[Bug 1855341] Re: CONFIG_USELIB should be disabled
This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug. ** Changed in: linux (Ubuntu) Status: Fix Committed => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855341 Title: CONFIG_USELIB should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855341/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855335] Re: CONFIG_DEBUG_CREDENTIALS should be enabled
This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug. ** Changed in: linux (Ubuntu) Status: Fix Committed => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855335 Title: CONFIG_DEBUG_CREDENTIALS should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855335/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855339] Re: CONFIG_LEGACY_PTYS should be disabled
This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug. ** Changed in: linux (Ubuntu) Status: Fix Committed => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855339 Title: CONFIG_LEGACY_PTYS should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855339/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855342] Re: CONFIG_SLAB_MERGE_DEFAULT should be disabled
** Changed in: linux (Ubuntu) Status: In Progress => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855342 Title: CONFIG_SLAB_MERGE_DEFAULT should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855342/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855338] Re: CONFIG_IO_STRICT_DEVMEM should be enabled
This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug. ** Changed in: linux (Ubuntu) Status: Fix Committed => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855338 Title: CONFIG_IO_STRICT_DEVMEM should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855338/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855336] Re: CONFIG_DEBUG_SG should be enabled
This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug. ** Changed in: linux (Ubuntu) Status: Fix Committed => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855336 Title: CONFIG_DEBUG_SG should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855336/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855337] Re: CONFIG_DEBUG_NOTIFIERS should be enabled
This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug. ** Changed in: linux (Ubuntu) Status: Fix Committed => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855337 Title: CONFIG_DEBUG_NOTIFIERS should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855337/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855340] Re: CONFIG_HARDENED_USERCOPY_FALLBACK should be disabled
** Changed in: linux (Ubuntu) Status: In Progress => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855340 Title: CONFIG_HARDENED_USERCOPY_FALLBACK should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855334] Re: CONFIG_DEBUG_LIST should be enabled
This change was applied during the Focal development cycle but then reverted pending performance testing results. That performance testing work was never finished and I'm no longer working on this bug. ** Changed in: linux (Ubuntu) Status: Fix Committed => Triaged ** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855334 Title: CONFIG_DEBUG_LIST should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855334/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1811162] Re: Turn on CONFIG_REFCOUNT_FULL for non-x86 arches
** Changed in: linux (Ubuntu) Assignee: Tyler Hicks (tyhicks) => (unassigned) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1811162 Title: Turn on CONFIG_REFCOUNT_FULL for non-x86 arches To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811162/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
Re: [Bug 1861521] Re: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
On 2020-03-02 07:53:18, AceLan Kao wrote: > Here is the test kernel and the patches I reverted/applied, could > anyone helps me verify it. I can confirm that the new kernel does _not_ regress brightness controls on the machine that caused me to initially open this bug report. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861521 Title: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-5.4/+bug/1861521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
I enabled the KMS debug messages in the drm module:
$ cat /etc/modprobe.d/drm-debug.conf
options drm debug=0x04
$ sudo update-initramfs -u -k $(uname -r) && sudo reboot
...
Unfortunately, it doesn't look like my device_id is set after the
drm_dp_read_desc() in drm_dp_read_desc:
$ dmesg | grep -i OUI
[1.378026] [drm:drm_dp_read_desc [drm_kms_helper]] DP sink: OUI 38-ec-11
dev-ID HW-rev 0.0 SW-rev 0.0 quirks 0x
Hopefully the device_id is set for the Dell platform in bug #1856134 so
that commit 3269788061d2 ("USUNTU: SAUCE: drm/i915: Force DPCD backlight
mode on Dell Precision 4K sku") can be more specific to that device.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861521
Title:
[FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-5.4/+bug/1861521/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
Note that the quirks in the debug output from comment #9 are 0x
because I've got still got commit 3269788061d2 ("USUNTU: SAUCE:
drm/i915: Force DPCD backlight mode on Dell Precision 4K sku") reverted
locally.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861521
Title:
[FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-5.4/+bug/1861521/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
** Tags added: champagne -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861521 Title: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-5.4/+bug/1861521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
To provide further verification, I built Ubuntu-5.4-5.4.0-14.17 with a
single patch on top that reverts commit 3269788061d2 ("USUNTU: SAUCE:
drm/i915: Force DPCD backlight mode on Dell Precision 4K sku"). My
screen brightness controls are working again and I can undock from my
external monitor without having to forcibly reboot the system due to a
blank screen on my built-in monitor (I guess my screen brightness is
turned all the way down when I undock and I cannot adjust it).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861521
Title:
[FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-5.4/+bug/1861521/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
I noticed that upstream v5.4.18 allowed me to adjust my screen brightness while Ubuntu-5.4-5.4.0-14.17 does not, which indicates an Ubuntu SAUCE patch as the culprit. I bisected between the two kernels and this was the result: $ git bisect good 3269788061d24e316633165608259de1c110b801 is the first bad commit commit 3269788061d24e316633165608259de1c110b801 Author: AceLan Kao Date: Thu Dec 12 17:07:44 2019 +0800 USUNTU: SAUCE: drm/i915: Force DPCD backlight mode on Dell Precision 4K sku BugLink: https://bugs.launchpad.net/bugs/1856134 This platform using DPCD aux to control backlight, so adding the first 3 OUI bytes to the quirk. Signed-off-by: AceLan Kao Signed-off-by: Seth Forshee :04 04 5eb20635c698b49ae34aece26e3ee9f24631ca72 0a3389d202d1306745004ff8837731f2ceda317e M drivers I'm no expert in this area but it looks to me like that commit is being too generic and a more specific device_id is needed to target that Dell device. Here's the information on my panel: $ edid-decode /sys/class/drm/card0-eDP-1/edid edid-decode (hex): 00 ff ff ff ff ff ff 00 26 cf 7f 05 00 00 00 00 00 1b 01 04 a5 1f 11 78 0a 1d 39 a7 50 47 97 27 13 4f 54 00 00 00 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 60 6d 80 c8 70 38 14 40 18 30 a5 00 35 ae 10 00 00 19 00 00 00 fe 00 4d 31 34 30 4e 56 46 37 20 52 30 20 0a 00 00 00 03 00 04 30 ff 05 3c 9d 2b 14 39 9d 00 00 00 00 00 00 03 00 06 18 ff 0f 3c 3b 2a 0b 39 3b 01 01 00 00 ad EDID version: 1.4 Manufacturer: IVO Model 1407 Serial Number 0 Made in year 2017 Digital display 8 bits per primary color channel DisplayPort interface Maximum image size: 31 cm x 17 cm Gamma: 2.20 Supported color formats: RGB 4:4:4, YCrCb 4:4:4 First detailed timing includes the native pixel format and preferred refresh rate Color Characteristics Red: 0.6523, 0.3134 Green: 0.2802, 0.5908 Blue: 0.1523, 0.0771 White: 0.3105, 0.3291 Established Timings I & II: none Standard Timings: none Detailed mode: Clock 280.000 MHz, 309 mm x 174 mm 1920 1944 1992 2120 ( 24 48 128) 1080 1090 1095 1100 ( 10 5 5) -hsync -vsync VertFreq: 120.069 Hz, HorFreq: 132.075 kHz Alphanumeric Data String: M140NVF7 R0 Manufacturer-Specified Display Descriptor (0x03): 00 03 00 04 30 ff 05 3c 9d 2b 14 39 9d 00 00 00 0..<.+.9 Manufacturer-Specified Display Descriptor (0x03): 00 03 00 06 18 ff 0f 3c 3b 2a 0b 39 3b 01 01 00 ...<;*.9;... Checksum: 0xad ** Changed in: linux-5.4 (Ubuntu Focal) Assignee: (unassigned) => AceLan Kao (acelankao) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861521 Title: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-5.4/+bug/1861521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1863234] Re: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on
Hi Brendan - What you're asking for is very different than the intent behind this bug report. It'll be best if you open a new bug report. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1863234 Title: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1863234/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1863234] Re: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on
Eoan: https://lists.ubuntu.com/archives/kernel-team/2020-February/107613.html Disco: https://lists.ubuntu.com/archives/kernel-team/2020-February/107616.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1863234 Title: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1863234/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1863234] Re: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on
** Description changed:
[Impact]
The bpf(2) system call is completely blocked in Disco and Eoan when
Secure Boot is enabled due to overly restrictive Lockdown policies. This
makes it so that all bpf related tools are not usable on those releases.
[Test Case]
Set up test BPF programs:
$ cat hello.bt
BEGIN { printf("hello\n"); exit(); }
- $ cat kprobe.bt
- kprobe:do_nanosleep { printf("task sleeping...\n"); }
- $ cat open.bt
+ $ cat kprobe.bt
+ kprobe:do_nanosleep { printf("task sleeping...\n"); exit(); }
+ $ cat open.bt
tracepoint:syscalls:sys_enter_openat {
- printf("filename: [%s]; flags: [%d]\n",
- str(args->filename), args->flags);
+ printf("filename: [%s]; flags: [%d]\n",
+ str(args->filename), args->flags);
}
-
Disable Secure Boot:
$ sudo mokutil --disable-validation
...
$ sudo reboot
Ensure that hello.bt can run:
$ sudo bpftrace hello.bt
Attaching 1 probe...
hello
Ensure that a BPF program triggered by a kprobe works (run `sleep 1` in
another terminal):
$ sudo bpftrace kprobe.bt
Attaching 1 probe...
task sleeping...
Ensure that a BPF program triggered by a tracepoint can access the filename
and flags of openat(2):
$ sudo bpftrace open.bt
Attaching 1 probe...
filename: [/proc/2317/cmdline]; flags: [0]
filename: [/dev/iio:device1]; flags: [2048]
...
Enable Secure Boot
$ sudo mokutil --enable-validation
...
$ sudo reboot
Ensure that a basic BPF program can run:
$ sudo bpftrace hello.bt
Attaching 1 probe...
hello
Ensure that a BPF program triggered by a kprobe is blocked (kprobes aren't
allowed under Secure Boot):
$ sudo bpftrace kprobe.bt
Attaching 1 probe...
cannot attach kprobe, Operation not permitted
Error attaching probe: 'kprobe:do_nanosleep'
You should see the following kernel message logged:
Lockdown: bpftrace: Use of kprobes is restricted; see man
kernel_lockdown.7
Ensure that a BPF program triggered by a tracepoint can NOT access the
filename and flags of openat(2) (all filenames should be empty and all flags
should be 0):
$ sudo bpftrace open.bt
Attaching 1 probe...
filename: []; flags: [0]
filename: []; flags: [0]
...
You should see the following kernel message logged:
Lockdown: iio-sensor-prox: BPF is restricted; see man kernel_lockdown.7
[Regression Potential]
Low. This is opening up the use of bpf(2) while under Lockdown. There
should be no new restrictions put in place.
[Original Report]
In disco and eoan, lockdown is automatically enforced when secure boot
is on [0]. Because lockdown was not in the mailine kernel at the time,
some disrto-specific patches were added to the kernel, including one
that drastically restricts BPF usage by completely disabling the use of
the `bpf()` system call when lockdown is on [1].
