds+0x43/0x60
[ 1395.084056] [<ffffffff81216148>] do_open_execat+0x78/0x1d0
[ 1395.084952] [<ffffffff812181b0>] do_execveat_common.isra.33+0x240/0x760
[ 1395.086016] [<ffffffff8121892a>] SyS_execve+0x3a/0x50
[ 1395.086877] [<ffffffff81844a95>] stub_execve+0x5/0x5
[ 1395.087711] [<ffffffff818447f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
- [ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5
b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b
0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00
+ [ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5
b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b
0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00
[ 1395.093215] RIP [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.094322] RSP <ffff88042c52fa98>
[ 1395.095364] ---[ end trace 7ee330317745ad36 ]---
I did some checks and it appears that upstream commit db6c43bd2132 ("crypto:
KEYS: convert public key and digsig asym to the akcipher api") has changed
public keys APIs, but the IMA usage of that API was fixed only by commit
eb5798f2e28f ("integrity: convert digsig to akcipher api")
- ---
+ ---
AlsaDevices:
- total 0
- crw-rw---- 1 root audio 116, 1 Dec 3 09:36 seq
- crw-rw---- 1 root audio 116, 33 Dec 3 09:36 timer
+ total 0
+ crw-rw---- 1 root audio 116, 1 Dec 3 09:36 seq
+ crw-rw---- 1 root audio 116, 33 Dec 3 09:36 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.20.1-0ubuntu2.13
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq',
'/dev/snd/timer'] failed with exit code 1:
CRDA: N/A
DistroRelease: Ubuntu 16.04
IwConfig: Error: [Errno 2] No such file or directory
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
Package: linux (not installed)
PciMultimedia:
-
+
ProcFB:
-
+
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-101-generic
root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0
ProcVersionSignature: User Name 4.4.0-101.124-generic 4.4.95
RelatedPackageVersions:
- linux-restricted-modules-4.4.0-101-generic N/A
- linux-backports-modules-4.4.0-101-generic N/A
- linux-firmware N/A
+ linux-restricted-modules-4.4.0-101-generic N/A
+ linux-backports-modules-4.4.0-101-generic N/A
+ linux-firmware N/A
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial uec-images
Uname: Linux 4.4.0-101-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video
_MarkForUpload: True
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-xenial
dmi.modalias:
dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-xenial
dmi.sys.vendor: QEMU
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1735977
Title:
Using asymmetric key for IMA appraisal crashes the system in Ubuntu
16.04
Status in linux package in Ubuntu:
In Progress
Status in linux source package in Xenial:
In Progress
Bug description:
== SRU Justification ==
The bug reporter was trying to enable IMA appraisal with signatures for
executable
files on Xenial. However, when enabling IMA appriasl the system would crash
and generate a trace.
This bug is happening because the following commit was applied to Xenial in
bug 1569924:
db6c43bd2132 ("crypto: KEYS: convert public key and digsig asym to the
akcipher api")
However, the following commit is also required or this bug happens:
eb5798f2e28f ("integrity: convert digsig to akcipher api")
== Fix ==
commit eb5798f2e28f3b43091cecc71c84c3f6fb35c7de
Author: Tadeusz Struk <tadeusz.st...@intel.com>
Date: Tue Feb 2 10:08:58 2016 -0800
integrity: convert digsig to akcipher api
== Regression Potential ==
The requested commit is requred to fix an existing regression caused by bug
1569924.
== Test Case ==
A test kernel was built with this patch and tested by the original bug
reporter.
The bug reporter states the test kernel resolved the bug.
== Original Bug Description ==
I'm trying to enable IMA appraisal with signatures for executable files on
xenial with Linux 4.4. I took the following steps:
* Downloaded ubuntu-xenial kernel sources
* Run fakeroot debian/rules editconfigs to set CONFIG_SYSTEM_TRUSTED_KEYS to
my key
* Run fakeroot debian/rules binary-headers binary-generic binary-perarch to
build the kernel deb packaes
* Installed the kernel
* Signed the filesystem with my key using 'evmctl sing'
* Enabled IMA policy so that it will include the following line
appraise fowner=0 appraise_type=imasig
* From this point invocation of a signed binary cases a kernel BUG():
[ 1395.036910] kernel BUG at
/home/rapoport/git/ubuntu-xenial/crypto/asymmetric_keys/public_key.c:80!
