2014-01-30 00:58:00 |
John Johansen |
bug |
|
|
added bug |
2014-01-30 00:59:14 |
John Johansen |
nominated for series |
|
Ubuntu Saucy |
|
2014-01-30 00:59:14 |
John Johansen |
bug task added |
|
linux (Ubuntu Saucy) |
|
2014-01-30 00:59:14 |
John Johansen |
nominated for series |
|
Ubuntu Trusty |
|
2014-01-30 00:59:14 |
John Johansen |
bug task added |
|
linux (Ubuntu Trusty) |
|
2014-01-31 04:17:00 |
Launchpad Janitor |
linux (Ubuntu Saucy): status |
New |
Fix Released |
|
2014-01-31 04:17:01 |
Launchpad Janitor |
linux (Ubuntu Saucy): status |
New |
Fix Released |
|
2014-01-31 05:21:06 |
Adam Conrad |
information type |
Private Security |
Public Security |
|
2014-01-31 05:22:34 |
Adam Conrad |
cve linked |
|
2014-0038 |
|
2014-01-31 05:24:41 |
Adam Conrad |
bug task added |
|
linux-lts-saucy (Ubuntu) |
|
2014-01-31 05:24:57 |
Adam Conrad |
bug task added |
|
linux-lts-raring (Ubuntu) |
|
2014-01-31 05:25:11 |
Adam Conrad |
nominated for series |
|
Ubuntu Precise |
|
2014-01-31 05:25:11 |
Adam Conrad |
bug task added |
|
linux (Ubuntu Precise) |
|
2014-01-31 05:25:11 |
Adam Conrad |
bug task added |
|
linux-lts-raring (Ubuntu Precise) |
|
2014-01-31 05:25:11 |
Adam Conrad |
bug task added |
|
linux-lts-saucy (Ubuntu Precise) |
|
2014-01-31 05:25:23 |
Adam Conrad |
linux (Ubuntu Precise): status |
New |
Invalid |
|
2014-01-31 05:25:36 |
Adam Conrad |
linux-lts-raring (Ubuntu Precise): status |
New |
Fix Released |
|
2014-01-31 05:25:45 |
Adam Conrad |
linux-lts-raring (Ubuntu Saucy): status |
New |
Invalid |
|
2014-01-31 05:25:55 |
Adam Conrad |
linux-lts-raring (Ubuntu Trusty): status |
New |
Invalid |
|
2014-01-31 05:26:06 |
Adam Conrad |
linux-lts-saucy (Ubuntu Precise): status |
New |
Fix Released |
|
2014-01-31 05:26:14 |
Adam Conrad |
linux-lts-saucy (Ubuntu Saucy): status |
New |
Invalid |
|
2014-01-31 05:26:24 |
Adam Conrad |
linux-lts-saucy (Ubuntu Trusty): status |
New |
Invalid |
|
2014-01-31 05:30:10 |
Brad Figg |
linux (Ubuntu): status |
New |
Incomplete |
|
2014-01-31 13:25:41 |
Stephan Springer |
bug |
|
|
added subscriber Stephan Springer |
2014-01-31 13:27:49 |
Stephan Springer |
linux (Ubuntu Trusty): status |
Incomplete |
New |
|
2014-01-31 13:30:10 |
Brad Figg |
linux (Ubuntu): status |
New |
Incomplete |
|
2014-01-31 21:44:02 |
Ken Sharp |
tags |
|
bot-stop-nagging |
|
2014-01-31 21:44:43 |
Ken Sharp |
linux (Ubuntu Trusty): status |
Incomplete |
Confirmed |
|
2014-02-01 10:49:57 |
John Johansen |
nominated for series |
|
Ubuntu Lucid |
|
2014-02-01 10:49:57 |
John Johansen |
bug task added |
|
linux (Ubuntu Lucid) |
|
2014-02-01 10:49:57 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Lucid) |
|
2014-02-01 10:49:57 |
John Johansen |
bug task added |
|
linux-armadaxp (Ubuntu Lucid) |
|
2014-02-01 10:49:57 |
John Johansen |
bug task added |
|
linux-lts-raring (Ubuntu Lucid) |
|
2014-02-01 10:49:57 |
John Johansen |
bug task added |
|
linux-lts-saucy (Ubuntu Lucid) |
|
2014-02-01 10:50:02 |
John Johansen |
nominated for series |
|
Ubuntu Quantal |
|
2014-02-01 10:50:03 |
John Johansen |
bug task added |
|
linux (Ubuntu Quantal) |
|
2014-02-01 10:50:03 |
John Johansen |
bug task added |
|
linux-ec2 (Ubuntu Quantal) |
|
2014-02-01 10:50:03 |
John Johansen |
bug task added |
|
linux-armadaxp (Ubuntu Quantal) |
|
2014-02-01 10:50:03 |
John Johansen |
bug task added |
|
linux-lts-raring (Ubuntu Quantal) |
|
2014-02-01 10:50:03 |
John Johansen |
bug task added |
|
linux-lts-saucy (Ubuntu Quantal) |
|
2014-02-01 10:50:14 |
John Johansen |
linux-armadaxp (Ubuntu Precise): status |
New |
Invalid |
|
2014-02-01 10:50:18 |
John Johansen |
linux-armadaxp (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:50:20 |
John Johansen |
linux-armadaxp (Ubuntu Saucy): status |
New |
Invalid |
|
2014-02-01 10:50:24 |
John Johansen |
linux-armadaxp (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:50:25 |
John Johansen |
