[Kernel-packages] [Bug 1766832] Re: test_140_kernel_modules_not_tainted in kernel security test failed with 4.15 kvm kernel

Thu, 24 May 2018 13:47:00 -0700 

This bug was fixed in the package linux-kvm - 4.15.0-1010.10

---------------
linux-kvm (4.15.0-1010.10) bionic; urgency=medium

  [ Ubuntu: 4.15.0-22.24 ]

  * CVE-2018-3639 (powerpc)
    - powerpc/64s: Add support for a store forwarding barrier at kernel 
entry/exit
    - stf-barrier: set eieio instruction bit 6 for future optimisations
  * CVE-2018-3639 (x86)
    - x86/nospec: Simplify alternative_msr_write()
    - x86/bugs: Concentrate bug detection into a separate function
    - x86/bugs: Concentrate bug reporting into a separate function
    - x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
    - x86/bugs, KVM: Support the combination of guest and host IBRS
    - x86/bugs: Expose /sys/../spec_store_bypass
    - x86/cpufeatures: Add X86_FEATURE_RDS
    - x86/bugs: Provide boot parameters for the spec_store_bypass_disable
      mitigation
    - x86/bugs/intel: Set proper CPU features and setup RDS
    - x86/bugs: Whitelist allowed SPEC_CTRL MSR values
    - x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested
    - x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
    - x86/speculation: Create spec-ctrl.h to avoid include hell
    - prctl: Add speculation control prctls
    - x86/process: Allow runtime control of Speculative Store Bypass
    - x86/speculation: Add prctl for Speculative Store Bypass mitigation
    - nospec: Allow getting/setting on non-current task
    - proc: Provide details on speculation flaw mitigations
    - seccomp: Enable speculation flaw mitigations
    - x86/bugs: Make boot modes __ro_after_init
    - prctl: Add force disable speculation
    - seccomp: Use PR_SPEC_FORCE_DISABLE
    - seccomp: Add filter flag to opt-out of SSB mitigation
    - seccomp: Move speculation migitation control to arch code
    - x86/speculation: Make "seccomp" the default mode for Speculative Store
      Bypass
    - x86/bugs: Rename _RDS to _SSBD
    - proc: Use underscores for SSBD in 'status'
    - Documentation/spec_ctrl: Do some minor cleanups
    - x86/bugs: Fix __ssb_select_mitigation() return type
    - x86/bugs: Make cpu_show_common() static
  * LSM Stacking prctl values should be redefined as to not collide with
    upstream prctls (LP: #1769263) // CVE-2018-3639
    - SAUCE: LSM stacking: adjust prctl values

linux-kvm (4.15.0-1009.9) bionic; urgency=medium

  * linux-kvm: 4.15.0-1009.9 -proposed tracker (LP: #1767409)

  * linux-image-4.15.0-20-generic install after upgrade from xenial breaks
    (LP: #1767133)
    - Packaging: Depends on linux-base that provides the necessary tools

  * Unable to start docker application with B-KVM kernel (LP: #1763630)
    - kvm: [config] enable NF_NAT, NF_CONNTRACK
    - kvm: [config] enable IP_NF_TABLES

  * test_078_SLAB_freelist_randomization failed on 4.15 KVM kernel
    (LP: #1764975)
    - kvm: [config] enable CONFIG_SLAB_FREELIST_{HARDENED,RANDOM}

  * linux-kvm 4.15 needs CONFIG_VMAP_STACK set (LP: #1764985)
    - kvm: [config] enable CONFIG_VMAP_STACK

  * test_140_kernel_modules_not_tainted in kernel security test failed with 4.15
    kvm kernel (LP: #1766832)
    - kvm: [config] enable CONFIG_MODULE_UNLOAD

  [ Ubuntu: 4.15.0-21.22 ]

