CVE-2014-0038

Bug #1274349 reported by John Johansen
This bug affects 5 people
Affects                        Status         Importance  Assigned to  Milestone
linux (Ubuntu)                 Fix Released   Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Invalid        Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Fix Released   Critical    Unassigned
  Trusty                       Fix Released   Critical    Unassigned
linux-armadaxp (Ubuntu)        Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Invalid        Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned
linux-ec2 (Ubuntu)             Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Invalid        Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned
linux-fsl-imx51 (Ubuntu)       Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Invalid        Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned
linux-lts-quantal (Ubuntu)     Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Invalid        Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned
linux-lts-raring (Ubuntu)      Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Fix Released   Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned
linux-lts-saucy (Ubuntu)       Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Fix Released   Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned
linux-mvl-dove (Ubuntu)        Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Invalid        Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned
linux-ti-omap4 (Ubuntu)        Invalid        Critical    Unassigned
  Lucid                        Invalid        Critical    Unassigned
  Precise                      Invalid        Critical    Unassigned
  Quantal                      Invalid        Critical    Unassigned
  Saucy                        Invalid        Critical    Unassigned
  Trusty                       Invalid        Critical    Unassigned

Bug Description

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before
3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain
privileges via a recvmmsg system call with a crafted timeout pointer
parameter.

Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 2def2ef2ae5f3990aabdbe8a755911902707d268
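
An exposure check built from the two conditions this report gives (CONFIG_X86_X32 enabled, and an Ubuntu package older than the fixed versions quoted in the changelog entries of this report). This is an added example, not part of the bug report or any Ubuntu tooling; the function names are hypothetical, and the live-use section assumes an Ubuntu host that provides /proc/version_signature and /boot/config-*.

```shell
#!/bin/sh
# Added example (not from the bug report): exposure check for CVE-2014-0038.
# Fixed package versions are the two quoted in this report's changelogs.

# version_lt A B: succeed if dotted/dashed numeric version A is older than B.
version_lt() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a
    for want in $b; do
        have=${1:-0}
        [ "$have" -lt "$want" ] && return 0
        [ "$have" -gt "$want" ] && return 1
        [ $# -gt 0 ] && shift
    done
    return 1
}

# cve_2014_0038_status CONFIG_FILE PKG_VERSION
# Prints one of: not-affected | fixed | vulnerable | unknown
cve_2014_0038_status() {
    # The flawed path is only reachable when the x32 ABI is built in.
    grep -q '^CONFIG_X86_X32=y' "$1" || { echo not-affected; return 0; }
    case "$2" in
        *~*) echo unknown; return 0 ;;    # backport build: fixed version not in the report
        3.11.0-*) fixed=3.11.0-15.25 ;;   # saucy, from the report
        3.13.0-*) fixed=3.13.0-7.26 ;;    # trusty, from the report
        *) echo unknown; return 0 ;;      # series not covered by the report
    esac
    if version_lt "$2" "$fixed"; then echo vulnerable; else echo fixed; fi
}

# Live use on an Ubuntu host: strip the "-flavour" suffix from the signature.
if [ -r /proc/version_signature ] && [ -r "/boot/config-$(uname -r)" ]; then
    pkg=$(awk '{print $2}' /proc/version_signature | sed 's/-[a-z].*$//')
    cve_2014_0038_status "/boot/config-$(uname -r)" "$pkg"
fi
```

A result of `unknown` means the report gives no fixed version for that series, so the distribution's security notice for that package has to be consulted instead.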

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-15.25

---------------
linux (3.11.0-15.25) saucy; urgency=low

  [ John Johansen ]

  * SAUCE: Fix compat_sys_recvmsg on x32 archs
    - LP: #1274349
 -- Brad Figg <email address hidden> Thu, 30 Jan 2014 08:13:36 -0800

Changed in linux (Ubuntu Saucy):
status: New → Fix Released
status: New → Fix Released
Adam Conrad (adconrad)
information type: Private Security → Public Security
Changed in linux (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Fix Released
Changed in linux-lts-raring (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
Adam Conrad (adconrad)
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Fix Released
Changed in linux-lts-saucy (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1274349

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Trusty):
status: Incomplete → New
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: New → Incomplete
Ken Sharp (kennybobs)
tags: added: bot-stop-nagging
Changed in linux (Ubuntu Trusty):
status: Incomplete → Confirmed
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
description: updated
Sebastian Unger (sebunger44) wrote : Re: Fix-compat_sys_recvmsg-on-x32-archs

We got the update relating to this in kernel 3.11.0-15.25 (saucy) this morning and it broke remmina connectivity! Downgrading the kernel back to 3.11.0-15.23 fixed the remmina issues.

We are running standard saucy Ubuntu amd64.

John Johansen (jjohansen) wrote : Re: Fix-compat_sys_recvmmsg-on-x32-archs

Can you please provide full system details and the steps to reproduce.

summary: - Fix-compat_sys_recvmsg-on-x32-archs
+ Fix-compat_sys_recvmmsg-on-x32-archs
Andy Whitcroft (apw) wrote :

From my reading of the changes between the .23 and .25 kernels you could only be affected if you were using a compatibility interface which is only used if you use i386 binaries on amd64, otherwise the altered code is not in use even as remmina is a natively compiled application.

Changed in linux (Ubuntu Trusty):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-7.26

---------------
linux (3.13.0-7.26) trusty; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix uninitialized lsm_audit membe
    - LP: #1268727
  * Add config option to optionally enable new apparmor 3 semantics

  [ Tim Gardner ]

  * [Config] Add lowlatency to getabis
  * [Config] CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=y
    - LP: #1270215
  * Release Tracking Bug
    - LP: #1276810

  [ Upstream Kernel Changes ]

  * x86, x32: Correct invalid use of user timespec in the kernel
    - LP: #1274349
    - CVE-2014-0038
 -- Tim Gardner <email address hidden> Wed, 05 Feb 2014 15:49:44 -0500

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson)
summary: - Fix-compat_sys_recvmmsg-on-x32-archs
+ CVE-2014-0038
description: updated
This report contains Public Security information  
Everyone can see this security related information.