linux-armadaxp (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:50:28 |
John Johansen |
linux-armadaxp (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:50:31 |
John Johansen |
linux-armadaxp (Ubuntu Trusty): status |
New |
Invalid |
|
2014-02-01 10:50:34 |
John Johansen |
linux-armadaxp (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:50:36 |
John Johansen |
linux-armadaxp (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:50:40 |
John Johansen |
linux-armadaxp (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:50:42 |
John Johansen |
linux-ec2 (Ubuntu Precise): status |
New |
Invalid |
|
2014-02-01 10:50:46 |
John Johansen |
linux-ec2 (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:50:47 |
John Johansen |
linux-ec2 (Ubuntu Saucy): status |
New |
Invalid |
|
2014-02-01 10:50:51 |
John Johansen |
linux-ec2 (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:50:52 |
John Johansen |
linux-ec2 (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:50:55 |
John Johansen |
linux-ec2 (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:50:58 |
John Johansen |
linux-ec2 (Ubuntu Trusty): status |
New |
Invalid |
|
2014-02-01 10:51:01 |
John Johansen |
linux-ec2 (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:51:03 |
John Johansen |
linux-ec2 (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:51:06 |
John Johansen |
linux-ec2 (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:51:08 |
John Johansen |
linux-lts-quantal (Ubuntu Precise): status |
New |
Invalid |
|
2014-02-01 10:51:11 |
John Johansen |
linux-lts-quantal (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:51:13 |
John Johansen |
linux-lts-quantal (Ubuntu Saucy): status |
New |
Invalid |
|
2014-02-01 10:51:16 |
John Johansen |
linux-lts-quantal (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:51:19 |
John Johansen |
linux-lts-quantal (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:51:23 |
John Johansen |
linux-lts-quantal (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:51:25 |
John Johansen |
linux-lts-quantal (Ubuntu Trusty): status |
New |
Invalid |
|
2014-02-01 10:51:28 |
John Johansen |
linux-lts-quantal (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:51:31 |
John Johansen |
linux-lts-quantal (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:51:35 |
John Johansen |
linux-lts-quantal (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:51:37 |
John Johansen |
linux-mvl-dove (Ubuntu Precise): status |
New |
Invalid |
|
2014-02-01 10:51:40 |
John Johansen |
linux-mvl-dove (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:51:42 |
John Johansen |
linux-mvl-dove (Ubuntu Saucy): status |
New |
Invalid |
|
2014-02-01 10:51:45 |
John Johansen |
linux-mvl-dove (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:51:47 |
John Johansen |
linux-mvl-dove (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:51:50 |
John Johansen |
linux-mvl-dove (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:51:52 |
John Johansen |
linux-mvl-dove (Ubuntu Trusty): status |
New |
Invalid |
|
2014-02-01 10:51:56 |
John Johansen |
linux-mvl-dove (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:51:58 |
John Johansen |
linux-mvl-dove (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:52:01 |
John Johansen |
linux-mvl-dove (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:52:04 |
John Johansen |
linux-lts-saucy (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:52:07 |
John Johansen |
linux-lts-saucy (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:52:09 |
John Johansen |
linux-lts-saucy (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:52:13 |
John Johansen |
linux-lts-saucy (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:52:15 |
John Johansen |
linux-lts-saucy (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:52:17 |
John Johansen |
linux-lts-saucy (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:52:21 |
