My hunch about the length of struct aliases was correct; when a parameter that is longer than the *entire* aliases struct element (146 characters) is compared the call to memcmp() is redirected to "include/linux/fortify-string.h" [0] where checks are done to ensure there are no out-of-bounds reads.

Because the 'buf' parameter is 146 characters long the call looks like:

    memcmp("param146=...", aliases[i].alias, len + 1)

where 'len' is 146 and so 147 gets passed in. That triggers:

    if (p_size < size || q_size < size)
        fortify_panic(__func__);

because 'size' (from 'len + 1') is 147 and q_size is 146 ( size_t q_size = __struct_size(q) ) ('p' is 'buf', 'q' is 'aliases[i].alias').

So, with a guard case to avoid calling memcmp() at all unless the lengths match it works. I'll send the patch to the v6.8 stable tree upstream.

    $ qemu-system-aarch64 -machine virt,gic-version=3 -cpu max,pauth-impdef=on -smp 2 -m 4096 -nographic -kernel /srv/NAS/Sunny/SourceCode/builds/linux-aarch64/arch/arm64/boot/Image -append "debug param146=ni4ohneo0oothieyeef9vo4ieth4yeiz6ohsiemae6aoy2asu9xei5eethoh0igaitha7laeghoothaeph9xai7kier3aib7aejaengahghan2zojeebai3kad9meesh6eichaey2"
    [ 0.000000] Booting Linux on physical CPU 0x0000000000 [0x000f0510]
    [ 0.000000] Linux version 6.8.12 (li...@iam.tj) (aarch64-linux-gnu-gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40) #10 SMP Fri Jul 26 13:57:53 BST 2024
    [ 0.000000] random: crng init done
    [ 0.000000] Machine model: linux,dummy-virt
    ...
    [ 0.000000] Kernel command line: debug param146=ni4ohneo0oothieyeef9vo4ieth4yeiz6ohsiemae6aoy2asu9xei5eethoh0igaitha7laeghoothaeph9xai7kier3aib7aejaengahghan2zojeebai3kad9meesh6eichaey2
    [ 0.000000] Unknown kernel command line parameters "param146=ni4ohneo0oothieyeef9vo4ieth4yeiz6ohsiemae6aoy2asu9xei5eethoh0igaitha7laeghoothaeph9xai7kier3aib7aejaengahghan2zojeebai3kad9meesh6eichaey2", will be passed to user space.

[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/include/linux/fortify-string.h?h=v6.8#n659

https://bugs.launchpad.net/bugs/2069534

Title:
  linux 6.8 fails to boot on arm64 if any param is more than 140 chars

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Noble:
  Confirmed

Bug description:
  Hi,

  Linux 6.8 kernel fails to boot on ARM64 when any Linux command line param is more than 140 characters.

  Test Machine
  =============
  Rockchip RK3399 based RockPro64 with latest u-boot 2024.07-rc3 in EFI mode booting grubaa64.efi

  Reproduced on
  ==============
  Ubuntu 22.04.4 with Linux HWE Proposed 6.8
  Ubuntu 24.04 with Linux 6.8

  Works on
  =========
  Ubuntu 22.04.4 with Linux 5.15, 6.6, 6.7, 6.9

  Steps to reproduce
  ====================
  1. Install Ubuntu 24.04 which comes with Linux 6.8 by default or Ubuntu 22.04.4 install Linux HWE 6.8 from https://launchpad.net/~canonical-kernel-team/+archive/ubuntu/proposed?field.series_filter=jammy

  2. Edit /boot/grub/grub.cfg and add the following param to any boot entry with Linux 6.8

  testparam=f081c381e7b54edcba27e5f790d47911a4cc3e726d8d256878d3df9175c020e0f081c381e7b54edcba27e5f790d47911a4cc3e726d8d256878d3df9175c020e0f081c381e7b5

  3. Reboot the machine and select the boot entry in grub with the testparam as above.

  4. Observe kernel never boots.

  Cause
  ========
  After bisecting the kernel, I found that the bug was introduced in Linux 6.8-rc1 ( and released in Linux 6.8 ) with commit

  commit dc3f5aae06381b43bc9d0d416bd15ee1682940e9
  Author: Ard Biesheuvel <a...@kernel.org>
  Date:   Wed Nov 29 12:16:12 2023 +0100

      arm64: idreg-override: Avoid parameq() and parameqn()

  This got fixed with Linux 6.9-rc1 and released in Linux 6.9 as part of rework

  commit e223a449125571daa62debd8249fa4fc2da0a961
  Author: Ard Biesheuvel <a...@kernel.org>
  Date:   Wed Feb 14 13:28:50 2024 +0100

      arm64: idreg-override: Move to early mini C runtime

  That got merged to Linux 6.9-rc1 with commit

  commit 6d75c6f40a03c97e1ecd683ae54e249abb9d922b
  Merge: fe46a7dd189e 1ef21fcd6a50
  Author: Linus Torvalds <torva...@linux-foundation.org>
  Date:   Thu Mar 14 15:35:42 2024 -0700

      Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

  Fix Options
  =============
  Option 1. For Linux 6.8 the safest fix would be to revert

  commit dc3f5aae06381b43bc9d0d416bd15ee1682940e9
  Author: Ard Biesheuvel <a...@kernel.org>
  Date:   Wed Nov 29 12:16:12 2023 +0100

      arm64: idreg-override: Avoid parameq() and parameqn()

  Option 2. Unless Ubuntu Team is interested in bringing the whole Mini C Runtime rework to Linux 6.8 with

  commit 6d75c6f40a03c97e1ecd683ae54e249abb9d922b
  Merge: fe46a7dd189e 1ef21fcd6a50
  Author: Linus Torvalds <torva...@linux-foundation.org>
  Date:   Thu Mar 14 15:35:42 2024 -0700

      Merge tag 'arm64-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

  Please revert the change in Linux 6.8

  Thanks
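
The size test described in the comment at the top of this message, as an added example (not code from the kernel or from this thread): a user-space model of the quoted fortify check that returns a status where the kernel calls fortify_panic(), run with and without the length guard. The struct field sizes, the 256-byte buffer, the sample alias and all function names are assumptions made for the illustration.

```c
#include <stddef.h>
#include <string.h>

/* Stand-in for one aliases[] element. Field sizes are assumptions, chosen so
 * the element is 146 bytes, the q_size reported in the comment. */
struct alias_entry { char alias[30]; char feature[116]; };

/* Constructed sample entry, not one of the kernel's aliases. */
static const struct alias_entry aliases[] = { { "demo.alias", "demo.feature=1" } };

enum cmp_result { CMP_EQUAL, CMP_DIFFERENT, CMP_WOULD_PANIC };

/* Model of the quoted test: report where the kernel calls fortify_panic(). */
static enum cmp_result checked_memcmp(const void *p, size_t p_size,
                                      const void *q, size_t q_size, size_t size)
{
    if (p_size < size || q_size < size)
        return CMP_WOULD_PANIC;
    return memcmp(p, q, size) == 0 ? CMP_EQUAL : CMP_DIFFERENT;
}

/* Length of the alias text, bounded by the field size. */
static size_t alias_len(const struct alias_entry *a)
{
    const char *end = memchr(a->alias, '\0', sizeof(a->alias));
    return end ? (size_t)(end - a->alias) : sizeof(a->alias);
}

/* buf: NUL-terminated 256-byte buffer (size assumed). A non-zero guard skips
 * entries whose alias length differs from the parameter length. */
enum cmp_result match_alias(const char buf[256], int guard)
{
    size_t len = strlen(buf);

    for (size_t i = 0; i < sizeof(aliases) / sizeof(aliases[0]); i++) {
        if (guard && len != alias_len(&aliases[i]))
            continue;
        enum cmp_result r = checked_memcmp(buf, 256, &aliases[i],
                                           sizeof(aliases[i]), len + 1);
        if (r != CMP_DIFFERENT)
            return r;
    }
    return CMP_DIFFERENT;
}

/* Fill buf with a constructed parameter of exactly len characters (len < 256). */
void make_param(char buf[256], size_t len)
{
    memset(buf, 0, 256);
    memset(buf, 'x', len);
    memcpy(buf, "param146=", len < 9 ? len : 9);
}
```

With a 146-character parameter the unguarded path asks for 147 bytes from a 146-byte object and reports the panic condition; the guarded path never reaches the comparison for that entry.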