x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | | High | Unassigned | |
Precise | | High | Unassigned | |
Trusty | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-armadaxp (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-ec2 (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-flo (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-fsl-imx51 (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-goldfish (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-lts-quantal (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-lts-raring (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-lts-saucy (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-lts-trusty (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-lts-utopic (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-lts-vivid (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-mako (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-manta (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-mvl-dove (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-raspi2 (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |
linux-ti-omap4 (Ubuntu) | | High | Unassigned | |
Vivid | | High | Unassigned | |
Wily | | High | Unassigned | |
Xenial | | High | Unassigned | |

Bug Description
The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved RIP address in the case of a system call that does not use IRET, which allows local users to leverage a race condition and gain privileges, or cause a denial of service (double fault), via a crafted application that makes ptrace and fork system calls.
Break-Fix: 427abfa28afedff
description: | updated |
no longer affects: | linux-lts-trusty (Ubuntu Lucid) |
no longer affects: | linux-lts-trusty (Ubuntu Saucy) |
no longer affects: | linux-lts-trusty (Ubuntu Trusty) |
no longer affects: | linux-lts-trusty (Ubuntu Utopic) |
no longer affects: | linux-ec2 (Ubuntu Precise) |
no longer affects: | linux-ec2 (Ubuntu Saucy) |
no longer affects: | linux-ec2 (Ubuntu Trusty) |
no longer affects: | linux-ec2 (Ubuntu Utopic) |
Changed in linux-ec2 (Ubuntu): | |
status: | New → Invalid |
no longer affects: | linux-lowlatency (Ubuntu Lucid) |
no longer affects: | linux-lowlatency (Ubuntu Trusty) |
no longer affects: | linux-lts-saucy (Ubuntu Utopic) |
no longer affects: | linux-lowlatency (Ubuntu Utopic) |
Changed in linux-lowlatency (Ubuntu): | |
status: | New → Invalid |
no longer affects: | linux-lts-saucy (Ubuntu Trusty) |
no longer affects: | linux-lts-quantal (Ubuntu Lucid) |
no longer affects: | linux-lts-saucy (Ubuntu Lucid) |
no longer affects: | linux-lts-saucy (Ubuntu Saucy) |
no longer affects: | linux-lts-raring (Ubuntu Utopic) |
no longer affects: | linux-lts-quantal (Ubuntu Saucy) |
no longer affects: | linux-lts-quantal (Ubuntu Trusty) |
no longer affects: | linux-lts-quantal (Ubuntu Utopic) |
no longer affects: | linux-lts-raring (Ubuntu Lucid) |
no longer affects: | linux-lts-raring (Ubuntu Saucy) |
no longer affects: | linux-lts-raring (Ubuntu Trusty) |
Changed in linux-lts-trusty (Ubuntu): | |
status: | New → Invalid |
Changed in linux-lts-saucy (Ubuntu): | |
status: | New → Invalid |
Changed in linux-lts-raring (Ubuntu): | |
status: | New → Invalid |
Changed in linux-lts-quantal (Ubuntu): | |
status: | New → Invalid |
information type: | Private Security → Public Security |
no longer affects: | linux-armadaxp (Ubuntu) |
no longer affects: | linux-armadaxp (Ubuntu) |
tags: | added: kernel-cve-tracking-bug |
no longer affects: | linux-armadaxp (Ubuntu) |
no longer affects: | linux-ec2 (Ubuntu) |
no longer affects: | linux-ec2 (Ubuntu Lucid) |
no longer affects: | linux-lowlatency (Ubuntu Precise) |
no longer affects: | linux-lowlatency (Ubuntu Saucy) |
no longer affects: | linux-lowlatency (Ubuntu) |
no longer affects: | linux-lts-quantal (Ubuntu Precise) |
no longer affects: | linux-lts-quantal (Ubuntu) |
no longer affects: | linux-lts-raring (Ubuntu Precise) |
no longer affects: | linux-lts-raring (Ubuntu) |
no longer affects: | linux-lts-saucy (Ubuntu Precise) |
no longer affects: | linux-lts-saucy (Ubuntu) |
no longer affects: | linux-lts-trusty (Ubuntu) |
no longer affects: | linux-lts-trusty (Ubuntu Precise) |
Changed in linux (Ubuntu Precise): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Saucy): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Trusty): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Lucid): | |
importance: | Undecided → High |
Changed in linux (Ubuntu Utopic): | |
importance: | Undecided → High |
description: | updated |
no longer affects: | linux-ti-omap4 (Ubuntu) |
no longer affects: | linux-mvl-dove (Ubuntu) |
no longer affects: | linux-lts-saucy (Ubuntu) |
no longer affects: | linux-lts-raring (Ubuntu) |
no longer affects: | linux-lts-quantal (Ubuntu) |
no longer affects: | linux-fsl-imx51 (Ubuntu) |
no longer affects: | linux-ec2 (Ubuntu) |
no longer affects: | linux-armadaxp (Ubuntu) |
Launchpad Janitor (janitor) wrote : | #1 |
Changed in linux (Ubuntu Lucid): | |
status: | New → Fix Released |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #3 |
This bug was fixed in the package linux - 3.2.0-65.99
---------------
linux (3.2.0-65.99) precise; urgency=low
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:24:43 +0100
Changed in linux (Ubuntu Precise): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #4 |
This bug was fixed in the package linux-lts-quantal - 3.5.0-52.