John Johansen |
linux-lts-saucy (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:52:24 |
John Johansen |
linux (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:52:25 |
John Johansen |
linux (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:52:27 |
John Johansen |
linux (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:52:30 |
John Johansen |
linux (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:52:34 |
John Johansen |
linux (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:52:36 |
John Johansen |
linux (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:52:39 |
John Johansen |
linux (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:52:41 |
John Johansen |
linux-ti-omap4 (Ubuntu Precise): status |
New |
Invalid |
|
2014-02-01 10:52:43 |
John Johansen |
linux-ti-omap4 (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:52:45 |
John Johansen |
linux-ti-omap4 (Ubuntu Saucy): status |
New |
Invalid |
|
2014-02-01 10:52:48 |
John Johansen |
linux-ti-omap4 (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:52:50 |
John Johansen |
linux-ti-omap4 (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:52:53 |
John Johansen |
linux-ti-omap4 (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:52:55 |
John Johansen |
linux-ti-omap4 (Ubuntu Trusty): status |
New |
Invalid |
|
2014-02-01 10:52:58 |
John Johansen |
linux-ti-omap4 (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:53:01 |
John Johansen |
linux-ti-omap4 (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:53:05 |
John Johansen |
linux-ti-omap4 (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:53:06 |
John Johansen |
linux-fsl-imx51 (Ubuntu Precise): status |
New |
Invalid |
|
2014-02-01 10:53:10 |
John Johansen |
linux-fsl-imx51 (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:53:39 |
John Johansen |
linux-fsl-imx51 (Ubuntu Saucy): status |
New |
Invalid |
|
2014-02-01 10:53:42 |
John Johansen |
linux-fsl-imx51 (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:53:44 |
John Johansen |
linux-fsl-imx51 (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:53:46 |
John Johansen |
linux-fsl-imx51 (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:53:48 |
John Johansen |
linux-fsl-imx51 (Ubuntu Trusty): status |
New |
Invalid |
|
2014-02-01 10:53:51 |
John Johansen |
linux-fsl-imx51 (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:53:53 |
John Johansen |
linux-fsl-imx51 (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:53:56 |
John Johansen |
linux-fsl-imx51 (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:53:59 |
John Johansen |
linux-lts-raring (Ubuntu Precise): importance |
Undecided |
Critical |
|
2014-02-01 10:54:02 |
John Johansen |
linux-lts-raring (Ubuntu Saucy): importance |
Undecided |
Critical |
|
2014-02-01 10:54:05 |
John Johansen |
linux-lts-raring (Ubuntu Lucid): status |
New |
Invalid |
|
2014-02-01 10:54:07 |
John Johansen |
linux-lts-raring (Ubuntu Lucid): importance |
Undecided |
Critical |
|
2014-02-01 10:54:09 |
John Johansen |
linux-lts-raring (Ubuntu Trusty): importance |
Undecided |
Critical |
|
2014-02-01 10:54:12 |
John Johansen |
linux-lts-raring (Ubuntu Quantal): status |
New |
Invalid |
|
2014-02-01 10:54:15 |
John Johansen |
linux-lts-raring (Ubuntu Quantal): importance |
Undecided |
Critical |
|
2014-02-01 10:54:17 |
John Johansen |
description |
Reported by pageexec
asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                    unsigned int vlen, unsigned int flags,
                                    struct compat_timespec __user *timeout)
{
    int datagrams;
    struct timespec ktspec;

    if (flags & MSG_CMSG_COMPAT)
        return -EINVAL;

    if (COMPAT_USE_64BIT_TIME)
        return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                              flags | MSG_CMSG_COMPAT,
                              (struct timespec *) timeout);
