Public bug reported:

[impact]

any package running build-time sanitizer tests may run inside a Xenial builder with the Xenial 4.4 kernel. However the gcc-7 built-in test to determine if the running kernel suffers from CVE-2016-2143 (which only affects s390x) considers the Xenial '4.4.0' kernel to be affected, strictly due to the version number. The Xenial kernel has been patched for this cve in bug 1556141.

This will cause all sanitizer tests to abort and fail the build.

[test case]

build a package that runs sanitizer tests on a s390x ppa builder that is running Xenial and check for failure, e.g.:

https://launchpadlibrarian.net/488534837/buildlog_ubuntu-bionic-s390x.systemd_245.6-1upstream202007141303~ubuntu18.04.1_BUILDING.txt.gz

--- command ---
UBSAN_OPTIONS='print_stacktrace=1:print_summary=1:halt_on_error=1' /usr/bin/env /<<PKGBUILDDIR>>/build-deb/fuzz-bus-message:address,undefined /<<PKGBUILDDIR>>/test/fuzz/fuzz-bus-message/crash-26bba7182dedc8848939931d9fcefcb7922f2e56
--- stderr ---
==27804==ERROR: Your kernel seems to be vulnerable to CVE-2016-2143. Using ASan, MSan, TSan, DFSan or LSan with such kernel can and will crash your machine, or worse. If you are certain your kernel is not vulnerable (you have compiled it yourself, or are using an unrecognized distribution kernel), you can override this safety check by exporting SANITIZER_IGNORE_CVE_2016_2143 with any value.
-------

[regression potential]

if gcc-7's calculation for whether the kernel is affected by this cve or not is adjusted, any regression would likely result in a miscalculation where sanitizer tests were incorrectly run on an affected kernel, which may crash the machine; or it may incorrectly abort tests on a kernel that is not affected.

[scope]

this is needed only in gcc-7, which is included in b/f/g, but gcc-7 is only the default in bionic.
the ubuntu kernel version detection was added to gcc in this huge commit:
https://github.com/gcc-mirror/gcc/commit/5d3805fca3e9a199fbaa18aee3c05ecb30ebca61#diff-56b6f240d7feb36a34222dc132ab5a41

which, according to github, is included in versions:
releases/gcc-10.1.0
releases/gcc-9.3.0
releases/gcc-9.2.0
releases/gcc-9.1.0
releases/gcc-8.4.0
releases/gcc-8.3.0
releases/gcc-8.2.0
releases/gcc-8.1.0
misc/cutover-git
embedded-9-2020q2
embedded-9-2020-q2
basepoints/gcc-11
basepoints/gcc-10
basepoints/gcc-9

we have gcc-8.4.0 and gcc-9.3.0 in focal and groovy, so this is fixed already there. we also have gcc-8.4.0 in bionic, but the default gcc is 7.

** Affects: gcc-7 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1887563

Title:
  gcc-7 kernel version check thinks Xenial 4.4 kernel is still affected by CVE-2016-2143
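
Added example (not gcc's code and not part of the bug report): a sketch of why a check that compares only the upstream version number flags a distro kernel that keeps x.y.0 and backports the fix, and how comparing the distro ABI number changes the result. The struct, function names, thresholds and uname strings are constructed for illustration; only the SANITIZER_IGNORE_CVE_2016_2143 variable comes from the error message above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Thresholds are inputs, not values taken from the bug report. */
struct fix_policy {
    long major, minor;       /* stable series the policy covers */
    long fixed_patch;        /* first upstream x.y.PATCH with the fix */
    long fixed_abi;          /* first distro x.y.0-ABI with the backport */
    const char *distro_tag;  /* marker expected in `uname -v` */
};

/* 1 = treated as fixed, 0 = affected or in doubt. */
int kernel_fixed(const char *release, const char *version,
                 const struct fix_policy *p, int distro_aware)
{
    char *end;
    long patch = 0, major = strtol(release, &end, 10);
    if (end == release || *end != '.') return 0;  /* unparsable: in doubt */
    long minor = strtol(end + 1, &end, 10);
    if (*end == '.') patch = strtol(end + 1, &end, 10);

    /* Simplification: later series fixed, earlier series affected. */
    if (major != p->major) return major > p->major;
    if (minor != p->minor) return minor > p->minor;
    if (patch >= p->fixed_patch) return 1;
    /* Distro kernels keep x.y.0 and backport fixes; compare the ABI number. */
    if (distro_aware && patch == 0 && *end == '-' && strstr(version, p->distro_tag))
        return strtol(end + 1, NULL, 10) >= p->fixed_abi;
    return 0;
}

/* The override named in the error message: any value skips the check. */
int should_abort(const char *release, const char *version,
                 const struct fix_policy *p, int distro_aware)
{
    if (getenv("SANITIZER_IGNORE_CVE_2016_2143")) return 0;
    return !kernel_fixed(release, version, p, distro_aware);
}

int main(void)
{
    /* Constructed sample policy and uname strings. */
    struct fix_policy p = { 4, 4, 6, 13, "Ubuntu" };
    const char *rel = "4.4.0-185-generic", *ver = "#215-Ubuntu SMP (constructed)";
    printf("version-only: abort=%d\n", should_abort(rel, ver, &p, 0));
    printf("distro-aware: abort=%d\n", should_abort(rel, ver, &p, 1));
    return 0;
}
```

Anything the parser cannot classify is reported as affected, so a parsing gap fails the build instead of running sanitizers on a possibly vulnerable kernel.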
