CVE-2016-4557: use-after-free flaw via double-fdput in bpf

Bug #1578705 reported by Steve Beattie
Affects                     Status         Importance   Assigned to   Milestone
linux (Ubuntu)              Fix Released   High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Fix Released   High         Unassigned
  Yakkety                   Fix Released   High         Unassigned
linux-armadaxp (Ubuntu)     Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-flo (Ubuntu)          New            High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    New            High         Unassigned
  Yakkety                   New            High         Unassigned
linux-goldfish (Ubuntu)     New            High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    New            High         Unassigned
  Yakkety                   New            High         Unassigned
linux-lts-quantal (Ubuntu)  Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-lts-raring (Ubuntu)   Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-lts-saucy (Ubuntu)    Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-lts-trusty (Ubuntu)   Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-lts-utopic (Ubuntu)   Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-lts-vivid (Ubuntu)    Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-lts-wily (Ubuntu)     Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-lts-xenial (Ubuntu)   Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Fix Released   High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-mako (Ubuntu)         New            High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    New            High         Unassigned
  Yakkety                   New            High         Unassigned
linux-manta (Ubuntu)        Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned
linux-raspi2 (Ubuntu)       New            High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Fix Released   High         Unassigned
  Yakkety                   New            High         Unassigned
linux-snapdragon (Ubuntu)   New            High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Fix Released   High         Unassigned
  Yakkety                   New            High         Unassigned
linux-ti-omap4 (Ubuntu)     Invalid        High         Unassigned
  Precise                   Invalid        High         Unassigned
  Trusty                    Invalid        High         Unassigned
  Xenial                    Invalid        High         Unassigned
  Yakkety                   Invalid        High         Unassigned

Bug Description

The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.

Break-Fix: 1be7f75d1668d6296b80bf35dcf6762393530afc 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
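The bug class behind this report is a reference-ownership mismatch: a helper that looks up the file behind a map fd drops the fdget() reference itself on its error path, and a caller that also drops it on the same path releases the reference twice, so the file can be freed while the fd table still points at it. The following is an added, constructed userspace model written for this page; it is not kernel code and none of the names (model_fdget, model_fdput, model_map_get, resolve_map_fd_buggy, resolve_map_fd_fixed, run_scenario, the OPS_* tags) exist in the kernel. It assumes the helper's documented contract is "on error the reference is already dropped; on success the caller must put it", and it shows the buggy and the corrected caller side by side, reporting how many references the fd table's entry has left after each.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed userspace model of the fdget()/fdput() reference discipline
 * behind CVE-2016-4557. Not kernel code; all names here are invented. */

#define MAX_FDS     8
#define OPS_BPF_MAP 1   /* constructed tag: the file is a BPF map */
#define OPS_OTHER   2   /* constructed tag: any other kind of file */

struct model_file {
    int  refcount;      /* stands in for the file's reference count */
    int  f_op;          /* stands in for the f_op identity check */
    bool freed;         /* set once the count reaches zero */
};

struct model_fd {
    struct model_file *file;
};

static struct model_file fd_table[MAX_FDS];   /* one file per fd number */

/* fdget(): take a reference on the file behind fd, or NULL if fd is bad. */
static struct model_fd model_fdget(int fd)
{
    struct model_fd f = { NULL };
    if (fd < 0 || fd >= MAX_FDS || fd_table[fd].freed)
        return f;
    fd_table[fd].refcount++;
    f.file = &fd_table[fd];
    return f;
}

/* fdput(): drop one reference, freeing at zero. A put on an already freed
 * file is the point where a real kernel would touch freed memory. */
static void model_fdput(struct model_fd f)
{
    if (!f.file || f.file->freed)
        return;
    if (--f.file->refcount == 0)
        f.file->freed = true;
}

/* Helper contract (assumed for the model): on error the reference taken by
 * fdget is ALREADY dropped here; on success the caller must put it. */
static struct model_file *model_map_get(struct model_fd f, int *err)
{
    if (!f.file) {
        *err = -9;                   /* EBADF: no reference was taken */
        return NULL;
    }
    if (f.file->f_op != OPS_BPF_MAP) {
        model_fdput(f);              /* helper owns the EINVAL error path */
        *err = -22;
        return NULL;
    }
    *err = 0;
    return f.file;
}

/* Buggy caller: ignores the contract and puts again on the error path. */
static int resolve_map_fd_buggy(int fd)
{
    int err;
    struct model_fd f = model_fdget(fd);
    struct model_file *map = model_map_get(f, &err);
    if (!map) {
        model_fdput(f);              /* second put: the double-fdput */
        return err;
    }
    model_fdput(f);                  /* success path is balanced */
    return 0;
}

/* Fixed caller: on error the helper has already released the reference. */
static int resolve_map_fd_fixed(int fd)
{
    int err;
    struct model_fd f = model_fdget(fd);
    struct model_file *map = model_map_get(f, &err);
    if (!map)
        return err;
    model_fdput(f);
    return 0;
}

/* Install a file of the given kind at fd 3 (the table holds one reference),
 * run a resolver against it and return the table entry's remaining count:
 * 1 means the table's own reference survived, 0 means it was stolen. */
static int run_scenario(int (*resolve)(int), int ops_kind)
{
    const int fd = 3;
    fd_table[fd].refcount = 1;
    fd_table[fd].f_op = ops_kind;
    fd_table[fd].freed = false;
    (void)resolve(fd);
    return fd_table[fd].refcount;
}

int main(void)
{
    printf("fixed caller, non-map fd: refcount %d\n", run_scenario(resolve_map_fd_fixed, OPS_OTHER));
    printf("buggy caller, non-map fd: refcount %d\n", run_scenario(resolve_map_fd_buggy, OPS_OTHER));
    printf("buggy caller, map fd:     refcount %d\n", run_scenario(resolve_map_fd_buggy, OPS_BPF_MAP));
    return 0;
}
```

The success path looks identical in both callers, which is why this kind of defect survives review: only the error path on a non-map fd distinguishes them, and only by the reference count of an object the caller never inspects again. A refcount-aware sanitizer or a debug build that poisons freed objects is what turns the silent 0 into a visible fault.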

Steve Beattie (sbeattie)
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
importance: Undecided → High
Changed in linux (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-mako (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-flo (Ubuntu Yakkety):
importance: Undecided → High
description: updated
Steve Beattie (sbeattie)
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Adam Conrad (adconrad)
information type: Private Security → Public Security
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1578705

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Xenial):
status: New → Incomplete
Steve Beattie (sbeattie)
summary: - CVE-2016-NNN1
+ CVE-2016-NNN1: use-after-free flaw via double-fdput in bpf
Steve Beattie (sbeattie)
Changed in linux (Ubuntu Yakkety):
status: Incomplete → New
description: updated
summary: - CVE-2016-NNN1: use-after-free flaw via double-fdput in bpf
+ CVE-2016-4557: use-after-free flaw via double-fdput in bpf
Steve Beattie (sbeattie)
Changed in linux-lts-xenial (Ubuntu Trusty):
status: Invalid → Fix Committed
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Fix Committed
Steve Beattie (sbeattie)
Changed in linux (Ubuntu Xenial):
status: Incomplete → Fix Committed
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie)
tags: added: kernel-cve-tracking-bug
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-xenial - 4.4.0-22.39~14.04.1

---------------
linux-lts-xenial (4.4.0-22.39~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578775

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux-lts-xenial (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-22.39

---------------
linux (4.4.0-22.39) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578721

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Kamal Mostafa (kamalmostafa) wrote :

This bug was fixed in the package linux-snapdragon - 4.4.0-1013.14

---------------
linux-snapdragon (4.4.0-1013.14) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578759

  * Rebase to Ubuntu-4.4.0-22.39

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 11:17:11 -0700

Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Fix Released

Changed in linux-snapdragon (Ubuntu Xenial):
status: Fix Committed → Fix Released
Kamal Mostafa (kamalmostafa) wrote :

This bug was fixed in the package linux-raspi2 - 4.4.0-1010.12

---------------
linux-raspi2 (4.4.0-1010.12) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578741

  * Rebase against Ubuntu-4.4.0-22.39

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 10:19:22 -0700

Changed in linux-raspi2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie)
Changed in linux (Ubuntu Yakkety):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-22.39

---------------
linux (4.4.0-22.39) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578721

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux (Ubuntu Yakkety):
status: New → Fix Released
Steve Beattie (sbeattie)
description: updated