    /*...*/
The timeout pointer parameter is provided by userland (hence the
__user annotation) but for x32 syscalls it's simply cast to a kernel
pointer and is passed to __sys_recvmmsg which will eventually directly
dereference it for both reading and writing. Other callers to
__sys_recvmmsg properly copy from userland to the kernel first.
The impact is a sort of arbitrary kernel write-where-what primitive by
unprivileged users where the to-be-written area must contain valid
timespec data initially (the first 64 bit long field must be positive
and the second one must be < 1G).
The bug was introduced by commit
http://git.kernel.org/linus/ee4fa23c4b (other uses of
COMPAT_USE_64BIT_TIME seem fine) and should affect all kernels since
3.4 (and perhaps vendor kernels if they backported x32 support along
with this code). Note that CONFIG_X86_X32_ABI gets enabled at build
time and only if CONFIG_X86_X32 is enabled and ld can build x32
executables. |
The timeout pointer parameter is provided by userland (hence the __user annotation) but for x32 syscalls it's simply cast to a kernel pointer and is passed to __sys_recvmmsg which will eventually directly dereference it for both reading and writing. Other callers to __sys_recvmmsg properly copy from userland to the kernel first. The impact is a sort of arbitrary kernel write-where-what primitive by unprivileged users where the to-be-written area must contain valid timespec data initially (the first 64 bit long field must be positive and the second one must be < 1G).
Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 2def2ef2ae5f3990aabdbe8a755911902707d268 |
|
2014-02-02 21:46:17 |
Sebastian Unger |
bug |
|
|
added subscriber Sebastian Unger |
2014-02-03 04:25:02 |
John Johansen |
summary |
Fix-compat_sys_recvmsg-on-x32-archs |
Fix-compat_sys_recvmmsg-on-x32-archs |
|
2014-02-03 05:28:23 |
AdamOutler |
bug |
|
|
added subscriber AdamOutler |
2014-02-03 09:55:44 |
JackT |
bug |
|
|
added subscriber JackT |
2014-02-05 21:57:53 |
John Johansen |
linux (Ubuntu Trusty): status |
Confirmed |
Fix Committed |
|
2014-02-06 04:07:52 |
Launchpad Janitor |
linux (Ubuntu Trusty): status |
Fix Committed |
Fix Released |
|
2014-02-10 01:45:39 |
Alberto Jovito |
bug |
|
|
added subscriber Alberto Jovito |
2014-02-10 01:50:21 |
Alberto Jovito |
removed subscriber Alberto Jovito |
|
|
|
2015-07-06 03:26:08 |
Mathew Hodson |
summary |
Fix-compat_sys_recvmmsg-on-x32-archs |
CVE-2014-0038 |
|
2015-07-06 03:27:49 |
Mathew Hodson |
description |
The timeout pointer parameter is provided by userland (hence the __user annotation) but for x32 syscalls it's simply cast to a kernel pointer and is passed to __sys_recvmmsg which will eventually directly dereference it for both reading and writing. Other callers to __sys_recvmmsg properly copy from userland to the kernel first. The impact is a sort of arbitrary kernel write-where-what primitive by unprivileged users where the to-be-written area must contain valid timespec data initially (the first 64 bit long field must be positive and the second one must be < 1G).
Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 2def2ef2ae5f3990aabdbe8a755911902707d268 |
The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before
3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain
privileges via a recvmmsg system call with a crafted timeout pointer
parameter.
Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 2def2ef2ae5f3990aabdbe8a755911902707d268 |
|