Linux netfilter local privilege escalation issues

Bug #1595350 reported by Steve Beattie
This bug affects 1 person
Affects: linux (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

The upstream stable rc git tree (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-4.6.y) currently has the following commits for netfilter that address (with unprivileged user namespaces enabled) local privilege escalation. These are the commit references in Linus' tree:

f24e230d257af1ad7476c6e81a8dc3127a74204e
   netfilter: x_tables: don't move to non-existent next rule
36472341017529e2b12573093cc0f68719300997
   netfilter: x_tables: validate targets of jumps
7d35812c3214afa5b37a675113555259cfd67b98
   netfilter: x_tables: add and use xt_check_entry_offsets
aa412ba225dd3bc36d404c28cdc3d674850d80d0
   netfilter: x_tables: kill check_entry helper
a08e4e190b866579896c09af59b3bdca821da2cd
   netfilter: x_tables: assert minimum target size
fc1221b3a163d1386d1052184202d5dc50d302d1
   netfilter: x_tables: add compat version of xt_check_entry_offsets
7ed2abddd20cf8f6bd27f65bd218f26fa5bf7f44
   netfilter: x_tables: check standard target size too
ce683e5f9d045e5d67d1312a42b359cb2ab2a13c
   netfilter: x_tables: check for bogus target offset
13631bfc604161a9d69cd68991dff8603edd66f9
   netfilter: x_tables: validate all offsets and sizes in a rule
7b7eba0f3515fca3296b8881d583f7c1042f5226
   netfilter: x_tables: don't reject valid target size on some architectures
8dddd32756f6fe8e4e82a63361119b7e2384e02f
   netfilter: arp_tables: simplify translate_compat_table args
7d3f843eed29222254c9feab481f55175a1afcc9
   netfilter: ip_tables: simplify translate_compat_table args
329a0807124f12fe1c8032f95d8a8eb47047fb0e
   netfilter: ip6_tables: simplify translate_compat_table args
0188346f21e6546498c2a0f84888797ad4063fc5
   netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
09d9686047dbbe1cf4faa558d3ecc4aae2046054
   netfilter: x_tables: do compat validation via translate_table
d7591f0c41ce3e67600a982bab6989ef0f07b3ce
   netfilter: x_tables: introduce and use xt_copy_counters_from_user

They have also been backported to the 4.4 (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-4.4.y) and 3.14 (http://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable-rc.git/log/?h=linux-3.14.y) stable trees, with 3 additional prerequisite backported commits:

bdf533de6968e9686df777dc178486f600c6e617
   netfilter: x_tables: validate e->target_offset early
6e94e0cfb0887e4013b3b930fa6ab1fe6bb6ba91
   netfilter: x_tables: make sure e->next_offset covers remaining blob size
54d83fc74aa9ec72794373cb47432c5f7fb1a309
   netfilter: x_tables: fix unconditional helper

CRD: Public

Steve Beattie (sbeattie)
description: updated
description: updated
information type: Private Security → Public Security
Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1595350

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Steve Beattie (sbeattie)
Changed in linux (Ubuntu):
status: Incomplete → Confirmed
Tim Gardner (timg-tpi) wrote :

It looks like we'll pick these up with the 4.4.x stable update. Is there a pressing need to cherry-pick them earlier than that?

Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-trusty' to 'verification-done-trusty'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-trusty
tags: added: verification-needed-vivid
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-vivid' to 'verification-done-vivid'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-wily
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-wily' to 'verification-done-wily'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

tags: added: verification-needed-xenial
Kamal Mostafa (kamalmostafa) wrote :

This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-needed-xenial' to 'verification-done-xenial'.

If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.

See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-28.47

---------------
linux (4.4.0-28.47) xenial; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595874

  * Linux netfilter local privilege escalation issues (LP: #1595350)
    - netfilter: x_tables: don't move to non-existent next rule
    - netfilter: x_tables: validate targets of jumps
    - netfilter: x_tables: add and use xt_check_entry_offsets
    - netfilter: x_tables: kill check_entry helper
    - netfilter: x_tables: assert minimum target size
    - netfilter: x_tables: add compat version of xt_check_entry_offsets
    - netfilter: x_tables: check standard target size too
    - netfilter: x_tables: check for bogus target offset
    - netfilter: x_tables: validate all offsets and sizes in a rule
    - netfilter: x_tables: don't reject valid target size on some architectures
    - netfilter: arp_tables: simplify translate_compat_table args
    - netfilter: ip_tables: simplify translate_compat_table args
    - netfilter: ip6_tables: simplify translate_compat_table args
    - netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - netfilter: x_tables: do compat validation via translate_table
    - netfilter: x_tables: introduce and use xt_copy_counters_from_user

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - netfilter: x_tables: validate e->target_offset early
    - netfilter: x_tables: make sure e->next_offset covers remaining blob size
    - netfilter: x_tables: fix unconditional helper

linux (4.4.0-27.46) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594906

  * Support Edge Gateway's Bluetooth LED (LP: #1512999)
    - Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"

linux (4.4.0-26.45) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1594442

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl

  * failures building userspace packages that include ethtool.h (LP: #1592930)
    - ethtool.h: define INT_MAX for userland

linux (4.4.0-25.44) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591289

  * Xenial update to v4.4.13 stable release (LP: #1590455)
    - MIPS64: R6: R2 emulation bugfix
    - MIPS: math-emu: Fix jalr emulation when rd == $0
    - MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
    - MIPS: Don't unwind to user mode with EVA
    - MIPS: Avoid using unwind_stack() with usermode
    - MIPS: Fix siginfo.h to use strict posix types
    - MIPS: Fix uapi include in exported asm/siginfo.h
    - MIPS: Fix watchpoint restoration
    - MIPS: Flush highmem pages in __flush_dcache_page
    - MIPS: Handle highmem pages in __update_cache
    - MIPS: Sync icache & dcache in set_pte_at
    - MIPS: ath79: make bootconsole wait for both THRE and TEMT
    - MIPS: Reserve nosave data for hibernation
    - MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
    - MIPS: Use copy_s.fmt rather than copy_u.fmt
    - MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU
    - MIPS: Prevent "restoration" of MSA c...

Changed in linux (Ubuntu):
status: Confirmed → Fix Released
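
A host triage check built from two facts in this report: the escalation is described for systems with unprivileged user namespaces enabled, and xenial is fixed in linux 4.4.0-28.47. This is an added example, not part of the bug report or of any Ubuntu tooling. It assumes an Ubuntu xenial 4.4.0 kernel, the /proc/version_signature file, and the kernel.unprivileged_userns_clone and user.max_user_namespaces sysctls; all function names are made up for the example.

```shell
#!/bin/sh
# Fixed xenial build from the changelog on this page: linux 4.4.0-28.47.
FIXED_ABI=28
FIXED_UPLOAD=47

# xenial_has_fix VERSION: 0 = fixed, 1 = older than the fix, 2 = not 4.4.0-ABI.UPLOAD
xenial_has_fix() {
    case "$1" in 4.4.0-*.*) ;; *) return 2 ;; esac
    rest=${1#4.4.0-}               # "28.47" or "28.47-generic"
    abi=${rest%%.*}
    upload=${rest#*.}
    upload=${upload%%[!0-9]*}      # drop a trailing flavour such as "-generic"
    case "$abi" in ''|*[!0-9]*) return 2 ;; esac
    case "$upload" in '') return 2 ;; esac
    if [ "$abi" -gt "$FIXED_ABI" ]; then return 0; fi
    if [ "$abi" -eq "$FIXED_ABI" ] && [ "$upload" -ge "$FIXED_UPLOAD" ]; then return 0; fi
    return 1
}

# userns_enabled CLONE MAX: sysctl values, empty when the knob does not exist.
# Assumption: the kernel was built with user namespace support.
userns_enabled() {
    if [ "$1" = 0 ] || [ "$2" = 0 ]; then return 1; fi
    return 0
}

# classify VERSION CLONE MAX: prints a one-word verdict.
classify() {
    rc=0
    xenial_has_fix "$1" || rc=$?
    case $rc in
        0) echo patched ;;
        2) echo unknown-version ;;
        *) if userns_enabled "$2" "$3"; then echo unpatched-userns-enabled
           else echo unpatched-userns-restricted; fi ;;
    esac
}

read_first() { if [ -r "$1" ]; then head -n 1 "$1"; fi; }

# Classify the running host; the second field of version_signature is the package version.
report_local() {
    ver=$(read_first /proc/version_signature | awk '{print $2}')
    classify "$ver" "$(read_first /proc/sys/kernel/unprivileged_userns_clone)" \
                    "$(read_first /proc/sys/user/max_user_namespaces)"
}

report_local
```

A verdict of unpatched-userns-restricted only says that the precondition named in the report is absent on that host; the kernel still lacks the fixes and should be updated.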