x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)

Bug #1337339 reported by John Johansen on 2014-07-03
Affects                     Series tasks                           Importance  Assigned to
linux (Ubuntu)              Precise, Trusty, Vivid, Wily, Xenial   High        Unassigned
linux-armadaxp (Ubuntu)     Vivid, Wily, Xenial                    High        Unassigned
linux-ec2 (Ubuntu)          Vivid, Wily, Xenial                    High        Unassigned
linux-flo (Ubuntu)          Vivid, Wily, Xenial                    High        Unassigned
linux-fsl-imx51 (Ubuntu)    Vivid, Wily, Xenial                    High        Unassigned
linux-goldfish (Ubuntu)     Vivid, Wily, Xenial                    High        Unassigned
linux-lts-quantal (Ubuntu)  Vivid, Wily, Xenial                    High        Unassigned
linux-lts-raring (Ubuntu)   Vivid, Wily, Xenial                    High        Unassigned
linux-lts-saucy (Ubuntu)    Vivid, Wily, Xenial                    High        Unassigned
linux-lts-trusty (Ubuntu)   Vivid, Wily, Xenial                    High        Unassigned
linux-lts-utopic (Ubuntu)   Vivid, Wily, Xenial                    High        Unassigned
linux-lts-vivid (Ubuntu)    Vivid, Wily, Xenial                    High        Unassigned
linux-mako (Ubuntu)         Vivid, Wily, Xenial                    High        Unassigned
linux-manta (Ubuntu)        Vivid, Wily, Xenial                    High        Unassigned
linux-mvl-dove (Ubuntu)     Vivid, Wily, Xenial                    High        Unassigned
linux-raspi2 (Ubuntu)       Vivid, Wily, Xenial                    High        Unassigned
linux-ti-omap4 (Ubuntu)     Vivid, Wily, Xenial                    High        Unassigned

The importance and assignee shown apply both to the package task and to each of its listed series tasks.

Bug Description

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.

Break-Fix: 427abfa28afedffadfca9dd8b067eb6d36bac53f b9cd18de4db3c9ffa7e17b0dc0ca99ed5aa4d43a

description: updated
Adam Conrad (adconrad) on 2014-07-04
no longer affects: linux-lts-trusty (Ubuntu Lucid)
no longer affects: linux-lts-trusty (Ubuntu Saucy)
no longer affects: linux-lts-trusty (Ubuntu Trusty)
no longer affects: linux-lts-trusty (Ubuntu Utopic)
no longer affects: linux-ec2 (Ubuntu Precise)
no longer affects: linux-ec2 (Ubuntu Saucy)
no longer affects: linux-ec2 (Ubuntu Trusty)
no longer affects: linux-ec2 (Ubuntu Utopic)
Changed in linux-ec2 (Ubuntu):
status: New → Invalid
no longer affects: linux-lowlatency (Ubuntu Lucid)
no longer affects: linux-lowlatency (Ubuntu Trusty)
no longer affects: linux-lts-saucy (Ubuntu Utopic)
no longer affects: linux-lowlatency (Ubuntu Utopic)
Changed in linux-lowlatency (Ubuntu):
status: New → Invalid
no longer affects: linux-lts-saucy (Ubuntu Trusty)
no longer affects: linux-lts-quantal (Ubuntu Lucid)
no longer affects: linux-lts-saucy (Ubuntu Lucid)
no longer affects: linux-lts-saucy (Ubuntu Saucy)
Adam Conrad (adconrad) on 2014-07-04
no longer affects: linux-lts-raring (Ubuntu Utopic)
no longer affects: linux-lts-quantal (Ubuntu Saucy)
no longer affects: linux-lts-quantal (Ubuntu Trusty)
no longer affects: linux-lts-quantal (Ubuntu Utopic)
no longer affects: linux-lts-raring (Ubuntu Lucid)
no longer affects: linux-lts-raring (Ubuntu Saucy)
no longer affects: linux-lts-raring (Ubuntu Trusty)
Changed in linux-lts-trusty (Ubuntu):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu):
status: New → Invalid
information type: Private Security → Public Security
no longer affects: linux-armadaxp (Ubuntu)
no longer affects: linux-armadaxp (Ubuntu)
tags: added: kernel-cve-tracking-bug
no longer affects: linux-armadaxp (Ubuntu)
no longer affects: linux-ec2 (Ubuntu)
no longer affects: linux-ec2 (Ubuntu Lucid)
no longer affects: linux-lowlatency (Ubuntu Precise)
no longer affects: linux-lowlatency (Ubuntu Saucy)
no longer affects: linux-lowlatency (Ubuntu)
no longer affects: linux-lts-quantal (Ubuntu Precise)
no longer affects: linux-lts-quantal (Ubuntu)
no longer affects: linux-lts-raring (Ubuntu Precise)
no longer affects: linux-lts-raring (Ubuntu)
no longer affects: linux-lts-saucy (Ubuntu Precise)
no longer affects: linux-lts-saucy (Ubuntu)
no longer affects: linux-lts-trusty (Ubuntu)
no longer affects: linux-lts-trusty (Ubuntu Precise)
Changed in linux (Ubuntu Precise):
importance: Undecided → High
Changed in linux (Ubuntu Saucy):
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
Changed in linux (Ubuntu Lucid):
importance: Undecided → High
Changed in linux (Ubuntu Utopic):
importance: Undecided → High
description: updated
no longer affects: linux-ti-omap4 (Ubuntu)
no longer affects: linux-mvl-dove (Ubuntu)
no longer affects: linux-lts-saucy (Ubuntu)
no longer affects: linux-lts-raring (Ubuntu)
no longer affects: linux-lts-quantal (Ubuntu)
no longer affects: linux-fsl-imx51 (Ubuntu)
no longer affects: linux-ec2 (Ubuntu)
no longer affects: linux-armadaxp (Ubuntu)
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-62.126

