| Message ID | 20210401091351.1690972-1-kleber.souza@canonical.com |
|---|---|
| Series | Fix regression on symbols addresses (LP: #1922200) |
On 01.04.21 11:13, Kleber Sacilotto de Souza wrote:
> BugLink: https://bugs.launchpad.net/bugs/1922200
>
> [Impact]
> The backport of upstream commit ad67b74d2469d9b82aaa572d76474c95bc484d57
> ("printk: hash addresses printed with %p"), applied to fix CVEs
> CVE-2018-5953/CVE-2018-5995/CVE-2018-7754 on xenial/linux 4.4.0-207.239,
> introduced a regression caught by testcases from the
> ubuntu_qrt_kernel_security.test-kernel-security.py testsuite.
>
> The failing testcases are:
> test_095_kernel_symbols_missing_kallsyms
> test_095_kernel_symbols_missing_proc_modules
> test_095_kernel_symbols_missing_proc_net_tcp
> test_300_test_kaslr_base
>
> The '095' testcases expect the addresses read by a regular user to be zeroed out
> and test '300' expects the default address for 'startup_64' to be
> 'ffffffff81000000' for non-kaslr kernels (<4.15). The applied backport leaks
> what the address 0x0 hashes to on the /proc interfaces instead of the expected
> values.
>
> Examples:
> $ head /proc/kallsyms
> 00000000b845aaf2 A irq_stack_union
> 00000000b845aaf2 A __per_cpu_start
> 00000000b845aaf2 A __per_cpu_user_mapped_start
> 00000000b845aaf2 A vector_irq
> 00000000b845aaf2 A unsafe_stack_register_backup
> 00000000b845aaf2 A cpu_debug_store
> 00000000b845aaf2 A cpu_tss
> 00000000b845aaf2 A exception_stacks
> 00000000b845aaf2 A gdt_page
> 00000000b845aaf2 A espfix_waddr
>
> $ sudo head /proc/kallsyms
> 00000000b845aaf2 A irq_stack_union
> 00000000b845aaf2 A __per_cpu_start
> 00000000b845aaf2 A __per_cpu_user_mapped_start
> 00000000cd84b193 A vector_irq
> 00000000f271a77b A unsafe_stack_register_backup
> 00000000b451cc91 A cpu_debug_store
> 00000000108c2558 A cpu_tss
> 000000001484be48 A exception_stacks
> 000000000a1b6bc6 A gdt_page
> 00000000f38c128a A espfix_waddr
>
> $ sudo grep -w startup_64 /proc/kallsyms
> 0000000028c44c50 T startup_64
>
> [Fix]
> For the backport to work as expected, we would likely need to backport the
> following commits as well:
>
> 57e734423add vsprintf: refactor %pK code out of pointer()
> ef0010a30935 vsprintf: don't use 'restricted_pointer()' when not restricting
>
> However, this could introduce other regressions as there are several corner
> cases in this code path.
>
> Given that the CVEs which are fixed by this patch are all low or negligible, the
> best solution seems to be to revert this patch altogether.
>
> [Test]
> Run ubuntu_qrt_kernel_security.test-kernel-security.py tests from the kernel
> team autotest repository.
>
> [Where problems could occur]
> Reverting this patch can't introduce any regression as it would return the code
> to the previous state; however, it would keep the kernel vulnerable to these
> CVEs.
>
> Kleber Sacilotto de Souza (1):
> UBUNTU: SAUCE: Revert "printk: hash addresses printed with %p"
>
> Documentation/printk-formats.txt | 11 ----
> lib/test_printf.c | 108 +++++++++++--------------------
> lib/vsprintf.c | 81 ++--------------------
> 3 files changed, 45 insertions(+), 155 deletions(-)

Applied to xenial/linux. Thanks, Kleber
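A small check in the spirit of the '095' and '300' testcases, added here as an illustration; it is not part of the patch or of the ubuntu_qrt testsuite. The kallsyms excerpts are constructed from the examples in the cover letter, and the address given for secondary_startup_64 is invented.

```python
import re

# Constructed /proc/kallsyms excerpts mirroring the cover letter's examples.
# Unprivileged view on the regressed kernel: every symbol shows the same
# non-zero value, i.e. the %p hash of the zeroed pointer.
UNPRIV_REGRESSED = """\
00000000b845aaf2 A irq_stack_union
00000000b845aaf2 A __per_cpu_start
00000000b845aaf2 A vector_irq
00000000b845aaf2 T startup_64
"""
# Unprivileged view the testsuite expects: addresses zeroed out.
UNPRIV_EXPECTED = """\
0000000000000000 A irq_stack_union
0000000000000000 A __per_cpu_start
0000000000000000 T startup_64
"""
# Privileged view on a non-KASLR kernel with the default startup_64 address
# (the secondary_startup_64 address is invented for this sample).
ROOT_NON_KASLR = """\
ffffffff81000000 T startup_64
ffffffff810000f0 T secondary_startup_64
"""

LINE_RE = re.compile(r"^([0-9a-f]{16}) (\S) (\S+)")

def parse_kallsyms(text):
    """Return a list of (address:int, type:str, name:str) per well-formed line."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((int(m.group(1), 16), m.group(2), m.group(3)))
    return rows

def classify(text):
    """Classify what a reader sees in the address column of a kallsyms dump."""
    addrs = {a for a, _, _ in parse_kallsyms(text)}
    if not addrs:
        return "empty"
    if addrs == {0}:
        return "zeroed"            # expected for an unprivileged reader
    if len(addrs) == 1:
        return "constant-nonzero"  # the regression: hash(0) leaked for every symbol
    return "distinct"              # real or per-symbol hashed values

def startup_64_is_default(text, expected=0xffffffff81000000):
    """True if startup_64 sits at the non-KASLR default checked by test_300."""
    return any(a == expected for a, _, n in parse_kallsyms(text) if n == "startup_64")
```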