Bug#887106: Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy

2018-05-03 Thread Stefan Benter

Hello Ben,

I can confirm that #886630 is fixed in linux-image-3.2.0-6-amd64. The 
parameter hidepid=2 is working as expected.


Thanks a lot!

Best regards,
Stefan Benter
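As an added example (not code from this bug thread or from the Debian kernel team), a defender-side check of what the message above confirms: a small POSIX shell function that reads text in /proc/self/mountinfo format and reports the hidepid value of a proc mount, so the option's presence can be verified after a kernel upgrade such as the one to linux-image-3.2.0-6-amd64. It assumes the mountinfo field layout documented in proc(5) (hidepid is a superblock option, so it appears after the "-" separator); the sample mountinfo lines are constructed, not taken from the report.

```shell
#!/bin/sh
# Added example, not code from the bug thread: audit the hidepid setting of a
# proc mount from /proc/self/mountinfo-formatted text read on stdin.
# Prints the hidepid value ("2" in the report's remount command), "unset" if
# the proc mount carries no hidepid option, or "absent" if no proc filesystem
# is mounted at the given mountpoint (default /proc).
hidepid_from_mountinfo() {
    mnt="${1:-/proc}"
    awk -v mnt="$mnt" '
        # mountinfo layout: id parent maj:min root mountpoint mountopts [optional...] - fstype source superopts
        # hidepid is a superblock option, so it lives in the superopts field after the "-" separator.
        $5 == mnt {
            for (i = 7; i <= NF; i++) if ($i == "-") break
            if ($(i + 1) != "proc") next
            n = split($(i + 3), opt, ",")
            val = "unset"
            for (j = 1; j <= n; j++)
                if (opt[j] ~ /^hidepid=/) { sub(/^hidepid=/, "", opt[j]); val = opt[j] }
            print val
            found = 1
            exit
        }
        END { if (!found) print "absent" }
    '
}

# Constructed sample in mountinfo format (not taken from the bug report): a proc
# mount remounted with the options from the report, an unrelated sysfs mount,
# and a second proc mount without hidepid.
SAMPLE_MOUNTINFO='22 1 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw,hidepid=2,gid=1001
23 1 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw
24 1 0:23 / /mnt/plainproc rw,relatime - proc proc rw'

printf '%s\n' "$SAMPLE_MOUNTINFO" | hidepid_from_mountinfo /proc          # 2
printf '%s\n' "$SAMPLE_MOUNTINFO" | hidepid_from_mountinfo /mnt/plainproc # unset
printf '%s\n' "$SAMPLE_MOUNTINFO" | hidepid_from_mountinfo /sys           # absent

# On a live Linux host, check the real /proc the same way.
if [ -r /proc/self/mountinfo ]; then
    hidepid_from_mountinfo /proc < /proc/self/mountinfo
fi
```

Kernels from 5.8 onwards report the option symbolically in mountinfo (hidepid=2 shows as hidepid=invisible), so a check run across mixed hosts should accept both spellings. Note that this only tells you the option is set; whether the permission check behind it behaves is what the kernel fix in this thread is about, and the simplest functional test remains an unprivileged user listing /proc and seeing only their own processes.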



Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy

2018-01-16 Thread Ben Hutchings
On Tue, 2018-01-16 at 13:56 +0100, Niels Hendriks wrote:
> Hi Ben,
> 
> Thanks for your response. Is there any ETA for when the new version will be
> released ?

No, there isn't.

> We'd like to patch the Meltdown vulnerability and also keep
> hidepid enabled, but currently the system is unusable with this kernel and
> hidepid enabled. We tried running with wheezy-backports but it seems that
> kernel doesn't have the meltdown patch yet. We'd prefer not to compile the
> kernel manually from source.
[...]

wheezy-backports is not supported and will never get any more security
updates.

Ben.

-- 
Ben Hutchings
When in doubt, use brute force. - Ken Thompson





Bug#887106: Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy

2018-01-16 Thread Niels Hendriks
Hi Ben,

Thanks for your response. Is there any ETA for when the new version will be
released ? We'd like to patch the Meltdown vulnerability and also keep
hidepid enabled, but currently the system is unusable with this kernel and
hidepid enabled. We tried running with wheezy-backports but it seems that
kernel doesn't have the meltdown patch yet. We'd prefer not to compile the
kernel manually from source.

Thank you,
Niels Hendriks


On 15 January 2018 at 00:02, Ben Hutchings  wrote:

> Control: tag -1 patch
>
> On Mon, 2018-01-08 at 10:29 +0100, Camilo Echevarne wrote:
> [...]
> > After updating the linux-image-amd64 system package, when we try to
> > mount proc with the hidepid option the server throws a kernel panic.
> [...]
>
> This is a warning, not a panic (which would stop the kernel
> completely).  Still, I assume that the permission denial makes it
> impractical to use the system with hidepid enabled.
>
> This problem was not caused by any of the fixes in the latest update,
> but by a fix in 3.2.93 that meant I should have updated the backport of
> the hidepid feature.  However, I added a binary compatibility patch to
> avoid problems like this with any out-of-tree users of the API, and
> that hid the problem until I bumped the ABI number and removed all the
> binary compatibility patches.
>
> I'll fix this in the next upload.  As a temporary measure, you can
> rebuild the kernel package with the attached patch, by following the
> instructions here:
> https://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official
>
> Ben.
>
> --
> Ben Hutchings
> The generation of random numbers is too important to be left to chance.
>    - Robert Coveyou
>


Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy

2018-01-14 Thread Ben Hutchings
Control: tag -1 patch

On Mon, 2018-01-08 at 10:29 +0100, Camilo Echevarne wrote:
[...]
> After updating the linux-image-amd64 system package, when we try to 
> mount proc with the hidepid option the server throws a kernel panic.
[...]

This is a warning, not a panic (which would stop the kernel
completely).  Still, I assume that the permission denial makes it
impractical to use the system with hidepid enabled.

This problem was not caused by any of the fixes in the latest update,
but by a fix in 3.2.93 that meant I should have updated the backport of
the hidepid feature.  However, I added a binary compatibility patch to
avoid problems like this with any out-of-tree users of the API, and
that hid the problem until I bumped the ABI number and removed all the
binary compatibility patches.

I'll fix this in the next upload.  As a temporary measure, you can
rebuild the kernel package with the attached patch, by following the
instructions here:
https://kernel-handbook.alioth.debian.org/ch-common-tasks.html#s-common-official

Ben.

-- 
Ben Hutchings
The generation of random numbers is too important to be left to chance.
   - Robert Coveyou

From: Ben Hutchings
Date: Sun, 14 Jan 2018 21:32:45 +
Subject: proc: Fix ptrace mode in has_pid_permissions()
Forwarded: not-needed
Bug-Debian: https://bugs.debian.org/887106

Commit caaee6234d05 "ptrace: use fsuid, fsgid, effective creds for fs
access checks" added the requirement that all calls to
ptrace_may_access() include one of the PTRACE_MODE_{REAL,FS}CREDS
flags in the mode argument, and updated all callers to do this.
This was backported in 3.2.93.  For backward binary compatibility,
I added a patch to make these flags optional.

When I bumped the ABI version recently, I removed that patch, and it
turns out that there is one in-tree caller that wasn't updated -
has_pid_permissions().  This was part of the backport of the procfs
hidepid feature and not included in 3.2-stable.  So update it
separately here.

---
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -586,7 +586,7 @@ static bool has_pid_permissions(struct p
 		return true;
 	if (in_group_p(pid->pid_gid))
 		return true;
-	return ptrace_may_access(task, PTRACE_MODE_READ);
+	return ptrace_may_access(task, PTRACE_MODE_READ_FSCREDS);
 }
 
 
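Review bot: PTRACE_MODE_READ_FSCREDS is the right replacement on the changed line, because has_pid_permissions() is reached from proc_pid_permission() via inode_permission() during a path walk (the call traces in the report show exactly that chain), which is the filesystem-access case that commit caaee6234d05 assigned the fsuid/fsgid semantics to. The description would be clearer if it stated the observed effect of the missing flag: ptrace_may_access() warns at kernel/ptrace.c:228 ("denying ptrace access check without PTRACE_MODE_*CREDS") and denies the check, which is why hidepid=2 turned into a blanket denial rather than a crash. Since the commit message says this caller was missed because it lives only in the Debian backport, it is worth a grep of the other wheezy-only patches for any remaining ptrace_may_access() call whose mode lacks a *CREDS flag before the upload.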




Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy

2018-01-09 Thread Marc-Christian Petersen
This bug hit me too.

All my servers are using hidepid as default.

So every system I rebooted was unusable after reboot, everything
starting at boot gave the trace output, ssh'ing to the system gave
the trace output without successful ssh login :-(

-- 
ciao, Marc



Bug#886630: linux-image-3.2.0-5-amd64 Kernel panic after upgrading when use hidepid Debian wheezy

2018-01-08 Thread Camilo Echevarne

Package: src:linux
Version: 3.2.96-3
Severity: grave
Justification: renders package unusable with hidepid proc mount option


After updating the linux-image-amd64 system package, when we try to 
mount proc with the hidepid option the server throws a kernel panic.


mount -o remount,hidepid=2,gid=1001 /proc


** Version:

Linux hostname 3.2.0-5-amd64 #1 SMP Debian 3.2.96-3 x86_64 GNU/Linux


** Kernel log:

[  110.335792] [ cut here ]
[  110.335813] WARNING: at /build/linux-HPGG73/linux-3.2.96/kernel/ptrace.c:228 
__ptrace_may_access+0x47/0xf9()
[  110.335823] denying ptrace access check without PTRACE_MODE_*CREDS
[  110.335829] Modules linked in: xt_multiport xt_owner ipt_REJECT xt_connlimit 
xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack 
iptable_filter ip_tables x_tables lockd sunrpc lp parport loop evdev coretemp 
snd_pcm snd_page_alloc crc32c_intel snd_timer snd soundcore aesni_intel 
aes_x86_64 aes_generic pcspkr cryptd ext3 mbcache jbd xen_netfront xen_blkfront
[  110.335892] Pid: 4204, comm: bash Not tainted 3.2.0-5-amd64 #1 Debian 
3.2.96-3
[  110.335900] Call Trace:
[  110.335910]  [] ? warn_slowpath_common+0x78/0x8c
[  110.335918]  [] ? warn_slowpath_fmt+0x45/0x4a
[  110.335927]  [] ? __ptrace_may_access+0x47/0xf9
[  110.335935]  [] ? ptrace_may_access+0x24/0x36
[  110.335945]  [] ? proc_pid_permission+0x4e/0x90
[  110.335955]  [] ? inode_permission+0x65/0xd6
[  110.335963]  [] ? link_path_walk+0x7d/0x421
[  110.335971]  [] ? link_path_walk+0x2fd/0x421
[  110.335979]  [] ? path_lookupat+0x53/0x2bd
[  110.335988]  [] ? should_resched+0x5/0x23
[  110.335999]  [] ? _cond_resched+0x7/0x1c
[  110.336035]  [] ? do_path_lookup+0x1c/0x87
[  110.336049]  [] ? user_path_at_empty+0x47/0x7b
[  110.336066]  [] ? do_page_fault+0x30a/0x345
[  110.336088]  [] ? notify_remote_via_irq+0x20/0x25
[  110.336106]  [] ? test_tsk_need_resched+0xa/0x13
[  110.336127]  [] ? arch_local_irq_restore+0x7/0x8
[  110.336144]  [] ? _raw_spin_unlock_irqrestore+0xe/0xf
[  110.336161]  [] ? arch_local_irq_disable+0x7/0x8
[  110.336179]  [] ? _raw_spin_lock_irq+0xa/0x14
[  110.336197]  [] ? spin_unlock_irq+0xa/0xb
[  110.336214]  [] ? vfs_fstatat+0x32/0x60
[  110.336232]  [] ? arch_local_irq_restore+0x7/0x8
[  110.336248]  [] ? xen_mc_flush+0x13c/0x16b
[  110.336266]  [] ? sys_newstat+0x12/0x2b
[  110.336282]  [] ? page_fault+0x25/0x30
[  110.336302]  [] ? system_call_fastpath+0x16/0x1b
[  110.336317] ---[ end trace 89494c70e5dcd0b8 ]---
[  110.336342] [ cut here ]
[  110.336357] WARNING: at /build/linux-HPGG73/linux-3.2.96/kernel/ptrace.c:228 
__ptrace_may_access+0x47/0xf9()
[  110.336375] denying ptrace access check without PTRACE_MODE_*CREDS
[  110.336408] Modules linked in: xt_multiport xt_owner ipt_REJECT xt_connlimit 
xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack 
iptable_filter ip_tables x_tables lockd sunrpc lp parport loop evdev coretemp 
snd_pcm snd_page_alloc crc32c_intel snd_timer snd soundcore aesni_intel 
aes_x86_64 aes_generic pcspkr cryptd ext3 mbcache jbd xen_netfront xen_blkfront
[  110.336565] Pid: 4204, comm: bash Tainted: GW3.2.0-5-amd64 #1 
Debian 3.2.96-3
[  110.336575] Call Trace:
[  110.336583]  [] ? warn_slowpath_common+0x78/0x8c
[  110.336592]  [] ? warn_slowpath_fmt+0x45/0x4a
[  110.336601]  [] ? __ptrace_may_access+0x47/0xf9
[  110.336609]  [] ? ptrace_may_access+0x24/0x36
[  110.336618]  [] ? proc_pid_permission+0x4e/0x90
[  110.336627]  [] ? inode_permission+0x65/0xd6
[  110.336635]  [] ? link_path_walk+0x7d/0x421
[  110.336644]  [] ? link_path_walk+0x2fd/0x421
[  110.336652]  [] ? path_openat+0xac/0x33a
[  110.336660]  [] ? user_path_at_empty+0x53/0x7b
[  110.336669]  [] ? do_filp_open+0x2a/0x6e
[  110.336677]  [] ? _cond_resched+0x7/0x1c
[  110.336686]  [] ? alloc_fd+0x64/0x109
[  110.336695]  [] ? do_sys_open+0x5e/0xe5
[  110.336703]  [] ? system_call_fastpath+0x16/0x1b
[  110.336710] ---[ end trace 89494c70e5dcd0b9 ]---
[  111.176925] [ cut here ]
[  111.176949] WARNING: at /build/linux-HPGG73/linux-3.2.96/kernel/ptrace.c:228 
__ptrace_may_access+0x47/0xf9()
[  111.176959] denying ptrace access check without PTRACE_MODE_*CREDS
[  111.176966] Modules linked in: xt_multiport xt_owner ipt_REJECT xt_connlimit 
xt_tcpudp iptable_nat nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_conntrack 
iptable_filter ip_tables x_tables lockd sunrpc lp parport loop evdev coretemp 
snd_pcm snd_page_alloc crc32c_intel snd_timer snd soundcore aesni_intel 
aes_x86_64 aes_generic pcspkr cryptd ext3 mbcache jbd xen_netfront xen_blkfront
[  111.177033] Pid: 4283, comm: cron Tainted: GW3.2.0-5-amd64 #1 
Debian 3.2.96-3
[  111.177041] Call Trace:
[  111.177051]  [] ? warn_slowpath_common+0x78/0x8c
[  111.177060]  [] ? warn_slowpath_fmt+0x45/0x4a
[  111.177068]  [] ? __ptrace_may_access+0x47/0xf9
[  111.177077]  [] ? ptrace_may_access+0x24/0x36
[  111.177088]  [] ?