x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)

Bug #1337339 reported by John Johansen
Affects                      Status        Importance  Assigned to  Milestone
linux (Ubuntu)               Invalid       High        Unassigned
  Precise                    Fix Released  High        Unassigned
  Trusty                     Fix Released  High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-armadaxp (Ubuntu)      Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-ec2 (Ubuntu)           Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-flo (Ubuntu)           Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-fsl-imx51 (Ubuntu)     Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-goldfish (Ubuntu)      Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-lts-quantal (Ubuntu)   Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-lts-raring (Ubuntu)    Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-lts-saucy (Ubuntu)     Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-lts-trusty (Ubuntu)    Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-lts-utopic (Ubuntu)    Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-lts-vivid (Ubuntu)     Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-mako (Ubuntu)          Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-manta (Ubuntu)         Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-mvl-dove (Ubuntu)      Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned
linux-raspi2 (Ubuntu)        New           High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       New           High        Unassigned
  Xenial                     New           High        Unassigned
linux-ti-omap4 (Ubuntu)      Invalid       High        Unassigned
  Vivid                      Invalid       High        Unassigned
  Wily                       Invalid       High        Unassigned
  Xenial                     Invalid       High        Unassigned

Bug Description

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

Break-Fix: 427abfa28afedffadfca9dd8b067eb6d36bac53f b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a

description: updated
Adam Conrad (adconrad)
no longer affects: linux-lts-trusty (Ubuntu Lucid)
no longer affects: linux-lts-trusty (Ubuntu Saucy)
no longer affects: linux-lts-trusty (Ubuntu Trusty)
no longer affects: linux-lts-trusty (Ubuntu Utopic)
no longer affects: linux-ec2 (Ubuntu Precise)
no longer affects: linux-ec2 (Ubuntu Saucy)
no longer affects: linux-ec2 (Ubuntu Trusty)
no longer affects: linux-ec2 (Ubuntu Utopic)
Changed in linux-ec2 (Ubuntu):
status: New → Invalid
no longer affects: linux-lowlatency (Ubuntu Lucid)
no longer affects: linux-lowlatency (Ubuntu Trusty)
no longer affects: linux-lts-saucy (Ubuntu Utopic)
no longer affects: linux-lowlatency (Ubuntu Utopic)
Changed in linux-lowlatency (Ubuntu):
status: New → Invalid
no longer affects: linux-lts-saucy (Ubuntu Trusty)
no longer affects: linux-lts-quantal (Ubuntu Lucid)
no longer affects: linux-lts-saucy (Ubuntu Lucid)
no longer affects: linux-lts-saucy (Ubuntu Saucy)
Adam Conrad (adconrad)
no longer affects: linux-lts-raring (Ubuntu Utopic)
no longer affects: linux-lts-quantal (Ubuntu Saucy)
no longer affects: linux-lts-quantal (Ubuntu Trusty)
no longer affects: linux-lts-quantal (Ubuntu Utopic)
no longer affects: linux-lts-raring (Ubuntu Lucid)
no longer affects: linux-lts-raring (Ubuntu Saucy)
no longer affects: linux-lts-raring (Ubuntu Trusty)
Changed in linux-lts-trusty (Ubuntu):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu):
status: New → Invalid
information type: Private Security → Public Security
no longer affects: linux-armadaxp (Ubuntu)
no longer affects: linux-armadaxp (Ubuntu)
tags: added: kernel-cve-tracking-bug
no longer affects: linux-armadaxp (Ubuntu)
no longer affects: linux-ec2 (Ubuntu)
no longer affects: linux-ec2 (Ubuntu Lucid)
no longer affects: linux-lowlatency (Ubuntu Precise)
no longer affects: linux-lowlatency (Ubuntu Saucy)
no longer affects: linux-lowlatency (Ubuntu)
no longer affects: linux-lts-quantal (Ubuntu Precise)
no longer affects: linux-lts-quantal (Ubuntu)
no longer affects: linux-lts-raring (Ubuntu Precise)
no longer affects: linux-lts-raring (Ubuntu)
no longer affects: linux-lts-saucy (Ubuntu Precise)
no longer affects: linux-lts-saucy (Ubuntu)
no longer affects: linux-lts-trusty (Ubuntu)
no longer affects: linux-lts-trusty (Ubuntu Precise)
Changed in linux (Ubuntu Precise):
importance: Undecided → High
Changed in linux (Ubuntu Saucy):
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Lucid):
importance: Undecided → High
Changed in linux (Ubuntu Utopic):
importance: Undecided → High
description: updated
no longer affects: linux-ti-omap4 (Ubuntu)
no longer affects: linux-mvl-dove (Ubuntu)
no longer affects: linux-lts-saucy (Ubuntu)
no longer affects: linux-lts-raring (Ubuntu)
no longer affects: linux-lts-quantal (Ubuntu)
no longer affects: linux-fsl-imx51 (Ubuntu)
no longer affects: linux-ec2 (Ubuntu)
no longer affects: linux-armadaxp (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-62.126

---------------
linux (2.6.32-62.126) lucid; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:45:45 +0100

Changed in linux (Ubuntu Lucid):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-65.99

---------------
linux (3.2.0-65.99) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:24:43 +0100

Changed in linux (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-quantal - 3.5.0-52.79~precise1

---------------
linux-lts-quantal (3.5.0-52.79~precise1) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 10:52:15 +0100

Changed in linux-lts-quantal (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-raring - 3.8.0-42.63~precise1

---------------
linux-lts-raring (3.8.0-42.63~precise1) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 10:14:37 +0100

