Right, yeah, I don't mean that universally disabling the kstack
randomization is the permanent solution. It should be possible to add a
patch to Ubuntu's kernel to restore the prior bit width to deal with
Virtualbox.
--
You received this bug notification because you are a member of Kernel
Package
Anyone affected by this should be able to boot with
"randomize_kstack_offset=off" on the kernel command line to disable the
offset randomization. No need to upgrade anything nor revert anything.
:P
--
This is a CONFIG request, so no apport collection required. :)
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
** Also affects: linux (Ubuntu Groovy)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Hirsute)
Importance: Undecided
Status: C
Public bug reported:
Enabling CONFIG_UBSAN_BOUNDS is fast and provides good coverage for
out-of-bounds array indexing (i.e. it catches the things that
CONFIG_FORTIFY doesn't).
** Affects: linux (Ubuntu)
Importance: Undecided
Status: New
--
(This is a feature request, so no log needed.)
** Changed in: linux (Ubuntu)
Status: Incomplete => Confirmed
** Also affects: linux (Ubuntu Hirsute)
Importance: Undecided
Status: Confirmed
** Also affects: linux (Ubuntu Groovy)
Importance: Undecided
Status: New
** Cha
I think it's fine. It sounds like there will just be no way to override
package-installed blacklists any more. That's unfortunate, but it's a
very rare situation.
** Changed in: systemd (Ubuntu)
Status: Incomplete => Won't Fix
** Changed in: linux (Ubuntu)
Status: Incomplete => Inva
To clarify, I'm suggesting:
CONFIG_PAGE_POISONING=y
CONFIG_PAGE_POISONING_ZERO=y
CONFIG_PAGE_POISONING_NO_SANITY=y
this should have no impact on regular boots, and if someone boots with
"page_poison=1" then they get page wiping when page_alloc pages are
freed (and then GFP_ZERO is a no-op since i
Oh no, leave CONFIG_PAGE_POISONING_NO_SANITY=y. Things get REALLY slow
without that, and the default kernel is built with hibernation, so I
would expect to do =y for that option.
--
Public bug reported:
I'd like to be able to use page poisoning, but CONFIG_PAGE_POISONING is
not enabled on Ubuntu. (This option itself has a near-zero performance
impact since it must be combined with the boot option "page_poison=1" to
actually enable the poisoning.)
To make the poisoning (when
ping...
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1766052
Title:
Incorrect blacklist of bcm2835_wdt
Status in linux package in Ubuntu:
Triaged
Status in linux source package in A
Oops, I missed the "|" ... fixed here:
https://lists.ubuntu.com/archives/kernel-team/2018-April/092002.html
--
https://bugs.launchpad.net/bugs/1766052
Title:
Incorrect black
This should fix it:
https://lists.ubuntu.com/archives/kernel-team/2018-April/091890.html
--
https://bugs.launchpad.net/bugs/1766052
Title:
Incorrect blacklist of bcm2835_wdt
Public bug reported:
Without bcm2835_wdt loaded, Raspberry Pi systems cannot reboot or shut
down. This needs to be removed from the automatic blacklist generated by
the kernel build that ends up in
/lib/modprobe.d/blacklist_linux_$(uname -r).conf
** Affects: linux (Ubuntu)
Importance: Undeci
Public bug reported:
In the v4.12 kernel, CONFIG_SECURITY_SELINUX_DISABLE (which allows
disabling selinux after boot) will conflict with read-only LSM
structures. Since Ubuntu is primarily using AppArmor for its LSM, and
SELinux is disabled by default, it makes sense to drop this feature in
favor
... why aren't all the kernels just signed? Why does this need to be a
separate package at all?
I can confirm installing the -signed package fixes it for me. Where in
the kernel source does this signature affect the output of
/proc/sys/kernel/secure_boot, though? I can't find that...
--
And it looks like this is specific to the 4.8 kernel. 4.4 thinks secure
boot is enabled.