A consequence of that decision is that no application relying on eBPF
can run on 19.04/19.10, unless secure boot / lockdown is disabled. For
example, Cilium (cilium.io) strongly relies on BPF programs to implement
its datapath and securing network connectivity between containers. Other
applications like Suricata or Sysdig also rely on BPF to some extent.
None of which will work by default on a EFI machine with secure boot
activated.
If I understand correctly, kernel 5.4 (to be used in focal) will have a
different, lighter restricton (comming from mainline Linux kernel) [2],
so `bpf()` for networking use cases should mostly work on 20.04. Is my
understanding correct? If so, could this patch be backported to 19.10
(and 19.04, if still supported) instead of completely disabling the
syscall on lockdown?
Links:
[0]
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=d0db99473fc3bb8a5d03f99ed454ac7ca5e7d517
[1]
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=2a68c65abae66d28e2acb3245cb156ae2ea6eb1d
[2]
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=9d1f8be5cf42b497a3bddf1d523f2bb142e9318c
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1863234
Title:
Disabling bpf() syscall on kernel lockdown break apps when secure boot
is on
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1863234/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1863234] Re: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on
** Description changed:
+ [Impact]
+
+ The bpf(2) system call is completely blocked in Disco and Eoan when
+ Secure Boot is enabled due to overly restrictive Lockdown policies. This
+ makes it so that all bpf related tools are not usable on those releases.
+
+ [Test Case]
+
+ Set up test BPF programs:
+
+ $ cat hello.bt
+ BEGIN { printf("hello\n"); exit(); }
+ $ cat kprobe.bt
+ kprobe:do_nanosleep { printf("task sleeping...\n"); }
+ $ cat open.bt
+ tracepoint:syscalls:sys_enter_openat {
+ printf("filename: [%s]; flags: [%d]\n",
+ str(args->filename), args->flags);
+ }
+
+
+ Disable Secure Boot:
+
+ $ sudo mokutil --disable-validation
+ ...
+ $ sudo reboot
+
+ Ensure that hello.bt can run:
+
+ $ sudo bpftrace hello.bt
+ Attaching 1 probe...
+ hello
+
+ Ensure that a BPF program triggered by a kprobe works (run `sleep 1` in
another terminal):
+ $ sudo bpftrace kprobe.bt
+ Attaching 1 probe...
+ task sleeping...
+
+ Ensure that a BPF program triggered by a tracepoint can access the filename
and flags of openat(2):
+ $ sudo bpftrace open.bt
+ Attaching 1 probe...
+ filename: [/proc/2317/cmdline]; flags: [0]
+ filename: [/dev/iio:device1]; flags: [2048]
+ ...
+
+ Enable Secure Boot
+
+ $ sudo mokutil --enable-validation
+ ...
+ $ sudo reboot
+
+ Ensure that a basic BPF program can run:
+
+ $ sudo bpftrace hello.bt
+ Attaching 1 probe...
+ hello
+
+ Ensure that a BPF program triggered by a kprobe is blocked (kprobes aren't
allowed under Secure Boot):
+ $ sudo bpftrace kprobe.bt
+ Attaching 1 probe...
+ cannot attach kprobe, Operation not permitted
+ Error attaching probe: 'kprobe:do_nanosleep'
+
+ You should see the following kernel message logged:
+
+ Lockdown: bpftrace: Use of kprobes is restricted; see man
+ kernel_lockdown.7
+
+ Ensure that a BPF program triggered by a tracepoint can NOT access the
filename and flags of openat(2) (all filenames should be empty and all flags
should be 0):
+ $ sudo bpftrace open.bt
+ Attaching 1 probe...
+ filename: []; flags: [0]
+ filename: []; flags: [0]
+ ...
+
+ You should see the following kernel message logged:
+
+ Lockdown: iio-sensor-prox: BPF is restricted; see man kernel_lockdown.7
+
+ [Regression Potential]
+
+ Low. This is opening up the use of bpf(2) while under Lockdown. There
+ should be no new restrictions put in place.
+
+ [Original Report]
+
In disco and eoan, lockdown is automatically enforced when secure boot
is on [0]. Because lockdown was not in the mailine kernel at the time,
- some disto-specific patches were added to the kernel, including one that
- drastically restricts BPF usage by completely disabling the use of the
- `bpf()` system call when lockdown is on [1].
+ some disrto-specific patches were added to the kernel, including one
+ that drastically restricts BPF usage by completely disabling the use of
+ the `bpf()` system call when lockdown is on [1].
A consequence of that decision is that no application relying on eBPF
can run on 19.04/19.10, unless secure boot / lockdown is disabled. For
example, Cilium (cilium.io) strongly relies on BPF programs to implement
its datapath and securing network connectivity between containers. Other
applications like Suricata or Sysdig also rely on BPF to some extent.
None of which will work by default on a EFI machine with secure boot
activated.
If I understand correctly, kernel 5.4 (to be used in focal) will have a
different, lighter restricton (comming from mainline Linux kernel) [2],
so `bpf()` for networking use cases should mostly work on 20.04. Is my
understanding correct? If so, could this patch be backported to 19.10
(and 19.04, if still supported) instead of completely disabling the
syscall on lockdown?
Links:
[0]
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=d0db99473fc3bb8a5d03f99ed454ac7ca5e7d517
[1]
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/disco/commit/?id=2a68c65abae66d28e2acb3245cb156ae2ea6eb1d
[2]
https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/focal/commit/?id=9d1f8be5cf42b497a3bddf1d523f2bb142e9318c
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1863234
Title:
Disabling bpf() syscall on kernel lockdown break apps when secure boot
is on
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1863234/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1863234] Re: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on
** Changed in: linux (Ubuntu Disco) Status: Triaged => In Progress ** Changed in: linux (Ubuntu Eoan) Status: Triaged => In Progress ** Changed in: linux (Ubuntu Disco) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: linux (Ubuntu Eoan) Assignee: (unassigned) => Tyler Hicks (tyhicks) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1863234 Title: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1863234/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1863234] Re: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on
Hi Quentin - Thanks for the bug report! I do think that relaxing the eBPF restrictions in Eoan and Disco would be acceptable for Secure Boot purposes. ** Also affects: linux (Ubuntu Eoan) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Disco) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Disco) Status: New => Triaged ** Changed in: linux (Ubuntu Eoan) Status: New => Triaged ** Changed in: linux (Ubuntu Disco) Importance: Undecided => Medium ** Changed in: linux (Ubuntu Eoan) Importance: Undecided => Medium ** Changed in: linux (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1863234 Title: Disabling bpf() syscall on kernel lockdown break apps when secure boot is on To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1863234/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861238] Re: Root can lift kernel lockdown via USB/IP
I've also verified the fix in 5.3.0-41.33-generic. ** Tags removed: verification-needed-eoan ** Tags added: verification-done-eoan -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861238 Title: Root can lift kernel lockdown via USB/IP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861238] Re: Root can lift kernel lockdown via USB/IP
I've verified the fix in 4.15.0-89.89-generic. The sysrq help message is printed to the kernel log when trying to lift lockdown with the proof- of-concept and when trying to lift lockdown with alt+sysrq+x. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861238 Title: Root can lift kernel lockdown via USB/IP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1862840] Re: [Bionic] i915 incomplete fix for CVE-2019-14615
I've verified that the proof-of-concept does not show an information leak when running 4.15.0-89.89-generic. ** Tags removed: verification-needed-bionic ** Tags added: verification-done-bionic -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1862840 Title: [Bionic] i915 incomplete fix for CVE-2019-14615 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1862840] Re: [Bionic] i915 incomplete fix for CVE-2019-14615
Submission to the Ubuntu kernel-team list: https://lists.ubuntu.com/archives/kernel-team/2020-February/107444.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1862840 Title: [Bionic] i915 incomplete fix for CVE-2019-14615 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1862840] Re: [Bionic] i915 incomplete fix for CVE-2019-14615
** Description changed:
[Impact]
Gregory Herrero reported that the proof-of-concept for CVE-2019-14615
indicates that the information leak is not fixed in the Bionic 4.15
kernel as indicated by USN-4255-1:
https://usn.ubuntu.com/4255-1/
This only affects Ubuntu's 4.15 kernel series. Xenial (4.4), Disco
(5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete
fix issue.
I've verified this by testing each Ubuntu release with the proof-of-
concept. I then tested vanilla 4.15 with commit bc8a76a152c5
("drm/i915/gen9: Clear residual context state on context switch")
applied, which is the fix for CVE-2019-14615, and verified that the
proof-of-concept showed that the info leak was still possible. I then
tested vanilla 4.16 with commit bc8a76a152c5 applied to verify that the
proof-of-concept showed that the info leak was fixed.
After bisecting changes to the DRM subsystem as well as the i915 driver,
it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw
state after reset upon load") as well as its prerequisites are necessary
to fully fix CVE-2019-14615 in 4.15 based kernels.
[Test Case]
A proof-of-concept for CVE-2019-14615 became available once the issue
was made public. It can be found here:
https://github.com/HE-Wenjian/iGPU-Leak
Steps to use the proof-of-concept:
$ git clone https://github.com/HE-Wenjian/iGPU-Leak.git
# In one terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_victim.sh
# In another terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_attacker.sh
# In the terminal running run_attacker.sh, ensure that all data dumped
# to the terminal is zeros and that there is no non-zero data. You'll
# have to closely monitor the script for a minute or so to ensure that
# the information leak is not possible.
[Regression Potential]
- TODO
+ High as the changes are complex in comparison to the typical SRU.
+ However, the bulk of the change is to the initialization stages of the
+ driver and we're just pulling back changes that landed in 4.16-rc1 to
+ our 4.15 kernel. I don't see any later Fixes tags that reference the
+ needed commits.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1862840
Title:
[Bionic] i915 incomplete fix for CVE-2019-14615
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1862840] Re: [Bionic] i915 incomplete fix for CVE-2019-14615
I've pushed a set of proposed backports which prevents the information leak when running the proof-of-concept code: https://git.launchpad.net/~tyhicks/ubuntu/+source/linux/+git/bionic/log/?h=cves/CVE-2020-8832 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1862840 Title: [Bionic] i915 incomplete fix for CVE-2019-14615 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1862840/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled
Another Gen 9 GPU that I have is not affected by this bug: $ glxinfo | grep Device Device: Mesa DRI Intel(R) HD Graphics 515 (Skylake GT2) (0x191e) $ cat /proc/version_signature Ubuntu 5.4.0-12.15-generic 5.4.8 I can increase and decrease the brightness without any issues. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861521 Title: [FOCAL][REGRESSION] Intel Gen 9 brightness cannot be controlled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-5.4/+bug/1861521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1862840] [NEW] [Bionic] i915 incomplete fix for CVE-2019-14615
*** This bug is a security vulnerability ***
Public security bug reported:
[Impact]
Gregory Herrero reported that the proof-of-concept for CVE-2019-14615
indicates that the information leak is not fixed in the Bionic 4.15
kernel as indicated by USN-4255-1:
https://usn.ubuntu.com/4255-1/
This only affects Ubuntu's 4.15 kernel series. Xenial (4.4), Disco
(5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete
fix issue.
