Ubuntu
linux package

Regression in commit 8e4e453d548e3c24e9070eda23c52f210951b921

Bug #1327300 reported by John Johansen on 2014-06-06
140
This bug affects 38 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Invalid
Undecided
Unassigned
Lucid
Fix Released
Critical
John Johansen
Also affects project (?) Also affects distribution/package Nominate for series

Bug Description

Phil Turnbull reported a problem with the Lucid (2.6.32) backport of
  futex: Always cleanup owner tid in unlock_pi
  commit: 8e4e453d548e3c24e9070eda23c52f210951b921

In patches-2.6.32.tgz:patches/0003-futex-Always-cleanup-owner-tid-in-unlock_pi.$
there is this change (ignoring whitespace changes):

        curval = cmpxchg_futex_value_locked(uaddr, uval, newval);
-
- if (curval == -EFAULT)
+ if (curval)
                ret = -EFAULT;

which seems to change the behaviour of the function.

The purpose of the return value of cmpxchg_futex_value_locked changed in

37a9d912b24f96a0591 "futex: Sanitize cmpxchg_futex_value_locked API"

which is not included in 2.6.32. This patch changes the return value to a
status code, but in 2.6.32 the return value is the value of the futex or
-EFAULT. With this backported patch, any futex with a non-zero value will
return -EFAULT.

CVE References

John Johansen (jjohansen) on 2014-06-06
Changed in linux (Ubuntu):
assignee: nobody → John Johansen (jjohansen)
status: New → Confirmed
Andy Whitcroft (apw) wrote :

This issue only exists in Lucid, cleaning up tasks to match.

Changed in linux (Ubuntu Lucid):
status: New → Fix Committed
importance: Undecided → Critical
Changed in linux (Ubuntu):
status: Confirmed → Invalid
Changed in linux (Ubuntu Lucid):
assignee: nobody → John Johansen (jjohansen)
Changed in linux (Ubuntu):
assignee: John Johansen (jjohansen) → nobody
Martin Hecht (mrbaseman) wrote :

the source diffs on https://launchpad.net/ubuntu/+source/linux/2.6.32-61.124 already contain the above fix,
but it seems it didn't make its way into the binary packages:
http://ubuntuforums.org/showthread.php?t=2228206
http://forum.ubuntuusers.de/topic/linux-image-2-6-32-61-generic-nach-update-haen/

pirx67 (pirx67) wrote :

Hi,

the described bug also hit me (as described in the mentioned forum threads, see post #2 here).
It was fixed by the kernel 2.6.32-62.125 from lucid-proposed. Thanks.

Brad Figg (brad-figg) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lucid' to 'verification-done-lucid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!

tags: added: verification-needed-lucid
tmstaedt (tmstaedt) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-lucid' to 'verification-done-lucid'.
>
> If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
>
> See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you!
>
>
> tags: added: verification-needed-lucid
>
>

All right, I just installed the kernel from lucid-proposed and it would come up okay. Could log on into GNOME desktop and things appear to
be working normal, just like with previous kernel updates!

See also: https://bugs.launchpad.net/bugs/1327014
--
thomas

Andy Smith (grifferz) wrote :

Seems to be causing Firefox to completely lock up as soon as either right mouse button is clicked (for context menu) or a menu item is selected. Reverting to earlier kernel version makes the problem go away for me.

Also manifests itself using the latest stable release of Firefox (30.0) as downloaded from firefox.com, so I believe is not a Firefox issue.

Luis Henriques (henrix) wrote :

Andy, could you please confirm you're running the kernel in -proposed (2.6.32-62.125)? Because it looks like you're hitting the bug the fix described above is supposed to fix.

Kevin Tapperson (kevun) wrote :

I have also seen this manifest when running Update Manager under the 2.6.32-61 kernel. Launch Update Manager and click the Check button to reload the cache of software sources and Update Manager will hang.

Luis Henriques (henrix) wrote :

Kevin, can you please boot with an older kernel, enable the -proposed pocket (see comment #4) and install the 2.6.32-62.125? It should fix the issue

Barry Trent (barry-l) wrote :

I enabled the lucid-proposed repository (per comment #4) and installed the generic-pae version of the 2.6.32-62.125 kernel. I can confirm that sound operation returned to normal and the applications which were hanging, like Firefox and ThunderBird, are now working normally again.

Daniel Letzeisen (dtl131-deactivatedaccount) on 2014-06-14
tags: added: verification-done-lucid
removed: verification-needed-lucid
Benno Schulenberg (bennoschulenberg) wrote :

Also I can confirm that the -62 version of the kernel on Lucid (linux-image-2.6.32-62-generic) solves the hanging issue that the -61 version has. Sound works, Thunderbird runs, all is fine. Thanks.

Barry Trent (barry-l) wrote :

Doesn't this have to impact packages in the server edition as well as the desktop? Surely there are server packages that use futexes?

Joseph Salisbury (jsalisbury) wrote :

@Lucie B, Is your issue a regression? Was there a prior kernel version that did not exhibit the bug for you?

Also, would it be possible for you to open a new bug, so we can review your specific configuration? You can open a new bug by running the following from a terminal:

ubuntu-bug linux

tags: added: kernel-da-key
Camden McDonald (camdenmc) wrote :

kernel 2.6.32-62 fixed this for me. Many thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-62.125

---------------
linux (2.6.32-62.125) lucid; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1328140

  [ John Johansen ]

  * SAUCE: (no-up) Fix regression introduced by patch, for CVE-2014-3153
    - LP: #1327300

  [ Kamal Mostafa ]

  * [Config] add debian/gbp.conf

  [ Upstream Kernel Changes ]

  * filter: prevent nla extensions to peek beyond the end of the message
    - LP: #1319561, #1319563
    - CVE-2014-3145
 -- Brad Figg <email address hidden> Mon, 09 Jun 2014 07:11:00 -0700

Changed in linux (Ubuntu Lucid):
status: Fix Committed → Fix Released
Adam Conrad (adconrad) wrote : Update Released

The verification of the Stable Release Update for linux has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.

richard allen (richard6601) wrote :

Have just commented on bug/1327979 before saw this but seems to non-programmer like me that it was purposefully sorted out
Thanks all anyway

Glenn Talbott (gtalbott) wrote :

Update came through yesterday, everything working fine. Thanks to all who contributed to fixing, and insuring that this problem got fixed.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.
Subscribing...

Other bug subscribers