use after free of BOS in usb_reset_and_verify_device

Bug #1582864 reported by Mike Gerow on 2016-05-17
Affects          Status   Importance   Assigned to         Milestone
linux (Ubuntu)            Medium       Joseph Salisbury
  Trusty                  Medium       Joseph Salisbury
  Vivid                   Medium       Joseph Salisbury
  Wily                    Medium       Joseph Salisbury

Bug Description

Should be fixed with upstream commit e5bdfd50d6f76077bf8441d130c606229e100d40, which reverts upstream commit d8f00cd685f5c8e0def8593e520a7fef12c22407.

With slub_debug enabled this manifests as a deref of 0x6b6b... in usb_disable_ltm

[ 218.235302] general protection fault: 0000 [#1] SMP
[ 218.235311] Modules linked in: usb_storage tcp_diag inet_diag iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables autofs4 rpcsec_gss_krb5 rfcomm bnep bluetooth snd_hda_codec_hdmi binfmt_misc nvidia(POX) snd_hda_codec_realtek snd_hda_intel snd_usb_audio snd_hda_codec snd_usbmidi_lib uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core snd_hwdep snd_seq_midi joydev snd_pcm videodev snd_page_alloc snd_seq_midi_event nfsd snd_rawmidi snd_seq auth_rpcgss parport_pc nfs_acl ppdev nfs lockd sunrpc fscache honeevent(OX) snd_seq_device snd_timer snd drm lp parport sb_edac mei_me hp_wmi sparse_keymap gpio_ich hpuefi(OX) intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm soundcore edac_core mei serio_raw tpm_infineon lpc_ich mac_hid wmi shpchp dm_crypt hid_generic usbhid hid crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse isci e1000e ahci libsas libahci ptp pps_core scsi_transport_sas pata_acpi
[ 218.235410] CPU: 15 PID: 243 Comm: khubd Tainted: P OX 3.13.0-85-generic #129-Ubuntu
[ 218.235414] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 218.235418] task: ffff8807eff98000 ti: ffff8807effa0000 task.ti: ffff8807effa0000
[ 218.235421] RIP: 0010:[<ffffffff815444b6>] [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[ 218.235437] RSP: 0018:ffff8807effa1cd0 EFLAGS: 00010202
[ 218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
[ 218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
[ 218.235446] RBP: ffff8807effa1d08 R08: 0000000000000000 R09: 0000000000000000
[ 218.235449] R10: ffff8807ff804240 R11: ffffffff8136d2a1 R12: 0000000000000000
[ 218.235451] R13: ffff8807ebddd480 R14: 0000000000000001 R15: 0000000000000012
[ 218.235455] FS: 0000000000000000(0000) GS:ffff88101fce0000(0000) knlGS:0000000000000000
[ 218.235458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 218.235461] CR2: 00000000013b1c08 CR3: 0000000001c0e000 CR4: 00000000000407e0
[ 218.235463] Stack:
[ 218.235465] ffffffff81551236 ffff8807ea532ef0 0000000000000000 ffff8807ea532e68
[ 218.235476] ffff8807ea532ef0 ffff8807ebddbf60 0000000000000000 ffff8807effa1d48
[ 218.235483] ffffffff81545c4d ffff8807ea532f50 ffff8807ebddb4d0 00000000000002a0
[ 218.235490] Call Trace:
[ 218.235499] [<ffffffff81551236>] ? usb_disable_device+0x126/0x290
[ 218.235506] [<ffffffff81545c4d>] usb_disconnect+0xad/0x200
[ 218.235511] [<ffffffff815487d3>] hub_port_connect_change+0xd3/0xb20
[ 218.235518] [<ffffffff8154333d>] ? hub_port_status+0xdd/0x120
[ 218.235523] [<ffffffff815496f4>] hub_events+0x4d4/0xa20
[ 218.235528] [<ffffffff81549c75>] hub_thread+0x35/0x160
[ 218.235535] [<ffffffff810add60>] ? prepare_to_wait_event+0x100/0x100
[ 218.235540] [<ffffffff81549c40>] ? hub_events+0xa20/0xa20
[ 218.235549] [<ffffffff8108deb2>] kthread+0xd2/0xf0
[ 218.235554] [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
[ 218.235564] [<ffffffff8173c2e8>] ret_from_fork+0x58/0x90
[ 218.235570] [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
[ 218.235572] Code: e9 48 8b 52 10 48 85 d2 74 e0 f6 42 03 02 74 da 83 7f 1c 05 75 d4 48 8b 97 40 03 00 00 48 85 d2 74 c8 48 8b 52 10 48 85 d2 74 bf <f6> 42 03 02 74 b9 48 83 bf 50 03 00 00 00 74 af 55 45 31 c9 41
[ 218.235618] RIP [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[ 218.235624] RSP <ffff8807effa1cd0>
[ 218.235655] ---[ end trace 954cac763165b767 ]---

Without slub_debug you end up getting a double free and messing up the allocator and apparmor tends to be the first one to notice:

[ 574.027518] hub 4-0:1.0: Cannot enable port 3. Maybe the USB cable is bad?
[ 574.548076] usb 4-3: USB disconnect, device number 2
[ 576.040995] ------------[ cut here ]------------
[ 576.041003] WARNING: CPU: 17 PID: 11627 at /build/linux-03BQvT/linux-3.13.0/include/linux/kref.h:47 apparmor_file_alloc_security+0x167/0x180()
[ 576.041005] Modules linked in: tcp_diag inet_diag xt_u32 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables xt_NFLOG xt_tcpudp xt_comment ipt_REJECT xt_multiport xt_connmark xt_conntrack xt_mark iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables pci_stub vboxpci(OX) vboxnetadp(OX) vboxnetflt(OX) vboxdrv(OX) nfnetlink_log nfnetlink autofs4 rfcomm bnep bluetooth binfmt_misc honeevent(OX) rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache snd_hda_codec_hdmi snd_hda_codec_realtek nvidia(POX) snd_hda_intel parport_pc snd_hda_codec ppdev lp snd_hwdep snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd mei_me parport gpio_ich hpuefi(OX) sb_edac edac_core lpc_ich drm mei joydev hp_wmi sparse_keymap tpm_infineon soundcore mac_hid intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw serio_raw gf128mul glue_helper ablk_helper cryptd shpchp wmi hid_generic usbhid hid psmouse e1000e isci ahci libsas ptp libahci scsi_transport_sas pps_core pata_acpi
[ 576.041068] CPU: 17 PID: 11627 Comm: at-spi-bus-laun Tainted: P OX 3.13.0-83-generic #127-Ubuntu
[ 576.041070] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 576.041071] 0000000000000009 ffff880efd08fcf0 ffffffff81725992 0000000000000000
[ 576.041076] ffff880efd08fd28 ffffffff8106790d ffff8807ff810430 ffff880035d22a00
[ 576.041079] ffff880f63216000 ffff880efd08ff2c 00000000ffffff9c ffff880efd08fd38
[ 576.041082] Call Trace:
[ 576.041088] [<ffffffff81725992>] dump_stack+0x45/0x56
[ 576.041091] [<ffffffff8106790d>] warn_slowpath_common+0x7d/0xa0
[ 576.041094] [<ffffffff810679ea>] warn_slowpath_null+0x1a/0x20
[ 576.041096] [<ffffffff81316b67>] apparmor_file_alloc_security+0x167/0x180
[ 576.041100] [<ffffffff812d9076>] security_file_alloc+0x16/0x20
[ 576.041105] [<ffffffff811c04e0>] get_empty_filp+0x90/0x180
[ 576.041108] [<ffffffff811ce00d>] path_openat+0x3d/0x640
[ 576.041111] [<ffffffff811cd7db>] ? filename_lookup+0x2b/0xc0
[ 576.041114] [<ffffffff811cf47a>] do_filp_open+0x3a/0x90
[ 576.041116] [<ffffffff811c83a7>] ? path_get+0x27/0x30
[ 576.041120] [<ffffffff810fed4d>] ? __audit_getname+0x9d/0xa0
[ 576.041123] [<ffffffff811dc2d7>] ? __alloc_fd+0xa7/0x130
[ 576.041126] [<ffffffff811bda09>] do_sys_open+0x129/0x280
[ 576.041128] [<ffffffff811bdb7e>] SyS_open+0x1e/0x20
[ 576.041131] [<ffffffff8173659d>] system_call_fastpath+0x1a/0x1f
[ 576.041133] ---[ end trace 5de8dc1cac0eb1c6 ]---
[ 576.041171] BUG: unable to handle kernel paging request at 000000000000472e
[ 576.041174] IP: [<ffffffff811a38b0>] kmem_cache_alloc_trace+0x80/0x1f0
[ 576.041177] PGD 0
[ 576.041179] Oops: 0000 [#1] SMP
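
The two traces above show the same bug in two disguises: with slub_debug the freed BOS memory is filled with the SLUB free poison (0x6b bytes) and the first touch faults in usb_disable_ltm, while without it the corruption only surfaces later, inside the allocator, under an unrelated caller. The following triage script is an added example written for this page, not code from the bug report or from the kernel. It parses an oops from dmesg, checks the registers and faulting address against the SLUB poison bytes defined in include/linux/poison.h, and says whether the fault site is the culprit or merely the victim. The sample inputs are abbreviated copies of the two traces in the description; the verdict strings and the helper names are this example's own.

```python
"""Triage a kernel oops for SLUB poison patterns (added example, not from the report)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# SLUB poison bytes, from include/linux/poison.h
POISON_BYTES = {0x5a: "POISON_INUSE", 0x6b: "POISON_FREE", 0xa5: "POISON_END"}

# A fault inside one of these usually means the heap was corrupted by an
# earlier caller; the function on the RIP is then a victim, not the culprit.
ALLOCATOR_FUNCS = ("kmem_cache_alloc", "kmem_cache_free", "kmalloc", "kfree",
                   "__slab_alloc", "__slab_free")

REG_RE = re.compile(r"\b(R[A-Z0-9]{2}): ([0-9a-f]{16})\b")
IP_RE = re.compile(r"\b(?:RIP|IP):.*\]\s+(\S+)\+0x[0-9a-f]+/0x[0-9a-f]+")
PAGING_RE = re.compile(r"unable to handle kernel paging request at ([0-9a-f]+)")
FRAME_RE = re.compile(r"\[<[0-9a-f]+>\]\s+(\?\s+)?(\S+)\+0x")

# Abbreviated copies of the two traces from the bug description.
SAMPLE_UAF = """\
[ 218.235302] general protection fault: 0000 [#1] SMP
[ 218.235421] RIP: 0010:[<ffffffff815444b6>] [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[ 218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
[ 218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
[ 218.235490] Call Trace:
[ 218.235499] [<ffffffff81551236>] ? usb_disable_device+0x126/0x290
[ 218.235506] [<ffffffff81545c4d>] usb_disconnect+0xad/0x200
[ 218.235511] [<ffffffff815487d3>] hub_port_connect_change+0xd3/0xb20
[ 218.235655] ---[ end trace 954cac763165b767 ]---
"""
SAMPLE_CORRUPTION = """\
[ 576.041171] BUG: unable to handle kernel paging request at 000000000000472e
[ 576.041174] IP: [<ffffffff811a38b0>] kmem_cache_alloc_trace+0x80/0x1f0
[ 576.041177] PGD 0
[ 576.041179] Oops: 0000 [#1] SMP
"""


@dataclass
class Oops:
    fault_func: Optional[str] = None
    fault_addr: Optional[int] = None
    regs: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)  # (function, reliable) pairs


def poison_kind(value: int) -> Optional[tuple]:
    """Return (poison name, offset) if a 64-bit value is a SLUB poison pattern,
    allowing a small field offset: freed_obj->field yields 0x6b..6b + offset."""
    for byte, name in POISON_BYTES.items():
        pattern = int(f"{byte:02x}" * 8, 16)
        if (value >> 12) == (pattern >> 12):
            return name, value - pattern
    return None


def parse_oops(text: str) -> Oops:
    """Pull the fault site, general registers and call trace out of a dmesg oops."""
    oops = Oops()
    in_trace = False
    for line in text.splitlines():
        if oops.fault_func is None and (m := IP_RE.search(line)):
            oops.fault_func = m.group(1)
        if m := PAGING_RE.search(line):
            oops.fault_addr = int(m.group(1), 16)
        for name, val in REG_RE.findall(line):
            oops.regs[name] = int(val, 16)
        if "Call Trace:" in line:
            in_trace = True
            continue
        if in_trace:
            if m := FRAME_RE.search(line):
                oops.trace.append((m.group(2), m.group(1) is None))  # "?" = unreliable
            elif "Code:" in line or "end trace" in line:
                in_trace = False
    return oops


def triage(oops: Oops) -> dict:
    """Decide what the oops most likely means and where to look next."""
    hits = {n: p for n, v in oops.regs.items() if (p := poison_kind(v))}
    if oops.fault_addr is not None and (p := poison_kind(oops.fault_addr)):
        hits["fault_addr"] = p
    reliable = [f for f, ok in oops.trace if ok]
    if any(p[0] == "POISON_FREE" for p in hits.values()):
        verdict = "use-after-free"
        where = ", ".join(f"{r}={p[0]}+0x{p[1]:x}" for r, p in hits.items())
        advice = (f"{oops.fault_func} dereferenced freed memory ({where}); look for "
                  f"who freed the object reachable from {reliable[0] if reliable else '?'}")
    elif any(p[0] == "POISON_INUSE" for p in hits.values()):
        verdict = "uninitialised-use"
        advice = f"{oops.fault_func} read an allocation that was never initialised"
    elif oops.fault_func and oops.fault_func.startswith(ALLOCATOR_FUNCS):
        verdict = "heap-corruption"
        advice = (f"fault inside the allocator ({oops.fault_func}) with no poison pattern: "
                  "the caller is a victim; boot with slub_debug=FZP so the first bad "
                  "access faults instead of a later, unrelated one")
    else:
        verdict = "unknown"
        advice = "no SLUB poison signature; collect a trace with slub_debug=FZP"
    return {"verdict": verdict, "fault_func": oops.fault_func,
            "poisoned": hits, "trace": reliable, "advice": advice}


if __name__ == "__main__":
    for sample in (SAMPLE_UAF, SAMPLE_CORRUPTION):
        print(triage(parse_oops(sample)))
```

Run on the first trace the script reports a use-after-free with RDX holding POISON_FREE and usb_disconnect as the first reliable frame; on the second it reports heap corruption surfacing in kmem_cache_alloc_trace, which is exactly why the apparmor warning in the report was a red herring. The offset returned by poison_kind is useful on its own: a fault address of 0x6b6b6b6b6b6b6b7b tells you the code read a field 0x10 bytes into the freed object.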

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1582864

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: trusty
tags: added: kernel-da.key
Changed in linux (Ubuntu):
importance: Undecided → Medium
status: Incomplete → Triaged
Changed in linux (Ubuntu Trusty):
status: New → Triaged
importance: Undecided → Medium
Changed in linux (Ubuntu):
status: Triaged → In Progress
Changed in linux (Ubuntu Trusty):
status: Triaged → In Progress
Changed in linux (Ubuntu Vivid):
status: New → In Progress
Changed in linux (Ubuntu Wily):
status: New → In Progress
Changed in linux (Ubuntu Vivid):
importance: Undecided → Medium
Changed in linux (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux (Ubuntu):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Trusty):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Vivid):
assignee: nobody → Joseph Salisbury (jsalisbury)
Changed in linux (Ubuntu Wily):
assignee: nobody → Joseph Salisbury (jsalisbury)
Joseph Salisbury (jsalisbury) wrote :

This commit is in mainline as of: 4.5-rc6.

Per the commit message, this patch has already been included in several -stable kernels:
    4.5.0-rc4 (current git)
    4.4.2
    4.3.6 (currently in review)
    4.1.18
    3.18.27
    3.14.61

This indicates that this commit is needed in Trusty(3.13), lts-vivid(3.19) and Wily(4.2).

I built a Trusty test kernel with a pick of commit e5bdfd50. The test kernel can be downloaded from:

http://kernel.ubuntu.com/~jsalisbury/lp1582864/

Can you test this kernel and see if it resolves this bug?

Mike Gerow (gerow) wrote :

Nice, looks like it works for me!

$ uname -rsov
Linux 3.13.0-86-generic #131~lp1582864 SMP Tue May 17 20:16:27 UTC 2016 GNU/Linux

And here's my dmesg (previously I was getting an oops when unplugging my usb3 thumbdrive).
$ dmesg
...
[ 90.797829] usb 4-3: new SuperSpeed USB device number 2 using xhci_hcd
[ 90.815906] usb 4-3: Parent hub missing LPM exit latency info. Power management will be impacted.
[ 90.819631] usb 4-3: New USB device found, idVendor=090c, idProduct=1000
[ 90.819633] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 90.819634] usb 4-3: Product: USB Flash Disk
[ 90.819635] usb 4-3: Manufacturer: General
[ 90.819636] usb 4-3: SerialNumber: 0411200000013498
[ 90.827444] usb-storage 4-3:1.0: USB Mass Storage device detected
[ 90.827485] scsi9 : usb-storage 4-3:1.0
[ 90.827522] usbcore: registered new interface driver usb-storage
[ 92.162200] scsi 9:0:0:0: Direct-Access General USB Flash Disk 1100 PQ: 0 ANSI: 6
[ 92.162387] sd 9:0:0:0: Attached scsi generic sg1 type 0
[ 92.162925] sd 9:0:0:0: [sdb] 125960192 512-byte logical blocks: (64.4 GB/60.0 GiB)
[ 92.163355] sd 9:0:0:0: [sdb] Write Protect is off
[ 92.163358] sd 9:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 92.163785] sd 9:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 92.171207] sdb: sdb1 sdb2
[ 92.172967] sd 9:0:0:0: [sdb] Attached SCSI removable disk
[ 94.797927] usb 4-3: USB disconnect, device number 2
[ 100.640350] usb 4-3: new SuperSpeed USB device number 3 using xhci_hcd
[ 100.658527] usb 4-3: Parent hub missing LPM exit latency info. Power management will be impacted.
[ 100.662189] usb 4-3: New USB device found, idVendor=090c, idProduct=1000
[ 100.662191] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 100.662192] usb 4-3: Product: USB Flash Disk
[ 100.662193] usb 4-3: Manufacturer: General
[ 100.662194] usb 4-3: SerialNumber: 0411200000013498
[ 100.663121] usb-storage 4-3:1.0: USB Mass Storage device detected
[ 100.663219] scsi10 : usb-storage 4-3:1.0
[ 101.996701] scsi 10:0:0:0: Direct-Access General USB Flash Disk 1100 PQ: 0 ANSI: 6
[ 101.996889] sd 10:0:0:0: Attached scsi generic sg1 type 0
[ 101.997446] sd 10:0:0:0: [sdb] 125960192 512-byte logical blocks: (64.4 GB/60.0 GiB)
[ 101.997894] sd 10:0:0:0: [sdb] Write Protect is off
[ 101.997897] sd 10:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 101.998325] sd 10:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 102.005805] sdb: sdb1 sdb2
[ 102.007584] sd 10:0:0:0: [sdb] Attached SCSI removable disk
[ 102.718253] usb 4-3: USB disconnect, device number 3
[ 102.718566] sd 10:0:0:0: [sdb] Synchronizing SCSI cache
[ 102.718599] sd 10:0:0:0: [sdb]
[ 102.718601] Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
[ 108.333005] usb 4-3: new SuperSpeed USB device number 4 using xhci_hcd
[ 108.351069] usb 4-3: Parent hub missing LPM exit latency info. Power management will be impacted.
[ 108.354758] usb 4-3: New USB device found, idVendor=090c, idProduct=1000
[ 108.354764] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[...


Joseph Salisbury (jsalisbury) wrote :

Great, thanks for testing. I'll submit that commit to the appropriate upstream kernels and SRU it to Ubuntu.

Mike Gerow (gerow) wrote :

Excellent. Thanks for the prompt response!

Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Vivid):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Wily):
status: In Progress → Fix Committed
Philipp Kern (pkern) wrote :

It'd be helpful if this memory corruption regression could be accelerated. It means that unplugging a USB3 device can mess up the memory enough that file lookups that happen afterwards break if apparmor is enabled - just because the allocation size is similar by chance. The resulting oops is very misleading and it took a long time to track this down. It also causes process hangs. Thanks.

Changed in linux (Ubuntu):
status: In Progress → Fix Committed
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
Mike Gerow (gerow) wrote :

Looks good! Started with slub_debug and not seeing any Oopses when unplugging usb3 storage.

$ uname -rsov
Linux 3.13.0-87-generic #133-Ubuntu SMP Tue May 24 18:32:09 UTC 2016 GNU/Linux

$ dmesg
...
[ 79.103213] usb 4-3: new SuperSpeed USB device number 2 using xhci_hcd
[ 79.121274] usb 4-3: Parent hub missing LPM exit latency info. Power management will be impacted.
[ 79.124995] usb 4-3: New USB device found, idVendor=090c, idProduct=1000
[ 79.124997] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 79.124998] usb 4-3: Product: USB Flash Disk
[ 79.124999] usb 4-3: Manufacturer: General
[ 79.125000] usb 4-3: SerialNumber: 0411200000013498
[ 79.133013] usb-storage 4-3:1.0: USB Mass Storage device detected
[ 79.133058] scsi9 : usb-storage 4-3:1.0
[ 79.133100] usbcore: registered new interface driver usb-storage
[ 80.467553] scsi 9:0:0:0: Direct-Access General USB Flash Disk 1100 PQ: 0 ANSI: 6
[ 80.467749] sd 9:0:0:0: Attached scsi generic sg1 type 0
[ 80.468294] sd 9:0:0:0: [sdb] 125960192 512-byte logical blocks: (64.4 GB/60.0 GiB)
[ 80.468733] sd 9:0:0:0: [sdb] Write Protect is off
[ 80.468735] sd 9:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 80.469164] sd 9:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 80.476633] sdb: sdb1 sdb2
[ 80.478409] sd 9:0:0:0: [sdb] Attached SCSI removable disk
[ 84.533954] usb 4-3: USB disconnect, device number 2
[ 84.534205] sd 9:0:0:0: [sdb] Synchronizing SCSI cache
[ 84.534243] sd 9:0:0:0: [sdb]
[ 84.534246] Result: hostbyte=DID_NO_CONNECT driverbyte=DRIVER_OK
[ 92.110736] usb 4-3: new SuperSpeed USB device number 3 using xhci_hcd
[ 92.128888] usb 4-3: Parent hub missing LPM exit latency info. Power management will be impacted.
[ 92.132571] usb 4-3: New USB device found, idVendor=090c, idProduct=1000
[ 92.132573] usb 4-3: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 92.132574] usb 4-3: Product: USB Flash Disk
[ 92.132575] usb 4-3: Manufacturer: General
[ 92.132576] usb 4-3: SerialNumber: 0411200000013498
[ 92.133446] usb-storage 4-3:1.0: USB Mass Storage device detected
[ 92.133507] scsi10 : usb-storage 4-3:1.0
[ 93.393578] usb 4-3: reset SuperSpeed USB device number 3 using xhci_hcd
[ 93.411644] usb 4-3: Parent hub missing LPM exit latency info. Power management will be impacted.
[ 93.412809] xhci_hcd 0000:08:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff8807a239f400
[ 93.412811] xhci_hcd 0000:08:00.0: xHCI xhci_drop_endpoint called with disabled ep ffff8807a239f440
[ 93.751289] scsi 10:0:0:0: Direct-Access General USB Flash Disk 1100 PQ: 0 ANSI: 6
[ 93.751502] sd 10:0:0:0: Attached scsi generic sg1 type 0
[ 93.752012] sd 10:0:0:0: [sdb] 125960192 512-byte logical blocks: (64.4 GB/60.0 GiB)
[ 93.752456] sd 10:0:0:0: [sdb] Write Protect is off
[ 93.752459] sd 10:0:0:0: [sdb] Mode Sense: 43 00 00 00
[ 93.752888] sd 10:0:0:0: [sdb] Write cache: enabled, read cache: enabled, doesn't support DPO or FUA
[ 93.760680] sdb: sdb1 sdb2
[ 93.762441] sd 10:0:0:0: [sdb] Attached SCSI removable disk
[ 98.704248] usb 4-3: USB disconnect, devic...


tags: added: verification-done-trusty
removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-87.133

---------------
linux (3.13.0-87.133) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1585315

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864

linux (3.13.0-87.132) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1582398

  [ Kamal Mostafa ]

  * [Config] Drop ozwpan from the ABI

  [ Luis Henriques ]

  * [Config] CONFIG_USB_WPAN_HCD=n
    - LP: #1463740
    - CVE-2015-4004

  [ Prarit Bhargava ]

  * SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for recursive
    method calls
    - LP: #1577898

  [ Upstream Kernel Changes ]

  * usbnet: cleanup after bind() in probe()
    - LP: #1567191
    - CVE-2016-3951
  * KVM: x86: bit-ops emulation ignores offset on 64-bit
    - LP: #1423672
  * USB: usbip: fix potential out-of-bounds write
    - LP: #1572666
    - CVE-2016-3955
  * x86/mm/32: Enable full randomization on i386 and X86_32
    - LP: #1568523
    - CVE-2016-3672
  * Input: gtco - fix crash on detecting device without endpoints
    - LP: #1575706
    - CVE-2016-2187
  * atl2: Disable unimplemented scatter/gather feature
    - LP: #1561403
    - CVE-2016-2117
  * ALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock
    - LP: #1577905
  * fs/pnode.c: treat zero mnt_group_id-s as unequal
    - LP: #1572316
  * propogate_mnt: Handle the first propogated copy being a slave
    - LP: #1572316
  * drm: Balance error path for GEM handle allocation
    - LP: #1579610
  * x86/mm: Add barriers and document switch_mm()-vs-flush synchronization
    - LP: #1538429
    - CVE-2016-2069
  * x86/mm: Improve switch_mm() barrier comments
    - LP: #1538429
    - CVE-2016-2069
  * net: fix infoleak in llc
    - LP: #1578496
    - CVE-2016-4485
  * net: fix infoleak in rtnetlink
    - LP: #1578497
    - CVE-2016-4486

 -- Kamal Mostafa <email address hidden> Tue, 24 May 2016 11:04:30 -0700

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-vivid
tags: added: verification-needed-wily
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

Mike Gerow (gerow) wrote :

$ uname -a
Linux gerow0 4.2.0-39-generic #46~14.04.1-Ubuntu SMP Mon Jun 13 15:40:38 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

No oopses in wily, verified. Booting into vivid next.

tags: added: verification-done-wily
removed: verification-needed-wily
Mike Gerow (gerow) wrote :

$ uname -a
Linux gerow0 3.19.0-62-generic #70~14.04.1-Ubuntu SMP Mon Jun 13 16:30:31 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

No oopses in vivid either, verified.

tags: added: verification-done-vivid
removed: verification-needed-vivid
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-41.48

---------------
linux (4.2.0-41.48) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595914

  [ Upstream Kernel Changes ]

  * netfilter: x_tables: validate e->target_offset early
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: make sure e->next_offset covers remaining blob
    size
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: fix unconditional helper
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: don't move to non-existent next rule
    - LP: #1595350
  * netfilter: x_tables: validate targets of jumps
    - LP: #1595350
  * netfilter: x_tables: add and use xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: kill check_entry helper
    - LP: #1595350
  * netfilter: x_tables: assert minimum target size
    - LP: #1595350
  * netfilter: x_tables: add compat version of xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: check standard target size too
    - LP: #1595350
  * netfilter: x_tables: check for bogus target offset
    - LP: #1595350
  * netfilter: x_tables: validate all offsets and sizes in a rule
    - LP: #1595350
  * netfilter: x_tables: don't reject valid target size on some
    architectures
    - LP: #1595350
  * netfilter: arp_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip6_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - LP: #1595350
  * netfilter: x_tables: do compat validation via translate_table
    - LP: #1595350
  * netfilter: x_tables: introduce and use xt_copy_counters_from_user
    - LP: #1595350

linux (4.2.0-40.47) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595725

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing
    - LP: #1555338, #1595350

linux (4.2.0-39.46) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591301

  [ J. R. Okajima ]

  * SAUCE: AUFS: mm/mmap: fix oopsing on remap_file_pages aufs mmap:
    bugfix, mainly for linux-4.5-rc5, remap_file_pages(2) emulation
    - LP: #1558120

  [ Kamal Mostafa ]

  * [debian] getabis: Only git add $abidir if running in local repo
    - LP: #1584890
  * [debian] getabis: Fix inconsistent compiler versions check
    - LP: #1584890

  [ Tim Gardner ]

  * Revert "SAUCE: mm/mmap: fix oopsing on remap_file_pages"
    - LP: #1558120
  * [Config] Remove arc4 from nic-modules
    - LP: #1582991

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864
  * hpsa: move lockup_detected attribute to host attr
    - LP: #1581169
  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
    - LP: #1580379
    - CVE-2016-4569
  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback
    - LP: #1581866
    - CVE-2016-4578
  * ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
    - LP: #1581866
    - CVE-2016-4578
  * net: fix a kernel inf...


Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-64.72

---------------
linux (3.19.0-64.72) vivid; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595976

  [ Upstream Kernel Changes ]

  * netfilter: x_tables: validate e->target_offset early
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: make sure e->next_offset covers remaining blob
    size
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: fix unconditional helper
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: don't move to non-existent next rule
    - LP: #1595350
  * netfilter: x_tables: validate targets of jumps
    - LP: #1595350
  * netfilter: x_tables: add and use xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: kill check_entry helper
    - LP: #1595350
  * netfilter: x_tables: assert minimum target size
    - LP: #1595350
  * netfilter: x_tables: add compat version of xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: check standard target size too
    - LP: #1595350
  * netfilter: x_tables: check for bogus target offset
    - LP: #1595350
  * netfilter: x_tables: validate all offsets and sizes in a rule
    - LP: #1595350
  * netfilter: x_tables: don't reject valid target size on some
    architectures
    - LP: #1595350
  * netfilter: arp_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip6_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - LP: #1595350
  * netfilter: x_tables: do compat validation via translate_table
    - LP: #1595350
  * netfilter: x_tables: introduce and use xt_copy_counters_from_user
    - LP: #1595350

linux (3.19.0-63.71) vivid; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595723

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing
    - LP: #1555338, #1595350

linux (3.19.0-62.70) vivid; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591307

  [ Kamal Mostafa ]

  * [debian] getabis: Only git add $abidir if running in local repo
    - LP: #1584890
  * [debian] getabis: Fix inconsistent compiler versions check
    - LP: #1584890

  [ Tim Gardner ]

  * [Config] Remove arc4 from nic-modules
    - LP: #1582991

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864
  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
    - LP: #1580379
    - CVE-2016-4569
  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback
    - LP: #1581866
    - CVE-2016-4578
  * ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
    - LP: #1581866
    - CVE-2016-4578
  * net: fix a kernel infoleak in x25 module
    - LP: #1585366
    - CVE-2016-4580
  * get_rock_ridge_filename(): handle malformed NM entries
    - LP: #1583962
    - CVE-2016-4913
  * tipc: check nl sock before parsing nested attributes
    - LP: #1585365
    - CVE-2016-4951
  * netfilter: Set /proc/net entries owner to root in namespace
    - L...


Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released