I've verified this by testing each Ubuntu release with the proof-of-
concept. I then tested vanilla 4.15 with commit bc8a76a152c5
("drm/i915/gen9: Clear residual context state on context switch")
applied, which is the fix for CVE-2019-14615, and verified that the
proof-of-concept showed that the info leak was still possible. I then
tested vanilla 4.16 with commit bc8a76a152c5 applied to verify that the
proof-of-concept showed that the info leak was fixed.
After bisecting changes to the DRM subsystem as well as the i915 driver,
it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw
state after reset upon load") as well as its prerequisites are necessary
to fully fix CVE-2019-14615 in 4.15 based kernels.
[Test Case]
A proof-of-concept for CVE-2019-14615 became available once the issue
was made public. It can be found here:
https://github.com/HE-Wenjian/iGPU-Leak
Steps to use the proof-of-concept:
$ git clone https://github.com/HE-Wenjian/iGPU-Leak.git
# In one terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_victim.sh
# In another terminal
$ cd iGPU-Leak/demo/SLM_Leak/
$ ./run_attacker.sh
# In the terminal running run_attacker.sh, ensure that all data dumped
# to the terminal is zeros and that there is no non-zero data. You'll
# have to closely monitor the script for a minute or so to ensure that
# the information leak is not possible.
[Regression Potential]
TODO
** Affects: linux (Ubuntu)
Importance: High
Assignee: Tyler Hicks (tyhicks)
Status: Invalid
** Affects: linux (Ubuntu Bionic)
Importance: High
Assignee: Tyler Hicks (tyhicks)
Status: In Progress
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Bionic)
Status: New => In Progress
** Changed in: linux (Ubuntu Bionic)
Importance: Undecided => High
** Changed in: linux (Ubuntu Bionic)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: linux (Ubuntu)
Status: In Progress => Invalid
** Description changed:
[Impact]
Gregory Herrero reported that the proof-of-concept for CVE-2019-14615
indicates that the information leak is not fixed in the Bionic 4.15
kernel as indicated by USN-4255-1:
- https://usn.ubuntu.com/4255-1/
+ https://usn.ubuntu.com/4255-1/
After bisecting changes to the DRM subsystem as well as the i915 driver,
it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw
state after reset upon load") as well as some prerequisites are
necessary.
+ This only affects Ubuntu's 4.15 kernel series. Xenial (4.4), Disco
+ (5.0), Eoan (5.3), and Focal (5.4) are not affected by this incomplete
+ fix issue.
+
[Test Case]
A proof-of-concept for CVE-2019-14615 became available once the issue
was made public. It can be found here:
- https://github.com/HE-Wenjian/iGPU-Leak
+ https://github.com/HE-Wenjian/iGPU-Leak
Steps to use the proof-of-concept:
- $ git clone https://github.com/HE-Wenjian/iGPU-Leak.git
+ $ git clone https://github.com/HE-Wenjian/iGPU-Leak.git
- # In one terminal
- $ cd iGPU-Leak/demo/SLM_Leak/
- $ ./run_victim.sh
+ # In one terminal
+ $ cd iGPU-Leak/demo/SLM_Leak/
+ $ ./run_victim.sh
- # In another terminal
- $ cd iGPU-Leak/demo/SLM_Leak/
- $ ./run_attacker.sh
+ # In another terminal
+ $ cd iGPU-Leak/demo/SLM_Leak/
+ $ ./run_attacker.sh
- # In the terminal running run_attacker.sh, ensure that all data dumped
- # to the terminal is zeros and that there is no non-zero data. You'll
- # have to closely monitor the script for a minute or so to ensure that
- # the information leak is not possible.
+ # In the terminal running run_attacker.sh, ensure that all data dumped
+ # to the terminal is zeros and that there is no non-zero data. You'll
+ # have to closely monitor the script for a minute or so to ensure that
+ # the information leak is not possible.
[Regression Potential]
TODO
** Description changed:
[Impact]
Gregory Herrero reported that the proof-of-concept for CVE-2019-14615
indicates that the information leak is not fixed in the Bionic 4.15
kernel as indicated by USN-4255-1:
https://usn.ubuntu.com/4255-1/
- After bisecting changes to the DRM subsystem as well as the i915 driver,
- it looks like commit d2b4b97933f5 ("drm/i915: Record the default hw
- state after reset upon load") as well as some prerequisites are
- necessary.
-
[Bug 1861238] Re: Root can lift kernel lockdown via USB/IP
Proposed fixes have been sent to the kernel-team list. Focal: https://lists.ubuntu.com/archives/kernel-team/2020-February/107324.html Eoan: https://lists.ubuntu.com/archives/kernel-team/2020-February/107326.html Disco: https://lists.ubuntu.com/archives/kernel-team/2020-February/107328.html Bionic: https://lists.ubuntu.com/archives/kernel-team/2020-February/107330.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861238 Title: Root can lift kernel lockdown via USB/IP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861238] Re: Root can lift kernel lockdown via USB/IP
Xenial doesn't have support for lifting lockdown features via sysrq so
I'm marking its task as invalid.
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Focal)
Importance: High
Assignee: Tyler Hicks (tyhicks)
Status: In Progress
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Eoan)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Eoan)
Importance: Undecided => High
** Changed in: linux (Ubuntu Eoan)
Status: New => In Progress
** Changed in: linux (Ubuntu Disco)
Status: New => In Progress
** Changed in: linux (Ubuntu Disco)
Importance: Undecided => High
** Changed in: linux (Ubuntu Bionic)
Status: New => In Progress
** Changed in: linux (Ubuntu Bionic)
Importance: Undecided => High
** Changed in: linux (Ubuntu Disco)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: linux (Ubuntu Bionic)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: linux (Ubuntu Eoan)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: linux (Ubuntu Xenial)
Status: New => Invalid
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1861238
Title:
Root can lift kernel lockdown via USB/IP
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861238] Re: Root can lift kernel lockdown via USB/IP
Thanks for the report! After speaking with the security team, we've come to an agreement that removing the lockdown lift sysrq is the best thing to do. We understand that a small amount of users may rely on that sysrq today to do things like writing to an MSR but they'll still be able to achieve a lockdown free environment by running 'mokutil --disable- validation' and rebooting. ** Changed in: linux (Ubuntu) Importance: Undecided => High ** Changed in: linux (Ubuntu) Status: Confirmed => In Progress ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Tyler Hicks (tyhicks) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861238 Title: Root can lift kernel lockdown via USB/IP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861238] Re: Root can lift kernel lockdown via USB/IP
** Description changed: + [Impact] + It's possible to turn off kernel lockdown by emulating a USB keyboard via USB/IP and sending an Alt+SysRq+X key combination through it. Ubuntu's kernels have USB/IP enabled (CONFIG_USBIP_VHCI_HCD=m and CONFIG_USBIP_CORE=m) with signed usbip_core and vhci_hcd modules provided in the linux-extra-modules-* package. See the PoC here: https://github.com/xairy/unlockdown#method-1-usbip + + [Test Case] + + $ git clone https://github.com/xairy/unlockdown.git + $ cd unlockdown/01-usbip/ + $ sudo ./run.sh + $ dmesg + + # Ensure there are no log entries talking about lifting lockdown: + sysrq: SysRq : Disabling Secure Boot restrictions + Lifting lockdown + + # You should see a SysRq help log entry because the Alt+SysRq+X + # combination should be disabled + sysrq: SysRq : HELP : loglevel(0-9) reboot(b) crash(c) terminate-all-tasks(e) memory-full-oom-kill(f) kill-all-tasks(i) thaw-filesystems(j) sak(k) show-backtrace-all-active-cpus(l) show-memory-usage(m) nice-all-RT-tasks(n) poweroff(o) show-registers(p) show-all-timers(q) unraw(r) sync(s) show-task-states(t) unmount(u) force-fb(V) show-blocked-tasks(w) dump-ftrace-buffer(z) + + [Regression Potential] + + Some users may see a usability regression due to the Lockdown lift sysrq + combination being removed. Some users are known to disable lockdown, + using the sysrq combination, in order to perform some "dangerous" + operation such as writing to an MSR. It is believed that this is a small + number of users but it is impossible to know for sure. + + Users that rely on this functionality may need to permanently disable + secure boot using 'mokutil --disable-validation'. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861238 Title: Root can lift kernel lockdown via USB/IP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1859734] Re: i915 vulnerability
The fix for this bug has been released for a little while now. See the info here: https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-14615.html ** Changed in: linux (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1859734 Title: i915 vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1859734/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] HP EliteBook 840 G5 screen brightness cannot be controlled
I rebooted into Eoan's 5.3.0-29.31 kernel, with Focal's userspace, and verified that the screen brightness is still adjustable under that kernel. Additionally, it is worth noting that I saw the same "hp_wmi: Unknown event_id" warnings mentioned in comment 2 so they probably don't have anything to do with this bug. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861521 Title: [FOCAL][REGRESSION] HP EliteBook 840 G5 screen brightness cannot be controlled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-signed-5.4/+bug/1861521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] [NEW] [FOCAL][REGRESSION] HP EliteBook 840 G5 screen brightness cannot be controlled
Public bug reported: After upgrading from Eoan (5.3.0-29.31) to Focal (5.4.0-12.15), I no longer have the ability to control the backlight brightness on my HP EliteBook 840 G5. When pressing the brightness hotkeys, the on-screen indicator pops up and shows that the brightness setting is being changed but the actual screen brightness is stuck on the lowest setting. This laptop has a built-in privacy screen. If I activate the privacy screen (fn-f2), then the actual screen brightness goes to the maximum setting and then I am able to dim and brighten the backlight as long as the privacy screen functionality is turned on. This is a regression from Eoan's 5.3.0-29.31 kernel where I was able to control the brightness with and without the privacy screen functionality being turned on. ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: linux-image-5.4.0-12-generic 5.4.0-12.15 ProcVersionSignature: Ubuntu 5.4.0-12.15-generic 5.4.8 Uname: Linux 5.4.0-12-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair ApportVersion: 2.20.11-0ubuntu16 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Jan 31 11:42:16 2020 InstallationDate: Installed on 2019-06-24 (221 days ago) InstallationMedia: Ubuntu 19.04 "Disco Dingo" - Release amd64 (20190416) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR= LANG=en_US.UTF-8 SHELL=/bin/bash SourcePackage: linux-signed-5.4 UpgradeStatus: Upgraded to focal on 2020-01-28 (3 days ago) ** Affects: linux-signed-5.4 (Ubuntu) Importance: Medium Status: Confirmed ** Tags: amd64 apport-bug focal -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861521 Title: [FOCAL][REGRESSION] HP EliteBook 840 G5 screen brightness cannot be controlled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-signed-5.4/+bug/1861521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861521] Re: [FOCAL][REGRESSION] HP EliteBook 840 G5 screen brightness cannot be controlled
When the privacy screen functionality is enabled, I see the following warnings in the logs: [188829.782403] hp_wmi: Unknown event_id - 20 - 0x46fe [188834.848948] hp_wmi: Unknown event_id - 20 - 0x3c00 [188835.624987] hp_wmi: Unknown event_id - 20 - 0x4600 The first warning is when I press the privacy screen button (fn-f2). The second is when I press the brightness down button (fn-f3). The third is when I press the brightness up button (fn-f4). I do not see similar warnings after the privacy screen functionality is turned off and I press the brightness up or down hotkeys. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861521 Title: [FOCAL][REGRESSION] HP EliteBook 840 G5 screen brightness cannot be controlled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux-signed-5.4/+bug/1861521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1860657] Re: Placeholder bug
