Hello,

Here is an update on the situation.

I completed a kernel bisection between 4.7.8 and 4.8-rc1 (15 kernel
builds) and identified the kernel commit that causes the problem :

commit 021182e52fe01c1f7b126f97fd6ba048dc4234fd
Author: Thomas Garnier <thgar...@google.com>
Date:   Tue Jun 21 17:47:03 2016 -0700

    x86/mm: Enable KASLR for physical mapping memory regions
    
    Add the physical mapping in the list of randomized memory regions.
    
    The physical memory mapping holds most allocations from boot and heap
    allocators. Knowing the base address and physical memory size, an attacker
    can deduce the PDE virtual address for the vDSO memory page. This attack
    was demonstrated at CanSecWest 2016, in the following presentation:
    
      "Getting Physical: Extreme Abuse of Intel Based Paged Systems":
      
https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/blob/master/Presentation/CanSec2016_Presentation.pdf
    
    (See second part of the presentation).
    
    The exploits used against Linux worked successfully against 4.6+ but
    fail with KASLR memory enabled:
    
      
https://github.com/n3k/CansecWest2016_Getting_Physical_Extreme_Abuse_of_Intel_Based_Paging_Systems/tree/master/Demos/Linux/exploits
    
    Similar research was done at Google leading to this patch proposal.
    
    Variants exists to overwrite /proc or /sys objects ACLs leading to
    elevation of privileges. These variants were tested against 4.6+.
    
    The page offset used by the compressed kernel retains the static value
    since it is not yet randomized during this boot stage.
    
    Signed-off-by: Thomas Garnier <thgar...@google.com>
    Signed-off-by: Kees Cook <keesc...@chromium.org>

As you can see, this modification is specific to the x86 architecture
which is why you don't see the issue.

In parallel to that, a patch to fix this situation has been published
yesterday to the makedumpfile mailing list and is currently under review
by the main developper :

 https://www.mail-archive.com/kexec@lists.infradead.org/msg16628.html

There is a debian bug opened for this issue : 
  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842019

While I understand your concern, I cannot push a modification that will
trigger makedumpfile to generate dozen of error messages and a
potentially unusable vmcore to all of the x86 world in order to satisfy
only one architecture.

It is important to remember that, while makedumpfile fails, the kernel
dump capture mechanism reverts to using 'cp' to copy /proc/vmcore
uncompressed so this vmcore file is still usable for analysis.

Hopefully, we should get an ACK for the upstream bug soon, so I can push
a new package to Debian. I will then proceed with the synchronization to
Zesty and SRU to the other stable releases.

I hope that this clarifies the situation.

Kind regards

** Bug watch added: Debian Bug tracker #842019
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842019

** Changed in: makedumpfile (Ubuntu)
       Status: Confirmed => In Progress

** Changed in: makedumpfile (Ubuntu)
   Importance: High => Medium

** Changed in: makedumpfile (Ubuntu Yakkety)
   Importance: High => Medium

** Changed in: makedumpfile (Ubuntu Trusty)
       Status: New => Confirmed

** Changed in: makedumpfile (Ubuntu Xenial)
       Status: New => Confirmed

** Changed in: makedumpfile (Ubuntu Trusty)
   Importance: Undecided => Medium

** Changed in: makedumpfile (Ubuntu Xenial)
   Importance: Undecided => Medium

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to makedumpfile in Ubuntu.
https://bugs.launchpad.net/bugs/1626269

Title:
  Ubuntu 16.10: kdump is not working in 4.8 kernel.

Status in makedumpfile package in Ubuntu:
  In Progress
Status in makedumpfile source package in Trusty:
  Confirmed
Status in makedumpfile source package in Xenial:
  Confirmed
Status in makedumpfile source package in Yakkety:
  Confirmed

Bug description:
  == Comment: #0 - PAVITHRA R. PRAKASH - 2016-09-21 00:50:22 ==
  ---Problem Description---

  Ubuntu 16.10: kdump is not working in 4.8 kernel.

  ---Steps to Reproduce---

  1) apt-get install linux-crashdump
  2) increase crashdump size:
  sudo vim /etc/default/grub.d/kexec-tools.cfg

  GRUB_CMDLINE_LINUX_DEFAULT="$GRUB_CMDLINE_LINUX_DEFAULT crashkernel
  =2G-4G:320M,4G-32G:512M,32G-64G:1024M,64G-128G:2048M,128G-:4096M"

  3) sudo update-grub ; reboot the machine
  4) sudo sed -i 's/USE_KDUMP=0/USE_KDUMP=1/g' /etc/default/kdump-tools
  5) kdump-config show
  6) echo "c" > /proc/sysrq-trigger

