Livepatch has fixed kernel vulnerabilities. Or not???

Bo Berglund bo.berglund at gmail.com
Wed Apr 12 15:32:18 UTC 2023 

On Mon, 27 Mar 2023 13:01:33 -0500, Keith <keithw at caramail.com> wrote:

>On 3/27/23 3:01 AM, Bo Berglund wrote:
>> On Sun, 26 Mar 2023 10:50:40 +0200, Bo Berglund <bo.berglund at gmail.com> wrote:
>> 
>>> I saw this yesterday when I logged on via SSH to my Ubuntu Server 20.04.6 LTS:
>>>
>>> *** Livepatch has fixed kernel vulnerabilities. System restart recommended on
>>> the closest maintenance window ***
>>>
>>> Today was the possible "maintenance window" so I rebooted the server.
>>>
>>> Now when I log on *after* the reboot I see this greeting:
>>>
>>> -------------
>>> Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-89-generic x86_64)
>>>
>>>   System information as of Sun 26 Mar 2023 09:56:23 AM CEST
>>>
>>>   System load:    0.04                Users logged in:       0
>>>   Usage of /home: 80.1% of 258.81GB   IPv4 address for eth0: 192.168.xxx.yyy
>>>   Memory usage:   6%                  IPv4 address for tun0: 10.8.0.1
>>>   Swap usage:     0%                  IPv4 address for tun1: 10.8.139.1
>>>   Processes:      247
>>>
>>> Expanded Security Maintenance for Applications is enabled.
>>>
>>> 0 updates can be applied immediately.
>>>
>>> New release '22.04.2 LTS' available.
>>> Run 'do-release-upgrade' to upgrade to it.
>>>
>>>
>>> *** Livepatch has fixed kernel vulnerabilities. System restart recommended on
>>> the closest maintenance window ***
>>> -------------
>>>
>>> What gives?
>>> Do I have to do multiple reboots to get this done, if so why?
>>> Otherwise: What should I do now?
>>>
>> 
>> I found this thread about the same issue:
>> https://askubuntu.com/questions/1411986/livepatch-behaviour-and-restart-in
>> 
>> It suggests doing this to solve it:
>>   apt update && apt full-upgrade -y && sudo reboot
>> 
>> But that is exactly what I have done multiple times and the messge still
>> persists! I have rebooted twice to no avail.
>> 
>> What is going on and why does it not stop????
>> 
>> 
>Hi Bo
>
>You can use the pro and/or canonical-livepatch commands to figure out 
>what the status is on kernel patches and reboot requirements.
>
>$ pro security-status

$ pro security-status
1261 packages installed:
     908 packages from Ubuntu Main/Restricted repository
     188 packages from Ubuntu Universe/Multiverse repository
     1 package from a third party
     164 packages no longer available for download

To get more information about the packages, run
    pro security-status --help
for a list of available options.

This machine is attached to an Ubuntu Pro subscription.

Main/Restricted packages are receiving security updates from
Ubuntu Pro with 'esm-infra' enabled until 2030.

Universe/Multiverse packages are receiving security updates from
Ubuntu Pro with 'esm-apps' enabled until 2030. You have received 17 security
updates.


>$ pro system reboot-required

$ pro system reboot-required
no


>$ canonical-livepatch status --verbose

$ canonical-livepatch status --verbose
last check: 8 minutes ago
kernel: 5.4.0-89.100-generic
server check-in: succeeded
kernel state: ? kernel is supported by Canonical.
patch state: ? all applicable livepatch modules inserted
patch version: 92.1
tier: updates (Free usage; This machine beta tests new patches.)
machine id: f604e0e6137f58f8d2b3ebfc5a6fb461
client version: 10.5.3
architecture: x86_64
cpu model: AMD Ryzen 5 3500U with Radeon Vega Mobile Gfx
boot time: 2 weeks ago
fixes:
  * cve-2013-1798
    Andrew Honig reported a flaw in the way KVM (Kernel-based Virtual
    Machine) emulated the IOAPIC. A privileged guest user could exploit
    this flaw to read host memory or cause a denial of service (crash the
    host).
  * cve-2018-25020
    LP bug:
.... Here a really long list of stuff I know nothing about ......
  * cve-2022-43945
    It was discovered that the NFSD implementation in the Linux kernel did
    not properly handle some RPC messages, leading to a buffer overflow. A
    remote attacker could use this to cause a denial of service (system
    crash) or possibly execute arbitrary code.


># canonical-livepatch refresh   downloads and applies kernel patches
>$ canonical-livepatch kernel-upgrade-required; echo $?
>Exit code of 0 means restart is necessary
>Exit code of 1 means restart is not necessary, but recommended at later time
>Exit code of 2 means no restart is necessary.

$ canonical-livepatch kernel-upgrade-required; echo $?
*** Livepatch has fixed kernel vulnerabilities. System restart recommended on
the closest maintenance window ***Kernel upgrade recommended.
1

>Some "turn it off/turn it back on" level things to try:
>1. Disable the livepatch service and reboot. see if motd updates and 
>still indicates a system restart. If not, re-enable service and see if 
>issue comes back. If a system restart is indicated even with livepatch 
>disabled, then the problem is somewhere else.
>$ sudo pro disable/enable livepatch

I cannot easily reboot this system, I have 3 hours on Sunday mornings only
available...

>2. Disable the etc-update-motd-d plugin for the canonical-livepatch snap
>$ sudo snap disconnect canonical-livepatch:etc-update-motd-d --forget

>That should remove 
>/etc/update-motd.d/99-livepatch-kernel-upgrade-required script which is 
>generating the motd restart message but still leave livepatch enabled. 

$ sudo snap disconnect canonical-livepatch:etc-update-motd-d --forget

There is no output, cursor just moves down after some highspeed stuff flashes
and disappears.


>Re-enable the plugin and then logout/login to see if issue persists
>$ sudo snap connect canonical-livepatch:etc-update-motd-d

sudo snap connect canonical-livepatch:etc-update-motd-d

There is no output, again cursor just moves down after some highspeed stuff
flashes and disappears.

Logging in anew still shows the message..


>
>3. check the /var/run/ directory to see if reboot-required and 
>reboot-required.pkgs files are in there. Check the pkgs file and see 
>what packages are listed. Verify they are installed correctly. The "dpkg 
>-V <packagename>" command will help here.

No files starting with reboot are there:

$ ll /var/run/reboot*
ls: cannot access '/var/run/reboot*': No such file or directory

>If there are no reboot files in /var/run, then I'm out of ideas. 
>Probably should file a bug against the canonical-livepatch client. Might 
>make a inquiry on another venue like Ubuntu Forums, Ubuntu community 
>discourse server, or AskUbuntu also.

Or live with it even though it will nag me for reboots that are not needed....


-- 
Bo Berglund
Developer in Sweden

More information about the ubuntu-users mailing list