Ubuntu
haproxy package

Merge ~ahasenack/ubuntu/+source/haproxy:cosmic-haproxy-arm-sigbus-1804069 into ubuntu/+source/haproxy:ubuntu/cosmic-devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/haproxy
  3. cosmic-haproxy-arm-sigbus-1804069
  4. Merge into ubuntu/cosmic-devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: Christian Ehrhardt 
Approved revision: 5b18f963fbdfcf769aedbc4b701cee8d44252328
Merged at revision: 5b18f963fbdfcf769aedbc4b701cee8d44252328
Proposed branch: ~ahasenack/ubuntu/+source/haproxy:cosmic-haproxy-arm-sigbus-1804069
Merge into: ubuntu/+source/haproxy:ubuntu/cosmic-devel
Diff against target: 162 lines (+126/-0)
5 files modified
debian/changelog (+9/-0)
debian/patches/series (+1/-0)
debian/patches/stksess-align.patch (+64/-0)
debian/tests/control (+4/-0)
debian/tests/proxy-localhost (+48/-0)
Reviewer Review Type Date Requested Status
Christian Ehrhardt  (community) Approve
Canonical Server Pending
Review via email: mp+362209@code.launchpad.net

Description of the change

Fix a crash error on arm64. The patch was taken as-is from upstream with a tiny offset of 1 line. I checked and it applies correctly, therefore I didn't change it other than added a few dep3 headers.

The linked bug contains testing instructions and has the SRU template filled out.

Bileto ticket, still in progress as I write this: https://bileto.ubuntu.com/#/ticket/3610 (for some reason, tests haven't even started yet).

If you need arm64 hardware to test, ping me here or in telegram if I'm away, it's easy to arrange if you have vpn access to http://10.229.32.21.

To post a comment you must log in.
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

sil2100 is troubleshooting the bileto issues:
<sil2100> ahasenack: hey! hm, weird, let me take a look
<sil2100> argh
<sil2100> 2019-01-29 10:59:45.746494 Updating ticket 3610: 401 UNAUTHORIZED
<sil2100> ahasenack: let me try getting that fixed, but in the meantime it seems that 3610 was passing: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_39a8dbb93caf4ec889f8a1b7f69885db/bileto-3610-excuses/2019-01-29_10:20:01/3610_cosmic_excuses.html
<ahasenack> thanks
<sil2100> I'll quickly look at the other two and then try to find a way to make Bileto update the tickets contents again

3610, which represents this MP, is green: https://objectstorage.prodstack4-5.canonical.com/v1/AUTH_39a8dbb93caf4ec889f8a1b7f69885db/bileto-3610-excuses/2019-01-29_10:20:01/3610_cosmic_excuses.html

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Change LGTM, small but effective.
I tried the case on x86 and arm64 and agree to the issue, the fix and the SRU template.
Please feel free to go on as-is if you want.

OTOH as I outlined on the Disco MP - I'd encourage you to bundle the Dep8 test that you added there with the SRU.

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Going to add the new dep8 test from disco.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Triggered a bileto run with the new cmp based dep8 test, copied from disco. All green:

https://bileto.ubuntu.com/excuses/3610/cosmic.html

haproxy (1.8.13-2ubuntu0.1 to 1.8.13-2ubuntu0.2~ppa3)
Maintainer: Ubuntu Developers
0 days old
autopkgtest for haproxy/1.8.13-2ubuntu0.2~ppa3: amd64: Pass [artifacts], armhf: Pass [artifacts], i386: Pass [artifacts], ppc64el: Pass [artifacts], s390x: Pass [artifacts]
autopkgtest for neutron/2:13.0.2-0ubuntu1: amd64: Pass [artifacts], armhf: Pass [artifacts], i386: Pass [artifacts], ppc64el: Pass [artifacts], s390x: Pass [artifacts]
autopkgtest for neutron-lbaas/2:13.0.0-0ubuntu1: amd64: Pass [artifacts], armhf: Pass [artifacts], i386: Pass [artifacts], ppc64el: Pass [artifacts], s390x: Pass [artifacts]
Valid candidate

Revision history for this message
Christian Ehrhardt  (paelzer) wrote :

Fix was already good, the test matches what we reivewed for Disco.
Thanks for making sure it works on the SRU target release!

