Bug #1595350 “Linux netfilter local privilege escalation issues” : Bugs : linux package : Ubuntu

Steve Beattie (sbeattie) on 2016-06-23

description:	updated
description:	updated
information type:	Private Security → Public Security

Revision history for this message

Brad Figg (brad-figg) wrote on 2016-06-23: Missing required logs.

#1

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1595350

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status:	New → Incomplete

Steve Beattie (sbeattie) on 2016-06-23

Changed in linux (Ubuntu):
status:	Incomplete → Confirmed

Revision history for this message

Tim Gardner (timg-tpi) wrote on 2016-06-23:

#2

It looks like we'll pick these up with the 4.4.x stable update. Is there a pressing need to cherry-pick them earlier then that ?

Revision history for this message

Kamal Mostafa (kamalmostafa) wrote on 2016-06-27:

#3

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:	added: verification-needed-trusty
tags:	added: verification-needed-vivid

Revision history for this message

Kamal Mostafa (kamalmostafa) wrote on 2016-06-27:

#4

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-wily

Revision history for this message

Kamal Mostafa (kamalmostafa) wrote on 2016-06-27:

#5

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags:

added: verification-needed-xenial

Revision history for this message

Kamal Mostafa (kamalmostafa) wrote on 2016-06-27:

#6

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

Revision history for this message

Launchpad Janitor (janitor) wrote on 2016-06-27:

#7

Download full text (26.1 KiB)

This bug was fixed in the package linux - 4.4.0-28.47

---------------
linux (4.4.0-28.47) xenial; urgency=low

[ Luis Henriques ]

* Release Tracking Bug
- LP: #1595874

  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux (4.4.0-27.46) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
- LP: #1594906

* Support Edge Gateway's Bluetooth LED (LP: #1512999)
- Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux (4.4.0-26.45) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
- LP: #1594442

* linux: Implement secure boot state variables (LP: #1593075)
- SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl

* failures building userspace packages that include ethtool.h (LP: #1592930)
- ethtool.h: define INT_MAX for userland

linux (4.4.0-25.44) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
- LP: #1591289

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
    - MIPS: Use copy_s.fmt rather than copy_u.fmt
    - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU
    - MIPS: Prevent "restoration" of MSA c...

This bug was fixed in the package linux - 4.4.0-28.47

---------------
linux (4.4.0-28.47) xenial; urgency=low

[ Luis Henriques ]

* Release Tracking Bug
    - LP: #1595874

* Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user

* Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux (4.4.0-27.46) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
    - LP: #1594906

* Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux (4.4.0-26.45) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
    - LP: #1594442

* linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl

* failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux (4.4.0-25.44) xenial; urgency=low

[ Kamal Mostafa ]