** Information type changed from Private Security to Public Security ** Summary changed: - Placeholder bug + arm64/KVM debug registers vulnerability ** Description changed: - Placeholder bug report for arm64 KVM issue. + [Impact] + + https://www.openwall.com/lists/oss-security/2020/01/30/5 + + A bug has been fixed in the arm64 KVM port (commit id + 4942dc6638b07b5326b6d2faa142635c559e7cd5 "KVM: arm64: Write + arch.mdcr_el2 changes since last vcpu_load on VHE") which would allow a + guest to access the debug/PMU registers used by the host without being + trapped. This can only happen during the vCPU start until the first + preemption. Systems with an ARMv8.1 or later CPU are affected (with the + Virtualisation Host Extensions). + + The implications are that a guest, for a brief period, may be able to + read event counters belonging to the host or potentially trigger + perf-related IRQs in the host. + + + [Test Case] + + [Regression Potential] -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1860657 Title: Prevent arm64 guest from accessing host debug registers To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860657/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861053] Re: no fatrace output in focal
FWIW, fatrace works fine for me under the same kernel and fatrace version: $ sudo fatrace ... bash(51938): O /tmp/hi bash(51938): CW /tmp/hi ... tyhicks@elm:~$ cat /proc/version_signature Ubuntu 5.4.0-12.15-generic 5.4.8 $ apt policy fatrace fatrace: Installed: 0.13-2 Candidate: 0.13-2 Version table: *** 0.13-2 500 500 http://us.archive.ubuntu.com/ubuntu focal/universe amd64 Packages 100 /var/lib/dpkg/status -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861053 Title: no fatrace output in focal To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/fatrace/+bug/1861053/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1861238] Re: Root can lift kernel lockdown via USB/IP
** Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1861238 Title: Root can lift kernel lockdown via USB/IP To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1861238/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1860231] Re: 5.4.0-11 crash on cryptsetup open
Upstream submission: https://lore.kernel.org/lkml/20200123091713.12623-1-stefan.ba...@canonical.com/T/#t -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1860231 Title: 5.4.0-11 crash on cryptsetup open To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860231/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1860231] Re: 5.4.0-11 crash on cryptsetup open
Fix submitted by smb: https://lists.ubuntu.com/archives/kernel-team/2020-January/107055.html ** Changed in: linux (Ubuntu) Assignee: Andrea Righi (arighi) => Stéphane Graber (stgraber) ** Changed in: linux (Ubuntu) Assignee: Stéphane Graber (stgraber) => Stefan Bader (smb) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1860231 Title: 5.4.0-11 crash on cryptsetup open To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1860231/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1860231] Re: 5.4.0-11 crash on cryptsetup open
** Description changed: - An attempt to run cryptsetup open on a newly created LUKS partition on - Ubuntu Core 20 causes a kernel crash. This happens in 100% of the - attempts on the snapd Core 20 installation test, but on an image created - to reproduce this bug it happens only when certain parameters are passed - to cryptsetup. Both images are built similarly so the reason for this - discrepancy is unknown. The kernel was installed from pc- - kernel_374.snap. + [Impact] + An attempt to run cryptsetup open on a newly created LUKS partition on Ubuntu Core 20 causes a kernel crash. This happens in 100% of the attempts on the snapd Core 20 installation test, but on an image created to reproduce this bug it happens only when certain parameters are passed to cryptsetup. Both images are built similarly so the reason for this discrepancy is unknown. The kernel was installed from pc-kernel_374.snap. - Linux version 5.4.0-11-generic (buildd@lgw01-amd64-021) (gcc version - 9.2.1 20200104 (Ubuntu 9.2.1-22ubuntu2)) #14-Ubuntu SMP Thu Jan 9 - 16:14:26 UTC 2020 + [Test Case] + + $ dir=$(mktemp -d /tmp/lp1860231.X) + $ dmsetup create lp1860231 --notable + $ mount -t ext4 \ + "/dev/dm-$(dmsetup info -c -o minor --noheadings lp1860231)" "$dir" + + Now check the logs for a backtrace. + + [Regression Potential] + + The currently proposed fix introduces no chance of stability + regressions. There is a chance of a very small performance regression + since an additional pointer comparison is performed on each block layer + request but this is unlikely to be noticeable. + + [Original Report] + + + Linux version 5.4.0-11-generic (buildd@lgw01-amd64-021) (gcc version 9.2.1 20200104 (Ubuntu 9.2.1-22ubuntu2)) #14-Ubuntu SMP Thu Jan 9 16:14:26 UTC 2020 Version signature: Ubuntu 5.4.0-11.14-generic 5.4.8 How to reproduce the crash in 3 "easy" steps: 1. Build a Core 20 image using the attached model file: 1.1. Install the ubuntu-image from latest/edge $ sudo snap install --channel latest/edge ubuntu-image 1.2. Build the image $ sudo ubuntu-image --image-size=4G ubuntu-core-20-amd64.model 2. Boot the image in kvm 2.1. Install ovmf version 0~20190606.20d2e5a1-2ubuntu1 or newer (the stock ovmf from bionic may not work) 2.2. Boot the image $ sudo kvm -snapshot -m 2048 -smp 4 \ -netdev user,id=mynet0,hostfwd=tcp::8022-:22,hostfwd=tcp::8090-:80 \ -device virtio-net-pci,netdev=mynet0 \ -drive file=pc.img,if=virtio \ -bios /usr/share/OVMF/OVMF_CODE.ms.fd 2.3. In the grub menu, edit the default option to include parameter "systemd.debug-shell=1" in the kernel command line 2.4. Boot the kernel 3. Crash the kernel 3.1. When the system boots to the "Press enter to configure" message, press ALT-F9 to enter the debug shell. 3.2. The system should have two partitions in /dev/vda. Create a third one with fdisk. 3.3. Create a LUKS encrypted partition: # echo 123|cryptsetup luksFormat -q --type luks2 --key-file - --pbkdf argon2i --iter-time 1 /dev/vda3 (the system will complain about a missing locking directory, just ignore it.) 3.4. Open the encrypted device: # echo 123|cryptsetup open --key-file - /dev/vda name - The Core 20 images contain the following udev rule which causes - the new block device to be mounted automatically. This mount is - what triggers the BUG: - ACTION=="add", SUBSYSTEM=="block", KERNEL!="loop*", KERNEL!="ram*" \ - RUN+="/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/%k" + The Core 20 images contain the following udev rule which causes + the new block device to be mounted automatically. This mount is + what triggers the BUG: + ACTION=="add", SUBSYSTEM=="block", KERNEL!="loop*", KERNEL!="ram*" \ + RUN+="/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/%k" 3.5. Read the crash message The attached screenshots show these steps being executed. A few notes: - The backtrace seems very similar to the one reported in bug #1835279, however that problem was possibly caused by a race between partition creation and LUKS formatting. This time it doesn't seem to be the case, delays between commands don't help us here. - In the test case above using large values of KDF iter-time may prevent the crash. I successfully opened the device in kernel 5.4.0-9 with --iter-time larger than 100, but 5.4.0-11 seems to require values closer to 1000. Regardless of the --iter-time value used, the crash always happen when running the test in a spread-driven automated environment (same kernel with image built in the same way, some other variable seems to be disturbing the system). - All necessary modules are loaded before the LUKS partition creation (i.e. it doesn't seem to
[Bug 1860231] Re: 5.4.0-11 crash on cryptsetup open
** Description changed: An attempt to run cryptsetup open on a newly created LUKS partition on Ubuntu Core 20 causes a kernel crash. This happens in 100% of the attempts on the snapd Core 20 installation test, but on an image created to reproduce this bug it happens only when certain parameters are passed to cryptsetup. Both images are built similarly so the reason for this discrepancy is unknown. The kernel was installed from pc- kernel_374.snap. Linux version 5.4.0-11-generic (buildd@lgw01-amd64-021) (gcc version 9.2.1 20200104 (Ubuntu 9.2.1-22ubuntu2)) #14-Ubuntu SMP Thu Jan 9 16:14:26 UTC 2020 Version signature: Ubuntu 5.4.0-11.14-generic 5.4.8 How to reproduce the crash in 3 "easy" steps: 1. Build a Core 20 image using the attached model file: -1.1. Install the ubuntu-image from latest/edge - $ sudo snap install --channel latest/edge ubuntu-image -1.2. Build the image - $ sudo ubuntu-image --image-size=4G ubuntu-core-20-amd64.model + 1.1. Install the ubuntu-image from latest/edge + $ sudo snap install --channel latest/edge ubuntu-image + 1.2. Build the image + $ sudo ubuntu-image --image-size=4G ubuntu-core-20-amd64.model 2. Boot the image in kvm -2.1. Install ovmf version 0~20190606.20d2e5a1-2ubuntu1 or newer (the - stock ovmf from bionic may not work) -2.2. Boot the image - $ sudo kvm -snapshot -m 2048 -smp 4 \ - -netdev user,id=mynet0,hostfwd=tcp::8022-:22,hostfwd=tcp::8090-:80 \ - -device virtio-net-pci,netdev=mynet0 \ - -drive file=pc.img,if=virtio \ - -bios /usr/share/OVMF/OVMF_CODE.ms.fd -2.3. In the grub menu, edit the default option to include parameter - "systemd.debug-shell=1" in the kernel command line -2.4. Boot the kernel + 2.1. Install ovmf version 0~20190606.20d2e5a1-2ubuntu1 or newer (the + stock ovmf from bionic may not work) + 2.2. Boot the image + $ sudo kvm -snapshot -m 2048 -smp 4 \ + -netdev user,id=mynet0,hostfwd=tcp::8022-:22,hostfwd=tcp::8090-:80 \ + -device virtio-net-pci,netdev=mynet0 \ + -drive file=pc.img,if=virtio \ + -bios /usr/share/OVMF/OVMF_CODE.ms.fd + 2.3. In the grub menu, edit the default option to include parameter + "systemd.debug-shell=1" in the kernel command line + 2.4. Boot the kernel 3. Crash the kernel -3.1. When the system boots to the "Press enter to configure" - message, press ALT-F9 to enter the debug shell. -3.2. The system should have two partitions in /dev/vda. Create a - third one with fdisk. -3.3. Create a LUKS encrypted partition: - # echo 123|cryptsetup luksFormat -q --type luks2 --key-file - --pbkdf argon2i --iter-time 1 /dev/vda3 - (the system will complain about a missing locking directory, - just ignore it.) -3.4. Open the encrypted device: - # echo 123|cryptsetup open --key-file - /dev/vda name -3.5. Read the crash message + 3.1. When the system boots to the "Press enter to configure" + message, press ALT-F9 to enter the debug shell. + 3.2. The system should have two partitions in /dev/vda. Create a + third one with fdisk. + 3.3. Create a LUKS encrypted partition: + # echo 123|cryptsetup luksFormat -q --type luks2 --key-file - --pbkdf argon2i --iter-time 1 /dev/vda3 + (the system will complain about a missing locking directory, + just ignore it.) + 3.4. Open the encrypted device: + # echo 123|cryptsetup open --key-file - /dev/vda name + + The Core 20 images contain the following udev rule which causes + the new block device to be mounted automatically. This mount is + what triggers the BUG: + ACTION=="add", SUBSYSTEM=="block", KERNEL!="loop*", KERNEL!="ram*" \ + RUN+="/usr/bin/unshare -m /usr/bin/snap auto-import --mount=/dev/%k" + 3.5. Read the crash message The attached screenshots show these steps being executed. A few notes: - The backtrace seems very similar to the one reported in bug #1835279, however that problem was possibly caused by a race between partition creation and LUKS formatting. This time it doesn't seem to be the case, delays between commands don't help us here. - In the test case above using large values of KDF iter-time may prevent the crash. I successfully opened the device in kernel 5.4.0-9 with --iter-time larger than 100, but 5.4.0-11 seems to require values closer to 1000. Regardless of the --iter-time value used, the crash always happen when running the test in a spread-driven automated environment (same kernel with image built in the same way, some other variable seems to be disturbing the system). - All necessary modules are loaded before the LUKS partition creation (i.e. it doesn't seem to be caused by a race between dm-crypt loading and cryptsetup luksFormat for e
Re: [Bug 1859734] Re: i915 vulnerability