  Logs
  ====

  root@ubuntu:/home/ubuntu# uname -a
  Linux ubuntu 4.8.0-11-generic #12-Ubuntu SMP Sat Sep 17 19:58:16 UTC 2016 
ppc64le ppc64le ppc64le GNU/Linux

  
  root@ubuntu:/home/ubuntu# kdump-config show
  DUMP_MODE:        kdump
  USE_KDUMP:        1
  KDUMP_SYSCTL:     kernel.panic_on_oops=1
  KDUMP_COREDIR:    /var/crash
  crashkernel addr: 
     /var/lib/kdump/vmlinuz: symbolic link to /boot/vmlinux-4.8.0-11-generic
  kdump initrd: 
     /var/lib/kdump/initrd.img: symbolic link to 
/var/lib/kdump/initrd.img-4.8.0-11-generic
  current state:    ready to kdump

  kexec command:
    /sbin/kexec -p --command-line="BOOT_IMAGE=/boot/vmlinux-4.8.0-11-generic 
root=UUID=7ea3831b-f4c3-4f69-8f77-79aefcda70e3 ro splash quiet irqpoll 
nr_cpus=1 nousb systemd.unit=kdump-tools.service" 
--initrd=/var/lib/kdump/initrd.img /var/lib/kdump/vmlinuz
  root@ubuntu:/home/ubuntu# cd
  root@ubuntu:~# echo "c" > /proc/sysrq-trigger
  [   50.733424] sysrq: SysRq : Trigger a crash
  [   50.733437] Unable to handle kernel paging request for data at address 
0x00000000
  [   50.733441] Faulting instruction address: 0xc0000000005af3f4
  [   50.733444] Oops: Kernel access of bad area, sig: 11 [#1]
  [   50.733446] SMP NR_CPUS=2048 NUMA pSeries
  [   50.733450] Modules linked in: rpadlpar_io rpaphp dccp_diag dccp tcp_diag 
udp_diag inet_diag unix_diag af_packet_diag netlink_diag pseries_rng sg 
rng_core binfmt_misc ghash_generic gf128mul vmx_crypto ip_tables x_tables 
autofs4 ext4 crc16 jbd2 fscrypto mbcache sr_mod cdrom sd_mod bnx2x ibmvscsi 
ibmveth scsi_transport_srp ptp pps_core mdio libcrc32c crc32c_generic 
crc32c_vpmsum
  [   50.733477] CPU: 2 PID: 1517 Comm: bash Not tainted 4.8.0-11-generic 
#12-Ubuntu
  [   50.733480] task: c0000004f7906880 task.stack: c0000004f7898000
  [   50.733482] NIP: c0000000005af3f4 LR: c0000000005b04d8 CTR: 
c0000000005af3c0
  [   50.733485] REGS: c0000004f789b990 TRAP: 0300   Not tainted  
(4.8.0-11-generic)
  [   50.733488] MSR: 8000000000009033 <SF,EE,ME,IR,DR,RI,LE>  CR: 28242422  
XER: 00000001
  [   50.733496] CFAR: c0000000000087d0 DAR: 0000000000000000 DSISR: 42000000 
SOFTE: 1 
  GPR00: c0000000005b04d8 c0000004f789bc10 c000000000f46700 0000000000000063 
  GPR04: c0000005ef78a9b8 c0000005ef79f7d8 c00000063fe82300 0000000000005970 
  GPR08: 0000000000000007 0000000000000001 0000000000000000 0000000000000001 
  GPR12: c0000000005af3c0 c000000007b31200 ffffffffffffffff 0000000022000000 
  GPR16: 0000000010170dc8 00000100111c0538 0000000010140f58 00000000100c7570 
  GPR20: 0000000000000000 000000001017dd58 0000000010153618 000000001017b608 
  GPR24: 00003ffff10b9624 0000000000000001 c000000000e9fd40 0000000000000004 
  GPR28: c000000000ea0100 0000000000000063 c000000000e528e8 0000000000000000 
  [   50.733536] NIP [c0000000005af3f4] sysrq_handle_crash+0x34/0x50
  [   50.733539] LR [c0000000005b04d8] __handle_sysrq+0xe8/0x280
  [   50.733541] Call Trace:
  [   50.733544] [c0000004f789bc10] [c0000000009ff9e8] 0xc0000000009ff9e8 
(unreliable)
  [   50.733548] [c0000004f789bc30] [c0000000005b04d8] __handle_sysrq+0xe8/0x280
  [   50.733552] [c0000004f789bcd0] [c0000000005b0c88] 
write_sysrq_trigger+0x78/0xa0
  [   50.733556] [c0000004f789bd00] [c0000000003a9a90] proc_reg_write+0xb0/0x110
  [   50.733560] [c0000004f789bd50] [c00000000030c27c] __vfs_write+0x6c/0xe0
  [   50.733564] [c0000004f789bd90] [c00000000030d784] vfs_write+0xd4/0x240
  [   50.733567] [c0000004f789bde0] [c00000000030f49c] SyS_write+0x6c/0x110
  [   50.733571] [c0000004f789be30] [c0000000000095e0] system_call+0x38/0x108
  [   50.733574] Instruction dump:
  [   50.733576] 38427340 7c0802a6 f8010010 f821ffe1 60000000 60000000 3d220019 
3949cde0 
  [   50.733582] 39200001 912a0000 7c0004ac 39400000 <992a0000> 38210020 
e8010010 7c0803a6 
  [   50.733589] ---[ end trace f58d72cacaada0df ]---
  [   50.735307] 
  [   50.735313] Sending IPI to other CPUs
  [   50.736336] IPI complete
  I'm in purgatory
   -> smp_release_cpus()
  spinning_secondaries = 8
   <- smp_release_cpus()
  [    7.250999] sd 0:0:1:0: [sda] Assuming drive cache: write through
  /dev/sda2: recovering journal
  /dev/sda2: clean, 139510/1884160 files, 1253112/7531008 blocks
  [    8.263985] EXT4-fs (sda2): Cannot load crc32c driver.
  mount: mounting /dev/sda2 on /root failed: No such file or directory
  mount: mounting /dev on /root/dev failed: No such file or directory
  mount: mounting /run on /root/run failed: No such file or directory
  run-init: current directory on the same filesystem as the root: error 0
  Target filesystem doesn't have requested /sbin/init.
  run-init: current directory on the same filesystem as the root: error 0
  run-init: current directory on the same filesystem as the root: error 0
  run-init: current directory on the same filesystem as the root: error 0
  run-init: current directory on the same filesystem as the root: error 0
  run-init: current directory on the same filesystem as the root: error 0
  No init found. Try passing init= bootarg.

