Okay, the reason this test (and bug 1717856) fail sporadically is that
ASLR in precise for i386 has a very low number of random values for vdso
and shared library offsets, when ulimits are set such that unlimited
stack sizes are allowed:

  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ uname -a
  Linux sec-precise-i386 3.2.0-142-generic #189-Ubuntu SMP Fri Jul 5 18:40:43 UTC 2019 i686 i686 i386 GNU/Linux
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ ulimit -s
  unlimited
  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c
     1273 0x40000000
     8662 0x40022000
       65 0x40026000

Yes, all of 3 values, and 86% of the invocations result in one value.
The shared library base values are slightly better, but not much:

  ubuntu@sec-precise-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report libs ; done | sort | uniq -c
      499 0x40003d80
      285 0x40016d80
      566 0x40025d80
     7608 0x40038d80
      295 0x4003cd80
      250 0x4003dd80
      167 0x4003ed80
      153 0x4003fd80
      177 0x40040d80

Compare this with the 3.13 results:

  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ uname -a
  Linux sec-trusty-i386 3.13.0-170-generic #220-Ubuntu SMP Thu May 9 12:41:17 UTC 2019 i686 i686 i686 GNU/Linux
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s unlimited
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ ulimit -s
  unlimited
  ubuntu@sec-trusty-i386:~/tests/qrt-test-kernel-security$ for ((i=0; i<10000; i++)) ; do ./kernel-security/aslr/aslr --report vdso ; done | sort | uniq -c | wc -l
  256

(output is piped into wc -l, because there are 256 distinct results.) So
8 bits of randomisation, which is not great, but better than >2.

The tests were added in response to
http://hmarco.org/bugs/CVE-2016-3672-Unlimiting-the-stack-not-longer-disables-ASLR.html
and fixes were applied for the 3.2.0-104.145 kernel.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3672

https://bugs.launchpad.net/bugs/1747630

Title:
  Kernel security test test_022_aslr_hardy_vdso failed on Precise i386

Status in QA Regression Testing:
  New
Status in ubuntu-kernel-tests:
  Confirmed
Status in linux package in Ubuntu:
  Confirmed

Bug description:
  This issue can be reproduced in 3.2.0-133 in proposed and 3.2.0-131.
  So it should not be considered as a regression.

  We didn't spot this issue until I tested the 3.2 kernel on one of the
  laptops (CID 201307-13930) in the Cert lab instead of using our regular
  regression-testing test pool from the kernel team this cycle.

    ======================================================================
    FAIL: test_022_aslr_hardy_vdso (__main__.KernelSecurityTest)
    ASLR of vdso
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "./test-kernel-security.py", line 1863, in test_022_aslr_hardy_vdso
        self._test_aslr('vdso', expected)
      File "./test-kernel-security.py", line 1795, in _test_aslr
        self._test_aslr_all(area, expected, "unlimited stack %s" % area)
      File "./test-kernel-security.py", line 1772, in _test_aslr_all
        self._test_aslr_exec(area, expected, target, name)
      File "./test-kernel-security.py", line 1765, in _test_aslr_exec
        self.assertShellExitEquals(aslr_expected, ["./%s" % (target), area, "--verbose"], msg="%s:\n" % name)
      File "/home/ubuntu/autotest/client/tmp/ubuntu_qrt_kernel_security/src/qa-regression-testing/scripts/testlib.py", line 1134, in assertShellExitEquals
        self.assertEqual(expected, rc, msg + result + report)
    AssertionError: unlimited stack vdso native:
    Got exit code 1, expected 0
    Command: './aslr', 'vdso', '--verbose'
    Output:
    Checking ASLR of vdso:
     0x40022000
     0x40022000
     0x40022000
    FAIL: ASLR not functional (vdso always at 0x40022000)
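
Added example (not part of the original bug comment or of the qa-regression-testing suite): the `sort | uniq -c` histograms from the 3.2.0-142 runs above, expressed as entropy, which shows that the skew makes the result far weaker than the count of distinct addresses suggests. The function names are hypothetical; the counts are copied from the output above.

```python
import math

# Histograms copied from the `sort | uniq -c` output in the comment above
# (3.2.0-142 on Precise i386, unlimited stack, 10000 runs each).
VDSO_3_2 = """
   1273 0x40000000
   8662 0x40022000
     65 0x40026000
"""
LIBS_3_2 = """
    499 0x40003d80
    285 0x40016d80
    566 0x40025d80
   7608 0x40038d80
    295 0x4003cd80
    250 0x4003dd80
    167 0x4003ed80
    153 0x4003fd80
    177 0x40040d80
"""

def parse_uniq_c(text):
    """Turn `uniq -c` lines ("<count> <address>") into {address: count}."""
    hist = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 2:  # skip blank or malformed lines
            hist[int(fields[1], 16)] = int(fields[0])
    return hist

def entropy_report(hist):
    """Summarise how unpredictable the sampled base address is."""
    total = sum(hist.values())
    probs = [count / total for count in hist.values()]
    return {
        "distinct": len(hist),
        "top_share": max(probs),  # share of runs at the most common address
        "shannon_bits": -sum(p * math.log2(p) for p in probs),
        "min_entropy_bits": -math.log2(max(probs)),
        "uniform_bits": math.log2(len(hist)),  # ceiling if all were equally likely
    }

if __name__ == "__main__":
    for name, raw in (("vdso", VDSO_3_2), ("libs", LIBS_3_2)):
        r = entropy_report(parse_uniq_c(raw))
        print(f"{name}: {r['distinct']} values, top {r['top_share']:.1%}, "
              f"Shannon {r['shannon_bits']:.2f} bits, "
              f"min-entropy {r['min_entropy_bits']:.2f} bits "
              f"(uniform ceiling {r['uniform_bits']:.2f})")
```

The 256 distinct vdso values seen on 3.13 amount to 8 bits only if they are evenly spread; running the full histogram (without `wc -l`) through the same function would confirm that.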