--
https://bugs.launchpad.net/bugs/1658255
Title:
Kernel not enforcing module signatu
And that must be doing something wrong, since:
sudo efivar -p -n $(efivar --list | grep SecureBoot)
shows "1"
--
https://bugs.launchpad.net/bugs/1658255
Title:
Kernel not e
the proc handler does:
secure_boot_enabled = efi_enabled(EFI_SECURE_BOOT);
this feature flag is set at boot:
#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE
if (boot_params.secure_boot == EFI_SECURE_BOOT) {
set_bit(EFI_SECURE_BOOT, &efi.flags);
enforce_sign
Oh, and that's not set up by the bootloader, it's in
arch/x86/boot/compressed/eboot.c:
boot_params->secure_boot = get_secure_boot();
--
https://bugs.launchpad.net/bugs/
(Hm, dmesg WARN on IOMMU seems to think I need
910170442944e1f8674fd5ddbeeb8ccd1877ea98, but that's unrelated...)
** Attachment added: "dmesg.txt"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1658255/+attachment/4809482/+files/dmesg.txt
--
$ cat /proc/sys/kernel/secure_boot
0
That seems weird. Everything else thinks it's enabled. What sets this
one (and what does it represent)?
--
https://bugs.launchpad.net/bugs/
Public bug reported:
$ sudo mokutil --sbstate
SecureBoot enabled
$ cat /proc/sys/kernel/moksbstate_disabled
0
$ sudo insmod ./hello.ko
$ echo $?
0
$ dmesg | grep Hello
[00112.530866] Hello, world!
$ strings /lib/modules/$(uname -r)/kernel/lib/test_module.ko | grep signature
~Module signature appen
What is needed to support this IOMMU? Kernel CONFIGs? New code? Can you
describe what is missing?
--
https://bugs.launchpad.net/bugs/1385391
Title:
Carrizo : IOMMU v2.6 featu
Public bug reported:
The perf subsystem provides a rather large attack surface, and system
owners would like a way to disable access to non-root users. This is
already being done in Android and Debian, and I'd like to do the same on
my Ubuntu systems. :)
https://lkml.org/lkml/2016/1/11/587
** Af
Yup, but I wanted to avoid getting overwritten each time linux-firmware
gets updated. ;)
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-firmware in Ubuntu.
https://bugs.launchpad.net/bugs/1436940
Title:
Qualcomm Atheros QCA6164 8
Adding ath10k/QCA6174/hw2.1/board-pci-168c:0041:17aa:3545.bin (from the
working board.bin in this thread) seems to fix it, though:
e6adc90ecaf55edc656990c6c50193ac board-pci-168c:0041:17aa:3545.bin
--
Hm, not fixed for me. still seeing firmware crashes. :(
** Changed in: linux-firmware (Ubuntu Xenial)
Status: Fix Released => Confirmed
** Changed in: linux-firmware (Ubuntu)
Status: Fix Released => Confirmed
--
Public bug reported:
Kernel Address Space Layout Randomization (KASLR) can make it harder to
accomplish kernel security vulnerability exploits, especially during
remote attacks or attacks from containers. On x86, KASLR has a run-time
conflict with Hibernation, and currently the kernel selects Hibe
Please also backport 3dfb7d8cdbc7ea0c2970450e60818bb3eefbad69 from
4.5-rc1.
--
https://bugs.launchpad.net/bugs/1551894
Title:
linux: 4.4.0-9.X fails yama ptrace restrictions
Still no issues for me. Yay! :)
--
https://bugs.launchpad.net/bugs/1448912
Title:
BUG: unable to handle kernel NULL pointer dereference (aa_label_merge)
Status in AppArmor:
It's been 3 days running the test kernel and I've seen no problems. Very
encouraging!
--
https://bugs.launchpad.net/bugs/1448912
Title:
BUG: unable to handle kernel NULL poin
** Attachment removed: "firmware for qca6174"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1436940/+attachment/4450449/+files/ath10k-qca6174.tar.bz2
--
https://bugs.
** Summary changed:
- Atheros wifi 168c:0041(QCA6164) is not supported
+ Atheros wifi 168c:0041(QCA6174) is not supported
--
https://bugs.launchpad.net/bugs/1436940
Title:
A
I have not tested these, but IIUC, this is where to get an upstream
kernel build, configured for Ubuntu, though likely without
Ubuntu-specific patches:
http://kernel.ubuntu.com/~kernel-ppa/mainline/daily/current/
--
@jsalisbury is there a 4.2 ubuntu kernel we could test with? Here's a
tarball with the firmware files. It's unpacked as:
cd /lib/firmware
tar xf /tmp/ath10k-qca6174.tar.bz2
** Attachment added: "firmware for qca6174"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1436940/+attachment/44
With the new files, I still get the ath10k/QCA6174/hw2.1/firmware-4.bin
errors. Does the kernel need to be updated for a new driver that looks
for a -5 firmware?