  
  BusyBox v1.22.1 (Ubuntu 1:1.22.0-19ubuntu2) built-in shell (ash)
  Enter 'help' for a list of built-in commands.

  (initramfs) 
  (initramfs) 
  (initramfs) 
  (initramfs) exit
  mount: mounting /sys on /root/sys failed: No such file or directory
  mount: mounting /proc on /root/proc failed: No such file or directory
  /init: line 338: can't open /root/dev/console: no such file
  [  381.386973] Kernel panic - not syncing: Attempted to kill init! 
exitcode=0x00000200
  [  381.386973] 
  [  381.386980] CPU: 0 PID: 1 Comm: init Not tainted 4.8.0-11-generic 
#12-Ubuntu
  [  381.386983] Call Trace:
  [  381.386988] [c000000026513c20] [c00000000888bb9c] dump_stack+0xb0/0xf0 
(unreliable)
  [  381.386993] [c000000026513c60] [c00000000888832c] panic+0x144/0x308
  [  381.386997] [c000000026513cf0] [c0000000080ce298] do_exit+0xd08/0xd10
  [  381.387001] [c000000026513dc0] [c0000000080ce384] do_group_exit+0x64/0x100
  [  381.387005] [c000000026513e00] [c0000000080ce44c] SyS_exit_group+0x2c/0x30
  [  381.387008] [c000000026513e30] [c0000000080095e0] system_call+0x38/0x108
  [  381.390557] ---[ end Kernel panic - not syncing: Attempted to kill init! 
exitcode=0x00000200
  [  381.390557]

  
  == Comment: #5 - Kevin W. Rudd - 2016-09-21 16:26:35 ==
  This appears to be similar to the issue noted in the following discussion:

  https://lists.debian.org/debian-kernel/2016/04/msg00013.html

  (from the kdump dmesg info attached):

  [    9.115577] call_modprobe: crypto-crc32c   2 
  [    9.116170] call_modprobe: crypto-crc32c-all   2 
  [    9.116709] EXT4-fs (sda2): Cannot load crc32c driver.

  Forcing the crc32c module by adding it to /etc/initramfs-tools/modules
  got me past the initial EXT4-fs failure, but kdump then ran into a
  regression with makedumpfile:

  [   12.331294] kdump-tools[1546]: Starting kdump-tools:  * running 
makedumpfile -c -d 31 /proc/vmcore /var/crash/201609211609/dump-incomplete
  [   12.391902] kdump-tools[1546]: get_mem_map: Can't distinguish the memory 
type.
  [   12.392406] kdump-tools[1546]: The kernel version is not supported.
  [   12.392715] kdump-tools[1546]: The makedumpfile operation may be 
incomplete.
  [   12.392997] kdump-tools[1546]: makedumpfile Failed.
  [   12.393309] kdump-tools[1546]:  * kdump-tools: makedumpfile failed, 
falling back to 'cp'

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/makedumpfile/+bug/1626269/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to