← Back to team overview

touch-packages team mailing list archive

[Bug 1430403] [NEW] ubuntu-touch livefs builds kill upstart in host

 

*** This bug is a security vulnerability ***

Public security bug reported:

ubuntu-touch livefs builds have started killing upstart in the host
system (in this case, precise, although a similar bug appears to be
present in current versions).  The livefs build completes, but the host
dies shortly after launchpad-buildd starts trying to remove the build
chroot.  The kernel log looks like this:

Mar 10 13:46:55 allspice kernel: [3743880.621603] init: /home/buildd/build-LIVEFSBUILD-22254/chroot-autobuild/build/chroot/etc/init/tty1.conf: Unable to reload configuration after override deletion
Mar 10 13:46:55 allspice kernel: [3743880.642455] init: file.c:110: Unhandled error from nih_file_read: No such file or directory
Mar 10 13:46:55 allspice kernel: [3743880.754281] init: Caught abort, core dumped
Mar 10 13:46:55 allspice kernel: [3743880.754375] init: file.c:110: Unhandled error from nih_file_read: No such file or directory
Mar 10 13:46:55 allspice kernel: [3743880.757830] init: Caught abort, core dumped

This appears to be because a couple of functions call conf_reload_path,
which may leave an nih_error in place if nih_file_read fails, but then
do not dispose of the nih_error.  The pattern near the end of
conf_file_visitor (in precise) is probably appropriate.

We're working around this to some extent in livecd-rootfs by removing
the .override files first, but it should never be possible for a chroot
to crash the host's init.

** Affects: upstart (Ubuntu)
     Importance: High
         Status: Confirmed

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to upstart in Ubuntu.
https://bugs.launchpad.net/bugs/1430403

Title:
  ubuntu-touch livefs builds kill upstart in host

Status in upstart package in Ubuntu:
  Confirmed

Bug description:
  ubuntu-touch livefs builds have started killing upstart in the host
  system (in this case, precise, although a similar bug appears to be
  present in current versions).  The livefs build completes, but the
  host dies shortly after launchpad-buildd starts trying to remove the
  build chroot.  The kernel log looks like this:

  Mar 10 13:46:55 allspice kernel: [3743880.621603] init: /home/buildd/build-LIVEFSBUILD-22254/chroot-autobuild/build/chroot/etc/init/tty1.conf: Unable to reload configuration after override deletion
  Mar 10 13:46:55 allspice kernel: [3743880.642455] init: file.c:110: Unhandled error from nih_file_read: No such file or directory
  Mar 10 13:46:55 allspice kernel: [3743880.754281] init: Caught abort, core dumped
  Mar 10 13:46:55 allspice kernel: [3743880.754375] init: file.c:110: Unhandled error from nih_file_read: No such file or directory
  Mar 10 13:46:55 allspice kernel: [3743880.757830] init: Caught abort, core dumped

  This appears to be because a couple of functions call
  conf_reload_path, which may leave an nih_error in place if
  nih_file_read fails, but then do not dispose of the nih_error.  The
  pattern near the end of conf_file_visitor (in precise) is probably
  appropriate.

  We're working around this to some extent in livecd-rootfs by removing
  the .override files first, but it should never be possible for a
  chroot to crash the host's init.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/upstart/+bug/1430403/+subscriptions


Follow ups

References