---------------
linux-lts-quantal (3.5.0-
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Fri, 04 Jul 2014 10:52:15 +0100
Changed in linux-lts-quantal (Ubuntu): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #5 |
This bug was fixed in the package linux-lts-raring - 3.8.0-42.
---------------
linux-lts-raring (3.8.0-
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Fri, 04 Jul 2014 10:14:37 +0100
Changed in linux-lts-raring (Ubuntu): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #6 |
This bug was fixed in the package linux-lts-saucy - 3.11.0-
---------------
linux-lts-saucy (3.11.0-
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Fri, 04 Jul 2014 09:47:04 +0100
Changed in linux-lts-saucy (Ubuntu): | |
status: | New → Fix Released |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package linux - 3.11.0-24.42
---------------
linux (3.11.0-24.42) saucy; urgency=low
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Fri, 04 Jul 2014 09:20:33 +0100
Changed in linux (Ubuntu Saucy): | |
status: | New → Fix Released |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package linux - 3.13.0-30.55
---------------
linux (3.13.0-30.55) trusty; urgency=low
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Thu, 03 Jul 2014 16:15:57 +0100
Changed in linux (Ubuntu Trusty): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #11 |
This bug was fixed in the package linux-ec2 - 2.6.32-366.81
---------------
linux-ec2 (2.6.32-366.81) lucid; urgency=low
[ Andy Whitcroft ]
* rebase to Ubuntu-
[ Ubuntu: 2.6.32-62.126 ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Andy Whitcroft <email address hidden> Fri, 04 Jul 2014 18:32:47 +0100
Changed in linux-ec2 (Ubuntu): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Precise): | |
status: | Fix Released → New |
Changed in linux (Ubuntu Saucy): | |
status: | Fix Released → New |
Changed in linux (Ubuntu Trusty): | |
status: | Fix Released → New |
Changed in linux (Ubuntu Lucid): | |
status: | Fix Released → New |
Launchpad Janitor (janitor) wrote : | #12 |
This bug was fixed in the package linux - 3.2.0-65.99
---------------
linux (3.2.0-65.99) precise; urgency=low
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:24:43 +0100
Changed in linux (Ubuntu Precise): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Lucid): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Saucy): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Trusty): | |
status: | New → Fix Released |
description: | updated |
Launchpad Janitor (janitor) wrote : | #13 |
This bug was fixed in the package linux-armadaxp - 3.2.0-1636.53
---------------
linux-armadaxp (3.2.0-1636.53) precise; urgency=low
[ Andy Whitcroft ]
* rebase to Ubuntu-3.2.0-67.101
[ Ubuntu: 3.2.0-67.101 ]
* l2tp: Privilege escalation in ppp over l2tp sockets
- LP: #1341472
- CVE-2014-4943
linux-armadaxp (3.2.0-1636.52) precise; urgency=low
[ Ike Panhc ]
* Release Tracking Bug
- LP: #1338870
* Rebase to Ubuntu-3.2.0-67.100
[ Ubuntu: 3.2.0-67.100 ]
* Merged back Ubuntu-3.2.0-65.99 security release
* Revert "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
- LP: #1337339
* Release Tracking Bug
- LP: #1338654
* ptrace,x86: force IRET path after a ptrace_stop()
- LP: #1337339
- CVE-2014-4699
linux-armadaxp (3.2.0-1636.51) precise-proposed; urgency=low
[ Ike Panhc ]
* Release Tracking Bug
- LP: #1336144
* Rebase to Ubuntu-3.2.0-66.99
[ Ubuntu: 3.2.0-66.99 ]
* Release Tracking Bug
- LP: #1335906
* skbuff: export skb_copy_ubufs
- LP: #1298119
- CVE-2014-0131
* skbuff: add an api to orphan frags
- LP: #1298119
- CVE-2014-0131
* skbuff: skb_segment: orphan frags before copying
- LP: #1298119
- CVE-2014-0131
* lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompres
- CVE-2014-4608
* lib/lzo: Update LZO compression to current upstream version
- CVE-2014-4608
* lzo: properly check for overruns
- CVE-2014-4608
* KVM: x86 emulator: add support for vector alignment
- LP: #1330177
* KVM: x86: emulate movdqa
- LP: #1330177
-- Andy Whitcroft <email address hidden> Tue, 15 Jul 2014 10:19:39 +0100
Changed in linux-armadaxp (Ubuntu): | |
status: | New → Fix Released |
Launchpad Janitor (janitor) wrote : | #14 |
This bug was fixed in the package linux-ti-omap4 - 3.2.0-1451.71
---------------
linux-ti-omap4 (3.2.0-1451.71) precise; urgency=low