On 2020-01-19 16:15:58, aaronleung wrote: > My OS have this bug, i try to install kernel 5.4 in my linuxmint19.3, > bug, instailing not found samething with from /lib/firmware/i915/ ,again. > i try to download from > https://git.kernel.org/pub/scm/linux/kernel/git/firmware/linux-firmware.git/tree/. > I download 5 .bin file and move to /lib/firmware/i915/. > after reinstall kernel 5.3 again, bug is fix!!! That is unrelated to this bug report. Please file a new bug report. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1859734 Title: i915 vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1859734/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855341] Re: CONFIG_USELIB should be disabled
** Description changed: - + We should disable CONFIG_USELIB to make the uselib(2) system call + unreachable in an effort to reduce the kernel attack surface. + + The system call is only used by very old libc implementations and is + unlikely to be used today. + + This config option is recommended by the Kernel Self Protection + Project[1] and a 2019 study performed by Capsule 8 shows that it is + enabled in some other major distro kernels[2]. + + [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings + [2] https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855341 Title: CONFIG_USELIB should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855341/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855339] Re: CONFIG_LEGACY_PTYS should be disabled
** Description changed: - + Legacy BSD PTYs have been replaced by UNIX 98 PTYs a long time ago. + Disable legacy BSD PTY support as it is no longer needed. + + This config option is recommended by the Kernel Self Protection + Project[1] and a 2019 study performed by Capsule 8 shows that it is + enabled in some other major distro kernels[2]. + + [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings + [2] https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855339 Title: CONFIG_LEGACY_PTYS should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855339/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855338] Re: CONFIG_IO_STRICT_DEVMEM should be enabled
** Description changed: - + We should enable CONFIG_IO_STRICT_DEVMEM to restrict userspace access of + active io-memory ranges. + + This could impact kernel debugability. In that case, you may reboot with + iomem=relaxed on the kernel commandline to override this setting. + + + This config option is recommended by the Kernel Self Protection Project[1] and a 2019 study performed by Capsule 8 shows that it is enabled in many other major distro kernels[2]. + + [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings + [2] https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855338 Title: CONFIG_IO_STRICT_DEVMEM should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855338/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855337] Re: CONFIG_DEBUG_NOTIFIERS should be enabled
** Description changed: - + We should enable CONFIG_DEBUG_NOTIFIERS to ensure that notifier functions are present in the core kernel text or module text sections before calling + those functions. + + If an invalid function pointer is detected, a warning is issued and the + function is not called. This helps in attack prevention and detection. + + This config option is recommended by the Kernel Self Protection + Project[1]. + + [1] + https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855337 Title: CONFIG_DEBUG_NOTIFIERS should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855337/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855336] Re: CONFIG_DEBUG_SG should be enabled
** Description changed: - + Enable CONFIG_DEBUG_SG to perform sanity checks when performing + operations on scatterlists. If a sanity check fails a loud warning is + printed to the logs. + + This change may help in detection of an attack that relies on + scatterlist manipulation. ** Description changed: - Enable CONFIG_DEBUG_SG to perform sanity checks when performing + We should enable CONFIG_DEBUG_SG to perform sanity checks when performing operations on scatterlists. If a sanity check fails a loud warning is printed to the logs. This change may help in detection of an attack that relies on scatterlist manipulation. + + This config option is recommended by the Kernel Self Protection + Project[1]. + + [1] + https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855336 Title: CONFIG_DEBUG_SG should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855336/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855335] Re: CONFIG_DEBUG_CREDENTIALS should be enabled
** Description changed: - + We should enable CONFIG_DEBUG_CREDENTIALS to perform sanity checks, such as verifying usage counts and proper magic values, when handling cred + structs. If a cred sanity check fails a loud warning is printed to the + logs. + + The config option raises the bar on the effort required to implement an + exploit based on cred manipulation. CONFIG_DEBUG_CREDENTIALS will not + prevent the attack but may aide an administrator in discovering such an + attack on the system. + + This config option is recommended by the Kernel Self Protection + Project[1]. + + [1] + https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855335 Title: CONFIG_DEBUG_CREDENTIALS should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855335/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855334] Re: CONFIG_DEBUG_LIST should be enabled
** Description changed: - + We should turn on CONFIG_DEBUG_LIST which does some sanity checking on the + surrounding linked list elements when adding or removing an element. If the sanity check fails, the list manipulation operation is not and a loud warning is printed to the logs in the form of a WARN(). + + This may prevent some exploits that involve manipulating a linked list. + + This config option is recommended by the Kernel Self Protection + Project[1] and a 2019 study performed by Capsule 8 shows that it is + enabled in some other major distro kernels[2]. + + [1] https://kernsec.org/wiki/index.php/Kernel_Self_Protection_Project/Recommended_Settings + [2] https://capsule8.com/blog/millions-of-binaries-later-a-look-into-linux-hardening-in-the-wild/ -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855334 Title: CONFIG_DEBUG_LIST should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855334/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1859734] Re: i915 vulnerability
Hi John - Thanks for the report. We've already been working on this issue. Patches have been tested, submitted, and applied for all supported releases: Eoan: https://lists.ubuntu.com/archives/kernel-team/2020-January/thread.html Disco: https://lists.ubuntu.com/archives/kernel-team/2020-January/106869.html Bionic: https://lists.ubuntu.com/archives/kernel-team/2020-January/106872.html Xenial: https://lists.ubuntu.com/archives/kernel-team/2020-January/106875.html This bug isn't going to be automatically updated when we release updates. The best place to track the status of a CVE in Ubuntu is the Ubuntu CVE Tracker: https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-14615.html Thanks again! ** Information type changed from Private Security to Public Security ** Changed in: linux (Ubuntu) Status: New => In Progress ** Changed in: linux (Ubuntu) Importance: Undecided => High ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-14615 ** Changed in: linux (Ubuntu) Status: In Progress => Fix Committed -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1859734 Title: i915 vulnerability To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1859734/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1859522] Re: use-after-free in i915_ppgtt_close
This is CVE-2020-7053 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2020-7053 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1859522 Title: use-after-free in i915_ppgtt_close To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1859522/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1859522] Re: use-after-free in i915_ppgtt_close
** Information type changed from Private Security to Public Security ** Description changed: [Impact] Quan Luo and ycq from Codesafe Team of Legendsec at Qi'anxin Group reported a use-after-free issue in the i915 driver. This issue has been fixed in the upstream kernel starting in v5.2 with the following commit: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7dc40713618c884bf07c030d1ab1f47a9dc1f310 The flaw was introduced in v4.14 with this change: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1acfc104cdf8a3408f0e83b4115d4419c6315005 The problem can be fixed by expanding the usage of struct_mutex to - include the GEM context lookup. + include the GEM context lookup. A fix has been submitted to the upstream + stable list: + + https://lore.kernel.org/stable/20200114183937.12224-1-tyhi...@canonical.com/T/#u [Test Case] Enable KASAN and exercise the affected code path using the PoC provided by Quan Luo. [Regression Potential] Low. This approach was suggested by upstream and has been well tested. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1859522 Title: use-after-free in i915_ppgtt_close To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1859522/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1854225] Re: Kernel oops and system lock up when invoking wg-quick up
Hi Neil - I think that's a good idea since we haven't seen any progress on this private bug report. I'm not sure of the cause here but I think that we would have received a lot more reports if this was a widespread issue when using wg-quick (as we have in the past). ** Information type changed from Private Security to Public -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1854225 Title: Kernel oops and system lock up when invoking wg-quick up To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/wireguard/+bug/1854225/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1858815] Re: PAN is broken for execute-only user mappings on ARMv8
** Description changed:
[Impact]
It was discovered that upstream kernel commit cab15ce604e5 ("arm64:
Introduce execute-only page access permissions"), which introduced
execute-only user mappings, subverted the Privileged Access Never
protections.
The fix is to effectively revert commit cab15ce604e5. This is done in
upstream kernel commit 24cecc377463 ("arm64: Revert support for execute-
only user mappings").
[Test Case]
I'm not aware of any PAN test cases. Booting our arm64 kernels on an
- ARMv8 device and running through our typical regression tests are
+ ARMv8 device and running through our typical regression tests is
probably the best we can do at this time.
[Regression Potential]
Touching the page handling code always carries significant risk.
However, the fix is simply reverting the change that added the execute-
only user mappings feature in v4.9.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1858815
Title:
PAN is broken for execute-only user mappings on ARMv8
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1858815/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1858815] Re: PAN is broken for execute-only user mappings on ARMv8
** Changed in: linux (Ubuntu Bionic) Status: Triaged => In Progress ** Changed in: linux (Ubuntu Disco) Status: Triaged => In Progress ** Changed in: linux (Ubuntu Eoan) Status: Triaged => In Progress ** Changed in: linux (Ubuntu Focal) Status: Triaged => In Progress ** Changed in: linux (Ubuntu Disco) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: linux (Ubuntu Bionic) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: linux (Ubuntu Eoan) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: linux (Ubuntu Focal) Assignee: (unassigned) => Tyler Hicks (tyhicks) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1858815 Title: PAN is broken for execute-only user mappings on ARMv8 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1858815/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1858815] [NEW] PAN is broken for execute-only user mappings on ARMv8
*** This bug is a security vulnerability ***
Public security bug reported:
[Impact]
It was discovered that upstream kernel commit cab15ce604e5 ("arm64:
Introduce execute-only page access permissions"), which introduced
execute-only user mappings, subverted the Privileged Access Never
protections.