Overall +1

Revision history for this message
Christian Ehrhardt  (paelzer) :
review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Tagged and uploaded:
$ git push pkg upload/1.8.13-2ubuntu0.2
Enumerating objects: 29, done.
Counting objects: 100% (29/29), done.
Delta compression using up to 4 threads
Compressing objects: 100% (21/21), done.
Writing objects: 100% (22/22), 4.04 KiB | 4.04 MiB/s, done.
Total 22 (delta 13), reused 4 (delta 1)
To ssh://git.launchpad.net/~usd-import-team/ubuntu/+source/haproxy
 * [new tag] upload/1.8.13-2ubuntu0.2 -> upload/1.8.13-2ubuntu0.2

$ dput ubuntu ../haproxy_1.8.13-2ubuntu0.2_source.changes
Checking signature on .changes
gpg: ../haproxy_1.8.13-2ubuntu0.2_source.changes: Valid signature from AC983EB5BF6BCBA9
Checking signature on .dsc
gpg: ../haproxy_1.8.13-2ubuntu0.2.dsc: Valid signature from AC983EB5BF6BCBA9
Uploading to ubuntu (via ftp to upload.ubuntu.com):
  Uploading haproxy_1.8.13-2ubuntu0.2.dsc: done.
  Uploading haproxy_1.8.13-2ubuntu0.2.debian.tar.xz: done.
  Uploading haproxy_1.8.13-2ubuntu0.2_source.buildinfo: done.
  Uploading haproxy_1.8.13-2ubuntu0.2_source.changes: done.
Successfully uploaded packages.