* Release Tracking Bug
    - LP: #1591289

* Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
    - MIPS: Use copy_s.fmt rather than copy_u.fmt
    - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU
    - MIPS: Prevent "restoration" of MSA context in non-MSA kernels
    - MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
    - MIPS: ptrace: Fix FP context restoration FCSR regression
    - MIPS: ptrace: Prevent writes to read-only FCSR bits
    - MIPS: Fix sigreturn via VDSO on microMIPS kernel
    - MIPS: Build microMIPS VDSO for microMIPS kernels
    - MIPS: lib: Mark intrinsics notrace
    - MIPS: VDSO: Build with `-fno-strict-aliasing'
    - affs: fix remount failure when there are no options changed
    - ASoC: ak4642: Enable cache usage to fix crashes on resume
    - Input: uinput - handle compat ioctl for UI_SET_PHYS
    - ARM: mvebu: fix GPIO config on the Linksys boards
    - ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description
    - ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
    - ARM: dts: imx35: restore existing used clock enumeration
    - ath9k: Add a module parameter to invert LED polarity.
    - ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
    - ath10k: fix debugfs pktlog_filter write
    - ath10k: fix firmware assert in monitor mode
    - ath10k: fix rx_channel during hw reconfigure
    - ath10k: fix kernel panic, move arvifs list head init before htt init
    - ath5k: Change led pin configuration for compaq c700 laptop
    - hwrng: exynos - Fix unbalanced PM runtime put on timeout error path
    - rtlwifi: rtl8723be: Add antenna select module parameter
    - rtlwifi: btcoexist: Implement antenna selection
    - rtlwifi: Fix logic error in enter/exit power-save mode
    - rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in
      rtl_pci_reset_trx_ring
    - aacraid: Relinquish CPU during timeout wait
    - aacraid: Fix for aac_command_thread hang
    - aacraid: Fix for KDUMP driver hang
    - hwmon: (ads7828) Enable internal reference
    - mfd: intel-lpss: Save register context on suspend
    - mfd: intel_soc_pmic_core: Terminate panel control GPIO lookup table
      correctly
    - PM / Runtime: Fix error path in pm_runtime_force_resume()
    - cpuidle: Indicate when a device has been unregistered
    - cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
    - clk: bcm2835: Fix PLL poweron
    - clk: at91: fix check of clk_register() returned value
    - clk: bcm2835: pll_off should only update CM_PLL_ANARST
    - clk: bcm2835: divider value has to be 1 or more
    - pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
    - PCI: Disable all BAR sizing for devices with non-compliant BARs
    - media: v4l2-compat-ioctl32: fix missing reserved field copy in
      put_v4l2_create32
    - mm: use phys_addr_t for reserve_bootmem_region() arguments
    - wait/ptrace: assume __WALL if the child is traced
    - QE-UART: add "fsl,t1040-ucc-uart" to of_device_id
    - powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
    - powerpc/eeh: Don't report error in eeh_pe_reset_and_recover()
    - powerpc/eeh: Restore initial state in eeh_pe_reset_and_recover()
    - xen/events: Don't move disabled irqs
    - xen: use same main loop for counting and remapping pages
    - sunrpc: fix stripping of padded MIC tokens
    - drm/gma500: Fix possible out of bounds read
    - drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION
    - drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands.
    - drm/vmwgfx: Fix order of operation
    - drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh
    - drm/amdgpu: Fix hdmi deep color support.
    - drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config()
    - drm/fb_helper: Fix references to dev->mode_config.num_connector
    - drm/atomic: Verify connector->funcs != NULL when clearing states
    - drm/i915: Don't leave old junk in ilk active watermarks on readout
    - drm/imx: Match imx-ipuv3-crtc components using device node in platform data
    - ext4: fix hang when processing corrupted orphaned inode list
    - ext4: clean up error handling when orphan list is corrupted
    - ext4: fix oops on corrupted filesystem
    - ext4: address UBSAN warning in mb_find_order_for_block()
    - ext4: silence UBSAN in ext4_mb_init()
    - PM / sleep: Handle failures in device_suspend_late() consistently
    - dma-debug: avoid spinlock recursion when disabling dma-debug
    - scripts/package/Makefile: rpmbuild add support of RPMOPTS
    - gcov: disable tree-loop-im to reduce stack usage
    - xfs: disallow rw remount on fs with unknown ro-compat features
    - xfs: Don't wrap growfs AGFL indexes
    - xfs: xfs_iflush_cluster fails to abort on error
    - xfs: fix inode validity check in xfs_iflush_cluster
    - xfs: skip stale inodes in xfs_iflush_cluster
    - xfs: print name of verifier if it fails
    - xfs: handle dquot buffer readahead in log recovery correctly
    - Linux 4.4.13

* 168c:001c [HP Compaq Presario C700 Notebook PC] Wireless led button doesn't
    switch colors (LP: #972604)
    - ath5k: Change led pin configuration for compaq c700 laptop

* Extended statistics from balloon for proper memory management (LP: #1587091)
    - mm/page_alloc.c: calculate 'available' memory in a separate function
    - virtio_balloon: export 'available' memory to balloon statistics

* CAPI: CGZIP AFU contexts do not receive interrupts after heavy afu
    open/close (LP: #1588468)
    - misc: cxl: use kobj_to_dev()
    - cxl: Move common code away from bare-metal-specific files
    - cxl: Move bare-metal specific code to specialized files
    - cxl: Define process problem state area at attach time only
    - cxl: Introduce implementation-specific API
    - cxl: Rename some bare-metal specific functions
    - cxl: Isolate a few bare-metal-specific calls
    - cxl: Update cxl_irq() prototype
    - cxl: IRQ allocation for guests
    - powerpc: New possible return value from hcall
    - cxl: New hcalls to support cxl adapters
    - cxl: Separate bare-metal fields in adapter and AFU data structures
    - cxlflash: Simplify PCI registration
    - cxlflash: Unmap problem state area before detaching master context
    - cxlflash: Split out context initialization
    - cxlflash: Simplify attach path error cleanup
    - cxlflash: Reorder user context initialization
    - cxl: Add guest-specific code
    - cxl: sysfs support for guests
    - cxl: Support to flash a new image on the adapter from a guest
    - cxl: Parse device tree and create cxl device(s) at boot
    - cxl: Support the cxl kernel API from a guest
    - cxl: Adapter failure handling
    - cxl: Add tracepoints around the cxl hcall
    - cxlflash: Use new cxl_pci_read_adapter_vpd() API
    - cxl: Remove cxl_get_phys_dev() kernel API
    - cxl: Ignore probes for virtual afu pci devices
    - cxl: Poll for outstanding IRQs when detaching a context

