[SRU][X][PATCH 0/1] Fix regression on symbols addresses (LP: #1922200)

Kleber Sacilotto de Souza kleber.souza at canonical.com
Thu Apr 1 09:13:50 UTC 2021 

BugLink: https://bugs.launchpad.net/bugs/1922200

[Impact]
The backport of upstream commit ad67b74d2469d9b82aaa572d76474c95bc484d57
("printk: hash addresses printed with %p"), applied to fix CVEs
CVE-2018-5953/CVE-2018-5995/CVE-2018-7754 on xenial/linux 4.4.0-207.239,
introduced a regression caught by testcases from
ubuntu_qrt_kernel_security.test-kernel-security.py testsuite.

The failing testcases are:
test_095_kernel_symbols_missing_kallsyms
test_095_kernel_symbols_missing_proc_modules
test_095_kernel_symbols_missing_proc_net_tcp
test_300_test_kaslr_base

The '095' testcases expect the addresses read by a regular user to be zeroed out
and test '300' expects the default address for 'startup_64' to be
'ffffffff81000000' for non-kaslr kernels (<4.15). The applied backport leaks
what the address 0x0 hashes to on the /proc interfaces instead of the expected
values.

Examples:
$ head /proc/kallsyms
00000000b845aaf2 A irq_stack_union
00000000b845aaf2 A __per_cpu_start
00000000b845aaf2 A __per_cpu_user_mapped_start
00000000b845aaf2 A vector_irq
00000000b845aaf2 A unsafe_stack_register_backup
00000000b845aaf2 A cpu_debug_store
00000000b845aaf2 A cpu_tss
00000000b845aaf2 A exception_stacks
00000000b845aaf2 A gdt_page
00000000b845aaf2 A espfix_waddr

$ sudo head /proc/kallsyms
00000000b845aaf2 A irq_stack_union
00000000b845aaf2 A __per_cpu_start
00000000b845aaf2 A __per_cpu_user_mapped_start
00000000cd84b193 A vector_irq
00000000f271a77b A unsafe_stack_register_backup
00000000b451cc91 A cpu_debug_store
00000000108c2558 A cpu_tss
000000001484be48 A exception_stacks
000000000a1b6bc6 A gdt_page
00000000f38c128a A espfix_waddr

$ sudo grep -w startup_64 /proc/kallsyms
0000000028c44c50 T startup_64

[Fix]
For the backport to work as expected, we would likely need to backport the
following commits as well:

57e734423add vsprintf: refactor %pK code out of pointer()
ef0010a30935 vsprintf: don't use 'restricted_pointer()' when not restricting

However, this could introduce other regressions as there are several corner
cases in this code path.

Given that the CVEs which are fixed by this patch are all low or negligible, the
best solution seems to be to revert this patch altogether.

[Test]
Run ubuntu_qrt_kernel_security.test-kernel-security.py tests from the kernel
team autotest repository.

[Where problems could occur]
Reverting this patch can't introduce any regression as it would return the code
to the previous state, however it would keep the kernel vulnerable to these
CVEs.

Kleber Sacilotto de Souza (1):
  UBUNTU: SAUCE: Revert "printk: hash addresses printed with %p"

 Documentation/printk-formats.txt |  11 ----
 lib/test_printf.c                | 108 +++++++++++--------------------
 lib/vsprintf.c                   |  81 ++---------------------
 3 files changed, 45 insertions(+), 155 deletions(-)

-- 
2.27.0

More information about the kernel-team mailing list