Processed: Re: Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Debian Bug Tracking System
Processing control commands:

> found -1 4.9.88-1+deb9u1
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as found in versions linux/4.9.88-1+deb9u1.
> notfound -1 4.9.88-1
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
No longer marked as found in versions linux/4.9.88-1.

-- 
900821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Diederik de Haas
Control: found -1 4.9.88-1+deb9u1
Control: notfound -1 4.9.88-1

Hi Salvatore,

On zondag 20 november 2022 16:38:25 CET Salvatore Bonaccorso wrote:
> On Sun, Nov 20, 2022 at 04:26:45PM +0100, Diederik de Haas wrote:
> > Control: notfound -1 4.9.88-1+deb9u1
> > Control: found -1 4.9.88-1
> 
> Hmm this one I do not understand, as 4.9.88-1+deb9u1 was a very
> targeted fix for two CVEs and reverting the "random: fix crng_ready()
> test" changes re-opening CVE-2018-1108.

Oh, I thought that the +debXYZ thing confuses the bug tracker and therefore
shouldn't be there*. All the notfound/found versions I reported were tested
with a backports kernel, so +debXYZ, but I marked them without that suffix.
I thought that the 4.9.88-1+deb9u1 should therefore be corrected to be without
the suffix.
(I don't see how that affects the CVEs though as that has nothing to do with 
this bug? But it's (very) possible I'm too tired atm)

*) The dependency graph at the top doesn't show the 4.9 version; later I 
realized that another 4.9 version was already there and that wasn't reflected 
in that graph either, so I reverted the change.

I don't know if the other found/notfound versions should be corrected.

> > IOW: that's your educated guess a git bisect could turn up?
> 
> Not really. I was more looking at between versions you are not able to
> reproduce the issue, looking through the upstream changes commits and
> noticing that dacb5d8875cc ("tcp: fix page frag corruption on page
> fault") mentions:
> 
> [...]
> Steffen reported a TCP stream corruption for HTTP requests
> served by the apache web-server using a cifs mount-point
> and memory mapping the relevant file.
> [...]
> 
> and then noticing that the upstream commit was backported to 5.10.84
> and 5.15.7, which fall exactly in the ranges you have the switch of
> result.

That was what I actually meant, but I now realize that git bisect finds the 
cause while your educated guess is about the solution :-)

> > I can try that*, although I'm not clear on what I should apply it to.
> > Should I apply it to linux/5.10.70-1 or 5.10.46-4 f.e.? Or onto an
> > entirely different version?
> 
> Basically I wonder if c6f340a331fb72e5ac23a083de9c780e132ca3ae in
> 5.10.84 fixes the issue, and
> c6f340a331fb72e5ac23a083de9c780e132ca3ae~1 still would show the
> problem.
> 
> Alternatively if 5.10.70-1 + commit fixes the issue.

It won't be tonight, but I'll likely try that :-)

Cheers,
  Diederik



Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Salvatore Bonaccorso
Hi Diederik,

On Sun, Nov 20, 2022 at 04:26:45PM +0100, Diederik de Haas wrote:
> Control: notfound -1 4.9.88-1+deb9u1
> Control: found -1 4.9.88-1

Hmm this one I do not understand, as 4.9.88-1+deb9u1 was a very
targeted fix for two CVEs and reverting the "random: fix crng_ready()
test" changes re-opening CVE-2018-1108.

> On zondag 20 november 2022 13:55:09 CET Salvatore Bonaccorso wrote:
> > Seems the BSP was productive :).
> 
> Yeah, once I set up the VM and created the script, it was actually quite easy.

:-)

> > If you have spare cycles, might you
> > check if dacb5d8875cc ("tcp: fix page frag corruption on page fault")
> > in 5.16-rc4 is the commit we are searching?
> > That one was backported to the 5.10.y series in 5.10.84 and in 5.15.y series
> > in 5.15.7 which would fall into your found ranges as well.
> 
> IOW: that's your educated guess a git bisect could turn up?

Not really. I was more looking at between versions you are not able to
reproduce the issue, looking through the upstream changes commits and
noticing that dacb5d8875cc ("tcp: fix page frag corruption on page
fault") mentions:

[...]
Steffen reported a TCP stream corruption for HTTP requests
served by the apache web-server using a cifs mount-point
and memory mapping the relevant file.
[...]

and then noticing that the upstream commit was backported to 5.10.84
and 5.15.7, which fall exactly in the ranges you have the switch of
result.

> I can try that*, although I'm not clear on what I should apply it to.
> Should I apply it to linux/5.10.70-1 or 5.10.46-4 f.e.? Or onto an entirely
> different version?

Basically I wonder if c6f340a331fb72e5ac23a083de9c780e132ca3ae in
5.10.84 fixes the issue, and
c6f340a331fb72e5ac23a083de9c780e132ca3ae~1 still would show the
problem.

Alternatively if 5.10.70-1 + commit fixes the issue.

Regards,
Salvatore



Processed: Re: Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Debian Bug Tracking System
Processing control commands:

> notfound -1 4.9.88-1+deb9u1
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
No longer marked as found in versions linux/4.9.88-1+deb9u1.
> found -1 4.9.88-1
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as found in versions linux/4.9.88-1.

-- 
900821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Diederik de Haas
Control: notfound -1 4.9.88-1+deb9u1
Control: found -1 4.9.88-1

On zondag 20 november 2022 13:55:09 CET Salvatore Bonaccorso wrote:
> Seems the BSP was productive :).

Yeah, once I set up the VM and created the script, it was actually quite easy.

> If you have spare cycles, might you
> check if dacb5d8875cc ("tcp: fix page frag corruption on page fault")
> in 5.16-rc4 is the commit we are searching?
> That one was backported to the 5.10.y series in 5.10.84 and in 5.15.y series
> in 5.15.7 which would fall into your found ranges as well.

IOW: that's your educated guess a git bisect could turn up?
I can try that*, although I'm not clear on what I should apply it to.
Should I apply it to linux/5.10.70-1 or 5.10.46-4 f.e.? Or onto an entirely
different version?

> OTOH, it fixes 5640f7685831 ("net: use a per task frag allocator")
> which is way further back than where people noticed it being
> introduced.

While the focus has been on the kernel (possibly rightly so), there were 2 
other packages (apache and samba) involved. It could be that on Buster f.e. 
the problem still exists (even with a backports kernel).
I actually did look for an oldstable (net-)installer, but I couldn't find one.
I later realized that maybe there are DVDs of old releases, but I doubt I'll 
do sth with that (at least wrt this bug).

*) I had plenty of cycles when I started this reply, but less so when I'm 
sending it. I may do this some other day though.



Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Salvatore Bonaccorso
Hi,

On Sun, Nov 20, 2022 at 12:30:53PM +0100, Diederik de Haas wrote:
> Control: found -1 5.14.9-2 
> Control: found -1 5.15.5-2
> Control: fixed -1 5.15.15-2
> Control: fixed -1 5.16.11-1
> Control: fixed -1 5.18.16-1
> Control: fixed -1 6.0.3-1
> 
> On zondag 20 november 2022 12:18:50 CET you wrote:
> > Control: found -1 5.14.9-2 5.15.5-2
> > Control: fixed -1 5.15.15-2 5.16.11-1 5.18.16-1 6.0.3-1
> 
> That doesn't seem to work and I probably should just use the last version
> for 'found' and the first one for 'fixed', but I wanted to make sure (and log)
> that the latter ones *all* are fixed.

Seems the BSP was productive :). If you have spare cycles, might you
check if dacb5d8875cc ("tcp: fix page frag corruption on page fault")
in 5.16-rc4 is the commit we are searching? That one was backported to
the 5.10.y series in 5.10.84 and in 5.15.y series in 5.15.7 which
would fall into your found ranges as well.

OTOH, it fixes 5640f7685831 ("net: use a per task frag allocator")
which is way further back than where people noticed it being
introduced.

Regards,
Salvatore



Processed: Re: Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Debian Bug Tracking System
Processing control commands:

> found -1 5.14.9-2
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as found in versions linux/5.14.9-2.
> found -1 5.15.5-2
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as found in versions linux/5.15.5-2.
> fixed -1 5.15.15-2
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as fixed in versions linux/5.15.15-2.
> fixed -1 5.16.11-1
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as fixed in versions linux/5.16.11-1.
> fixed -1 5.18.16-1
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as fixed in versions linux/5.18.16-1.
> fixed -1 6.0.3-1
Bug #900821 [src:linux] apache reads wrong data over cifs filesystems served by samba
Marked as fixed in versions linux/6.0.3-1.

-- 
900821: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=900821
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Diederik de Haas
Control: found -1 5.14.9-2 
Control: found -1 5.15.5-2
Control: fixed -1 5.15.15-2
Control: fixed -1 5.16.11-1
Control: fixed -1 5.18.16-1
Control: fixed -1 6.0.3-1

On zondag 20 november 2022 12:18:50 CET you wrote:
> Control: found -1 5.14.9-2 5.15.5-2
> Control: fixed -1 5.15.15-2 5.16.11-1 5.18.16-1 6.0.3-1

That doesn't seem to work and I probably should just use the last version
for 'found' and the first one for 'fixed', but I wanted to make sure (and log) 
that the latter ones *all* are fixed.



Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-20 Thread Diederik de Haas
Control: found -1 5.14.9-2 5.15.5-2
Control: fixed -1 5.15.15-2 5.16.11-1 5.18.16-1 6.0.3-1

On zaterdag 19 november 2022 21:22:46 CET Diederik de Haas wrote:
> found 900821 5.10.70-1
> fixed 900821 5.10.84-1

I continued testing with kernels from backports and updated metadata 
accordingly.

Interesting to note is that the 2 kernels that failed did NOT show any
message, either in my ssh session or in `dmesg`.

Also interesting is that when it failed, it *always* failed at the first run.

So in conclusion, in *current* Stable and Testing and Unstable the issue is
fixed!

diederik@prancing-pony:~/dev/debian/bugs/900821$ ssh vm-bullseye
Linux debian-bullseye 5.14.0-0.bpo.2-amd64 #1 SMP Debian 5.14.9-2~bpo11+1 
(2021-10-10) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 20 11:22:02 2022 from 192.168.122.1
debian@debian-bullseye:~$ dpkg -l | grep linux-image
ii  linux-image-5.10.0-10-amd645.10.84-1  
amd64Linux 5.10 for 64-bit PCs (signed)
ii  linux-image-5.10.0-19-amd645.10.149-2 
amd64Linux 5.10 for 64-bit PCs (signed)
ii  linux-image-5.10.0-9-amd64 5.10.70-1  
amd64Linux 5.10 for 64-bit PCs (signed)
ii  linux-image-5.14.0-0.bpo.2-amd64   5.14.9-2~bpo11+1   
amd64Linux 5.14 for 64-bit PCs (signed)
ii  linux-image-5.15.0-0.bpo.2-amd64   5.15.5-2~bpo11+1   
amd64Linux 5.15 for 64-bit PCs (signed)
ii  linux-image-5.15.0-0.bpo.3-amd64   5.15.15-2~bpo11+1  
amd64Linux 5.15 for 64-bit PCs (signed)
ii  linux-image-5.16.0-0.bpo.3-amd64   5.16.11-1~bpo11+1  
amd64Linux 5.16 for 64-bit PCs (signed)
ii  linux-image-5.16.0-0.bpo.4-amd64   5.16.12-1~bpo11+1  
amd64Linux 5.16 for 64-bit PCs (signed)
ii  linux-image-5.18.0-0.bpo.1-amd64   5.18.2-1~bpo11+1   
amd64Linux 5.18 for 64-bit PCs (signed)
ii  linux-image-5.18.0-0.deb11.4-amd64 5.18.16-1~bpo11+1  
amd64Linux 5.18 for 64-bit PCs (signed)
ii  linux-image-6.0.0-0.deb11.2-amd64-unsigned 6.0.3-1~bpo11+1
amd64Linux 6.0 for 64-bit PCs
ii  linux-image-amd64  5.10.149-2 
amd64Linux for 64-bit PCs (meta-package)
debian@debian-bullseye:~$ mount /var/www/html/
debian@debian-bullseye:~$ sha256sum /var/www/html/100Mzero 
20492a4d0d84f8beb1767f6616229f85d44c2827b64bdbfb260ee12fa1109e0e  
/var/www/html/100Mzero
debian@debian-bullseye:~$ ./bug900821 
sha256sum should be:
   20492a4d0d84f8beb1767f6616229f85d44c2827b64bdbfb260ee12fa1109e0e

. 
Bug 900821 triggered! Calculated SHA256: 
5d9654b5f3258475e95313f7228fe142ad59f860e6d58ff4f47394bdc0b791ce
debian@debian-bullseye:~$ su -l
Password: 
root@debian-bullseye:~# reboot
Connection to 192.168.122.2 closed by remote host.
Connection to 192.168.122.2 closed.
diederik@prancing-pony:~/dev/debian/bugs/900821$ ssh vm-bullseye
Linux debian-bullseye 5.15.0-0.bpo.2-amd64 #1 SMP Debian 5.15.5-2~bpo11+1 
(2022-01-02) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 20 11:24:06 2022 from 192.168.122.1
debian@debian-bullseye:~$ mount /var/www/html/
debian@debian-bullseye:~$ sha256sum /var/www/html/100Mzero 
20492a4d0d84f8beb1767f6616229f85d44c2827b64bdbfb260ee12fa1109e0e  
/var/www/html/100Mzero
debian@debian-bullseye:~$ ./bug900821 
sha256sum should be:
   20492a4d0d84f8beb1767f6616229f85d44c2827b64bdbfb260ee12fa1109e0e

. 
Bug 900821 triggered! Calculated SHA256: 
7f7320e116b21b9867e42d8317dfd28a7c102ad7f5d28903debea699a144
debian@debian-bullseye:~$ su -l
Password: 
root@debian-bullseye:~# reboot
Connection to 192.168.122.2 closed by remote host.
Connection to 192.168.122.2 closed.
diederik@prancing-pony:~/dev/debian/bugs/900821$ ssh vm-bullseye
Linux debian-bullseye 5.15.0-0.bpo.3-amd64 #1 SMP Debian 5.15.15-2~bpo11+1 
(2022-02-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Nov 20 11:30:30 2022 from 192.168.122.1
debian@debian-bullseye:~$ mount /var/www/html/
debian@debian-bullseye:~$ sha256sum /var/www/html/100Mzero 

Bug#900821: Found working and failing 5.10 versions and got kernel crash, report from BSP Tilburg (https://deb.li/iiOID)

2022-11-19 Thread Diederik de Haas
user debian-rele...@lists.debian.org
usertag 900821 + bsp-2022-11-nl-tilburg
found 900821 5.10.70-1
fixed 900821 5.10.84-1
thanks

We have/had a BSP in Tilburg today and I went to work on this bug.
With success :-)

I first created a new Bullseye VM with virt-manager using the 
debian-11.5.0-amd64-netinst.iso installation media and installed only
the Standard System Utilities and SSH Server.
Upon reboot I installed vim (ofc) and followed the excellent instructions
from OP and installed the packages:
"apt-get install samba apache2 cifs-utils"

Then I added the `[ftp]` block to /etc/samba/smb.conf and created the
`/srv/ftp/100Mzero` file consisting of only zeros.
As I'd be rebooting often, I made mounting easy by adding to `/etc/fstab`:
```
//localhost/ftp /var/www/html   cifs    username=debian,password=root,noauto,user   0   0
```

Then I created the following script:
```
debian@debian-bullseye:~$ cat bug900821 
#!/bin/sh
# Expected SHA-256 of /srv/ftp/100Mzero, the all-zero file exported via samba
SHA256_STORED="20492a4d0d84f8beb1767f6616229f85d44c2827b64bdbfb260ee12fa1109e0e"

echo "sha256sum should be:"
echo "   $SHA256_STORED"
echo ""

# Fetch the cifs-mounted file through apache up to 100 times and hash what
# was actually served; any mismatch means apache read wrong data.
i=0
while [ $i -ne 100 ]
do
i=$((i + 1))
#printf "$i "
printf ". "
SHA256_CALC="$(wget http://localhost/100Mzero -O - 2>/dev/null | sha256sum | awk '{ print $1 }')"
if [ "$SHA256_CALC" != "$SHA256_STORED" ] ; then
   printf "\nBug 900821 triggered! Calculated SHA256: %s\n" "$SHA256_CALC"
   exit 1
fi
done
printf "\nTest completed\n"
```

I tried it out on the installed kernel, 5.10.149-2 aka 5.10.0-19-amd64, and 
found out it all worked as expected. Idem ditto for 5.10.140-1/5.10.0-18-amd64.
I then tried 5.10.28-1/5.10.0-6-amd64 and got a kernel crash \o/
I then went on to narrow down which version worked and which next lower version
did fail and it turned out 5.10.70-1 failed, while 5.10.84-1 succeeded.

What was both odd and interesting was what happened during a crash.
With 5.10.28-1 I got this:
debian@debian-bullseye:~$ ./bug900821 
sha256sum should be:
   20492a4d0d84f8beb1767f6616229f85d44c2827b64bdbfb260ee12fa1109e0e

. 
Message from syslogd@debian-bullseye at Nov 19 18:43:22 ...
 kernel:[   40.266711] usercopy: Kernel memory exposure attempt detected from 
SLUB object 'vm_area_struct' (offset 0, size 117)!

That killed my SSH session. I don't know if it was the case each time, but
at least twice I was able to directly log in to the VM ... and I was able
to secure `dmesg` which shows the kernel crash :-)
I have attached both that dmesg output and the Konsole output from my
BSP session wrt this bug.

I don't know if it's useful to do a (lengthy!) git-bisect session as I'm quite
sure the issue is fixed.
I've updated the metadata, but I haven't closed it (yet?).

Cheers,
  Diederik

[0.00] Linux version 5.10.0-9-amd64 (debian-ker...@lists.debian.org) 
(gcc-10 (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 
2.35.2) #1 SMP Debian 5.10.70-1 (2021-09-30)
[0.00] Command line: BOOT_IMAGE=/boot/vmlinuz-5.10.0-9-amd64 
root=UUID=a7893f33-27c0-4b56-8d49-b0e98db7f84a ro quiet
[0.00] x86/fpu: Supporting XSAVE feature 0x001: 'x87 floating point 
registers'
[0.00] x86/fpu: Supporting XSAVE feature 0x002: 'SSE registers'
[0.00] x86/fpu: Supporting XSAVE feature 0x004: 'AVX registers'
[0.00] x86/fpu: Supporting XSAVE feature 0x008: 'MPX bounds registers'
[0.00] x86/fpu: Supporting XSAVE feature 0x010: 'MPX CSR'
[0.00] x86/fpu: xstate_offset[2]:  576, xstate_sizes[2]:  256
[0.00] x86/fpu: xstate_offset[3]:  832, xstate_sizes[3]:   64
[0.00] x86/fpu: xstate_offset[4]:  896, xstate_sizes[4]:   64
[0.00] x86/fpu: Enabled xstate features 0x1f, context size is 960 
bytes, using 'compacted' format.
[0.00] BIOS-provided physical RAM map:
[0.00] BIOS-e820: [mem 0x-0x0009fbff] usable
[0.00] BIOS-e820: [mem 0x0009fc00-0x0009] reserved
[0.00] BIOS-e820: [mem 0x000f-0x000f] reserved
[0.00] BIOS-e820: [mem 0x0010-0x3ffdbfff] usable
[0.00] BIOS-e820: [mem 0x3ffdc000-0x3fff] reserved
[0.00] BIOS-e820: [mem 0xb000-0xbfff] reserved
[0.00] BIOS-e820: [mem 0xfed1c000-0xfed1] reserved
[0.00] BIOS-e820: [mem 0xfeffc000-0xfeff] reserved
[0.00] BIOS-e820: [mem 0xfffc-0x] reserved
[0.00] NX (Execute Disable) protection: active
[0.00] SMBIOS 2.8 present.
[0.00] DMI: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 
1.16.0-debian-1.16.0-4 04/01/2014
[0.00] Hypervisor detected: KVM
[0.00] kvm-clock: Using msrs 4b564d01 and 4b564d00
[0.00] kvm-clock: cpu 0, msr 2c4b3001, primary cpu clock
[0.00] kvm-clock: using sched offset of 1463003892121 cycles
[
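The reproduction procedure above (samba share, cifs mount, apache, repeated wget plus sha256sum) only tells you that the served bytes differ from the file on disk, and the later messages note that the failing kernels logged nothing at all. As an added example, not the reporter's `bug900821` script and not part of the bug report, the POSIX shell functions below take a saved download and the reference file, locate every run of differing bytes and print each run's offset, length and offset within a 4 KiB page; a corruption that keeps starting at the same in-page offset is the signature of a page-level problem such as the page-fragment corruption dacb5d8875cc fixes, rather than a random bit flip. The file names, the 64 KiB size and the two injected corrupted regions are constructed for this example.

```shell
#!/bin/sh
# Added example, not the reporter's bug900821 script: instead of only reporting
# that the SHA-256 of a download differs, locate the differing bytes and
# describe each corrupted run. File names, sizes and the injected corruption
# below are constructed for this example.

# hash_matches FILE HEXDIGEST
#   Exit status 0 when FILE's SHA-256 equals HEXDIGEST (GNU coreutils sha256sum -c).
hash_matches() {
    printf '%s  %s\n' "$2" "$1" | sha256sum -c --status
}

# corruption_runs ACTUAL REFERENCE
#   One line per run of differing bytes: "<start offset> <length> <start offset mod 4096>".
#   Offsets are zero-based. The last column is where in a 4 KiB page the run
#   starts; runs that always begin at the same in-page offset point at a
#   page-level problem rather than at random bit errors.
corruption_runs() {
    # cmp -l prints "<1-based offset> <octal byte in ACTUAL> <octal byte in REFERENCE>"
    # for every differing byte; its stderr (EOF notice) is not needed here.
    cmp -l "$1" "$2" 2>/dev/null | awk '
        {
            off = $1 - 1
            if (run_len > 0 && off == run_start + run_len) {
                run_len++
            } else {
                if (run_len > 0) printf "%d %d %d\n", run_start, run_len, run_start % 4096
                run_start = off
                run_len = 1
            }
        }
        END { if (run_len > 0) printf "%d %d %d\n", run_start, run_len, run_start % 4096 }'
}

# build_sample DIR
#   Constructed input: a 64 KiB all-zero reference (a small stand-in for
#   100Mzero) and a "download" of it with two corrupted regions injected:
#   5 bytes at offset 8192 (page-aligned) and 1 byte at offset 20483.
build_sample() {
    dd if=/dev/zero of="$1/reference" bs=1024 count=64 2>/dev/null
    cp "$1/reference" "$1/download"
    printf 'XXXXX' | dd of="$1/download" bs=1 seek=8192 conv=notrunc 2>/dev/null
    printf 'Y' | dd of="$1/download" bs=1 seek=20483 conv=notrunc 2>/dev/null
}

# Stand-alone demo: build the sample, check the hash, then list the runs.
demo() {
    dir=$(mktemp -d)
    build_sample "$dir"
    expected=$(sha256sum "$dir/reference" | awk '{ print $1 }')
    if hash_matches "$dir/download" "$expected"; then
        echo "download matches reference"
    else
        echo "download differs; corrupted runs (offset length page_offset):"
        corruption_runs "$dir/download" "$dir/reference"
    fi
    rm -rf "$dir"
}

demo
```

Against a live setup, save the body (`wget http://localhost/100Mzero -O download`) instead of hashing the stream, then run `corruption_runs download /srv/ftp/100Mzero`; for the all-zero test file `/dev/zero` also works as the reference, since `cmp` stops at the end of the shorter input. Keeping the corrupted download around is what makes the difference between "the hash was wrong" and a report that says which pages were affected and what they contained.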