--
https://bugs
The debug kernels reduced the frequency of the Oopsing, but this has
made AppArmor unusable with Apache for me.
** Also affects: linux (Ubuntu Wily)
Importance: Undecided
Assignee: John Johansen (jjohansen)
Status: Confirmed
** Also affects: linux (Ubuntu Trusty)
Importance: Und
Here is the Oops from a jj-special kernel. similar, but different.
** Attachment added: "debugging-oops.txt"
https://bugs.launchpad.net/apparmor/+bug/1448912/+attachment/4430738/+files/debugging-oops.txt
--
** Attachment added: "two.txt"
https://bugs.launchpad.net/apparmor/+bug/1448912/+attachment/4429578/+files/two.txt
--
https://bugs.launchpad.net/bugs/1448912
Title:
BUG:
** Attachment added: "three.txt"
https://bugs.launchpad.net/apparmor/+bug/1448912/+attachment/4429579/+files/three.txt
--
https://bugs.launchpad.net/bugs/1448912
Title:
B
Three more crashes today, one after the other (the trigger must be some
kind of Apache access pattern, still trying to figure that out.)
** Attachment added: "one.txt"
https://bugs.launchpad.net/apparmor/+bug/1448912/+attachment/4429577/+files/one.txt
--
** Summary changed:
- Wireless device not listed in driver's PCI IDs
+ Atheros 168c:0041 (Lenovo G50-80) is not supported
** Summary changed:
- Atheros 168c:0041 (Lenovo G50-80) is not supported
+ Atheros wifi 168c:0041 (Lenovo G50-80) is not supported
** Also affects: linux (Ubuntu Vivid)
I
I saw the same thing this morning.
Ubuntu 14.04.2 LTS
Kernel linux-image-3.16.0-30-generic
libapache2-mod-apparmor 2.8.95~2430-0ubuntu5.1
apache2-mpm-prefork 2.4.7-1ubuntu4.4
Attached is first the warning (like in bug 1447530), and then the Oops,
9 seconds later.
** Attachment added: "warn and
** Summary changed:
- BUG: unable to handle kernel NULL pointer dereference
+ BUG: unable to handle kernel NULL pointer dereference (aa_label_merge)
--
https://bugs.launchpad.n
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4249
--
https://bugs.launchpad.net/bugs/812360
Title:
linux: 2.6.24-29.92 -proposed tracker
Status in K
Thanks! Tested Ubuntu 3.13.0-40.68-generic 3.13.11.10 with upstream
regression suite, all tests pass.
** Tags removed: verification-needed-trusty
** Tags added: verification-done-trusty
--
What does the output of "xrandr" show when VGA is working, and when it
is not?
--
https://bugs.launchpad.net/bugs/1300914
Title:
External screen undetected after first plug
** Attachment added: "after.log"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1379020/+attachment/4229706/+files/after.log
--
https://bugs.launchpad.net/bugs/1379020
** Attachment added: "before.log"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1379020/+attachment/4229705/+files/before.log
--
https://bugs.launchpad.net/bugs/13790
Thanks for the backport to Utopic!
Pull request for Trusty is here:
https://lists.ubuntu.com/archives/kernel-team/2014-October/049110.html
Logs for test runs of https://github.com/redpig/seccomp.git
tests/seccomp_bpf_tests all pass now.
--
2014-08-11 seccomp: Replace BUG(!spin_is_locked()) with assert_spin_lock
2014-07-18 seccomp: implement SECCOMP_FILTER_FLAG_TSYNC
2014-07-18 seccomp: allow mode setting across threads
2014-07-18 seccomp: introduce writer locking
2014-07-18 seccomp: split filter prep from che
Public bug reported:
For Chrome (and other seccomp users like LXC), the thread-sync features
for seccomp would provide better process isolation. The feature landed
in kernel 3.17, and is relatively easy to back-port. The upstream
seccomp regression tests can be used to verify both the new features
Works for me, thanks!
** Tags removed: verification-needed-precise
** Tags added: verified-precise
** Tags removed: verified-precise
** Tags added: verification-done-precise
--
Reopened; it looks like this never landed and the auditsc fix in
3.13.0-33.58 typoed which bug it should close?
