kexec should get a disabling sysctl

Bug #1259570 reported by Philipp Kern
This bug affects 2 people

Affects                    Status        Importance  Assigned to     Milestone
linux (Ubuntu)             Fix Released  Medium      Andy Whitcroft
  Precise                  Won't Fix     Medium      Unassigned
  Quantal                  Won't Fix     Undecided   Unassigned
  Raring                   Invalid       Undecided   Unassigned
  Saucy                    Fix Released  Medium      Andy Whitcroft
  Trusty                   Fix Released  Medium      Andy Whitcroft
linux-lts-saucy (Ubuntu)   Invalid       Undecided   Unassigned
  Precise                  Fix Released  Undecided   Unassigned
  Quantal                  Invalid       Undecided   Unassigned
  Raring                   Invalid       Undecided   Unassigned
  Saucy                    Invalid       Undecided   Unassigned
  Trusty                   Invalid       Undecided   Unassigned

Bug Description

Enabling kexec makes sense for a generic distro kernel. But if your users have root in their virtual machines, and you want to make it hard for them to run code in ring 0, you commonly disable further module loading and you also want to disable kexec [1]. Kees Cook wrote up a patch [2] that we'd like to see applied to the Ubuntu kernel to avoid recompilation of the distro kernel.

I'm marking this as a security issue on the grounds that it's quite surprising that setting kernel.modules_disabled=1 as a hardening feature can be subverted by using kexec.

[1] http://mjg59.dreamwidth.org/28746.html
[2] https://lkml.org/lkml/2013/12/9/765
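Editor's note: the report above describes two one-way kernel toggles that, together, stop root from bringing new code into ring 0, and the verification comment further down confirms the second one cannot be switched back off once set. The following is an added example, not code from the bug report, Kees Cook's patch or the Ubuntu kernel tree. It audits the two sysctls (kernel.modules_disabled and kernel.kexec_load_disabled) and names the gap the report is about; the function and status names are this example's own, the sysctl paths are the real /proc/sys/kernel entries.

```shell
#!/bin/sh
# Added example (not from the bug report or the kernel patch): audit the two
# one-way sysctls that together keep root from loading new ring-0 code.
# Both toggles only go 0 -> 1; once set they cannot be cleared without a
# reboot, which is why the verification comment could not re-enable kexec.

# Classify a host from the two sysctl values. Arguments are the contents of
# /proc/sys/kernel/modules_disabled and /proc/sys/kernel/kexec_load_disabled,
# or the word "absent" when the file does not exist (kernels before the fix
# in 3.14 have no kexec_load_disabled at all).
# Prints one of: hardened, kexec-open, modules-open, open, no-kexec-sysctl
ring0_lockdown_report() {
    mods="$1"
    kexec="$2"
    if [ "$kexec" = "absent" ]; then
        # Kernel without this bug's patch: modules_disabled=1 can still be
        # bypassed by kexec'ing into a kernel the attacker built.
        echo "no-kexec-sysctl"
    elif [ "$mods" = "1" ] && [ "$kexec" = "1" ]; then
        echo "hardened"
    elif [ "$mods" = "1" ]; then
        # Exactly the gap described in the bug report.
        echo "kexec-open"
    elif [ "$kexec" = "1" ]; then
        echo "modules-open"
    else
        echo "open"
    fi
}

# Succeed only when both toggles are set.
ring0_lockdown_ok() {
    [ "$(ring0_lockdown_report "$1" "$2")" = "hardened" ]
}

# Read a kernel sysctl through /proc, printing "absent" when it does not exist.
read_kernel_sysctl() {
    if [ -r "/proc/sys/kernel/$1" ]; then
        cat "/proc/sys/kernel/$1"
    else
        echo "absent"
    fi
}

# Audit the running host.
audit_live_host() {
    ring0_lockdown_report "$(read_kernel_sysctl modules_disabled)" \
                          "$(read_kernel_sysctl kexec_load_disabled)"
}

# Print a sysctl fragment that sets both toggles, for "sysctl -p" once the
# host has finished loading the modules it needs. Applying modules_disabled
# too early in boot can break later module autoloading, so do not drop this
# straight into /etc/sysctl.d without checking that.
print_lockdown_fragment() {
    cat <<'EOF'
# Lock out new ring-0 code: no further module loading, no kexec.
# Both are one-way; a reboot is the only way back.
kernel.modules_disabled = 1
kernel.kexec_load_disabled = 1
EOF
}

# Constructed sample matching the report (modules locked, kexec still open),
# then the live host.
ring0_lockdown_report 1 0
audit_live_host
```

Note that kernel.kexec_load_disabled gates the kexec_load syscall and, on later kernels, kexec_file_load as well; neither toggle does anything about code paths that do not go through those syscalls, so this audit covers the specific bypass named in the report, not every route to ring 0.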

Philipp Kern (pkern)
information type: Private Security → Public Security
Brad Figg (brad-figg) wrote: Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1259570

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Margarita Manterola (marga-9) wrote:

This bug is a feature request, and therefore requires no apport traces. Furthermore, it also includes a link to a patch. What's being asked here is to apply that patch; no extra information should be needed.

Changed in linux (Ubuntu):
status: Incomplete → Confirmed
description: updated
Changed in linux (Ubuntu):
assignee: nobody → Tyler Hicks (tyhicks)
tags: added: rls-t-incoming
Changed in linux (Ubuntu):
importance: Undecided → Medium
tags: added: trusty
Marc Deslauriers (mdeslaur) wrote:
Changed in linux (Ubuntu Precise):
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Tyler Hicks (tyhicks)
Mark Russell (marrusl) wrote:
Louis Bouchard (louis) wrote:

The patch has been accepted upstream and is now in Linus's tree in 3.14-rc1:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=7984754b99b6c89054edc405e9d9d35810a91d36

Kernel 3.13 is planned for Trusty but I will see if we can bring this patchset into Trusty

Andy Whitcroft (apw) wrote:

A trivial cherry-pick for trusty. Applied, will be in the next upload.

Changed in linux (Ubuntu Trusty):
assignee: Tyler Hicks (tyhicks) → Andy Whitcroft (apw)
status: Confirmed → Fix Committed
Andy Whitcroft (apw)
Changed in linux (Ubuntu Precise):
assignee: Tyler Hicks (tyhicks) → nobody
status: Confirmed → New
Andy Whitcroft (apw)
Changed in linux (Ubuntu Precise):
status: New → Won't Fix
Changed in linux (Ubuntu Quantal):
status: New → Won't Fix
Changed in linux (Ubuntu Raring):
status: New → Won't Fix
Changed in linux (Ubuntu Saucy):
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Andy Whitcroft (apw)
Changed in linux-lts-saucy (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Raring):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Saucy):
status: New → Invalid
Changed in linux (Ubuntu Raring):
status: Won't Fix → Invalid
Andy Whitcroft (apw)
Changed in linux-lts-saucy (Ubuntu Precise):
assignee: nobody → Andy Whitcroft (apw)
status: New → In Progress
assignee: Andy Whitcroft (apw) → nobody
Andy Whitcroft (apw)
Changed in linux (Ubuntu Saucy):
status: In Progress → Fix Committed
Changed in linux-lts-saucy (Ubuntu Precise):
status: In Progress → Fix Committed
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 3.13.0-8.28

---------------
linux (3.13.0-8.28) trusty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1278963

  [ Paolo Pisati ]

  * [Config] armhf: RTC_DRV_PL031=y

  [ Serge Hallyn ]

  * SAUCE: Overlayfs: allow unprivileged mounts

  [ Upstream Kernel Changes ]

  * kexec: add sysctl to disable kexec_load
    - LP: #1259570
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
 -- Tim Gardner <email address hidden> Tue, 11 Feb 2014 08:35:39 -0500

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Brad Figg (brad-figg) wrote:

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-saucy' to 'verification-done-saucy'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-saucy
Philipp Kern (pkern) wrote:

Trying to kexec with the sysctl enabled correctly gives "kexec_load failed: Operation not permitted". Re-enabling it does not work, as expected. With the sysctl untouched kexec works just fine.

tags: added: verification-done-saucy
removed: verification-needed-saucy
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux-lts-saucy - 3.11.0-18.32~precise1

---------------
linux-lts-saucy (3.11.0-18.32~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1281894

  [ Bjorn Helgaas ]

  * SAUCE: Revert "EISA: Log device resources in dmesg"
    - LP: #1251816
  * SAUCE: Revert "EISA: Initialize device before its resources"
    - LP: #1251816

  [ Upstream Kernel Changes ]

  * Revert "ip6tnl: fix use after free of fb_tnl_dev"
    - LP: #1279399
  * mmc: sdhci-pci: break out definitions to header file
    - LP: #1239938
  * mmc: sdhci-pci: add support of O2Micro/BayHubTech SD hosts
    - LP: #1239938
  * kexec: add sysctl to disable kexec_load
    - LP: #1259570
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * br: fix use of ->rx_handler_data in code executed on non-rx_handler
    path
    - LP: #1279399
  * arc_emac: fix potential use after free
    - LP: #1279399
  * ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC
    - LP: #1279399
  * sfc: Add length checks to efx_xmit_with_hwtstamp() and
    efx_ptp_is_ptp_tx()
    - LP: #1279399
  * sfc: PTP: Moderate log message on event queue overflow
    - LP: #1279399
  * sfc: Rate-limit log message for PTP packets without a matching
    timestamp event
    - LP: #1279399
  * sfc: Stop/re-start PTP when stopping/starting the datapath.
    - LP: #1279399
  * sfc: Maintain current frequency adjustment when applying a time offset
    - LP: #1279399
  * dm thin: switch to read-only mode if metadata space is exhausted
    - LP: #1279399
  * dm thin: always fallback the pool mode if commit fails
    - LP: #1279399
  * mm: memcg: fix race condition between memcg teardown and swapin
    - LP: #1279399
  * ARM: dts: exynos5250: Fix MDMA0 clock number
    - LP: #1279399
  * ARM: shmobile: kzm9g: Fix coherent DMA mask
    - LP: #1279399
  * ARM: shmobile: armadillo: Fix coherent DMA mask
    - LP: #1279399
  * ARM: shmobile: mackerel: Fix coherent DMA mask
    - LP: #1279399
  * clk: samsung: exynos4: Correct SRC_MFC register
    - LP: #1279399
  * clk: samsung: exynos5250: Add CLK_IGNORE_UNUSED flag for the sysreg
    clock
    - LP: #1279399
  * clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks
    - LP: #1279399
  * [SCSI] sd: Reduce buffer size for vpd request
    - LP: #1279399
  * netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper
    - LP: #1279399
  * writeback: Fix data corruption on NFS
    - LP: #1279399
  * drm/i915: fix DDI PLLs HW state readout code
    - LP: #1279399
  * drm/i915: Don't grab crtc mutexes in intel_modeset_gem_init()
    - LP: #1279399
  * md/raid5: Fix possible confusion when multiple write errors occur.
    - LP: #1279399
  * md/raid10: fix two bugs in handling of known-bad-blocks.
    - LP: #1279399
  * md/raid10: fix bug when raid10 recovery fails to recover a block.
    - LP: #1279399
  * md: fix problem when adding device to read-only array with bitmap.
    - LP: #1279399
  * hwmon: (coretemp) Fix truncated name of alarm attributes
    - LP: #1279399
  * nilfs2: fix segctor bug that causes file system corruption
    - LP: #1279399
  * mm: fix crash when using XFS on l...

Changed in linux-lts-saucy (Ubuntu Precise):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote:

This bug was fixed in the package linux - 3.11.0-18.32

---------------
linux (3.11.0-18.32) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1281764

  [ Bjorn Helgaas ]

  * SAUCE: Revert "EISA: Log device resources in dmesg"
    - LP: #1251816
  * SAUCE: Revert "EISA: Initialize device before its resources"
    - LP: #1251816

  [ Upstream Kernel Changes ]

  * Revert "ip6tnl: fix use after free of fb_tnl_dev"
    - LP: #1279399
  * mmc: sdhci-pci: break out definitions to header file
    - LP: #1239938
  * mmc: sdhci-pci: add support of O2Micro/BayHubTech SD hosts
    - LP: #1239938
  * kexec: add sysctl to disable kexec_load
    - LP: #1259570
  * SELinux: Fix kernel BUG on empty security contexts.
    - CVE-2014-1874
  * br: fix use of ->rx_handler_data in code executed on non-rx_handler
    path
    - LP: #1279399
  * arc_emac: fix potential use after free
    - LP: #1279399
  * ipv4: fix tunneled VM traffic over hw VXLAN/GRE GSO NIC
    - LP: #1279399
  * sfc: Add length checks to efx_xmit_with_hwtstamp() and
    efx_ptp_is_ptp_tx()
    - LP: #1279399
  * sfc: PTP: Moderate log message on event queue overflow
    - LP: #1279399
  * sfc: Rate-limit log message for PTP packets without a matching
    timestamp event
    - LP: #1279399
  * sfc: Stop/re-start PTP when stopping/starting the datapath.
    - LP: #1279399
  * sfc: Maintain current frequency adjustment when applying a time offset
    - LP: #1279399
  * dm thin: switch to read-only mode if metadata space is exhausted
    - LP: #1279399
  * dm thin: always fallback the pool mode if commit fails
    - LP: #1279399
  * mm: memcg: fix race condition between memcg teardown and swapin
    - LP: #1279399
  * ARM: dts: exynos5250: Fix MDMA0 clock number
    - LP: #1279399
  * ARM: shmobile: kzm9g: Fix coherent DMA mask
    - LP: #1279399
  * ARM: shmobile: armadillo: Fix coherent DMA mask
    - LP: #1279399
  * ARM: shmobile: mackerel: Fix coherent DMA mask
    - LP: #1279399
  * clk: samsung: exynos4: Correct SRC_MFC register
    - LP: #1279399
  * clk: samsung: exynos5250: Add CLK_IGNORE_UNUSED flag for the sysreg
    clock
    - LP: #1279399
  * clk: exynos5250: fix sysmmu_mfc{l,r} gate clocks
    - LP: #1279399
  * [SCSI] sd: Reduce buffer size for vpd request
    - LP: #1279399
  * netfilter: nf_nat: fix access to uninitialized buffer in IRC NAT helper
    - LP: #1279399
  * writeback: Fix data corruption on NFS
    - LP: #1279399
  * drm/i915: fix DDI PLLs HW state readout code
    - LP: #1279399
  * drm/i915: Don't grab crtc mutexes in intel_modeset_gem_init()
    - LP: #1279399
  * md/raid5: Fix possible confusion when multiple write errors occur.
    - LP: #1279399
  * md/raid10: fix two bugs in handling of known-bad-blocks.
    - LP: #1279399
  * md/raid10: fix bug when raid10 recovery fails to recover a block.
    - LP: #1279399
  * md: fix problem when adding device to read-only array with bitmap.
    - LP: #1279399
  * hwmon: (coretemp) Fix truncated name of alarm attributes
    - LP: #1279399
  * nilfs2: fix segctor bug that causes file system corruption
    - LP: #1279399
  * mm: fix crash when using XFS on loopback
    - LP: #1279399
  * vfs: In d...

Changed in linux (Ubuntu Saucy):
status: Fix Committed → Fix Released
This report contains Public Security information. Everyone can see this security related information.