ACK/Cmnt: [Xenial][SRU][CVE-2018-20784][PATCHv2 0/6] Fix for fair scheduler

Stefan Bader stefan.bader at canonical.com
Thu Nov 7 09:12:10 UTC 2019


On 17.10.19 19:51, Connor Kuehl wrote:
> https://people.canonical.com/~ubuntu-security/cve/2018/CVE-2018-20784.html
> 
> From the link above:
> 
> 	"In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf
> 	cfs_rq's, which allows attackers to cause a denial of service (infinite
> 	loop in update_blocked_averages) or possibly have unspecified other impact
> 	by inducing a high load."
> 
> In the first submission for this backport, I had only backported c40f7d74c741
> ("sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c")
> which ends up reverting a fix that was SRU'd previously.
> 
> Here is that previous SRU: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1747896
> 
> This submission contains the fix for this CVE as well as the necessary
> patches for preserving the fix for the previously SRU'd patch (these
> were found by Tyler Hicks. Thank you, Tyler!)
> 
> For posterity, my testing was as follows (taken from the LP report
> above in the bug description):
> 
> I booted Xenial in a 64 bit VM twice. The first time was without this
> CVE backport applied. The second time was with it applied. I ran the
> reproducer in both cases and experienced the same CPU utilization (both
> cores I allocated to my VM were at 100%) and in both cases I experienced
> stable memory pressure. They would both hover around 120MB ± 3-5MB.
> 
> With this submission, I also observed the same results with watching the
> cfs_rqs. With and without this backport applied, the cfs_rqs fluctuated
> between 13-18. This is an improvement over the previous submission of
> this CVE backport since the previous version experienced different
> results by watching the cfs_rqs (namely, they'd remain at 61 for the
> duration of the tests).
> 
> Linus Torvalds (1):
>   sched/fair: Fix infinite loop in update_blocked_averages() by
>     reverting a9e7f6544b9c
> 
> Peter Zijlstra (1):
>   sched/fair: Add tmp_alone_branch assertion
> 
> Vincent Guittot (4):
>   sched/fair: Fix hierarchical order in rq->leaf_cfs_rq_list
>   sched/fair: Fix insertion in rq->leaf_cfs_rq_list
>   sched/fair: Optimize update_blocked_averages()
>   sched/fair: Fix O(nr_cgroups) in the load balancing path
> 
>  kernel/sched/core.c  |   1 +
>  kernel/sched/fair.c  | 140 ++++++++++++++++++++++++++++++++++++-------
>  kernel/sched/sched.h |   1 +
>  3 files changed, 119 insertions(+), 23 deletions(-)
> 
Rather complex change but security relevant and promising test results.

Acked-by: Stefan Bader <stefan.bader at canonical.com>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20191107/478a42c9/attachment.sig>


More information about the kernel-team mailing list