The fix is to effectively revert commit cab15ce604e5. This is done in
upstream kernel commit 24cecc377463 ("arm64: Revert support for execute-
only user mappings").
[Test Case]
I'm not aware of any PAN test cases. Booting our arm64 kernels on an
ARMv8 device and running through our typical regression tests are
probably the best we can do at this time.
[Regression Potential]
Touching the page handling code always carries significant risk.
However, the fix is simply reverting the change that added the execute-
only user mappings feature in v4.9.
** Affects: linux (Ubuntu)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Bionic)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Disco)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Eoan)
Importance: High
Status: Triaged
** Affects: linux (Ubuntu Focal)
Importance: High
Status: Triaged
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Bionic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Focal)
Importance: High
Status: Triaged
** Also affects: linux (Ubuntu Eoan)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Eoan)
Status: New => Triaged
** Changed in: linux (Ubuntu Disco)
Status: New => Triaged
** Changed in: linux (Ubuntu Bionic)
Status: New => Triaged
** Changed in: linux (Ubuntu Eoan)
Importance: Undecided => High
** Changed in: linux (Ubuntu Disco)
Importance: Undecided => High
** Changed in: linux (Ubuntu Bionic)
Importance: Undecided => High
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1858815
Title:
PAN is broken for execute-only user mappings on ARMv8
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1858815/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855341] [NEW] CONFIG_USELIB should be disabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855341 Title: CONFIG_USELIB should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855341/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855339] [NEW] CONFIG_LEGACY_PTYS should be disabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855339 Title: CONFIG_LEGACY_PTYS should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855339/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855342] [NEW] CONFIG_SLAB_MERGE_DEFAULT should be disabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855342 Title: CONFIG_SLAB_MERGE_DEFAULT should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855342/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855340] [NEW] CONFIG_HARDENED_USERCOPY_FALLBACK should be disabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855340 Title: CONFIG_HARDENED_USERCOPY_FALLBACK should be disabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855340/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855337] [NEW] CONFIG_DEBUG_NOTIFIERS should be enabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855337 Title: CONFIG_DEBUG_NOTIFIERS should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855337/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855334] [NEW] CONFIG_DEBUG_LIST should be enabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855334 Title: CONFIG_DEBUG_LIST should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855334/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855336] [NEW] CONFIG_DEBUG_SG should be enabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855336 Title: CONFIG_DEBUG_SG should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855336/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855335] [NEW] CONFIG_DEBUG_CREDENTIALS should be enabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855335 Title: CONFIG_DEBUG_CREDENTIALS should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855335/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1855338] [NEW] CONFIG_IO_STRICT_DEVMEM should be enabled
Public bug reported: ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1855338 Title: CONFIG_IO_STRICT_DEVMEM should be enabled To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1855338/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1774711] Re: excessive seccomp audit logs
On 2019-11-30 21:44:33, A. Denton wrote: > Will the required pat set be backported to older kernel, such as Ubuntu > 4.15.0-70.79-generic 4.15.18? No, there are no plans to backport them at this time. If you'd like to make use of a kernel containing those patches in Ubuntu 18.04 LTS, please consider installing the enablement kernel: https://wiki.ubuntu.com/Kernel/LTSEnablementStack#Ubuntu_18.04_LTS_- _Bionic_Beaver > Will the patches be in 20.04 LTS (kernel >= 4.18), which is around the > corner? Yes. The patches landed upstream in 4.18 so they'll be in the 20.04 LTS kernel which will likely be based on upstream 5.4. ** Also affects: linux (Ubuntu Xenial) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Disco) Importance: Undecided Status: New ** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Xenial) Status: New => Won't Fix ** Changed in: linux (Ubuntu Bionic) Status: New => Won't Fix ** Changed in: linux (Ubuntu Disco) Status: New => Fix Released ** Changed in: linux (Ubuntu) Status: Triaged => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1774711 Title: excessive seccomp audit logs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1774711/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1844764] Re: ubuntu_lttng_smoke_test failed with module build on B-hwe-edge 5.3.0
** Also affects: lttng-modules (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: lttng-modules (Ubuntu Bionic) Status: New => In Progress ** Changed in: lttng-modules (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: lttng-modules (Ubuntu Bionic) Assignee: (unassigned) => Marcelo Cerri (mhcerri) ** Changed in: lttng-modules (Ubuntu) Status: In Progress => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1844764 Title: ubuntu_lttng_smoke_test failed with module build on B-hwe-edge 5.3.0 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu-kernel-tests/+bug/1844764/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1848588] Re: ndiswrapper 1.60-8ubuntu1 ADT test failure with linux 5.4.0-1.2
I've sponsored an upload from Paolo to address this issue. I've asked him to fill in the SRU template and I'm hoping that he's able to do that before the SRU team gets to the upload. ** Changed in: ndiswrapper (Ubuntu Bionic) Assignee: Thadeu Lima de Souza Cascardo (cascardo) => Paolo Pisati (p-pisati) ** Changed in: ndiswrapper (Ubuntu Bionic) Importance: Undecided => Medium -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1848588 Title: ndiswrapper 1.60-8ubuntu1 ADT test failure with linux 5.4.0-1.2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ndiswrapper/+bug/1848588/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1848596] Re: xtables-addons 3.2-1ubuntu3 ADT test failure with linux 5.4.0-1.2
I've sponsored an upload from Paolo to address this issue in Bionic. I've asked him to fill in the SRU template and I'm hoping that he's able to do that before the SRU team gets to the upload. ** Also affects: xtables-addons (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: xtables-addons (Ubuntu Bionic) Status: New => In Progress ** Changed in: xtables-addons (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: xtables-addons (Ubuntu Bionic) Assignee: (unassigned) => Paolo Pisati (p-pisati) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1848596 Title: xtables-addons 3.2-1ubuntu3 ADT test failure with linux 5.4.0-1.2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/xtables-addons/+bug/1848596/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1837889] Re: ndiswrapper 1.60-8 ADT test failure with linux 5.3.0-0.1
Sorry Thadeu but Paolo had already passed me a debdiff to sponsor for this bug. ** Changed in: ndiswrapper (Ubuntu Bionic) Assignee: Thadeu Lima de Souza Cascardo (cascardo) => Paolo Pisati (p-pisati) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1837889 Title: ndiswrapper 1.60-8 ADT test failure with linux 5.3.0-0.1 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ndiswrapper/+bug/1837889/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1848584] Re: dahdi-linux 1:2.11.1~dfsg-1ubuntu5 ADT test failure with linux 5.4.0-1.2
I've sponsored an upload from Paolo to address this issue. I've asked him to fill in the SRU template and I'm hoping that he's able to do that before the SRU team gets to the upload. ** Also affects: dahdi-linux (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: dahdi-linux (Ubuntu Bionic) Status: New => In Progress ** Changed in: dahdi-linux (Ubuntu Bionic) Importance: Undecided => Medium ** Changed in: dahdi-linux (Ubuntu Bionic) Assignee: (unassigned) => Paolo Pisati (p-pisati) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1848584 Title: dahdi-linux 1:2.11.1~dfsg-1ubuntu5 ADT test failure with linux 5.4.0-1.2 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dahdi-linux/+bug/1848584/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1852575] Re: Kernels 5.022 or higher booting issues
Hi Martin - Thanks for the bug report. Please follow the instructions mentioned in comment 1 so that we can have a better view into what's going on. In the meantime, can you tell us if you use full disk encryption with LUKS/dm-crypt? Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1852575 Title: Kernels 5.022 or higher booting issues To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1852575/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1852521] Re: Unable to boot "Gave up waiting for root device" for kernel version 5.3.0-19 & 5.3.0-22
Thanks for the report, Shaform. There are a few other bug reports against 5.3.0-22 and we're trying to understand if there's a common link. It looks like you're using LUKS/dm-crypt to do full disk encryption of your root partition so we're waiting to hear if that's common throughout the other reports. Thanks again! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1852521 Title: Unable to boot "Gave up waiting for root device" for kernel version 5.3.0-19 & 5.3.0-22 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1852521/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1852586] Re: Boot hangs after "Loading initial ramdisk ..."