* NVMe max_segments queue parameter gets set to 1 (LP: #1588449)
    - nvme: set queue limits for the admin queue
    - nvme: fix max_segments integer truncation
    - block: fix blk_rq_get_max_sectors for driver private requests

* workaround cavium thunderx silicon erratum 23144 (LP: #1589704)
    - irqchip/gicv3-its: numa: Enable workaround for Cavium thunderx erratum 23144

* Xenial update to v4.4.12 stable release (LP: #1588945)
    - Btrfs: don't use src fd for printk
    - perf/x86/intel/pt: Generate PMI in the STOP region as well
    - perf/core: Fix perf_event_open() vs. execve() race
    - perf test: Fix build of BPF and LLVM on older glibc libraries
    - ext4: iterate over buffer heads correctly in move_extent_per_page()
    - arm64: Fix typo in the pmdp_huge_get_and_clear() definition
    - arm64: Ensure pmd_present() returns false after pmd_mknotpresent()
    - arm64: Implement ptep_set_access_flags() for hardware AF/DBM
    - arm64: Implement pmdp_set_access_flags() for hardware AF/DBM
    - arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str
    - arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
    - kvm: arm64: Fix EC field in inject_abt64
    - remove directory incorrectly tries to set delete on close on non-empty
      directories
    - fs/cifs: correctly to anonymous authentication via NTLMSSP
    - fs/cifs: correctly to anonymous authentication for the LANMAN authentication
    - fs/cifs: correctly to anonymous authentication for the NTLM(v1)
      authentication
    - fs/cifs: correctly to anonymous authentication for the NTLM(v2)
      authentication
    - asix: Fix offset calculation in asix_rx_fixup() causing slow transmissions
    - ring-buffer: Use long for nr_pages to avoid overflow failures
    - ring-buffer: Prevent overflow of size in ring_buffer_resize()
    - crypto: caam - fix caam_jr_alloc() ret code
    - crypto: talitos - fix ahash algorithms registration
    - crypto: sun4i-ss - Replace spinlock_bh by spin_lock_irq{save|restore}
    - clk: qcom: msm8916: Fix crypto clock flags
    - sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded
      systems
    - mfd: omap-usb-tll: Fix scheduling while atomic BUG
    - Input: pwm-beeper - fix - scheduling while atomic
    - irqchip/gic: Ensure ordering between read of INTACK and shared data
    - irqchip/gic-v3: Configure all interrupts as non-secure Group-1
    - can: fix handling of unmodifiable configuration options
    - mmc: mmc: Fix partition switch timeout for some eMMCs
    - mmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
    - ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal
      strings
    - dell-rbtn: Ignore ACPI notifications if device is suspended
    - mmc: longer timeout for long read time quirk
    - mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
    - Bluetooth: vhci: fix open_timeout vs. hdev race
    - Bluetooth: vhci: purge unhandled skbs
    - Bluetooth: vhci: Fix race at creating hci device
    - mei: fix NULL dereferencing during FW initiated disconnection
    - mei: amthif: discard not read messages
    - mei: bus: call mei_cl_read_start under device lock
    - USB: serial: mxuport: fix use-after-free in probe error path
    - USB: serial: keyspan: fix use-after-free in probe error path
    - USB: serial: quatech2: fix use-after-free in probe error path
    - USB: serial: io_edgeport: fix memory leaks in attach error path
    - USB: serial: io_edgeport: fix memory leaks in probe error path
    - USB: serial: option: add support for Cinterion PH8 and AHxx
    - USB: serial: option: add more ZTE device ids
    - USB: serial: option: add even more ZTE device ids
    - usb: gadget: f_fs: Fix EFAULT generation for async read operations
    - usb: f_mass_storage: test whether thread is running before starting another
    - usb: misc: usbtest: fix pattern tests for scatterlists.
    - usb: gadget: udc: core: Fix argument of dev_err() in
      usb_gadget_map_request()
    - staging: comedi: das1800: fix possible NULL dereference
    - KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset
    - MIPS: KVM: Fix timer IRQ race when freezing timer
    - MIPS: KVM: Fix timer IRQ race when writing CP0_Compare
    - KVM: x86: mask CPUID(0xD,0x1).EAX against host value
    - xen/x86: actually allocate legacy interrupts on PV guests
    - tty: vt, return error when con_startup fails
    - TTY: n_gsm, fix false positive WARN_ON
    - tty/serial: atmel: fix hardware handshake selection
    - Fix OpenSSH pty regression on close
    - serial: 8250_pci: fix divide error bug if baud rate is 0
    - serial: 8250_mid: use proper bar for DNV platform
    - serial: 8250_mid: recognize interrupt source in handler
    - serial: samsung: Reorder the sequence of clock control when call
      s3c24xx_serial_set_termios()
    - locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait()
    - clk: bcm2835: add locking to pll*_on/off methods
    - mcb: Fixed bar number assignment for the gdd
    - ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294
    - ALSA: hda - Fix headphone noise on Dell XPS 13 9360
    - ALSA: hda/realtek - Add support for ALC295/ALC3254
    - ALSA: hda - Fix headset mic detection problem for one Dell machine
    - IB/srp: Fix a debug kernel crash
    - thunderbolt: Fix double free of drom buffer
    - SIGNAL: Move generic copy_siginfo() to signal.h
    - UBI: Fix static volume checks when Fastmap is used
    - hpfs: fix remount failure when there are no options changed
    - hpfs: implement the show_options method
    - scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
    - Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"
    - kbuild: move -Wunused-const-variable to W=1 warning level
    - Linux 4.4.12