[ 1395.038963] invalid opcode: 0000 [#1] SMP
[ 1395.039973] Modules linked in: isofs ppdev kvm_intel kvm irqbypass joydev
input_leds serio_raw parport_pc parport ib_iser rdma_cm iw_cm ib_cm ib_sa
ib_mad ib_core ib_addr iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi
autofs4 btrfs raid10 raid456 async_raid6_recov async_memcpy async_pq async_xor
async_tx xor raid6_pq libcrc32c raid1 raid0 multipath linear crct10dif_pclmul
crc32_pclmul ghash_clmulni_intel aesni_intel aes_x86_64 lrw gf128mul
glue_helper ablk_helper psmouse cryptd floppy
[ 1395.050761] CPU: 6 PID: 31586 Comm: bash Not tainted 4.4.0-101-generic #124
[ 1395.051909] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
Ubuntu-1.8.2-1ubuntu1 04/01/2014
[ 1395.053510] task: ffff8800bae9c600 ti: ffff88042c52c000 task.ti:
ffff88042c52c000
[ 1395.054763] RIP: 0010:[<ffffffff813bdb76>] [<ffffffff813bdb76>]
public_key_verify_signature+0x46/0x50
[ 1395.056406] RSP: 0018:ffff88042c52fa98 EFLAGS: 00010246
[ 1395.057307] RAX: ffffffff813bdb80 RBX: 00000000fffffff4 RCX:
0000000000000001
[ 1395.058518] RDX: ffffffff81ea73c0 RSI: ffff88042c52fac8 RDI:
ffff88042a107c10
[ 1395.059709] RBP: ffff88042c52faa0 R08: ffff88042a849100 R09:
0000000000000007
[ 1395.061109] R10: ffff88042a0f9d00 R11: ffff88042c52fb07 R12:
0000000000000080
[ 1395.062289] R13: ffff88042abd9a80 R14: 0000000000000014 R15:
ffff88042a849ac4
[ 1395.063404] FS: 00007f5e21958700(0000) GS:ffff88043fd80000(0000)
knlGS:0000000000000000
[ 1395.064771] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1395.065809] CR2: 00007f5e20f5c3cc CR3: 000000042cabc000 CR4:
00000000000406e0
[ 1395.067058] Stack:
[ 1395.067540] ffffffff813bdb95 ffff88042c52fab0 ffffffff813bdaec
ffff88042c52fb38
[ 1395.068964] ffffffff813a759e ffff88042c52fac8 0000000000000000
0000000000000000
[ 1395.070417] ffff88042a849ac4 0000000002000114 ffff88042a849100
0000000000000000
[ 1395.071973] Call Trace:
[ 1395.072510] [<ffffffff813bdb95>] ? public_key_verify_signature_2+0x15/0x20
[ 1395.073605] [<ffffffff813bdaec>] verify_signature+0x3c/0x50
[ 1395.074526] [<ffffffff813a759e>] asymmetric_verify+0x17e/0x2a0
[ 1395.075475] [<ffffffff813a7380>] integrity_digsig_verify+0x70/0x110
[ 1395.076481] [<ffffffff813ab424>] ima_appraise_measurement+0x244/0x420
[ 1395.077518] [<ffffffff813a83fa>] process_measurement+0x3fa/0x480
[ 1395.078479] [<ffffffff813a8498>] ima_file_check+0x18/0x20
[ 1395.079381] [<ffffffff8121f0f3>] path_openat+0x1f3/0x1330
[ 1395.080274] [<ffffffff811ef49b>] ? __slab_free+0xcb/0x2c0
[ 1395.081165] [<ffffffff81221421>] do_filp_open+0x91/0x100
[ 1395.082050] [<ffffffff813933df>] ? apparmor_cred_prepare+0x2f/0x50
[ 1395.083046] [<ffffffff8134b483>] ? security_prepare_creds+0x43/0x60
[ 1395.084056] [<ffffffff81216148>] do_open_execat+0x78/0x1d0