Hi Eugen - Thanks for the bug report and sorry about the trouble you're experiencing. I'm trying to figure out if there is any link between a few different bug reports that I'm seeing come in for 5.3.0-22. It looks like the dm_crypt module is loaded on your system so I'd like for you to verify here that you use full-disk encryption with LUKS/dm-crypt. Thanks! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1852586 Title: Boot hangs after "Loading initial ramdisk ..." To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1852586/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1852435] Re: Boots fine with 5.3.0-19, doesn't boot any more with 5.3.0-22
Hi Andrej - Thanks for the bug report and sorry for the trouble. The 5.3.0-22 kernel had a bunch of changes in addition to the Intel related security fixes. Lets start by ruling some things out. I'd like for you to *separately* try two different kernel command-line parameters. The first is "mitigations=off" which is an easy way to disable both of the Intel CPU related security fixes that landed in 5.3.0-22 in addition to all the pre-existing issues. This doesn't disable the i915 graphics driver security fixes but I don't suspect that those are the problem here. If that doesn't work, remove "mitigations=off" and try "dis_ucode_ldr" which disables the kernel's microcode loader to rule out a faulty CPU microcode. If that doesn't work, please try combining the two options and report back the results. It is important to note that both options are dangerous and leave your system vulnerable to known CPU security flaws. They should only be used temporarily for testing purposes. Also, do you perhaps use full disk encryption with LUKS/dm-crypt? Finally, I suspect that your issue is actually TPM related but I'd like to rule out the security fixes and microcode updates first. I see the following TPM related errors in your kernel logs: [7.104690] tpm_tis STM7308:00: 2.0 TPM (device-id 0x0, rev-id 78) [7.105311] tpm tpm0: tpm_try_transmit: send(): error -5 [7.105344] tpm tpm0: [Firmware Bug]: TPM interrupt not working, polling instead ... [8.598278] Call Trace: [8.598898] [8.599497] dump_stack+0x63/0x8a [8.600127] __report_bad_irq+0x3a/0xaf [8.600768] note_interrupt.cold+0xb/0x61 [8.601397] handle_irq_event_percpu+0x73/0x80 [8.602020] handle_irq_event+0x3b/0x5a [8.602657] handle_fasteoi_irq+0x9c/0x150 [8.603292] handle_irq+0x20/0x30 [8.603946] do_IRQ+0x50/0xe0 [8.604591] common_interrupt+0xf/0xf [8.605201] [8.605832] RIP: 0010:cpuidle_enter_state+0xc5/0x420 [8.606458] Code: ff e8 ef 8a 83 ff 80 7d c7 00 74 17 9c 58 0f 1f 44 00 00 f6 c4 02 0f 85 3d 03 00 00 31 ff e8 22 e1 89 ff fb 66 0f 1f 44 00 00 <45> 85 ed 0f 89 d1 01 00 00 41 c7 44 24 10 00 00 00 00 48 83 c4 18 [8.607134] RSP: 0018:a40a4010be38 EFLAGS: 0246 ORIG_RAX: ffde [8.607835] RAX: 954b1036b340 RBX: b555a700 RCX: 001f [8.608531] RDX: RSI: 4041a68b RDI: [8.609225] RBP: a40a4010be78 R08: 000200650069 R09: 7fff [8.609948] R10: 954b1036a0e4 R11: 954b1036a0c4 R12: 954b10376500 [8.610674] R13: 0001 R14: 0001 R15: 954b10376500 [8.611382] ? cpuidle_enter_state+0xa1/0x420 [8.612089] cpuidle_enter+0x2e/0x40 [8.612820] call_cpuidle+0x23/0x40 [8.613542] do_idle+0x1eb/0x280 [8.614230] cpu_startup_entry+0x20/0x30 [8.614940] start_secondary+0x168/0x1c0 [8.615653] secondary_startup_64+0xa4/0xb0 [8.616379] handlers: [8.617089] [<382c6122>] tis_int_handler [8.617815] Disabling IRQ #31 We've seen quite a few TPM related issues with 5.3 and these two changes, which landed in 5.3.0-22, look related: https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=f8595e0ab193dcb7840cd74690c6728ac6ca9dc1 https://git.launchpad.net/~ubuntu-kernel/ubuntu/+source/linux/+git/eoan/commit/?id=dd0bf321c5ea7ef5755e7e68d5e5b61010ad2ef9 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1852435 Title: Boots fine with 5.3.0-19, doesn't boot any more with 5.3.0-22 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1852435/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1850867] Re: refcount underflow and type confusion in shiftfs
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1850867 Title: refcount underflow and type confusion in shiftfs To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1850867/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1852141] Re: CVE-2019-0155: incomplete fix for 64-bit x86 kernels
** Description changed: [Impact] The initial set of Ubuntu kernel updates to address CVE-2019-0155 are not complete for 64-bit x86 kernels (amd64). The 32-bit x86 kernel (i386) updates are complete. It may be possible for an attacker to bypass the mitigations on 64-bit systems. + + The following upstream patch is needed: + + https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea0b163b13ffc52818c079adb00d55e227a6da6f [Test Case] Upstream has ran the proposed fix through their regression test suite. We don't have a reproducer for CVE-2019-0155 so the test case is simply to ensure that desktop graphics continue to work. [Regression Potential] Low, the fix is obviously correct and, AAUI, the affected code path should only be legitimately used by the test suite. ** Description changed: [Impact] The initial set of Ubuntu kernel updates to address CVE-2019-0155 are not complete for 64-bit x86 kernels (amd64). The 32-bit x86 kernel (i386) updates are complete. It may be possible for an attacker to bypass the mitigations on 64-bit systems. The following upstream patch is needed: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea0b163b13ffc52818c079adb00d55e227a6da6f [Test Case] Upstream has ran the proposed fix through their regression test suite. We don't have a reproducer for CVE-2019-0155 so the test case is simply to ensure that desktop graphics continue to work. [Regression Potential] - Low, the fix is obviously correct and, AAUI, the affected code path - should only be legitimately used by the test suite. + Low, the fix is simple, tested, and, AAUI, the affected code path should + only be legitimately used by the test suite. ** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1852141 Title: CVE-2019-0155: incomplete fix for 64-bit x86 kernels To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1852141/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1852047] [NEW] [Bionic][Regression] Disabling EPT results in KVM guests that won't start
Public bug reported: Starting with 4.15.0-68.77, currently in bionic-proposed, I can no longer launch VMs when I disable EPT support in the kvm_intel module. This works fine under 4.15.0-66.75 from bionic-security. ubuntu@vought:~$ cat /proc/version_signature Ubuntu 4.15.0-68.77-generic 4.15.18 ubuntu@vought:~$ sudo rmmod kvm_intel ubuntu@vought:~$ sudo modprobe kvm_intel ept=0 ubuntu@vought:~$ cat /sys/module/kvm_intel/parameters/ept N ubuntu@vought:~$ virsh start --console l1 Domain l1 started Connected to domain l1 Escape character is ^] Under 4.15.0-66.75, I see full console output from the guest and reach a login prompt. Under 4.15.0-68.77, I see no output and the VM is unresponsive. I see nothing of use in /var/log/libvirt/qemu/l1.log. I see this on the following system: ubuntu@vought:~$ lscpu Architecture:x86_64 CPU op-mode(s): 32-bit, 64-bit Byte Order: Little Endian CPU(s): 96 On-line CPU(s) list: 0-95 Thread(s) per core: 2 Core(s) per socket: 24 Socket(s): 2 NUMA node(s):2 Vendor ID: GenuineIntel CPU family: 6 Model: 85 Model name: Intel(R) Xeon(R) Gold 6252 CPU @ 2.10GHz Stepping:6 CPU MHz: 1000.135 CPU max MHz: 3700. CPU min MHz: 1000. BogoMIPS:4200.00 Virtualization: VT-x L1d cache: 32K L1i cache: 32K L2 cache:1024K L3 cache:36608K NUMA node0 CPU(s): 0-23,48-71 NUMA node1 CPU(s): 24-47,72-95 Flags: fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc art arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc cpuid aperfmperf pni pclmulqdq dtes64 monitor ds_cpl vmx smx est tm2 ssse3 sdbg fma cx16 xtpr pdcm pcid dca sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch cpuid_fault epb cat_l3 cdp_l3 invpcid_single ssbd mba ibrs ibpb stibp ibrs_enhanced tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 hle avx2 smep bmi2 erms invpcid rtm cqm mpx rdt_a avx512f avx512dq rdseed adx smap clflushopt clwb intel_pt avx512cd avx512bw avx512vl xsaveopt xsavec xgetbv1 xsaves cqm_llc cqm_occup_llc cqm_mbm_total cqm_mbm_local dtherm ida arat pln pts hwp hwp_act_window hwp_epp hwp_pkg_req pku ospke avx512_vnni md_clear flush_l1d arch_capabilities ** Affects: linux (Ubuntu) Importance: High Status: Invalid ** Affects: linux (Ubuntu Bionic) Importance: High Status: New ** Also affects: linux (Ubuntu Bionic) Importance: Undecided Status: New ** Changed in: linux (Ubuntu Bionic) Importance: Undecided => High ** Changed in: linux (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1852047 Title: [Bionic][Regression] Disabling EPT results in KVM guests that won't start To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1852047/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1851412] Re: Verify kexec image signatures on arm64
** Information type changed from Private Security to Public Security -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1851412 Title: Verify kexec image signatures on arm64 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1851412/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1842751] Re: [disco] [eoan] After unmount, cannot open /dev/vdb: Device or resource busy
Hello - Does the recent switch from New -> Triaged for charm-cinder and charm-nova-compute mean that someone was able to determine that the charms are to blame and perhaps not the kernel? -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1842751 Title: [disco] [eoan] After unmount, cannot open /dev/vdb: Device or resource busy To manage notifications about this bug go to: https://bugs.launchpad.net/charm-cinder/+bug/1842751/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1847189] Re: Bad posix clock speculation mitigation backport
I've verified the kernel in xenial-proposed:
tyhicks@sec-xenial-amd64:~$ cat /proc/version_signature
Ubuntu 4.4.0-167.196-generic 4.4.197
tyhicks@sec-xenial-amd64:~$ cat test.c
#include
#include
int main(void)
{
int rc = clock_gettime(10, 0);
if (rc < 0)
perror("clock_gettime");
return rc;
}
tyhicks@sec-xenial-amd64:~$ gcc -o test test.c
tyhicks@sec-xenial-amd64:~$ ./test
clock_gettime: Invalid argument
There's no NULL pointer deref or any other sort of error induced by the test
case in the kernel log.