* [Hyper-V] fixes for kdump when running on a VM (LP: #1588965)
    - clocksource: Allow unregistering the watchdog

* net_admin apparmor denial when using Go (LP: #1465724)
    - SAUCE: kernel: Add noaudit variant of ns_capable()
    - SAUCE: net: Use ns_capable_noaudit() when determining net sysctl permissions

* [Hyper-V] Put tools/hv/lsvmbus in /usr/sbin (LP: #1585311)
    - [Debian] Install lsvmbus in cloud tools
    - SAUCE: tools/hv/lsvmbus -- convert to python3
    - SAUCE: tools/hv/lsvmbus -- add manual page

* btrfs: file write crashes with false ENOSPC during snapshot creation since
    kernel 4.4 - fix available (LP: #1584052)
    - btrfs: Continue write in case of can_not_nocow

* boot stalls on USB detection errors (LP: #1437492)
    - usb: core: hub: hub_port_init lock controller instead of bus

* [Bug]KNL:Spread MWAIT cache lines over all nodes (LP: #1585850)
    - kernek/fork.c: allocate idle task for a CPU always on its local node

* [Hyper-V] PCI Passthrough kernel hang and explicit barriers (LP: #1581243)
    - PCI: hv: Report resources release after stopping the bus
    - PCI: hv: Add explicit barriers to config space access

* Kernel 4.2.X and 4.4.X - Fix USB3.0 link power management (LPM)
    claim/release logic in USBFS (LP: #1577024)
    - USB: leave LPM alone if possible when binding/unbinding interface drivers

* STC840.20:tuleta:tul516p01 panic after injecting Leaf EEH (LP: #1581034)
    - NVMe: Fix namespace removal deadlock
    - NVMe: Requeue requests on suspended queues
    - NVMe: Move error handling to failed reset handler
    - blk-mq: End unstarted requests on dying queue

* conflicting modules in udebs - arc4.ko (LP: #1582991)
    - [Config] Remove arc4 from nic-modules

* CVE-2016-4482 (LP: #1578493)
    - USB: usbfs: fix potential infoleak in devio

* mlx5_core kexec fail  (LP: #1585978)
    - net/mlx5: Add pci shutdown callback

* backport fix for /proc/net issues with containers (LP: #1584953)
    - netfilter: Set /proc/net entries owner to root in namespace

* CVE-2016-4951 (LP: #1585365)
    - tipc: check nl sock before parsing nested attributes

* CVE-2016-4578 (LP: #1581866)
    - ALSA: timer: Fix leak in events via snd_timer_user_ccallback
    - ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt

* CVE-2016-4569 (LP: #1580379)
    - ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS

* s390/pci: fix use after free in dma_init (LP: #1584828)
    - s390/pci: fix use after free in dma_init

* s390/mm: fix asce_bits handling with dynamic pagetable levels (LP: #1584827)
    - s390/mm: fix asce_bits handling with dynamic pagetable levels

* CAPI: CGZIP Wrong CAPI MMIO timeout (256usec desired but 1usec default
    setting in cxl.ko driver) (LP: #1584066)
    - powerpc: Define PVR value for POWER8NVL processor
    - cxl: Configure the PSL for two CAPI ports on POWER8NVL
    - cxl: Increase timeout for detection of AFU mmio hang

* ThunderX: soft lockup in cursor_timer_handler() (LP: #1574814)
    - SAUCE: tty: vt: Fix soft lockup in fbcon cursor blink timer.

