** Changed in: linux (Ubuntu Xenial)
       Status: Triaged => In Progress

https://bugs.launchpad.net/bugs/1922200

Title:
  linux ADT test failure with linux/4.4.0-207.239 -
  ubuntu_qrt_kernel_security.test-kernel-security.py

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  In Progress

Bug description:
  [Impact]
  The backport of upstream commit ad67b74d2469d9b82aaa572d76474c95bc484d57
  ("printk: hash addresses printed with %p"), applied to fix CVEs
  CVE-2018-5953/CVE-2018-5995/CVE-2018-7754 on xenial/linux 4.4.0-207.239,
  introduced a regression caught by testcases from
  ubuntu_qrt_kernel_security.test-kernel-security.py testsuite.

  The failing testcases are:
  test_095_kernel_symbols_missing_kallsyms
  test_095_kernel_symbols_missing_proc_modules
  test_095_kernel_symbols_missing_proc_net_tcp
  test_300_test_kaslr_base

  The '095' testcases expect the addresses read by a regular user to be
  zeroed out and test '300' expects the default address for 'startup_64'
  to be 'ffffffff81000000' for non-kaslr kernels (<4.15). The applied
  backport leaks what the address 0x0 hashes to on the /proc interfaces
  instead of the expected values.

  Examples:
  $ head /proc/kallsyms
  00000000b845aaf2 A irq_stack_union
  00000000b845aaf2 A __per_cpu_start
  00000000b845aaf2 A __per_cpu_user_mapped_start
  00000000b845aaf2 A vector_irq
  00000000b845aaf2 A unsafe_stack_register_backup
  00000000b845aaf2 A cpu_debug_store
  00000000b845aaf2 A cpu_tss
  00000000b845aaf2 A exception_stacks
  00000000b845aaf2 A gdt_page
  00000000b845aaf2 A espfix_waddr

  $ sudo head /proc/kallsyms
  00000000b845aaf2 A irq_stack_union
  00000000b845aaf2 A __per_cpu_start
  00000000b845aaf2 A __per_cpu_user_mapped_start
  00000000cd84b193 A vector_irq
  00000000f271a77b A unsafe_stack_register_backup
  00000000b451cc91 A cpu_debug_store
  00000000108c2558 A cpu_tss
  000000001484be48 A exception_stacks
  000000000a1b6bc6 A gdt_page
  00000000f38c128a A espfix_waddr

  $ sudo grep -w startup_64 /proc/kallsyms
  0000000028c44c50 T startup_64

  [Fix]
  For the backport to work as expected, we would likely need to backport the
  following commits as well:

  57e734423add vsprintf: refactor %pK code out of pointer()
  ef0010a30935 vsprintf: don't use 'restricted_pointer()' when not restricting

  However, this could introduce other regressions as there are several
  corner cases in this code path.

  Given that the CVEs which are fixed by this patch are all low or
  negligible, the best solution seems to be to revert this patch
  altogether.

  [Test]
  Run ubuntu_qrt_kernel_security.test-kernel-security.py tests from the kernel
  team autotest repository.

  [Where problems could occur]
  Reverting this patch can't introduce any regression, as it would return the
  code to the previous state; however, it would keep the kernel vulnerable to
  these CVEs.

  [Additional Info]
  Testing failed on:
      amd64: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/amd64/l/linux/20210331_014541_79861@/log.gz
      i386: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/i386/l/linux/20210331_012734_ec0bc@/log.gz
      ppc64el: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/ppc64el/l/linux/20210331_014757_ec0bc@/log.gz
      s390x: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_77e2ada1e7a84929a74ba3b87153c0ac/autopkgtest-xenial/xenial/s390x/l/linux/20210330_031532_e87f8@/log.gz
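
Added example, not part of the bug report and not the QRT test code: a small classifier for the address column of /proc/kallsyms that tells apart the zeroed view the '095' tests expect, the constant hash-of-0x0 view shown in the report, hashed values, and raw addresses. The function names and the "upper 32 bits are zero" test for hashed values (true of the samples in the report, 64-bit kernel) are assumptions of this example.

```python
"""Classify the address column of /proc/kallsyms output (added example)."""
import re

ENTRY = re.compile(r"^\s*([0-9a-fA-F]+)\s+(\S)\s+(\S+)")
STARTUP_64_DEFAULT = 0xFFFFFFFF81000000  # non-KASLR value quoted in the report

def parse_kallsyms(text):
    """Return {symbol: address} for every well-formed kallsyms line."""
    symbols = {}
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            # Keep the first address seen for a duplicated symbol name.
            symbols.setdefault(m.group(3), int(m.group(1), 16))
    return symbols

def classify(symbols):
    """Name the state of the address column as seen by the reading user."""
    addrs = set(symbols.values())
    if not addrs:
        return "empty"
    if addrs == {0}:
        return "zeroed"            # what the '095' tests expect for a regular user
    if len(addrs) == 1 and len(symbols) > 1:
        return "constant-nonzero"  # regression: every entry shows the hash of 0x0
    if all(a >> 32 == 0 for a in addrs):
        return "hashed"            # assumption: 64-bit kernel, hashes fit in 32 bits
    return "raw"

def startup_64_at_default(symbols):
    """True only when startup_64 is listed at the non-KASLR default address."""
    return symbols.get("startup_64") == STARTUP_64_DEFAULT

# USER_VIEW and ROOT_VIEW are lines copied from the report; EXPECTED_* are constructed.
USER_VIEW = "00000000b845aaf2 A irq_stack_union\n00000000b845aaf2 A vector_irq\n"
ROOT_VIEW = ("00000000b845aaf2 A irq_stack_union\n00000000cd84b193 A vector_irq\n"
             "0000000028c44c50 T startup_64\n")
EXPECTED_USER = "0000000000000000 A irq_stack_union\n0000000000000000 A vector_irq\n"
EXPECTED_ROOT = "0000000000000000 A irq_stack_union\nffffffff81000000 T startup_64\n"

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/proc/kallsyms"
    with open(path) as fh:
        syms = parse_kallsyms(fh.read())
    print(classify(syms), "startup_64 at default:", startup_64_at_default(syms))
```

Run it once as a regular user and once with sudo on the kernel under test; on an affected 4.4.0-207.239 kernel the two runs report "constant-nonzero" and "hashed" rather than "zeroed" and "raw".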
