q-r-t security test wants SCHED_STACK_END_CHECK to be enabled in KVM kernels
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
ubuntu-kernel-tests |
Fix Released
|
Undecided
|
Po-Hsu Lin | ||
linux-kvm (Ubuntu) |
Fix Released
|
Undecided
|
Po-Hsu Lin | ||
Xenial |
Fix Released
|
Undecided
|
Po-Hsu Lin | ||
Bionic |
Fix Released
|
Undecided
|
Po-Hsu Lin | ||
Cosmic |
Won't Fix
|
Undecided
|
Po-Hsu Lin | ||
Disco |
Fix Released
|
Undecided
|
Po-Hsu Lin |
Bug Description
== SRU Justification ==
Security team requires the SCHED_STACK_
on all of our kernel.
The test_380_
Copied from the config help text:
This option checks for a stack overrun on calls to schedule(). If the
stack end location is found to be over written always panic as the
content of the corrupted region can no longer be trusted. This is to
ensure no erroneous behaviour occurs which could result in data
corruption or a sporadic crash at a later stage once the region is
examined. The runtime overhead introduced is minimal.
== Test ==
Test kernels could be found here:
https:/
This issue case be verified with the test_380_
== Regression Potential ==
Low, the introduced runtime overhead is minimal, and it's already enabled in the generic kernel.
== Original Bug report ==
The test_380_
KVM kernel
FAIL: test_380_
Ensure SCHED_STACK_
------
Traceback (most recent call last):
File "./test-
self.assertKer
File "./test-
self.assertKer
File "./test-
'%s option was expected to be set in the kernel config' % name)
AssertionError: SCHED_STACK_
ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: linux-image-
ProcVersionSign
Uname: Linux 4.15.0-1028-kvm x86_64
ApportVersion: 2.20.9-0ubuntu7.5
Architecture: amd64
Date: Thu Jan 17 06:44:41 2019
SourcePackage: linux-kvm
UpgradeStatus: No upgrade log present (probably fresh install)
CVE References
Changed in ubuntu-kernel-tests: | |
assignee: | nobody → Po-Hsu Lin (cypressyew) |
Changed in linux-kvm (Ubuntu): | |
assignee: | nobody → Po-Hsu Lin (cypressyew) |
Changed in linux-kvm (Ubuntu Xenial): | |
assignee: | nobody → Po-Hsu Lin (cypressyew) |
Changed in linux-kvm (Ubuntu Bionic): | |
assignee: | nobody → Po-Hsu Lin (cypressyew) |
Changed in linux-kvm (Ubuntu Cosmic): | |
assignee: | nobody → Po-Hsu Lin (cypressyew) |
Changed in linux-kvm (Ubuntu Disco): | |
assignee: | nobody → Po-Hsu Lin (cypressyew) |
Changed in linux-kvm (Ubuntu Xenial): | |
status: | New → In Progress |
Changed in linux-kvm (Ubuntu Bionic): | |
status: | New → In Progress |
Changed in ubuntu-kernel-tests: | |
status: | New → In Progress |
Changed in linux-kvm (Ubuntu Cosmic): | |
status: | New → In Progress |
Changed in linux-kvm (Ubuntu Disco): | |
status: | New → In Progress |
Changed in linux-kvm (Ubuntu): | |
status: | New → In Progress |
description: | updated |
description: | updated |
tags: | added: ubuntu-qrt-kernel-security |
tags: | added: linux-kvm |
Changed in linux-kvm (Ubuntu Xenial): | |
status: | In Progress → Fix Committed |
Changed in linux-kvm (Ubuntu Bionic): | |
status: | In Progress → Fix Committed |
Changed in linux-kvm (Ubuntu Cosmic): | |
status: | In Progress → Fix Committed |
Changed in linux-kvm (Ubuntu Disco): | |
status: | In Progress → Fix Committed |
Changed in ubuntu-kernel-tests: | |
status: | In Progress → Fix Released |
Changed in linux-kvm (Ubuntu): | |
status: | In Progress → Fix Released |
Changed in linux-kvm (Ubuntu Cosmic): | |
status: | Fix Committed → Won't Fix |
This option checks for a stack overrun on calls to schedule(). If the stack end location is found to be over written always panic as the content of the corrupted region can no longer be trusted. This is to ensure no erroneous behaviour occurs which could result in data corruption or a sporadic crash at a later stage once the region is examined. The runtime overhead introduced is minimal.
Ref: https://cateee.net/lkddb/web-lkddb/SCHED_STACK_END_CHECK.html
Looks like this is debug related, not sure if we want this on KVM kernels.