  * linux: 4.15.0-21.22 -proposed tracker (LP: #1767397)
  * initramfs-tools exception during pm.DoInstall with  do-release-upgrade from
    16.04 to 18.04  (LP: #1766727)
    - Add linux-image-* Breaks on s390-tools (<< 2.3.0-0ubuntu3)
  * linux-image-4.15.0-20-generic install after upgrade from xenial breaks
    (LP: #1767133)
    - Packaging: Depends on linux-base that provides the necessary tools
  * linux-image packages need to Breaks flash-kernel << 3.90ubuntu2
    (LP: #1766629)
    - linux-image-* breaks on flash-kernel (<< 3.90ubuntu2)

 -- Stefan Bader <stefan.ba...@canonical.com>  Thu, 17 May 2018 10:30:53
+0200

** Changed in: linux-kvm (Ubuntu)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-kvm in Ubuntu.
https://bugs.launchpad.net/bugs/1766832

Title:
  test_140_kernel_modules_not_tainted in kernel security test failed
  with 4.15 kvm kernel

Status in linux-kvm package in Ubuntu:
  Fix Released
Status in linux-kvm source package in Xenial:
  Fix Committed
Status in linux-kvm source package in Bionic:
  Fix Released

Bug description:
  == Justification ==
  In the Bionic KVM and Xenial KVM kernel, the CONFIG_MODULE_UNLOAD was not 
set, this will cause the rmmod command in test_072_strict_devmem test from the 
kernel security test suite fail to run, and induce a failure in the following 
test_140_kernel_modules_not_tainted test.

  == Test ==
  Before enabling the config, rmmod command will return:
  "ERROR: Module signpost is in use"
  After the config was enabled, rmmod will succeed and it will pass with this 
test_140_kernel_modules_not_tainted test.

  == Fix ==
  Set CONFIG_MODULE_UNLOAD to "y" to allow user to unload a module.

  == Regression Potential ==
  Minimal.
  No code changes, just one config change without disabling any other configs.

  Similar to bug 1760654.

  But this time the test_072_strict_devmem passed on the testing node.
  And the test_140_kernel_modules_not_tainted test still failed with the same 
error message:

    FAIL: test_140_kernel_modules_not_tainted (__main__.KernelSecurityTest)
    kernel modules are not marked with a taint flag (especially 'E' for 
TAINT_UNSIGNED_MODULE)
    ----------------------------------------------------------------------
    Traceback (most recent call last):
      File "./test-kernel-security.py", line 1865, in 
test_140_kernel_modules_not_tainted
        self.fail('Module \'%s\' is tainted: %s' % (fields[0], last_field))
    AssertionError: Module 'signpost' is tainted: (OE)

  If you try to remove the module after this, you will get:
  $ sudo rmmod signpost
  rmmod: ERROR: Module signpost is in use

  And the lsmod shows:
  $ lsmod | grep signpost
  signpost               12288  -2

  From the Internet [1], the "-2" here indicates that the CONFIG_MODULE_UNLOAD 
is not set.
  Which is true for the Bionic KVM kernel.

  $ grep -i CONFIG_MODULE_UNLOAD debian.kvm/config/config.common.ubuntu
  # CONFIG_MODULE_UNLOAD is not set

  https://unix.stackexchange.com/questions/269500/lsmod-shows-2-in-the-
  used-by-colum

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: linux-image-4.15.0-1008-kvm 4.15.0-1008.8
  ProcVersionSignature: User Name 4.15.0-1008.8-kvm 4.15.17
  Uname: Linux 4.15.0-1008-kvm x86_64
  NonfreeKernelModules: signpost
  ApportVersion: 2.20.9-0ubuntu7
  Architecture: amd64
  Date: Wed Apr 25 08:35:29 2018
  ProcEnviron:
   TERM=xterm-256color
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=C.UTF-8
   SHELL=/bin/bash
  SourcePackage: linux-kvm
  UpgradeStatus: No upgrade log present (probably fresh install)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux-kvm/+bug/1766832/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to