CVE-2016-4557: use-after-free flaw via double-fdput in bpf

Bug #1578705 reported by Steve Beattie on 2016-05-05
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-armadaxp (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-flo (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-goldfish (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-quantal (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-raring (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-saucy (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-trusty (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-utopic (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-vivid (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-wily (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-lts-xenial (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-mako (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-manta (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-raspi2 (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-snapdragon (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |
linux-ti-omap4 (Ubuntu) | | High | Unassigned |
  Precise | | High | Unassigned |
  Trusty | | High | Unassigned |
  Xenial | | High | Unassigned |
  Yakkety | | High | Unassigned |

Bug Description

The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.

Break-Fix: 1be7f75d1668d6296b80bf35dcf6762393530afc 8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
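
The double-fdput named in the title, modelled in userspace as an added example (not kernel code and not part of this report): in affected kernels the lookup helper `__bpf_map_get()` already drops the fd reference on its error path, and `replace_map_fd_with_map_ptr()` dropped it a second time. The `model_*` and `resolve_*` names are hypothetical stand-ins, and the reference count is a plain integer that starts at 1 for the descriptor table's own reference.

```c
#include <stdio.h>

/* Userspace model only: all names here are hypothetical stand-ins. */
struct model_file {
    int refcount;   /* references currently held on the file */
    int is_bpf_map; /* 1 if the descriptor really refers to a BPF map */
};

static void model_fdget(struct model_file *f) { f->refcount++; }
static void model_fdput(struct model_file *f) { f->refcount--; }

/* Lookup helper: on the error path it releases the caller's reference itself. */
static int model_map_get(struct model_file *f)
{
    if (!f->is_bpf_map) {
        model_fdput(f);
        return -1;
    }
    return 0;
}

/* Before the fix: the caller releases again after the helper already did. */
static int resolve_map_fd_vulnerable(struct model_file *f)
{
    model_fdget(f);
    if (model_map_get(f) < 0) {
        model_fdput(f);          /* second put for a single get */
        return -1;
    }
    model_fdput(f);
    return 0;
}

/* After the fix: the error path relies on the helper's put only. */
static int resolve_map_fd_fixed(struct model_file *f)
{
    model_fdget(f);
    if (model_map_get(f) < 0)
        return -1;
    model_fdput(f);
    return 0;
}

/* Start with the one reference owned by the descriptor table and return the
 * count left afterwards: 1 is balanced, 0 means the file would be freed
 * while the table still points at it (the use-after-free condition). */
static int refs_after(int (*resolve)(struct model_file *), int is_bpf_map)
{
    struct model_file f = { 1, is_bpf_map };
    resolve(&f);
    return f.refcount;
}

int main(void)
{
    printf("non-map fd, before fix: %d\n", refs_after(resolve_map_fd_vulnerable, 0));
    printf("non-map fd, after fix:  %d\n", refs_after(resolve_map_fd_fixed, 0));
    return 0;
}
```

Both variants leave the count balanced when the descriptor really is a map; only the error path differs, which is why the upstream fix is the removal of a single `fdput()` call.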

Steve Beattie (sbeattie) on 2016-05-05
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Xenial):
importance: Undecided → High
Changed in linux (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-mako (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Yakkety):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-flo (Ubuntu Yakkety):
importance: Undecided → High
description: updated
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Xenial):
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Yakkety):
importance: Undecided → High
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → High
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → High
Adam Conrad (adconrad) on 2016-05-06
information type: Private Security → Public Security

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1578705

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Xenial):
status: New → Incomplete
Steve Beattie (sbeattie) on 2016-05-06
summary: - CVE-2016-NNN1
+ CVE-2016-NNN1: use-after-free flaw via double-fdput in bpf
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux (Ubuntu Yakkety):
status: Incomplete → New
description: updated
summary: - CVE-2016-NNN1: use-after-free flaw via double-fdput in bpf
+ CVE-2016-4557: use-after-free flaw via double-fdput in bpf
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux-lts-xenial (Ubuntu Trusty):
status: Invalid → Fix Committed
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Fix Committed
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Fix Committed
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux (Ubuntu Xenial):
status: Incomplete → Fix Committed
Brad Figg (brad-figg) on 2016-05-06
Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie) on 2016-05-06
tags: added: kernel-cve-tracking-bug
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-xenial - 4.4.0-22.39~14.04.1

---------------
linux-lts-xenial (4.4.0-22.39~14.04.1) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578775

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux-lts-xenial (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-22.39

---------------
linux (4.4.0-22.39) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578721

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Kamal Mostafa (kamalmostafa) wrote :

This bug was fixed in the package linux-snapdragon - 4.4.0-1013.14

---------------
linux-snapdragon (4.4.0-1013.14) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578759

  * Rebase to Ubuntu-4.4.0-22.39

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 11:17:11 -0700

Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Fix Released

Changed in linux-snapdragon (Ubuntu Xenial):
status: Fix Committed → Fix Released
Kamal Mostafa (kamalmostafa) wrote :

This bug was fixed in the package linux-raspi2 - 4.4.0-1010.12

---------------
linux-raspi2 (4.4.0-1010.12) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578741

  * Rebase against Ubuntu-4.4.0-22.39

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 10:19:22 -0700

Changed in linux-raspi2 (Ubuntu Xenial):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie) on 2016-05-06
Changed in linux (Ubuntu Yakkety):
status: Incomplete → New
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-22.39

---------------
linux (4.4.0-22.39) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1578721

  * LP: #1578705
    - bpf: fix double-fdput in replace_map_fd_with_map_ptr()

 -- Kamal Mostafa <email address hidden> Thu, 05 May 2016 09:30:58 -0700

Changed in linux (Ubuntu Yakkety):
status: New → Fix Released
Steve Beattie (sbeattie) on 2016-05-31
description: updated
This report contains Public Security information
Everyone can see this security related information.
