APPLIED: [SRU][X][PATCH 0/1] Fix regression on symbols addresses (LP: #1922200)

Kleber Souza kleber.souza at canonical.com
Thu Apr 1 09:51:59 UTC 2021


On 01.04.21 11:13, Kleber Sacilotto de Souza wrote:
> BugLink: https://bugs.launchpad.net/bugs/1922200
> 
> [Impact]
> The backport of upstream commit ad67b74d2469d9b82aaa572d76474c95bc484d57
> ("printk: hash addresses printed with %p"), applied to fix CVEs
> CVE-2018-5953/CVE-2018-5995/CVE-2018-7754 on xenial/linux 4.4.0-207.239,
> introduced a regression caught by testcases from
> ubuntu_qrt_kernel_security.test-kernel-security.py testsuite.
> 
> The failing testcases are:
> test_095_kernel_symbols_missing_kallsyms
> test_095_kernel_symbols_missing_proc_modules
> test_095_kernel_symbols_missing_proc_net_tcp
> test_300_test_kaslr_base
> 
> The '095' testcases expect the addresses read by a regular user to be zeroed out
> and test '300' expects the default address for 'startup_64' to be
> 'ffffffff81000000' for non-kaslr kernels (<4.15). The applied backport leaks
> what the address 0x0 hashes to on the /proc interfaces instead of the expected
> values.
> 
> Examples:
> $ head /proc/kallsyms
> 00000000b845aaf2 A irq_stack_union
> 00000000b845aaf2 A __per_cpu_start
> 00000000b845aaf2 A __per_cpu_user_mapped_start
> 00000000b845aaf2 A vector_irq
> 00000000b845aaf2 A unsafe_stack_register_backup
> 00000000b845aaf2 A cpu_debug_store
> 00000000b845aaf2 A cpu_tss
> 00000000b845aaf2 A exception_stacks
> 00000000b845aaf2 A gdt_page
> 00000000b845aaf2 A espfix_waddr
> 
> $ sudo head /proc/kallsyms
> 00000000b845aaf2 A irq_stack_union
> 00000000b845aaf2 A __per_cpu_start
> 00000000b845aaf2 A __per_cpu_user_mapped_start
> 00000000cd84b193 A vector_irq
> 00000000f271a77b A unsafe_stack_register_backup
> 00000000b451cc91 A cpu_debug_store
> 00000000108c2558 A cpu_tss
> 000000001484be48 A exception_stacks
> 000000000a1b6bc6 A gdt_page
> 00000000f38c128a A espfix_waddr
> 
> $ sudo grep -w startup_64 /proc/kallsyms
> 0000000028c44c50 T startup_64
> 
> [Fix]
> For the backport to work as expected, we would likely need to backport the
> following commits as well:
> 
> 57e734423add vsprintf: refactor %pK code out of pointer()
> ef0010a30935 vsprintf: don't use 'restricted_pointer()' when not restricting
> 
> However, this could introduce other regressions as there are several corner
> cases in this code path.
> 
> Given that the CVEs which are fixed by this patch are all low or negligible, the
> best solution seems to be to revert this patch altogether.
> 
> [Test]
> Run ubuntu_qrt_kernel_security.test-kernel-security.py tests from the kernel
> team autotest repository.
> 
> [Where problems could occur]
> Reverting this patch can't introduce any regression as it would return the code
> to the previous state; however, it would keep the kernel vulnerable to these
> CVEs.
> 
> Kleber Sacilotto de Souza (1):
>    UBUNTU: SAUCE: Revert "printk: hash addresses printed with %p"
> 
>   Documentation/printk-formats.txt |  11 ----
>   lib/test_printf.c                | 108 +++++++++++--------------------
>   lib/vsprintf.c                   |  81 ++---------------------
>   3 files changed, 45 insertions(+), 155 deletions(-)
> 

Applied to xenial/linux.

Thanks,
Kleber
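As an added example that is not part of this thread or the kernel tree, the following Python reproduces the checks the '095' and '300' testcases make against /proc/kallsyms, run on constructed sample lines modelled on the output quoted above. The function and constant names are assumptions, not the names used by the test suite.

```python
import re

# Constructed sample modelled on the cover letter's unprivileged `head
# /proc/kallsyms` on the regressed kernel: every symbol shows the same value,
# because 0x0 is being run through the %p hash instead of printed as zero.
REGRESSED_UNPRIV = """\
00000000b845aaf2 A irq_stack_union
00000000b845aaf2 A __per_cpu_start
00000000b845aaf2 A vector_irq
"""

# Constructed: what the '095' testcases expect an unprivileged reader to see.
EXPECTED_UNPRIV = """\
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 T startup_64
"""

# Constructed: a privileged read on a non-KASLR 4.4 kernel, where test_300
# expects startup_64 at the default address 'ffffffff81000000'.
PRIV_NON_KASLR = """\
ffffffff81000000 T startup_64
ffffffff81000100 T secondary_startup_64
"""

LINE_RE = re.compile(r"^([0-9a-f]{16})\s+(\S)\s+(\S+)")

def parse_kallsyms(text):
    """Return (address as int, symbol type, name) for each parsable line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return rows

def classify_unprivileged_view(text):
    """'zeroed'  = all addresses 0 (expected for a regular user)
       'hashed0' = one identical non-zero value everywhere (this regression)
       'exposed' = distinct non-zero addresses (real addresses visible)"""
    addrs = [a for a, _, _ in parse_kallsyms(text)]
    if not addrs:
        return "empty"
    if all(a == 0 for a in addrs):
        return "zeroed"
    return "hashed0" if len(set(addrs)) == 1 else "exposed"

def startup_64_is_default(text, default=0xFFFFFFFF81000000):
    """test_300-style check: startup_64 sits at the non-KASLR default."""
    return any(n == "startup_64" and a == default
               for a, _, n in parse_kallsyms(text))
```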
