** Changed in: linux
Status: Unknown => Confirmed
** Changed in: linux
Importance: Unknown => High
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1672819
Title:
exec'ing a setuid binary
submitted https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1876856
--
Guys,
your commit d6572202d986 ("UBUNTU:SAUCE: exec: ensure file system accounting in
check_unsafe_exec is correct") looks wrong to me,
it leads to an endless cycle in check_unsafe_exec().
fs/exec.c:: check_unsafe_exec()
...
recheck:
fs_recheck = false;
t = p;
n_fs = 1;
This bug was fixed in the package golang-1.6 - 1.6.2-0ubuntu5~16.04.3
---
golang-1.6 (1.6.2-0ubuntu5~16.04.3) xenial; urgency=medium
* Backport workaround for execve issue that causes the setuid bit to be
ignored when losing a race in the kernel. (LP: #1672819)
-- Michael
I've verified the fix in the way I suspected I'd have to, with one extra
wrinkle.
1) In a trusty VM, I verified that the C test case from the gist failed. (It
did).
2) I launched a xenial lxd container on the VM and built the Go test case with
version 1.6.2-0ubuntu5~16.04.2 of golang-1.6-go.
3)
Hello John, or anyone else affected,
Accepted golang-1.6 into xenial-proposed. The package will build now and
be available at
https://launchpad.net/ubuntu/+source/golang-1.6/1.6.2-0ubuntu5~16.04.3
in a few hours, and then in the -proposed repository.
Please help us by testing this new package.
** Changed in: golang-1.6 (Ubuntu Xenial)
Status: New => In Progress
--
** Description changed:
+ == SRU template for golang-1.6 ==
+
+ [Impact]
+ The kernel bug reported below means that occasionally (maybe 1 in 1000 times)
the snapd -> snap-confine exec that is part of a snap execution fails to take
the setuid bit on the snap-confine binary into account which
** Also affects: golang-1.6 (Ubuntu)
Importance: Undecided
Status: New
** Changed in: golang-1.6 (Ubuntu)
Status: New => Invalid
** Changed in: golang-1.6 (Ubuntu Yakkety)
Status: New => Invalid
** Changed in: golang-1.6 (Ubuntu Zesty)
Status: New => Invalid
**
This bug was fixed in the package linux - 4.10.0-26.30
---
linux (4.10.0-26.30) zesty; urgency=low
* linux: 4.10.0-26.30 -proposed tracker (LP: #1700528)
* CVE-2017-1000364
- Revert "UBUNTU: SAUCE: mm: Only expand stack if guard area is hit"
- Revert "mm: do not collapse
This bug was fixed in the package linux - 4.8.0-58.63
---
linux (4.8.0-58.63) yakkety; urgency=low
* linux: 4.8.0-58.63 -proposed tracker (LP: #1700533)
* CVE-2017-1000364
- Revert "UBUNTU: SAUCE: mm: Only expand stack if guard area is hit"
- Revert "mm: do not collapse
This bug was fixed in the package linux - 4.4.0-83.106
---
linux (4.4.0-83.106) xenial; urgency=low
* linux: 4.4.0-83.106 -proposed tracker (LP: #1700541)
* CVE-2017-1000364
- Revert "UBUNTU: SAUCE: mm: Only expand stack if guard area is hit"
- Revert "mm: do not
tested on zesty, 4.10.0-23-generic #25-Ubuntu, passed the test.
** Tags removed: verification-needed-zesty
** Tags added: verification-done-zesty
--
tested on yakkety, 4.8.0-55-generic #58-Ubuntu, passed the test.
** Tags removed: verification-needed-yakkety
** Tags added: verification-done-yakkety
--
tested on xenial, 4.4.0-80-generic #101-Ubuntu, passed the test.
** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial
--
** Changed in: linux (Ubuntu)
Assignee: (unassigned) => Colin Ian King (colin-king)
--
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-yakkety' to 'verification-done-yakkety'. If the
problem still exists, change the tag
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-zesty' to 'verification-done-zesty'. If the
problem still exists, change the tag
This bug is awaiting verification that the kernel in -proposed solves
the problem. Please test the kernel and update this bug with the
results. If the problem is solved, change the tag
'verification-needed-xenial' to 'verification-done-xenial'. If the
problem still exists, change the tag
** Changed in: linux (Ubuntu Yakkety)
Assignee: (unassigned) => Colin Ian King (colin-king)
** Changed in: linux (Ubuntu Zesty)
Assignee: (unassigned) => Colin Ian King (colin-king)
** Changed in: linux (Ubuntu Zesty)
Importance: Undecided => High
** Changed in: linux (Ubuntu
** Changed in: linux (Ubuntu Xenial)
Status: In Progress => Fix Committed
--
** Changed in: linux (Ubuntu Zesty)
Status: New => Fix Committed
** Changed in: linux (Ubuntu Yakkety)
Status: New => Fix Committed
--
** Also affects: linux (Ubuntu Yakkety)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Zesty)
Importance: Undecided
Status: New
--
** Changed in: linux (Ubuntu)
Status: Triaged => Fix Committed
--
** Description changed:
+ == SRU REQUEST XENIAL, YAKKETY, ZESTY ==
+
+ Due to two race conditions in check_unsafe_exec(), exec'ing a setuid
+ binary from a threaded program sometimes fails to setuid.