* debian.master/.../getabis bogus warnings "inconsistant compiler versions"
    and "not a git repository" (LP: #1584890)
    - [debian] getabis: Only git add $abidir if running in local repo
    - [debian] getabis: Fix inconsistent compiler versions check

* Backport cxlflash patch related to EEH recovery into Xenial SRU stream
    (LP: #1584935)
    - cxlflash: Fix to resolve dead-lock during EEH recovery

* Xenial update to 4.4.11 stable release (LP: #1584912)
    - decnet: Do not build routes to devices without decnet private data.
    - route: do not cache fib route info on local routes with oif
    - packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
    - net: sched: do not requeue a NULL skb
    - bpf/verifier: reject invalid LD_ABS | BPF_DW instruction
    - cdc_mbim: apply "NDP to end" quirk to all Huawei devices
    - net: use skb_postpush_rcsum instead of own implementations
    - vlan: pull on __vlan_insert_tag error path and fix csum correction
    - openvswitch: use flow protocol when recalculating ipv6 checksums
    - ipv4/fib: don't warn when primary address is missing if in_dev is dead
    - net/mlx4_en: fix spurious timestamping callbacks
    - bpf: fix check_map_func_compatibility logic
    - samples/bpf: fix trace_output example
    - net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case
    - gre: do not pull header in ICMP error processing
    - net_sched: introduce qdisc_replace() helper
    - net_sched: update hierarchical backlog too
    - sch_htb: update backlog as well
    - sch_dsmark: update backlog as well
    - netem: Segment GSO packets on enqueue
    - net: fec: only clear a queue's work bit if the queue was emptied
    - VSOCK: do not disconnect socket when peer has shutdown SEND only
    - net: bridge: fix old ioctl unlocked net device walk
    - bridge: fix igmp / mld query parsing
    - uapi glibc compat: fix compile errors when glibc net/if.h included before
      linux/if.h MIME-Version: 1.0
    - net: fix a kernel infoleak in x25 module
    - net: thunderx: avoid exposing kernel stack
    - tcp: refresh skb timestamp at retransmit time
    - net/route: enforce hoplimit max value
    - ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang
    - ocfs2: fix posix_acl_create deadlock
    - zsmalloc: fix zs_can_compact() integer overflow
    - crypto: qat - fix invalid pf2vf_resp_wq logic
    - crypto: hash - Fix page length clamping in hash walk
    - crypto: testmgr - Use kmalloc memory for RSA input
    - ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
    - ALSA: usb-audio: Yet another Phoneix Audio device quirk
    - ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
    - ALSA: hda - Fix white noise on Asus UX501VW headset
    - ALSA: hda - Fix broken reconfig
    - spi: pxa2xx: Do not detect number of enabled chip selects on Intel SPT
    - spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is overridden
    - spi: spi-ti-qspi: Handle truncated frames properly
    - pinctrl: at91-pio4: fix pull-up/down logic
    - regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case
    - perf/core: Disable the event on a truncated AUX record
    - vfs: add vfs_select_inode() helper
    - vfs: rename: check backing inode being equal
    - ARM: dts: at91: sam9x5: Fix the memory range assigned to the PMC
    - workqueue: fix rebind bound workers warning
    - regulator: s2mps11: Fix invalid selector mask and voltages for buck9
    - regulator: axp20x: Fix axp22x ldo_io voltage ranges
    - atomic_open(): fix the handling of create_error
    - qla1280: Don't allocate 512kb of host tags
    - tools lib traceevent: Do not reassign parg after collapse_tree()
    - get_rock_ridge_filename(): handle malformed NM entries
    - Input: max8997-haptic - fix NULL pointer dereference
    - Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
    - drm/radeon: fix PLL sharing on DCE6.1 (v2)
    - drm/i915: Bail out of pipe config compute loop on LPT
    - drm/i915/bdw: Add missing delay during L3 SQC credit programming
    - drm/radeon: fix DP link training issue with second 4K monitor
    - nf_conntrack: avoid kernel pointer value leak in slab name
    - Linux 4.4.11

* Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - SAUCE: Bluetooth: Support for LED on Marvell modules

* Support Edge Gateway's WIFI LED (LP: #1512997)
    - SAUCE: mwifiex: Switch WiFi LED state according to the device status

* Marvell wireless driver update for FCC regulation (LP: #1528910)
    - mwifiex: parse adhoc start/join result
    - mwifiex: handle start AP error paths correctly
    - mwifiex: set regulatory info from EEPROM
    - mwifiex: don't follow AP if country code received from EEPROM
    - mwifiex: correction in region code to country mapping
    - mwifiex: update region_code_index array
    - mwifiex: use world for unidentified region code
    - SAUCE: mwifiex: add iw vendor command support

* Kernel can be oopsed using remap_file_pages (LP: #1558120)
    - Revert "UBUNTU: SAUCE: mm/mmap: fix oopsing on remap_file_pages"
    - SAUCE: AUFS: mm/mmap: fix oopsing on remap_file_pages aufs mmap: bugfix,
      mainly for linux-4.5-rc5, remap_file_pages(2) emulation

* cgroup namespace update (LP: #1584163)
    - Revert "UBUNTU: SAUCE: cgroup mount: ignore nsroot="
    - Revert "UBUNTU: SAUCE: (noup) cgroup namespaces: add a 'nsroot=' mountinfo
      field"
    - cgroup, kernfs: make mountinfo show properly scoped path for cgroup
      namespaces
    - kernfs: kernfs_sop_show_path: don't return 0 after seq_dentry call
    - cgroup: fix compile warning

* Missing libunwind support in perf (LP: #1248289)
    - [Config] add binutils-dev to the Build-Depends: to fix perf unwinding

* e1000 Tx Unit Hang  (LP: #1582328)
    - e1000: Double Tx descriptors needed check for 82544
    - e1000: Do not overestimate descriptor counts in Tx pre-check

* Unsharing user and ipc namespaces simultaneously makes mqueue unmountable
    (LP: #1582378)
    - SAUCE: (namespace) mqueue: Super blocks must be owned by the user ns which
      owns the ipc ns

* Pull in the amdgpu/radeon code from Linux 4.5.3 (LP: #1580526)
    - drm/radeon: rework fbdev handling on chips with no connectors
    - drm/radeon/mst: fix regression in lane/link handling.
    - drm/amd/powerplay: add uvd/vce dpm enabling flag to fix the performance
      issue for CZ
    - drm/amd/powerplay: fix segment fault issue in multi-display case.
    - drm/ttm: fix kref count mess in ttm_bo_move_to_lru_tail

* aufs CONFIG_AUFS_EXPORT build option should be enabled (LP: #1121699)
    - [Config] enable CONFIG_AUFS_EXPORT

* promote *_diag modules from linux-image-extra to linux-image (LP: #1580355)
    - [Config] Update inclusion list for CRIU

* [Xenial] net: updates to ethtool and virtio_net for speed/duplex support
    (LP: #1581132)
    - ethtool: add speed/duplex validation functions
    - ethtool: make validate_speed accept all speeds between 0 and INT_MAX
    - virtio_net: add ethtool support for set and get of settings
    - virtio_net: validate ethtool port setting and explain the user validation

* perf tool: Display event codes for Generic HW (PMU) events (LP: #1578211)
    - powerpc/perf: Remove PME_ prefix for power7 events
    - powerpc/perf: Export Power8 generic and cache events to sysfs

* Mellanox ConnectX4 MTU limits: max and min (LP: #1528466)
    - net/mlx5: Introduce a new header file for physical port functions
    - net/mlx5e: Device's mtu field is u16 and not int
    - net/mlx5e: Fix minimum MTU

* Miscellaneous Ubuntu changes
    - [Config] CONFIG_CAVIUM_ERRATUM_23144=y

-- Luis Henriques <luis.henriques@canonical.com>  Fri, 24 Jun 2016 09:57:21 +0100

Changed in linux (Ubuntu):
status:	Confirmed → Fix Released

Ubuntu
linux package

Linux netfilter local privilege escalation issues

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntulinux package

Linux netfilter local privilege escalation issues

Bug Description

Related branches

CVE References

Other bug subscribers

Remote bug watches

Ubuntu
linux package