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1847189
Title:
Bad posix clock speculation mitigation backport
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847189/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1847478] Re: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
This is CVE-2019-18198 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2019-18198 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1847478 Title: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847478/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1802622] Re: Ubuntu Cosmic nvidia-340 needs patch for "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_t'
Thanks for pointing that out! I'm marking this bug as fixed for nvidia- graphics-drivers-340. ** Changed in: nvidia-graphics-drivers-340 (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1802622 Title: Ubuntu Cosmic nvidia-340 needs patch for "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_t' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/+bug/1802622/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1802622] Re: Ubuntu Cosmic nvidia-340 needs patch for "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_t'
We're considering disabling CONFIG_HARDENED_USERCOPY_FALLBACK in preparation for 20.04 LTS so getting this fixed soon would be necessary to keep the driver working. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1802622 Title: Ubuntu Cosmic nvidia-340 needs patch for "Bad or missing usercopy whitelist? Kernel memory exposure attempt detected from SLUB object 'nvidia_stack_t' To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/nvidia-graphics-drivers-340/+bug/1802622/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1811162] Re: Turn on CONFIG_REFCOUNT_FULL for non-x86 arches
** Changed in: linux (Ubuntu) Status: Confirmed => Triaged ** Changed in: linux (Ubuntu) Importance: Undecided => High ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Tyler Hicks (tyhicks) -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1811162 Title: Turn on CONFIG_REFCOUNT_FULL for non-x86 arches To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1811162/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1847478] Re: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
Fix submitted: https://lists.ubuntu.com/archives/kernel- team/2019-October/104623.html Since we're just about one week from the release of Eoan, this fix may not make the Eoan release. If that's the case, it will be included in the initial set of Stable Release Updates (SRU) for the Eoan kernels. -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1847478 Title: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847478/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1847478] Re: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
Thanks to Jason for alerting us of this issue and pointing us at the fix! -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1847478 Title: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847478/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1847478] Re: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule"
** Description changed: + [Impact] + + An unprivileged local attacker could cause a denial of service, or + possibly execute arbitrary code due to an ipv6 regression. + + [Test Case] + + An unpatched system will crash with the following command: + + $ unshare -rUn sh -c 'ip link add dummy1 type dummy && ip link set + dummy1 up && ip -6 route add default dev dummy1 && ip -6 rule add table + main suppress_prefixlength 0 && ping -f 1234::1' + + [Regression Potential] + + Low. The change could theoretically introduce a memory leak but that + would still be an improvement over immediate loss of system + availability. + + [Original Description] + Having recently upgraded to Eoan Ermine from Disco Dingo, my previously rock-solid wireguard now locks the system up shortly after I take the connection down with wg-quick down wg0. Package: wireguard: - Installed: 0.0.20190913-1ubuntu1 - Candidate: 0.0.20190913-1ubuntu1 - Version table: - *** 0.0.20190913-1ubuntu1 500 - 500 http://gb.archive.ubuntu.com/ubuntu eoan/universe amd64 Packages - 500 http://gb.archive.ubuntu.com/ubuntu eoan/universe i386 Packages - 100 /var/lib/dpkg/status + Installed: 0.0.20190913-1ubuntu1 + Candidate: 0.0.20190913-1ubuntu1 + Version table: + *** 0.0.20190913-1ubuntu1 500 + 500 http://gb.archive.ubuntu.com/ubuntu eoan/universe amd64 Packages + 500 http://gb.archive.ubuntu.com/ubuntu eoan/universe i386 Packages + 100 /var/lib/dpkg/status Kernel: 5.3.0-13-generic Snipped from /var/log/syslog: kernel: [ 776.930804] BUG: unable to handle page fault for address: 1070 kernel: [ 776.930807] #PF: supervisor read access in kernel mode kernel: [ 776.930808] #PF: error_code(0x) - not-present page - kernel: [ 776.930809] PGD 0 P4D 0 + kernel: [ 776.930809] PGD 0 P4D 0 kernel: [ 776.930811] Oops: [#1] SMP NOPTI kernel: [ 776.930813] CPU: 3 PID: 2598 Comm: Chrome_ChildIOT Tainted: G OE 5.3.0-13-generic #14-Ubuntu kernel: [ 776.930813] Hardware name: Dell Inc. XPS 13 9380/0KTW76, BIOS 1.7.0 08/05/2019 kernel: [ 776.930817] RIP: 0010:ip6_sk_dst_store_flow+0x80/0xc0 kernel: [ 776.930819] Code: 48 8b 42 30 48 33 47 40 48 09 c1 0f b6 4f 12 b8 01 00 00 00 4d 0f 45 e9 31 db d3 e0 a9 bf ef ff ff 74 07 48 8b 9f f8 02 00 00 <48> 8b 46 70 31 d2 48 85 c0 74 0c 48 8b 40 10 48 85 c0 74 03 8b 50 kernel: [ 776.930820] RSP: 0018:beb841a9fcd8 EFLAGS: 00010202 kernel: [ 776.930821] RAX: 0080 RBX: a0933c829360 RCX: 0007 kernel: [ 776.930822] RDX: beb841a9fd20 RSI: 1000 RDI: a0933c828f00 kernel: [ 776.930823] RBP: beb841a9fcf0 R08: R09: kernel: [ 776.930823] R10: R11: a093948fd800 R12: a0933c829360 kernel: [ 776.930824] R13: a0933c828f38 R14: 0001 R15: a0933c829360 kernel: [ 776.930825] FS: 7fbcd8a82700() GS:a0939e4c() knlGS: kernel: [ 776.930826] CS: 0010 DS: ES: CR0: 80050033 kernel: [ 776.930827] CR2: 1070 CR3: 00049172a004 CR4: 003606e0 kernel: [ 776.930828] Call Trace: kernel: [ 776.930832] ip6_datagram_dst_update+0x15e/0x280 kernel: [ 776.930835] ? _raw_read_unlock_bh+0x20/0x30 kernel: [ 776.930837] __ip6_datagram_connect+0x1da/0x380 kernel: [ 776.930839] ip6_datagram_connect+0x2d/0x50 kernel: [ 776.930841] inet_dgram_connect+0x3f/0xc0 kernel: [ 776.930843] __sys_connect+0xf1/0x130 kernel: [ 776.930846] ? do_fcntl+0xe4/0x550 kernel: [ 776.930848] ? fput+0x13/0x15 kernel: [ 776.930849] __x64_sys_connect+0x1a/0x20 kernel: [ 776.930852] do_syscall_64+0x5a/0x130 kernel: [ 776.930854] entry_SYSCALL_64_after_hwframe+0x44/0xa9 kernel: [ 776.930855] RIP: 0033:0x7fbcde6324eb kernel: [ 776.930856] Code: 83 ec 18 89 54 24 0c 48 89 34 24 89 7c 24 08 e8 ab fa ff ff 8b 54 24 0c 48 8b 34 24 41 89 c0 8b 7c 24 08 b8 2a 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 2f 44 89 c7 89 44 24 08 e8 e1 fa ff ff 8b 44 kernel: [ 776.930857] RSP: 002b:7fbcd8a7ec90 EFLAGS: 0293 ORIG_RAX: 002a kernel: [ 776.930859] RAX: ffda RBX: ff94 RCX: 7fbcde6324eb kernel: [ 776.930859] RDX: 001c RSI: 7fbcd8a7ecf0 RDI: 0022 kernel: [ 776.930860] RBP: 7fbcd8a7edb0 R08: R09: 7fbcd8a7edf8 kernel: [ 776.930861] R10: 7fbcd8a7edf0 R11: 0293 R12: 250e77c19710 kernel: [ 776.930862] R13: 250e77c19900 R14: 7fbcd8a7edc8 R15: 7fbcd8a7edc8 kernel: [ 776.930863] Modules linked in: binfmt_misc wireguard(OE) ip6_udp_tunnel udp_tunnel ccm rfcomm uhid algif_hash algif_skcipher af_alg cmac bnep sof_pci_dev snd_sof_intel_hda_common snd_sof_intel_byt snd_sof_intel_ipc snd_sof snd_sof_nocodec snd_sof_xtensa_dsp snd_soc
[Bug 1847478] Re: wireguard crashes system shortly after wg-quick down wg0
** Also affects: linux (Ubuntu) Importance: Undecided Status: New ** Changed in: linux (Ubuntu) Status: New => In Progress ** Changed in: linux (Ubuntu) Importance: Undecided => High ** Changed in: linux (Ubuntu) Assignee: (unassigned) => Tyler Hicks (tyhicks) ** Changed in: wireguard (Ubuntu) Status: New => Invalid -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1847478 Title: eoan kernel does not contain "ipv6: do not free rt if FIB_LOOKUP_NOREF is set on suppress rule" To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847478/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1847189] Re: Bad posix clock speculation mitigation backport
Fix submitted: https://lists.ubuntu.com/archives/kernel- team/2019-October/104582.html -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1847189 Title: Bad posix clock speculation mitigation backport To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847189/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1847189] [NEW] Bad posix clock speculation mitigation backport
*** This bug is a security vulnerability ***
Public security bug reported:
[Impact]
Vitaly Nikolenko pointed out that syscall(__NR_clock_gettime, 10, 0) can
be used to perform a denial of service (system crash) or possibly
execute arbitrary code in the Ubuntu Xenial kernel:
https://twitter.com/vnik5287/status/1180666151216435200
[Test Case]
Execute the following test program and verify that it prints out
"clock_gettime: Invalid argument" rather than triggering a NULL pointer
dereference and stack trace in the kernel logs.
==
#include
#include
int main(void)
{
int rc = clock_gettime(10, 0);
if (rc < 0)
perror("clock_gettime");
return rc;
}
==
[Regression Potential]
Low. The fix is easy to review and fixes a denial of service issue
that's trivial to trigger.
** Affects: linux (Ubuntu)
Importance: Undecided
Status: Invalid
** Affects: linux (Ubuntu Xenial)
Importance: Medium
Assignee: Tyler Hicks (tyhicks)
Status: In Progress
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Status: New => In Progress
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Changed in: linux (Ubuntu Xenial)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu)
Status: In Progress => Invalid
** Changed in: linux (Ubuntu)
Assignee: Tyler Hicks (tyhicks) => (unassigned)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1847189
Title:
Bad posix clock speculation mitigation backport
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1847189/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1845391] Re: SafeSetID LSM should be built but disabled by default
A pull request for 5.4 included a fix to make SafeSetID useful due to a bug in 5.3. Details can be read here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1b5fb415442eb3ec946d48afe8c87b0f2fd42d7c The needed commit is located here: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21ab8580b383f27b7f59b84ac1699cb26d6c3d69 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1845391 Title: SafeSetID LSM should be built but disabled by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1845391/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1845391] [NEW] SafeSetID LSM should be built but disabled by default
Public bug reported: The SafeSetID LSM is unlikely to be useful, by default, for a general purpose OS but a system integrator may want to make use of it in certain cases. We should build SafeSetID but not enable it by default in Ubuntu. The LSM can be put to use using the lsm= kernel boot parameter. For example, lsm=capability,yama,safesetid,apparmor could be specified to make use of SafeSetID in addition to the LSMs that we use by default in Ubuntu 19.10. You can verify that it is enabled by reading the lsm file in securityfs: $ cat /sys/kernel/security/lsm capability,yama,safesetid,apparmor Documentation on configuring SafeSetID can be found here: https://www.kernel.org/doc/html/latest/admin-guide/LSM/SafeSetID.html ** Affects: linux (Ubuntu) Importance: Medium Assignee: Tyler Hicks (tyhicks) Status: In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1845391 Title: SafeSetID LSM should be built but disabled by default To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1845391/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1845383] [NEW] CONFIG_LSM should not specify loadpin since it is not built
Public bug reported:
[Impact]
While inspecting our kernel configs, I noticed that "loadpin" is present
in the CONFIG_LSM string but CONFIG_SECURITY_LOADPIN is not enabled.
This is harmless but should be cleaned up.
[Test Case]
Ensure that /sys/kernel/security/lsm still contains
"capability,yama,apparmor" after rebooting into the new kernel:
$ cat /sys/kernel/security/lsm
capability,yama,apparmor
Ensure that the current kernel's config does not specify "loadpin" in
the CONFIG_LSM value:
$ grep CONFIG_LSM= /boot/config-$(uname -r)
CONFIG_LSM="yama,integrity,apparmor"
[Regression Potential]
Low. This just limits the CONFIG_LSM value to only contain LSMs that are
being built.
** Affects: linux (Ubuntu)
Importance: Low
Assignee: Tyler Hicks (tyhicks)
Status: In Progress
** Affects: linux (Ubuntu Disco)
Importance: Low
Assignee: Tyler Hicks (tyhicks)
Status: Triaged
** Also affects: linux (Ubuntu Disco)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Disco)
Status: New => Triaged
** Changed in: linux (Ubuntu Disco)
Importance: Undecided => Low
** Changed in: linux (Ubuntu Disco)
Assignee: (unassigned) => Tyler Hicks (tyhicks)
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1845383
Title:
CONFIG_LSM should not specify loadpin since it is not built
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1845383/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1829055] Re: CVE-2019-11815
This has been fixed for some time. Please see the Ubuntu CVE Tracker for kernel version information: https://people.canonical.com/~ubuntu- security/cve/2019/CVE-2019-11815.html ** Changed in: linux (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1829055 Title: CVE-2019-11815 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1829055/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
[Bug 1839890] Re: openafs 1.8.0~pre5-1ubuntu1 fails to build on 5.0 kernels
I've sponsored an upload from Connor to Bionic. Thanks, Connor! ** Changed in: openafs (Ubuntu Bionic) Status: Incomplete => In Progress -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1839890 Title: openafs 1.8.0~pre5-1ubuntu1 fails to build on 5.0 kernels To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/openafs/+bug/1839890/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