Changed in linux-lts-raring (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-saucy - 3.11.0-24.42~precise1

---------------
linux-lts-saucy (3.11.0-24.42~precise1) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 09:47:04 +0100

Changed in linux-lts-saucy (Ubuntu):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-24.42

---------------
linux (3.11.0-24.42) saucy; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 09:20:33 +0100

Changed in linux (Ubuntu Saucy):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-30.55

---------------
linux (3.13.0-30.55) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Thu, 03 Jul 2014 16:15:57 +0100

Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ec2 - 2.6.32-366.81

---------------
linux-ec2 (2.6.32-366.81) lucid; urgency=low

  [ Andy Whitcroft ]

  * rebase to Ubuntu-2.6.32-62.126

  [ Ubuntu: 2.6.32-62.126 ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Andy Whitcroft <email address hidden> Fri, 04 Jul 2014 18:32:47 +0100

Changed in linux-ec2 (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: Fix Released → New
Changed in linux (Ubuntu Saucy):
status: Fix Released → New
Changed in linux (Ubuntu Trusty):
status: Fix Released → New
Changed in linux (Ubuntu Lucid):
status: Fix Released → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-65.99

---------------
linux (3.2.0-65.99) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:24:43 +0100

Changed in linux (Ubuntu Precise):
status: New → Fix Released
Adam Conrad (adconrad)
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Saucy):
status: New → Fix Released
Changed in linux (Ubuntu Trusty):
status: New → Fix Released
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-armadaxp - 3.2.0-1636.53

---------------
linux-armadaxp (3.2.0-1636.53) precise; urgency=low

  [ Andy Whitcroft ]

  * rebase to Ubuntu-3.2.0-67.101

  [ Ubuntu: 3.2.0-67.101 ]

  * l2tp: Privilege escalation in ppp over l2tp sockets
    - LP: #1341472
    - CVE-2014-4943

linux-armadaxp (3.2.0-1636.52) precise; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
    - LP: #1338870
  * Rebase to Ubuntu-3.2.0-67.100

  [ Ubuntu: 3.2.0-67.100 ]

  * Merged back Ubuntu-3.2.0-65.99 security release
  * Revert "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
    - LP: #1337339
  * Release Tracking Bug
    - LP: #1338654
  * ptrace,x86: force IRET path after a ptrace_stop()
    - LP: #1337339
    - CVE-2014-4699

linux-armadaxp (3.2.0-1636.51) precise-proposed; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
    - LP: #1336144
  * Rebase to Ubuntu-3.2.0-66.99

  [ Ubuntu: 3.2.0-66.99 ]

  * Release Tracking Bug
    - LP: #1335906
  * skbuff: export skb_copy_ubufs
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: add an api to orphan frags
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: skb_segment: orphan frags before copying
    - LP: #1298119
    - CVE-2014-0131
  * lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c
    - CVE-2014-4608
  * lib/lzo: Update LZO compression to current upstream version
    - CVE-2014-4608
  * lzo: properly check for overruns
    - CVE-2014-4608
  * KVM: x86 emulator: add support for vector alignment
    - LP: #1330177
  * KVM: x86: emulate movdqa
    - LP: #1330177
 -- Andy Whitcroft <email address hidden> Tue, 15 Jul 2014 10:19:39 +0100

Changed in linux-armadaxp (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 3.2.0-1451.71

---------------
linux-ti-omap4 (3.2.0-1451.71) precise; urgency=low

  [ Luis Henriques ]

  * Rebased to 3.2.0-67.101

  [ Ubuntu: 3.2.0-67.101 ]

  * l2tp: Privilege escalation in ppp over l2tp sockets
    - LP: #1341472
    - CVE-2014-4943

  [ Ubuntu: 3.2.0-67.100 ]

  * Merged back Ubuntu-3.2.0-65.99 security release
  * Revert "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
    - LP: #1337339
  * Release Tracking Bug
    - LP: #1338654
  * ptrace,x86: force IRET path after a ptrace_stop()
    - LP: #1337339
    - CVE-2014-4699

linux-ti-omap4 (3.2.0-1451.70) precise; urgency=low

  * Release Tracking Bug
    - LP: #1336143

  [ Paolo Pisati ]

  * rebased on Ubuntu-3.2.0-66.99

  [ Ubuntu: 3.2.0-66.99 ]

  * Release Tracking Bug
    - LP: #1335906
  * skbuff: export skb_copy_ubufs
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: add an api to orphan frags
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: skb_segment: orphan frags before copying
    - LP: #1298119
    - CVE-2014-0131
  * lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c
    - CVE-2014-4608
  * lib/lzo: Update LZO compression to current upstream version
    - CVE-2014-4608
  * lzo: properly check for overruns
    - CVE-2014-4608
  * KVM: x86 emulator: add support for vector alignment
    - LP: #1330177
  * KVM: x86: emulate movdqa
    - LP: #1330177
 -- Luis Henriques <email address hidden> Tue, 15 Jul 2014 10:12:30 +0100

Changed in linux-ti-omap4 (Ubuntu):
status: New → Fix Released
status: New → Fix Released
Changed in linux (Ubuntu Utopic):
status: New → Invalid
no longer affects: linux (Ubuntu Saucy)
no longer affects: linux (Ubuntu Lucid)
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-mvl-dove (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-mvl-dove (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-ec2 (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-ec2 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-fsl-imx51 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-fsl-imx51 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Steve Beattie (sbeattie)
no longer affects: linux (Ubuntu Utopic)
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Wily):
importance: Undecided → High
Steve Beattie (sbeattie)
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High