** Changed in: linux (Ubuntu Trusty)
Status: Fix Released => Confirmed
--
Patch sent to kernel-team list:
https://lists.ubuntu.com/archives/kernel-team/2014-July/045729.html
--
https://bugs.launchpad.net/bugs/1338883
Title:
Yama PR_SET_PTRACER_ANY
Test-case:
sudo apt-get install gcc-multilib
gcc -Wall yama-test.c -m32 -o yama-test
./yama-test
This should return 0 and report "ok", but on precise, it fails.
** Attachment added: "yama-test.c"
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1338883/+attachment/4147811/+files/yama-tes
Public bug reported:
This is an old bug that looks like the fix missed Precise since Yama was
backported there. Yama was introduced in 3.4, but Precise is 3.2 with
Yama backported. The upstream fix for this bug is missing, which can
cause problems when a Yama-aware program is running in 32-bit use
Will Utopic be 3.16 based? If so, once
24f2e0273f80ec262a772059e140a0adef35296d is in the Ubuntu kernel, it
will be possible to enable CONFIG_RANDOMIZE_BASE along with
CONFIG_HIBERNATE on i386 and amd64.
Otherwise, please backport a6e15a39048ec3229b9a53425f4384f55f6cc1b3 and
24f2e0273f80ec262a7720
I've confirmed this is fixed. Thanks!
$ cat /proc/version_signature
Ubuntu 3.2.0-65.98-generic 3.2.60
$ ./seccomp_bpf_tests
...
[ RUN ] TRACE.read_has_side_effects
[ OK ] TRACE.read_has_side_effects
[ RUN ] TRACE.getpid_runs_normally
[ OK ] TRACE.getpid_runs_normally
...
*
Notes from IRC:
You can either turn off CONFIG_HIBERNATE to gain it, or write patches to
make those work together in some way. :) one idea I had that I haven't
had time to see if it could work is to make kaslr disabled by default if
CONFIG_HIBERNATE is enabled, and then if boot with "kaslr" on the
** Description changed:
In v3.2, there was confusion over the new "PTRACE_EVENT_EXIT" value.
Ultimately, upstream fixed it, but in the precise backporting of
seccomp, the wrong value was used:
5cdf389aee90109e2e3d88085dea4dd5508a3be7
As a result, seccomp filters expecting ptrace mana
Wrong:
$ cd /src/kernels/ubuntu/precise ; git grep PTRACE_EVENT_SECCOMP
...
include/linux/ptrace.h:#define PTRACE_EVENT_SECCOMP 8
Correct:
$ cd /src/kernels/ubuntu/trusty ; git grep PTRACE_EVENT_SECCOMP
...
include/uapi/linux/ptrace.h:#define PTRACE_EVENT_SECCOMP 7
** Patch added:
"
Public bug reported:
In v3.2, there was confusion over the new "PTRACE_EVENT_EXIT" value.
Ultimately, upstream fixed it, but in the precise backporting of
seccomp, the wrong value was used:
5cdf389aee90109e2e3d88085dea4dd5508a3be7
As a result, seccomp filters expecting ptrace managers don't work
For making sure IMA isn't enabled at boot by default, here's some
details from http://sourceforge.net/p/linux-ima/wiki/Home/
Enabling IMA
IMA was first included in the 2.6.30 kernel. For distros that enable IMA by
default in their kernels, collecting IMA measurements simply requires rebooting
th
Moving to main linux package. Waiting for memory benchmark comparison of:
- without CONFIG_IMA
- with CONFIG_IMA
- with CONFIG_IMG + policy
** Package changed: linux-meta-lts-saucy (Ubuntu) => linux (Ubuntu)
--
"sudo rmmod mei_me mei" should stop the messages. Usually means AMT has
been disabled in the BIOS.
--
https://bugs.launchpad.net/bugs/1196155
Title:
mei_me resets spamming dm
My testing was with a Debian userspace. I don't have a functional Ubuntu
ARM environment. I can boot rebuilt kernels in KVM.
Can you just adjust the header file to get it compiled? I have no idea
why __NR_time is stripped out like that. It's a valid syscall.
--
** Description changed:
While seccomp-bpf was backported into precise, it was only for x86. Now
that the ARM support is upstream too, it would be great to have the same
level of support on ARM in the LTS kernel.
I'll prepare patches.
+
+ [Impact]
+ ARM devices lack seccomp-bpf protecti