+
+ == Fix ==
+
+ Sauce patch for Xenial, Yakkety + Zesty:
+
+
** Changed in: linux (Ubuntu Xenial)
Status: Incomplete => In Progress
--
With the kernel from #16 I am no longer able to reproduce the issue, not
with the simplified reproducers described in this bug, nor with the
original (slower and more convoluted) snapd reproducer.
--
I think I've found the simplest solution that avoids costly locking
overhead and seems to work in my tests. I've uploaded the debs for
Xenial in:
http://kernel.ubuntu.com/~cking/lp-1672819/
Would you mind testing these and seeing if it helps.
** Changed in: linux (Ubuntu Xenial)
Status:
On 8 May 2017 at 10:32, Colin Ian King <1672...@bugs.launchpad.net>
wrote:
> exec'ing from a thread is an interesting problem; the semantics of exec
> should be to terminal all the threads before the exec occurs according
> to http://maxim.int.ru/bookshelf/PthreadsProgram/htm/r_44.html
>
> The
"to terminal all the threads" should read "to terminate all the threads"
--
exec'ing from a thread is an interesting problem; the semantics of exec
should be to terminal all the threads before the exec occurs according
to http://maxim.int.ru/bookshelf/PthreadsProgram/htm/r_44.html
The normal idiom would be to do:
fork()
child exec's
parent waits for child
** Tags removed: kernel-key
** Tags added: kernel-da-key
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1672819
Title:
exec'ing a setuid binary from a threaded program sometimes fails to
setuid
** Bug watch added: Linux Kernel Bug Tracker #195453
http://bugzilla.kernel.org/195453
--
This bug has been around since at least 2009.
Kernel Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195453
** Bug watch added: Linux Kernel Bug Tracker #195453
http://bugzilla.kernel.org/195453
** Also affects: linux via
http://bugzilla.kernel.org/195453
Importance: Unknown
This also happens on Fedora 25 running 4.10.8-200.fc25.x64_64
--
With the change mentioned in comment #8 I now cannot reproduce the
issue.
--
Might this be related to
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857909 ?
** Bug watch added: Debian Bug tracker #857909
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=857909
--
So the thread fs has been torn down and so t->fs is null which then
triggers the miscounting of n_fs; so I'm speculating we may need to
try:
    while_each_thread(p, t) {
            if (t->fs == p->fs || !t->fs)
                    n_fs++;
    }
--
Nope, that fails too.
--
The following seems to fix it, but I need to exercise this a bit more to
be 100% certain it is rock solid:
diff --git a/fs/fs_struct.c b/fs/fs_struct.c
index 7dca743..cd7175e2 100644
--- a/fs/fs_struct.c
+++ b/fs/fs_struct.c
@@ -98,8 +98,10 @@ void exit_fs(struct task_struct *tsk)
** Changed in: linux (Ubuntu Xenial)
Assignee: (unassigned) => Colin Ian King (colin-king)
** Changed in: linux (Ubuntu Xenial)
Status: Triaged => In Progress
--
** Tags removed: kernel-da-key
** Tags added: kernel-key
--
** Tags removed: kernel-key
** Tags added: kernel-da-key
--
I had a bit of a stare at the kernel source and suspected that the
downgrade of uid is happening here:
https://github.com/torvalds/linux/blob/v4.4/security/commoncap.c#L547-L548
I added a "WARN(1, "downgrading in subprocess %d %d\n", bprm->unsafe,
(int)capable(CAP_SETUID))" which revealed that
An AWS instance (t2.xlarge with 4 vCPU's) running 4.4.0-1001-aws
reproduces the problem:
$ for i in `seq 1`; do ./a_p; done | wc -l
124
--
I can reproduce this with the simple pthreads-only reproducer (loop of
./a_p running setuid binary ./b) running 4.4.0-57-generic on bare metal.
$ for i in `seq 10`; do ./a_p; done
GOT 1000
GOT 1000
$ for i in `seq 1000`; do ./a_p; done | wc -l
117
--
** Changed in: linux (Ubuntu)
Status: New => Triaged
** Changed in: linux (Ubuntu)
Importance: Undecided => High
** Also affects: linux (Ubuntu Xenial)
Importance: Undecided
Status: New
** Changed in: linux (Ubuntu Xenial)
Status: New => Triaged
** Changed in: linux
I also tried this in 4.10.0-11-generic, same results.
--