---------------
linux (2.6.32-62.126) lucid; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:45:45 +0100

Changed in linux (Ubuntu Lucid):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-65.99

---------------
linux (3.2.0-65.99) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:24:43 +0100

Changed in linux (Ubuntu Precise):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-quantal - 3.5.0-52.79~precise1

---------------
linux-lts-quantal (3.5.0-52.79~precise1) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 10:52:15 +0100

Changed in linux-lts-quantal (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-raring - 3.8.0-42.63~precise1

---------------
linux-lts-raring (3.8.0-42.63~precise1) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 10:14:37 +0100

Changed in linux-lts-raring (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-saucy - 3.11.0-24.42~precise1

---------------
linux-lts-saucy (3.11.0-24.42~precise1) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 09:47:04 +0100

Changed in linux-lts-saucy (Ubuntu):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-24.42

---------------
linux (3.11.0-24.42) saucy; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 09:20:33 +0100

Changed in linux (Ubuntu Saucy):
status: New → Fix Released
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-30.55

---------------
linux (3.13.0-30.55) trusty; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Thu, 03 Jul 2014 16:15:57 +0100

Changed in linux (Ubuntu Trusty):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ec2 - 2.6.32-366.81

---------------
linux-ec2 (2.6.32-366.81) lucid; urgency=low

  [ Andy Whitcroft ]

  * rebase to Ubuntu-2.6.32-62.126

  [ Ubuntu: 2.6.32-62.126 ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Andy Whitcroft <email address hidden> Fri, 04 Jul 2014 18:32:47 +0100

Changed in linux-ec2 (Ubuntu):
status: New → Fix Released
Changed in linux (Ubuntu Precise):
status: Fix Released → New
Changed in linux (Ubuntu Saucy):
status: Fix Released → New
Changed in linux (Ubuntu Trusty):
status: Fix Released → New
Changed in linux (Ubuntu Lucid):
status: Fix Released → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-65.99

---------------
linux (3.2.0-65.99) precise; urgency=low

  [ Upstream Kernel Changes ]

  * x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
    - LP: #1337339
    - CVE-2014-4699
 -- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:24:43 +0100

Changed in linux (Ubuntu Precise):
status: New → Fix Released
Adam Conrad (adconrad) on 2014-07-05
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Changed in linux (Ubuntu Saucy):
status: New → Fix Released
Changed in linux (Ubuntu Trusty):
status: New → Fix Released
description: updated
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-armadaxp - 3.2.0-1636.53

---------------
linux-armadaxp (3.2.0-1636.53) precise; urgency=low

  [ Andy Whitcroft ]

  * rebase to Ubuntu-3.2.0-67.101

  [ Ubuntu: 3.2.0-67.101 ]