[ Luis Henriques ]
* Rebased to 3.2.0-67.101
[ Ubuntu: 3.2.0-67.101 ]
* l2tp: Privilege escalation in ppp over l2tp sockets
- LP: #1341472
- CVE-2014-4943
[ Ubuntu: 3.2.0-67.100 ]
* Merged back Ubuntu-3.2.0-65.99 security release
* Revert "x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)"
- LP: #1337339
* Release Tracking Bug
- LP: #1338654
* ptrace,x86: force IRET path after a ptrace_stop()
- LP: #1337339
- CVE-2014-4699
linux-ti-omap4 (3.2.0-1451.70) precise; urgency=low
* Release Tracking Bug
- LP: #1336143
[ Paolo Pisati ]
* rebased on Ubuntu-3.2.0-66.99
[ Ubuntu: 3.2.0-66.99 ]
* Release Tracking Bug
- LP: #1335906
* skbuff: export skb_copy_ubufs
- LP: #1298119
- CVE-2014-0131
* skbuff: add an api to orphan frags
- LP: #1298119
- CVE-2014-0131
* skbuff: skb_segment: orphan frags before copying
- LP: #1298119
- CVE-2014-0131
* lib/lzo: Rename lzo1x_decompress.c to lzo1x_decompres
- CVE-2014-4608
* lib/lzo: Update LZO compression to current upstream version
- CVE-2014-4608
* lzo: properly check for overruns
- CVE-2014-4608
* KVM: x86 emulator: add support for vector alignment
- LP: #1330177
* KVM: x86: emulate movdqa
- LP: #1330177
-- Luis Henriques <email address hidden> Tue, 15 Jul 2014 10:12:30 +0100
Changed in linux-ti-omap4 (Ubuntu): | |
status: | New → Fix Released |
status: | New → Fix Released |
Changed in linux (Ubuntu Utopic): | |
status: | New → Invalid |
no longer affects: | linux (Ubuntu Saucy) |
no longer affects: | linux (Ubuntu Lucid) |
Changed in linux-lts-trusty (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-trusty (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-quantal (Ubuntu Wily): | |
status: | Fix Released → Invalid |
importance: | Undecided → High |
Changed in linux-lts-quantal (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-ti-omap4 (Ubuntu Wily): | |
status: | Fix Released → Invalid |
importance: | Undecided → High |
Changed in linux-ti-omap4 (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-raring (Ubuntu Wily): | |
status: | Fix Released → Invalid |
importance: | Undecided → High |
Changed in linux-lts-raring (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-armadaxp (Ubuntu Wily): | |
status: | Fix Released → Invalid |
importance: | Undecided → High |
Changed in linux-armadaxp (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-mvl-dove (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-mvl-dove (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-saucy (Ubuntu Wily): | |
status: | Fix Released → Invalid |
importance: | Undecided → High |
Changed in linux-lts-saucy (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-manta (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-manta (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-ec2 (Ubuntu Wily): | |
status: | Fix Released → Invalid |
importance: | Undecided → High |
Changed in linux-ec2 (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-vivid (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-vivid (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-mako (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-mako (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-fsl-imx51 (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-fsl-imx51 (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-utopic (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-lts-utopic (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-goldfish (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-goldfish (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-flo (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-flo (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
no longer affects: | linux (Ubuntu Utopic) |
Changed in linux-raspi2 (Ubuntu Vivid): | |
status: | New → Invalid |
importance: | Undecided → High |
Changed in linux-raspi2 (Ubuntu Wily): | |
importance: | Undecided → High |
Changed in linux-raspi2 (Ubuntu Xenial): | |
importance: | Undecided → High |
This bug was fixed in the package linux - 2.6.32-62.126
---------------
linux (2.6.32-62.126) lucid; urgency=low
[ Upstream Kernel Changes ]
* x86_64,ptrace: Enforce RIP <= TASK_SIZE_MAX (CVE-2014-4699)
- LP: #1337339
- CVE-2014-4699
-- Luis Henriques <email address hidden> Fri, 04 Jul 2014 11:45:45 +0100