CVE-2014-0038

Bug #1274349 reported by John Johansen on 2014-01-30
This bug affects 5 people
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-armadaxp (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-ec2 (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-fsl-imx51 (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-lts-quantal (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-lts-raring (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-lts-saucy (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-mvl-dove (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |
linux-ti-omap4 (Ubuntu) | | Critical | Unassigned |
  Lucid | | Critical | Unassigned |
  Precise | | Critical | Unassigned |
  Quantal | | Critical | Unassigned |
  Saucy | | Critical | Unassigned |
  Trusty | | Critical | Unassigned |

Bug Description

The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before
3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain
privileges via a recvmmsg system call with a crafted timeout pointer
parameter.

Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 2def2ef2ae5f3990aabdbe8a755911902707d268
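
An exposure check built from the two conditions in the description above (x32 ABI enabled, kernel older than the fix) and the fixed package versions named in the changelog entries on this page. This is an added example, not part of the original report or of Ubuntu's tooling; the function names are hypothetical and `sort -V` is used as an approximation of Debian version ordering.

```shell
#!/bin/sh
# Added example: CVE-2014-0038 exposure check from the facts on this page.
# Function names are hypothetical; sample input below is constructed.

# Fixed package versions named in the changelog entries on this page.
fixed_version_for() {
    case "$1" in
        saucy)  echo "3.11.0-15.25" ;;
        trusty) echo "3.13.0-7.26" ;;
        *)      return 1 ;;  # the page names no fixed version for this series
    esac
}

# Succeeds if the kernel config file $1 enables the x32 ABI.
x32_enabled() {
    grep -q '^CONFIG_X86_X32=y$' "$1"
}

# Succeeds if version $1 orders strictly before $2. sort -V approximates
# Debian ordering for these simple versions; dpkg --compare-versions is the
# authoritative comparison on an Ubuntu host.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Args: config-file series package-version
# Prints: not-affected | vulnerable | patched | unknown
cve_2014_0038_status() {
    x32_enabled "$1" || { echo "not-affected"; return 0; }
    fixed=$(fixed_version_for "$2") || { echo "unknown"; return 0; }
    if version_lt "$3" "$fixed"; then echo "vulnerable"; else echo "patched"; fi
}

# Constructed sample: a config fragment with x32 enabled, checked against
# the two saucy kernel versions mentioned in this report.
sample=$(mktemp)
printf 'CONFIG_X86_64=y\nCONFIG_X86_X32=y\n' > "$sample"
cve_2014_0038_status "$sample" saucy 3.11.0-15.23
cve_2014_0038_status "$sample" saucy 3.11.0-15.25
rm -f "$sample"
```

On an Ubuntu host the config file to pass is typically `/boot/config-$(uname -r)`.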

CVE References

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-15.25

---------------
linux (3.11.0-15.25) saucy; urgency=low

  [ John Johansen ]

  * SAUCE: Fix compat_sys_recvmsg on x32 archs
    - LP: #1274349
 -- Brad Figg <email address hidden> Thu, 30 Jan 2014 08:13:36 -0800

Changed in linux (Ubuntu Saucy):
status: New → Fix Released
status: New → Fix Released
Adam Conrad (adconrad) on 2014-01-31
information type: Private Security → Public Security
Changed in linux (Ubuntu Precise):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Fix Released
Changed in linux-lts-raring (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
Adam Conrad (adconrad) on 2014-01-31
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Fix Released
Changed in linux-lts-saucy (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1274349

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Trusty):
status: Incomplete → New
Brad Figg (brad-figg) on 2014-01-31
Changed in linux (Ubuntu):
status: New → Incomplete
Ken Sharp (kennybobs) on 2014-01-31
tags: added: bot-stop-nagging
Changed in linux (Ubuntu Trusty):
status: Incomplete → Confirmed
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
description: updated

We got the update relating to this in kernel 3.11.0-15.25 (saucy) this morning and it broke remmina connectivity! Downgrading the kernel back to 3.11.0-15.23 fixed the remmina issues.

We are running standard saucy Ubuntu amd64.

Can you please provide full system details and the steps to reproduce.

summary: - Fix-compat_sys_recvmsg-on-x32-archs
+ Fix-compat_sys_recvmmsg-on-x32-archs
Andy Whitcroft (apw) wrote :

From my reading of the changes between the .23 and .25 kernels you could only be affected if you were using a compatibility interface which is only used if you use i386 binaries on amd64, otherwise the altered code is not in use even as remmina is a natively compiled application.

Changed in linux (Ubuntu Trusty):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-7.26

---------------
linux (3.13.0-7.26) trusty; urgency=low

  [ John Johansen ]

  * SAUCE: apparmor: fix uninitialized lsm_audit membe
    - LP: #1268727
  * Add config option to optionally enable new apparmor 3 semantics

  [ Tim Gardner ]

  * [Config] Add lowlatency to getabis
  * [Config] CONFIG_SECURITY_APPARMOR_AA3_SEMANTICS=y
    - LP: #1270215
  * Release Tracking Bug
    - LP: #1276810

  [ Upstream Kernel Changes ]

  * x86, x32: Correct invalid use of user timespec in the kernel
    - LP: #1274349
    - CVE-2014-0038
 -- Tim Gardner <email address hidden> Wed, 05 Feb 2014 15:49:44 -0500

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Mathew Hodson (mhodson) on 2015-07-06
summary: - Fix-compat_sys_recvmmsg-on-x32-archs
+ CVE-2014-0038
description: updated