[Bug 1887563] [NEW] gcc-7 kernel version check thinks Xenial 4.4 kernel is still affected by CVE-2016-2143
Dan Streetman
1887563 at bugs.launchpad.net
Tue Jul 14 18:16:26 UTC 2020
Public bug reported:
[impact]
any package running build-time sanitizer tests may run inside a Xenial
builder with the Xenial 4.4 kernel. However the gcc-7 built-in test to
determine if the running kernel suffers from CVE-2016-2143 (which only
affects s390x) considers the Xenial '4.4.0' kernel to be affected,
strictly due to the version number. The Xenial kernel has been patched
for this CVE in bug 1556141.
This will cause all sanitizer tests to abort and fail the build.
[test case]
build a package that runs sanitizer tests on an s390x PPA builder that is
running Xenial and check for failure, e.g.:
https://launchpadlibrarian.net/488534837/buildlog_ubuntu-bionic-s390x.systemd_245.6-1upstream202007141303~ubuntu18.04.1_BUILDING.txt.gz
--- command ---
UBSAN_OPTIONS='print_stacktrace=1:print_summary=1:halt_on_error=1' /usr/bin/env /<<PKGBUILDDIR>>/build-deb/fuzz-bus-message:address,undefined /<<PKGBUILDDIR>>/test/fuzz/fuzz-bus-message/crash-26bba7182dedc8848939931d9fcefcb7922f2e56
--- stderr ---
==27804==ERROR: Your kernel seems to be vulnerable to CVE-2016-2143. Using ASan,
MSan, TSan, DFSan or LSan with such kernel can and will crash your
machine, or worse.
If you are certain your kernel is not vulnerable (you have compiled it
yourself, or are using an unrecognized distribution kernel), you can
override this safety check by exporting SANITIZER_IGNORE_CVE_2016_2143
with any value.
-------
[regression potential]
if gcc-7's calculation for whether the kernel is affected by this CVE or
not is adjusted, any regression would likely result in a miscalculation
where sanitizer tests were incorrectly run on an affected kernel, which
may crash the machine; or it may incorrectly abort tests on a kernel
that is not affected.
[scope]
this is needed only in gcc-7, which is included in b/f/g, but gcc-7 is
only the default in bionic.
the ubuntu kernel version detection was added to gcc in this huge commit:
https://github.com/gcc-mirror/gcc/commit/5d3805fca3e9a199fbaa18aee3c05ecb30ebca61#diff-56b6f240d7feb36a34222dc132ab5a41
which, according to github, is included in versions:
releases/gcc-10.1.0 releases/gcc-9.3.0 releases/gcc-9.2.0 releases/gcc-9.1.0 releases/gcc-8.4.0 releases/gcc-8.3.0 releases/gcc-8.2.0 releases/gcc-8.1.0 misc/cutover-git embedded-9-2020q2 embedded-9-2020-q2 basepoints/gcc-11 basepoints/gcc-10 basepoints/gcc-9
we have gcc-8.4.0 and gcc-9.3.0 in focal and groovy, so this is fixed
already there.
we also have gcc-8.4.0 in bionic, but the default gcc is 7.
** Affects: gcc-7 (Ubuntu)
Importance: Undecided
Status: New
https://bugs.launchpad.net/bugs/1887563
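
The failure mode described in the report, as an added example (not code from the report or from gcc): a version-only check rejects a distro kernel whose base version is frozen but which carries a backported fix, while a check that also reads the distro ABI number and the `uname -v` string accepts it. The `fix_info` struct, the function names and the threshold values in `EXAMPLE_FIX` are assumptions constructed for illustration.

```c
#include <stdlib.h>
#include <string.h>

/* Placeholder thresholds, constructed for this example (not from the report):
 * take real values from the upstream and distro kernel changelogs. */
struct fix_info {
    int major, minor, patch;     /* first upstream release carrying the fix */
    int base_patch, distro_abi;  /* distro's frozen patch level; first fixed ABI */
    const char *distro_tag;      /* marker expected in the `uname -v` string */
};
static const struct fix_info EXAMPLE_FIX = { 4, 4, 6, 0, 13, "Ubuntu" };

/* Parse "major.minor[.patch][-abi...]"; abi is -1 when absent. 0 on success. */
static int parse_release(const char *rel, int v[3], int *abi) {
    char *end;
    v[2] = 0;
    *abi = -1;
    v[0] = (int)strtol(rel, &end, 10);
    if (end == rel || *end != '.') return -1;
    rel = end + 1;
    v[1] = (int)strtol(rel, &end, 10);
    if (end == rel) return -1;
    if (*end == '.') {
        rel = end + 1;
        v[2] = (int)strtol(rel, &end, 10);
        if (end == rel) return -1;
    }
    if (*end == '-' && end[1] >= '0' && end[1] <= '9') *abi = atoi(end + 1);
    return 0;
}

/* Version-only check: the behaviour the report describes for gcc-7. */
int fixed_by_version(const char *release, const struct fix_info *f) {
    int v[3], abi;
    if (parse_release(release, v, &abi) != 0) return 0; /* in doubt: affected */
    if (v[0] != f->major) return v[0] > f->major;
    if (v[1] != f->minor) return v[1] > f->minor;
    return v[2] >= f->patch;
}

/* Distro-aware check: also accept the frozen base version when the ABI number
 * is new enough and the build identifies itself as the distro's kernel. */
int fixed_distro_aware(const char *release, const char *version,
                       const struct fix_info *f) {
    int v[3], abi;
    if (fixed_by_version(release, f)) return 1;
    if (parse_release(release, v, &abi) != 0) return 0;
    return v[0] == f->major && v[1] == f->minor && v[2] == f->base_patch &&
           abi >= f->distro_abi && strstr(version, f->distro_tag) != NULL;
}
```

Both functions fail closed: an unparsable release string, or a frozen base version without the distro marker, is treated as affected.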