Bug#887106: Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy
Hello Ben,

I can confirm that #886630 is fixed in linux-image-3.2.0-6-amd64. The parameter hidepid=2 is working as expected.

Thanks a lot!

Best regards,
Stefan Benter
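The confirmation above amounts to two checks: that /proc is really mounted with hidepid=2, and that the kernel log no longer shows the ptrace.c:228 WARNING from the original report. The script below is an added example, not part of the bug thread; its function names are hypothetical and it assumes the /proc/mounts and dmesg line formats seen in the report.

```shell
#!/bin/sh
# Added example, not part of the Debian bug thread. Two checks an admin would
# run after installing a fixed kernel: is hidepid really set on /proc, and is
# the kernel log free of the WARNING that bug #886630 produced on 3.2.0-5
# ("denying ptrace access check without PTRACE_MODE_*CREDS")?
# Function names are hypothetical; line formats follow the report.

# Print the hidepid= value of the /proc mount listed in a mount table
# ($1, default /proc/mounts); print nothing when hidepid is not set.
proc_hidepid_value() {
    awk '$2 == "/proc" && $3 == "proc" {
        n = split($4, o, ",")
        for (i = 1; i <= n; i++)
            if (sub(/^hidepid=/, "", o[i])) { print o[i]; exit }
    }' "${1:-/proc/mounts}"
}

# Count dmesg-style lines in log file $1 that carry the ptrace-mode warning.
count_ptrace_mode_warnings() {
    grep -c 'denying ptrace access check without PTRACE_MODE_\*CREDS' "$1" || true
}

# Return 0 only when hidepid=2 is enforced and the log has no such warning.
hidepid_healthy() {
    [ "$(proc_hidepid_value "$1")" = "2" ] &&
        [ "$(count_ptrace_mode_warnings "$2")" -eq 0 ]
}

# Demo on constructed sample data modelled on the report (not real output).
demo() {
    d=$(mktemp -d)
    printf 'proc /proc proc rw,nosuid,hidepid=2,gid=1001 0 0\n' > "$d/mounts"
    printf '[  110.335823] denying ptrace access check without PTRACE_MODE_*CREDS\n' > "$d/old.log"
    printf '[    0.000000] Linux version 3.2.0-6-amd64\n' > "$d/new.log"
    for log in old new; do
        if hidepid_healthy "$d/mounts" "$d/$log.log"; then
            echo "$log.log: hidepid=2 enforced, no ptrace-mode warnings"
        else
            echo "$log.log: NOT healthy ($(count_ptrace_mode_warnings "$d/$log.log") warnings)"
        fi
    done
    rm -rf "$d"
    # On a live Linux host, also report what /proc is actually mounted with.
    if [ -r /proc/mounts ]; then
        echo "this host: hidepid=$(proc_hidepid_value)"
    fi
}

demo
```

To check a real host, run `hidepid_healthy /proc/mounts <(dmesg)` in bash, or save dmesg output to a file first for plain sh.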
Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy
On Tue, 2018-01-16 at 13:56 +0100, Niels Hendriks wrote:
> Hi Ben,
>
> Thanks for your response. Is there any ETA for when the new version will be
> released ?

No, there isn't.

> We'd like to patch the Meltdown vulnerability and also keep
> hidepid enabled, but currently the system is unusable with this kernel and
> hidepid enabled. We tried running with wheezy-backports but it seems that
> kernel doesn't have the meltdown patch yet. We'd prefer not to compile the
> kernel manually from source.
[...]

wheezy-backports is not supported and will never get any more security updates.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson
Bug#887106: Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy
Hi Ben,

Thanks for your response. Is there any ETA for when the new version will be released ?

We'd like to patch the Meltdown vulnerability and also keep hidepid enabled, but currently the system is unusable with this kernel and hidepid enabled. We tried running with wheezy-backports but it seems that kernel doesn't have the meltdown patch yet. We'd prefer not to compile the kernel manually from source.

Thank you,
Niels Hendriks

On 15 January 2018 at 00:02, Ben Hutchings wrote:
> Control: tag -1 patch
>
> On Mon, 2018-01-08 at 10:29 +0100, Camilo Echevarne wrote:
> [...]
> > After updating the linux-image-amd64 system package, when we try to
> > mount proc with the hidepid option the server throws a kernel panic.
> [...]
>
> This is a warning, not a panic (which would stop the kernel
> completely). Still, I assume that the permission denial makes it
> impractical to use the system with hidepid enabled.
>
> This problem was not caused by any of the fixes in the latest update,
> but by a fix in 3.2.93 that meant I should have updated the backport of
> the hidepid feature. However, I added a binary compatibility patch to
> avoid problems like this with any out-of-tree users of the API, and
> that hid the problem until I bumped the ABI number and removed all the
> binary compatibility patches.
>
> I'll fix this in the next upload. As a temporary measure, you can
> rebuild the kernel package with the attached patch, by following the
> instructions here:
> https://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official
>
> Ben.
>
> --
> Ben Hutchings
> The generation of random numbers is too important to be left to chance.
> - Robert Coveyou
Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy
Control: tag -1 patch

On Mon, 2018-01-08 at 10:29 +0100, Camilo Echevarne wrote:
[...]
> After updating the linux-image-amd64 system package, when we try to
> mount proc with the hidepid option the server throws a kernel panic.
[...]

This is a warning, not a panic (which would stop the kernel completely). Still, I assume that the permission denial makes it impractical to use the system with hidepid enabled.

This problem was not caused by any of the fixes in the latest update, but by a fix in 3.2.93 that meant I should have updated the backport of the hidepid feature. However, I added a binary compatibility patch to avoid problems like this with any out-of-tree users of the API, and that hid the problem until I bumped the ABI number and removed all the binary compatibility patches.

I'll fix this in the next upload. As a temporary measure, you can rebuild the kernel package with the attached patch, by following the instructions here:
https://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance. - Robert Coveyou

From: Ben Hutchings
Date: Sun, 14 Jan 2018 21:32:45 +
Subject: proc: Fix ptrace mode in has_pid_permissions()
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/887106

Commit caaee6234d05 "ptrace: use fsuid, fsgid, effective creds for fs access checks" added the requirement that all calls to ptrace_may_access() include one of the PTRACE_MODE_{REAL,FS}CREDS flags in the mode argument, and updated all callers to do this. This was backported in 3.2.93.

For backward binary compatibility, I added a patch to make these flags optional. When I bumped the ABI version recently, I removed that patch, and it turns out that there is one in-tree caller that wasn't updated - has_pid_permissions(). This was part of the backport of the procfs hidepid feature and not included in 3.2-stable. So update it separately here.

---
--- a/fs/proc/base.c
+++ b/fs/proc/base.c @@ -586,7 +586,7 @@ static bool has_pid_permissions(struct p return true; if (in_group_p(pid->pid_gid)) return true; - return ptrace_may_access(task, PTRACE_MODE_READ); + return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS); } signature.asc Description: This is a digitally signed message part
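Review bot: PTRACE_MODE_READ_FSCREDS is the right flag for this call site: has_pid_permissions() is reached from proc_pid_permission(), the VFS permission hook for /proc/<pid>, so the filesystem credentials (fsuid/fsgid) are the ones commit caaee6234d05 intended for fs access checks, and the ptrace.c:228 WARNING in the report ("denying ptrace access check without PTRACE_MODE_*CREDS") goes away because the mode now carries a *CREDS bit. The reported call trace shows proc_pid_permission -> ptrace_may_access directly, consistent with has_pid_permissions() being inlined and with this being the single missed caller; since the hidepid backport is Debian-only and not covered by the 3.2-stable sweep, it would still be worth grepping the rest of that backport (and any other wheezy-specific patches) for ptrace_may_access() calls whose mode lacks PTRACE_MODE_*CREDS before the next upload, and adding a boot test with hidepid=2 so a future ABI bump cannot hide the same regression again.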
Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy
This bug hit me too. All my servers are using hidepid as default. So every system I rebooted was unusable after reboot, everything starting at boot gave the trace output, ssh'ing to the system gave the trace output without successful ssh login :-(

-- 
ciao, Marc
Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy
Package: src:linux
Version: 3.2.96-3
Severity: grave
Justification: renders package unusable with hidepid proc mount option

After updating the linux-image-amd64 system package, when we try to mount proc with the hidepid option the server throws a kernel panic.

mount -o remount,hidepid=2,gid=1001 /proc

** Version:
Linux hostname 3.2.0-5-amd64 #1 SMP Debian 3.2.96-3 x86_64 GNU/Linux

** Kernel log:
[ 110.335792] [ cut here ]
[ 110.335813] WARNING: at /build/linux-HPGG73/linux-3.2.96/kernel/ptrace.c:228 __ptrace_may_access+0x47/0xf9()
[ 110.335823] denying ptrace access check without PTRACE_MODE_*CREDS
[ 110.335829] Modules linked in: xt_multiport xt_owner ipt_REJECT xt_connlimit xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack iptable_filter ip_tables x_tables lockd sunrpc lp parport loop evdev coretemp snd_pcm snd_page_alloc crc32c_intel snd_timer snd soundcore aesni_intel aes_x86_64 aes_generic pcspkr cryptd ext3 mbcache jbd xen_netfront xen_blkfront
[ 110.335892] Pid: 4204, comm: bash Not tainted 3.2.0-5-amd64 #1 Debian 3.2.96-3
[ 110.335900] Call Trace:
[ 110.335910] [] ? warn_slowpath_common+0x78/0x8c
[ 110.335918] [] ? warn_slowpath_fmt+0x45/0x4a
[ 110.335927] [] ? __ptrace_may_access+0x47/0xf9
[ 110.335935] [] ? ptrace_may_access+0x24/0x36
[ 110.335945] [] ? proc_pid_permission+0x4e/0x90
[ 110.335955] [] ? inode_permission+0x65/0xd6
[ 110.335963] [] ? link_path_walk+0x7d/0x421
[ 110.335971] [] ? link_path_walk+0x2fd/0x421
[ 110.335979] [] ? path_lookupat+0x53/0x2bd
[ 110.335988] [] ? should_resched+0x5/0x23
[ 110.335999] [] ? _cond_resched+0x7/0x1c
[ 110.336035] [] ? do_path_lookup+0x1c/0x87
[ 110.336049] [] ? user_path_at_empty+0x47/0x7b
[ 110.336066] [] ? do_page_fault+0x30a/0x345
[ 110.336088] [] ? notify_remote_via_irq+0x20/0x25
[ 110.336106] [] ? test_tsk_need_resched+0xa/0x13
[ 110.336127] [] ? arch_local_irq_restore+0x7/0x8
[ 110.336144] [] ? _raw_spin_unlock_irqrestore+0xe/0xf
[ 110.336161] [] ? arch_local_irq_disable+0x7/0x8
[ 110.336179] [] ? _raw_spin_lock_irq+0xa/0x14
[ 110.336197] [] ? spin_unlock_irq+0xa/0xb
[ 110.336214] [] ? vfs_fstatat+0x32/0x60
[ 110.336232] [] ? arch_local_irq_restore+0x7/0x8
[ 110.336248] [] ? xen_mc_flush+0x13c/0x16b
[ 110.336266] [] ? sys_newstat+0x12/0x2b
[ 110.336282] [] ? page_fault+0x25/0x30
[ 110.336302] [] ? system_call_fastpath+0x16/0x1b
[ 110.336317] ---[ end trace 89494c70e5dcd0b8 ]---
[ 110.336342] [ cut here ]
[ 110.336357] WARNING: at /build/linux-HPGG73/linux-3.2.96/kernel/ptrace.c:228 __ptrace_may_access+0x47/0xf9()
[ 110.336375] denying ptrace access check without PTRACE_MODE_*CREDS
[ 110.336408] Modules linked in: xt_multiport xt_owner ipt_REJECT xt_connlimit xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack iptable_filter ip_tables x_tables lockd sunrpc lp parport loop evdev coretemp snd_pcm snd_page_alloc crc32c_intel snd_timer snd soundcore aesni_intel aes_x86_64 aes_generic pcspkr cryptd ext3 mbcache jbd xen_netfront xen_blkfront
[ 110.336565] Pid: 4204, comm: bash Tainted: G W 3.2.0-5-amd64 #1 Debian 3.2.96-3
[ 110.336575] Call Trace:
[ 110.336583] [] ? warn_slowpath_common+0x78/0x8c
[ 110.336592] [] ? warn_slowpath_fmt+0x45/0x4a
[ 110.336601] [] ? __ptrace_may_access+0x47/0xf9
[ 110.336609] [] ? ptrace_may_access+0x24/0x36
[ 110.336618] [] ? proc_pid_permission+0x4e/0x90
[ 110.336627] [] ? inode_permission+0x65/0xd6
[ 110.336635] [] ? link_path_walk+0x7d/0x421
[ 110.336644] [] ? link_path_walk+0x2fd/0x421
[ 110.336652] [] ? path_openat+0xac/0x33a
[ 110.336660] [] ? user_path_at_empty+0x53/0x7b
[ 110.336669] [] ? do_filp_open+0x2a/0x6e
[ 110.336677] [] ? _cond_resched+0x7/0x1c
[ 110.336686] [] ? alloc_fd+0x64/0x109
[ 110.336695] [] ? do_sys_open+0x5e/0xe5
[ 110.336703] [] ? system_call_fastpath+0x16/0x1b
[ 110.336710] ---[ end trace 89494c70e5dcd0b9 ]---
[ 111.176925] [ cut here ]
[ 111.176949] WARNING: at /build/linux-HPGG73/linux-3.2.96/kernel/ptrace.c:228 __ptrace_may_access+0x47/0xf9()
[ 111.176959] denying ptrace access check without PTRACE_MODE_*CREDS
[ 111.176966] Modules linked in: xt_multiport xt_owner ipt_REJECT xt_connlimit xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack iptable_filter ip_tables x_tables lockd sunrpc lp parport loop evdev coretemp snd_pcm snd_page_alloc crc32c_intel snd_timer snd soundcore aesni_intel aes_x86_64 aes_generic pcspkr cryptd ext3 mbcache jbd xen_netfront xen_blkfront
[ 111.177033] Pid: 4283, comm: cron Tainted: G W 3.2.0-5-amd64 #1 Debian 3.2.96-3
[ 111.177041] Call Trace:
[ 111.177051] [] ? warn_slowpath_common+0x78/0x8c
[ 111.177060] [] ? warn_slowpath_fmt+0x45/0x4a
[ 111.177068] [] ? __ptrace_may_access+0x47/0xf9
[ 111.177077] [] ? ptrace_may_access+0x24/0x36
[ 111.177088] [] ?