[ 1395.084952] [<ffffffff812181b0>] do_execveat_common.isra.33+0x240/0x760
[ 1395.086016] [<ffffffff8121892a>] SyS_execve+0x3a/0x50
[ 1395.086877] [<ffffffff81844a95>] stub_execve+0x5/0x5
[ 1395.087711] [<ffffffff818447f2>] ? entry_SYSCALL_64_fastpath+0x16/0x71
[ 1395.088746] Code: 2a 0f b6 57 0c b8 bf ff ff ff 80 fa 01 77 14 48 8b 14 d5
b0 05 a5 81 48 85 d2 74 07 55 48 89 e5 ff d2 5d f3 c3 0f 0b 0f 0b 0f 0b <0f> 0b
0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 8b bf a0 00
[ 1395.093215] RIP [<ffffffff813bdb76>] public_key_verify_signature+0x46/0x50
[ 1395.094322] RSP <ffff88042c52fa98>
[ 1395.095364] ---[ end trace 7ee330317745ad36 ]---
I did some checks and it appears that upstream commit db6c43bd2132 ("crypto:
KEYS: convert public key and digsig asym to the akcipher api") has changed
public keys APIs, but the IMA usage of that API was fixed only by commit
eb5798f2e28f ("integrity: convert digsig to akcipher api")
---
AlsaDevices:
total 0
crw-rw---- 1 root audio 116, 1 Dec 3 09:36 seq
crw-rw---- 1 root audio 116, 33 Dec 3 09:36 timer
AplayDevices: Error: [Errno 2] No such file or directory
ApportVersion: 2.20.1-0ubuntu2.13
Architecture: amd64
ArecordDevices: Error: [Errno 2] No such file or directory
AudioDevicesInUse: Error: command ['fuser', '-v', '/dev/snd/seq',
'/dev/snd/timer'] failed with exit code 1:
CRDA: N/A
DistroRelease: Ubuntu 16.04
IwConfig: Error: [Errno 2] No such file or directory
Lsusb: Error: command ['lsusb'] failed with exit code 1:
MachineType: QEMU Standard PC (i440FX + PIIX, 1996)
Package: linux (not installed)
PciMultimedia:
ProcFB:
ProcKernelCmdLine: BOOT_IMAGE=/boot/vmlinuz-4.4.0-101-generic
root=UUID=aef88a4e-dbea-4cc7-be8b-03cf8501cc8f ro console=tty1 console=ttyS0
ProcVersionSignature: User Name 4.4.0-101.124-generic 4.4.95
RelatedPackageVersions:
linux-restricted-modules-4.4.0-101-generic N/A
linux-backports-modules-4.4.0-101-generic N/A
linux-firmware N/A
RfKill: Error: [Errno 2] No such file or directory
Tags: xenial uec-images
Uname: Linux 4.4.0-101-generic x86_64
UpgradeStatus: No upgrade log present (probably fresh install)
UserGroups: adm audio cdrom dialout dip floppy lxd netdev plugdev sudo video
_MarkForUpload: True
dmi.bios.date: 04/01/2014
dmi.bios.vendor: SeaBIOS
dmi.bios.version: Ubuntu-1.8.2-1ubuntu1
dmi.chassis.type: 1
dmi.chassis.vendor: QEMU
dmi.chassis.version: pc-i440fx-xenial
dmi.modalias:
dmi:bvnSeaBIOS:bvrUbuntu-1.8.2-1ubuntu1:bd04/01/2014:svnQEMU:pnStandardPC(i440FX+PIIX,1996):pvrpc-i440fx-xenial:cvnQEMU:ct1:cvrpc-i440fx-xenial:
dmi.product.name: Standard PC (i440FX + PIIX, 1996)
dmi.product.version: pc-i440fx-xenial
dmi.sys.vendor: QEMU
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1735977/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