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index 1759af2..ae6c7c9 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,12 @@
6+haproxy (1.8.13-2ubuntu0.2) cosmic; urgency=medium
7+
8+ * d/p/stksess-align.patch: Make sure stksess is properly aligned.
9+ (LP: #1804069)
10+ * d/t/control, d/t/proxy-localhost: simple DEP8 test to actually
11+ generate traffic through haproxy.
12+
13+ -- Andreas Hasenack <andreas@canonical.com> Wed, 23 Jan 2019 17:24:30 -0200
14+
15 haproxy (1.8.13-2ubuntu0.1) cosmic-security; urgency=medium
16
17 * SECURITY UPDATE: Out-of-bounds read
18diff --git a/debian/patches/series b/debian/patches/series
19index 6044ff4..1dfbfa2 100644
20--- a/debian/patches/series
21+++ b/debian/patches/series
22@@ -9,3 +9,4 @@ CVE-2018-14645
23 CVE-2018-20102.patch
24 CVE-2018-20103.patch
25 CVE-2018-20615.patch
26+stksess-align.patch
27diff --git a/debian/patches/stksess-align.patch b/debian/patches/stksess-align.patch
28new file mode 100644
29index 0000000..0c3d9ce
30--- /dev/null
31+++ b/debian/patches/stksess-align.patch
32@@ -0,0 +1,64 @@
33+From 52dabbc4fad338233c7f0c96f977a43f8f81452a Mon Sep 17 00:00:00 2001
34+From: Olivier Houchard <ohouchard@haproxy.com>
35+Date: Wed, 14 Nov 2018 17:54:36 +0100
36+Subject: [PATCH] BUG/MEDIUM: Make sure stksess is properly aligned.
37+
38+When we allocate struct stksess, we also allocate memory to store the
39+associated data before the struct itself.
40+As the data can be of different types, they can have different size. However,
41+we need the struct stksess to be properly aligned, as it can do 64bits
42+load/store (including atomic load/stores) on 64bits platforms, and some of
43+them doesn't support unaligned access.
44+So, when allocating the struct stksess, round the size up to the next
45+multiple of sizeof(void *), and make sure the struct stksess itself is
46+properly aligned.
47+Many thanks to Paul Martin for investigating and reporting that bug.
48+
49+This should be backported to earlier releases.
50+
51+Origin: https://github.com/haproxy/haproxy/commit/52dabbc4fad338233c7f0c96f977a43f8f81452a
52+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/haproxy/+bug/1804069
53+Last-Update: 2019-01-23
54+---
55+ src/stick_table.c | 7 ++++---
56+ 1 file changed, 4 insertions(+), 3 deletions(-)
57+
58+diff --git a/src/stick_table.c b/src/stick_table.c
59+index 7f141631..5e55b7a9 100644
60+--- a/src/stick_table.c
61++++ b/src/stick_table.c
62+@@ -45,6 +45,7 @@
63+ /* structure used to return a table key built from a sample */
64+ static THREAD_LOCAL struct stktable_key static_table_key;
65+
66++#define round_ptr_size(i) (((i) + (sizeof(void *) - 1)) &~ (sizeof(void *) - 1))
67+ /*
68+ * Free an allocated sticky session <ts>, and decrease sticky sessions counter
69+ * in table <t>.
70+@@ -52,7 +53,7 @@ static THREAD_LOCAL struct stktable_key static_table_key;
71+ void __stksess_free(struct stktable *t, struct stksess *ts)
72+ {
73+ t->current--;
74+- pool_free(t->pool, (void *)ts - t->data_size);
75++ pool_free(t->pool, (void *)ts - round_ptr_size(t->data_size));
76+ }
77+
78+ /*
79+@@ -230,7 +231,7 @@ struct stksess *__stksess_new(struct stktable *t, struct stktable_key *key)
80+ ts = pool_alloc(t->pool);
81+ if (ts) {
82+ t->current++;
83+- ts = (void *)ts + t->data_size;
84++ ts = (void *)ts + round_ptr_size(t->data_size);
85+ __stksess_init(t, ts);
86+ if (key)
87+ stksess_setkey(t, ts, key);
88+@@ -598,7 +599,7 @@ int stktable_init(struct stktable *t)
89+ t->updates = EB_ROOT_UNIQUE;
90+ HA_SPIN_INIT(&t->lock);
91+
92+- t->pool = create_pool("sticktables", sizeof(struct stksess) + t->data_size + t->key_size, MEM_F_SHARED);
93++ t->pool = create_pool("sticktables", sizeof(struct stksess) + round_ptr_size(t->data_size) + t->key_size, MEM_F_SHARED);
94+
95+ t->exp_next = TICK_ETERNITY;
96+ if ( t->expire ) {
97diff --git a/debian/tests/control b/debian/tests/control
98index 13837c2..70649e3 100644
99--- a/debian/tests/control
100+++ b/debian/tests/control
101@@ -1,3 +1,7 @@
102 Tests: cli
103 Depends: haproxy, socat
104 Restrictions: needs-root
105+
106+Tests: proxy-localhost
107+Depends: haproxy, wget, apache2
108+Restrictions: needs-root, allow-stderr, isolation-container
109diff --git a/debian/tests/proxy-localhost b/debian/tests/proxy-localhost
110new file mode 100644
111index 0000000..2824287
112--- /dev/null
113+++ b/debian/tests/proxy-localhost
114@@ -0,0 +1,48 @@
115+#!/bin/sh
116+
117+set -eux
118+
119+cat > /etc/haproxy/haproxy.cfg <<EOF
120+global
121+ chroot /var/lib/haproxy
122+ user haproxy
123+ group haproxy
124+ daemon
125+ maxconn 4096
126+
127+defaults
128+ log global
129+ option dontlognull
130+ option redispatch
131+ retries 3
132+ timeout client 50s
133+ timeout connect 10s
134+ timeout http-request 5s
135+ timeout server 50s
136+ maxconn 4096
137+
138+frontend test-front
139+ bind *:8080
140+ mode http
141+ default_backend test-back
142+
143+backend test-back
144+ mode http
145+ stick store-request src
146+ stick-table type ip size 256k expire 30m
147+ server test-1 localhost:80
148+EOF
149+
150+systemctl restart haproxy
151+
152+# index.html is shipped with apache2
153+# Download it via haproxy and compare
154+if wget -t1 http://localhost:8080 -O- | cmp /var/www/html/index.html -; then
155+ echo "OK: index.html downloaded via haproxy matches the source file."
156+else
157+ echo "FAIL: downloaded index.html via haproxy is different from the"
158+ echo " file delivered by apache."
159+ exit 1
160+fi
161+
162+exit 0

Subscribers

People subscribed via source and target branches