  * l2tp: Privilege escalation in ppp over l2tp sockets
    - LP: #1341472
    - CVE-2014-4943

linux-armadaxp (3.2.0-1636.52) precise; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
    - LP: #1338870
  * Rebase to Ubuntu-3.2.0-67.100

  [ Ubuntu: 3.2.0-67.100 ]

  * Merged back Ubuntu-3.2.0-65.99 security release
  * Revert "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
    - LP: #1337339
  * Release Tracking Bug
    - LP: #1338654
  * ptrace,x86: force IRET path after a ptrace_stop()
    - LP: #1337339
    - CVE-2014-4699

linux-armadaxp (3.2.0-1636.51) precise-proposed; urgency=low

  [ Ike Panhc ]

  * Release Tracking Bug
    - LP: #1336144
  * Rebase to Ubuntu-3.2.0-66.99

  [ Ubuntu: 3.2.0-66.99 ]

  * Release Tracking Bug
    - LP: #1335906
  * skbuff: export skb_copy_ubufs
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: add an api to orphan frags
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: skb_segment: orphan frags before copying
    - LP: #1298119
    - CVE-2014-0131
  * lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c
    - CVE-2014-4608
  * lib/lzo: Update LZO compression to current upstream version
    - CVE-2014-4608
  * lzo: properly check for overruns
    - CVE-2014-4608
  * KVM: x86 emulator: add support for vector alignment
    - LP: #1330177
  * KVM: x86: emulate movdqa
    - LP: #1330177
 -- Andy Whitcroft <email address hidden> Tue, 15 Jul 2014 10:19:39 +0100

Changed in linux-armadaxp (Ubuntu):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-ti-omap4 - 3.2.0-1451.71

---------------
linux-ti-omap4 (3.2.0-1451.71) precise; urgency=low

  [ Luis Henriques ]

  * Rebased to 3.2.0-67.101

  [ Ubuntu: 3.2.0-67.101 ]

  * l2tp: Privilege escalation in ppp over l2tp sockets
    - LP: #1341472
    - CVE-2014-4943

  [ Ubuntu: 3.2.0-67.100 ]

  * Merged back Ubuntu-3.2.0-65.99 security release
  * Revert "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
    - LP: #1337339
  * Release Tracking Bug
    - LP: #1338654
  * ptrace,x86: force IRET path after a ptrace_stop()
    - LP: #1337339
    - CVE-2014-4699

linux-ti-omap4 (3.2.0-1451.70) precise; urgency=low

  * Release Tracking Bug
    - LP: #1336143

  [ Paolo Pisati ]

  * rebased on Ubuntu-3.2.0-66.99

  [ Ubuntu: 3.2.0-66.99 ]

  * Release Tracking Bug
    - LP: #1335906
  * skbuff: export skb_copy_ubufs
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: add an api to orphan frags
    - LP: #1298119
    - CVE-2014-0131
  * skbuff: skb_segment: orphan frags before copying
    - LP: #1298119
    - CVE-2014-0131
  * lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompress_safe.c
    - CVE-2014-4608
  * lib/lzo: Update LZO compression to current upstream version
    - CVE-2014-4608
  * lzo: properly check for overruns
    - CVE-2014-4608
  * KVM: x86 emulator: add support for vector alignment
    - LP: #1330177
  * KVM: x86: emulate movdqa
    - LP: #1330177
 -- Luis Henriques <email address hidden> Tue, 15 Jul 2014 10:12:30 +0100

Changed in linux-ti-omap4 (Ubuntu):
status: New → Fix Released
status: New → Fix Released
Changed in linux (Ubuntu Utopic):
status: New → Invalid
no longer affects: linux (Ubuntu Saucy)
no longer affects: linux (Ubuntu Lucid)
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-mvl-dove (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-mvl-dove (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-ec2 (Ubuntu Wily):
status: Fix Released → Invalid
importance: Undecided → High
Changed in linux-ec2 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-fsl-imx51 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-fsl-imx51 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Wily):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Steve Beattie (sbeattie) on 2016-01-27
no longer affects: linux (Ubuntu Utopic)
Changed in linux-raspi2 (Ubuntu Vivid):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Wily):
importance: Undecided → High
Steve Beattie (sbeattie) on 2016-01-27
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
This report contains Public Security information.