CVE-2019-0155: incomplete fix for 64-bit x86 kernels

Bug #1852141 reported by Tyler Hicks on 2019-11-11
Affects (Status / Importance / Assigned to / Milestone):
linux (Ubuntu): Critical, Unassigned
Xenial: Critical, Tyler Hicks
Bionic: Critical, Tyler Hicks
Disco: Critical, Tyler Hicks
Eoan: Critical, Tyler Hicks

Bug Description

[Impact]

The initial set of Ubuntu kernel updates to address CVE-2019-0155 is not complete for 64-bit x86 kernels (amd64). The 32-bit x86 kernel (i386) updates are complete. It may be possible for an attacker to bypass the mitigations on 64-bit systems.

The following upstream patch is needed:

 https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea0b163b13ffc52818c079adb00d55e227a6da6f
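The upstream commit linked above, "drm/i915/cmdparser: Fix jump whitelist clearing", corrects a clear of a reused bitmap whose byte count was computed for 32-bit words, which is why the defect only shows on 64-bit kernels. The program below is an added illustration written for this page, not code from the bug report or from the i915 driver: it re-implements the kernel's BITS_TO_LONGS sizing on a standalone bitmap (the array name `whitelist`, the `MAX_CMDS` capacity and the two clearing helpers are constructed for the example) and counts how many stale bits survive a clear sized with `sizeof(uint32_t)` versus one sized with `sizeof(unsigned long)`.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Kernel-style bitmap sizing, re-implemented here for a standalone build. */
#define BITS_PER_LONG    (sizeof(unsigned long) * CHAR_BIT)
#define BITS_TO_LONGS(n) (((n) + BITS_PER_LONG - 1) / BITS_PER_LONG)

/* Constructed capacity: a whitelist large enough for MAX_CMDS batch commands. */
#define MAX_CMDS 256
static unsigned long whitelist[BITS_TO_LONGS(MAX_CMDS)];

static int map_test(const unsigned long *map, size_t bit)
{
    return (int)((map[bit / BITS_PER_LONG] >> (bit % BITS_PER_LONG)) & 1UL);
}

/* Pre-fix pattern: the byte count is derived from a 32-bit word (u32). On an
 * LP64 host that is half the bytes the map occupies, so only the first half of
 * the bitmap is cleared. On a 32-bit host both sizes coincide and the bug is
 * invisible, matching the i386/amd64 split described in the report. */
static void clear_buggy(unsigned long *map, size_t nbits)
{
    memset(map, 0, BITS_TO_LONGS(nbits) * sizeof(uint32_t));
}

/* Fixed pattern: size the clear by the bitmap's own word type, which is what
 * the kernel's bitmap_zero() does. */
static void clear_fixed(unsigned long *map, size_t nbits)
{
    memset(map, 0, BITS_TO_LONGS(nbits) * sizeof(unsigned long));
}

/* Simulate reuse of a dirty whitelist: set every bit as if a previous batch
 * had marked all its commands, run the given clear for a new batch of nbits
 * commands, and count how many bits are still set. Any non-zero result means
 * an entry from the previous batch would still be trusted for the new one. */
size_t stale_bits_after(void (*clear)(unsigned long *, size_t), size_t nbits)
{
    size_t stale = 0;

    if (nbits > MAX_CMDS)
        nbits = MAX_CMDS;
    memset(whitelist, 0xff, sizeof whitelist);
    clear(whitelist, nbits);
    for (size_t i = 0; i < nbits; i++)
        stale += (size_t)map_test(whitelist, i);
    return stale;
}

int main(void)
{
    printf("sizeof(unsigned long) = %zu\n", sizeof(unsigned long));
    printf("stale bits after buggy clear of 128: %zu\n",
           stale_bits_after(clear_buggy, 128));
    printf("stale bits after fixed clear of 128: %zu\n",
           stale_bits_after(clear_fixed, 128));
    return 0;
}
```

On an amd64 host the buggy clear leaves 64 of 128 bits set while the fixed clear leaves none; on an i386 host both report zero, which is the same asymmetry the report describes. The general lesson for reviewers is to size memset() calls on bitmaps by the array's element type (or use bitmap_zero()), never by an assumed word width.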

[Test Case]

Upstream has run the proposed fix through their regression test suite. We don't have a reproducer for CVE-2019-0155, so the test case is simply to ensure that desktop graphics continue to work.

[Regression Potential]

Low; the fix is simple, tested, and, as I understand it, the affected code path should only be legitimately used by the test suite.

Tyler Hicks (tyhicks) on 2019-11-12
Changed in linux (Ubuntu Xenial):
status: New → In Progress
Changed in linux (Ubuntu Bionic):
status: New → In Progress
Changed in linux (Ubuntu Disco):
status: New → In Progress
Changed in linux (Ubuntu Eoan):
status: New → In Progress
Changed in linux (Ubuntu Xenial):
importance: Undecided → Critical
Changed in linux (Ubuntu Bionic):
importance: Undecided → Critical
Changed in linux (Ubuntu Disco):
importance: Undecided → Critical
Changed in linux (Ubuntu Eoan):
importance: Undecided → Critical
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Disco):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Bionic):
assignee: nobody → Tyler Hicks (tyhicks)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tyler Hicks (tyhicks)
Tyler Hicks (tyhicks) on 2019-11-12
summary: - incomplete fix
+ CVE-2019-0155: incomplete fix for 64-bit x86 kernels
description: updated
Stefan Bader (smb) on 2019-11-12
Changed in linux (Ubuntu Eoan):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Disco):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Bionic):
status: In Progress → Fix Committed
Stefan Bader (smb) on 2019-11-12
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Tyler Hicks (tyhicks) on 2019-11-12
description: updated
description: updated
information type: Private Security → Public Security
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.3.0-23.25

---------------
linux (5.3.0-23.25) eoan; urgency=medium

  * Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
    - SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

 -- Stefan Bader <email address hidden> Tue, 12 Nov 2019 09:46:03 +0100

Changed in linux (Ubuntu Eoan):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.0.0-36.39

---------------
linux (5.0.0-36.39) disco; urgency=medium

  * Ubuntu-5.0.0-33.35 introduces KVM regression with old Intel CPUs and Linux
    guests (LP: #1851709)
    - Revert "KVM: x86: Manually calculate reserved bits when loading PDPTRS"

  * Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
    - SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

 -- Stefan Bader <email address hidden> Tue, 12 Nov 2019 10:33:14 +0100

Changed in linux (Ubuntu Disco):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.15.0-70.79

---------------
linux (4.15.0-70.79) bionic; urgency=medium

  * Ubuntu-5.0.0-33.35 introduces KVM regression with old Intel CPUs and Linux
    guests (LP: #1851709)
    - Revert "KVM: x86: Manually calculate reserved bits when loading PDPTRS"

  * Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
    - SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

 -- Stefan Bader <email address hidden> Tue, 12 Nov 2019 10:54:50 +0100

Changed in linux (Ubuntu Bionic):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-169.198

---------------
linux (4.4.0-169.198) xenial; urgency=medium

  * Incomplete i915 fix for 64-bit x86 kernels (LP: #1852141) // CVE-2019-0155
    - SAUCE: drm/i915/cmdparser: Fix jump whitelist clearing

 -- Stefan Bader <email address hidden> Tue, 12 Nov 2019 11:19:22 +0100

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 5.3.0-24.26

---------------
linux (5.3.0-24.26) eoan; urgency=medium

  * eoan/linux: 5.3.0-24.26 -proposed tracker (LP: #1852232)

  * Eoan update: 5.3.9 upstream stable release (LP: #1851550)
    - io_uring: fix up O_NONBLOCK handling for sockets
    - dm snapshot: introduce account_start_copy() and account_end_copy()
    - dm snapshot: rework COW throttling to fix deadlock
    - Btrfs: fix inode cache block reserve leak on failure to allocate data space
    - btrfs: qgroup: Always free PREALLOC META reserve in
      btrfs_delalloc_release_extents()
    - iio: adc: meson_saradc: Fix memory allocation order
    - iio: fix center temperature of bmc150-accel-core
    - libsubcmd: Make _FORTIFY_SOURCE defines dependent on the feature
    - perf tests: Avoid raising SEGV using an obvious NULL dereference
    - perf map: Fix overlapped map handling
    - perf script brstackinsn: Fix recovery from LBR/binary mismatch
    - perf jevents: Fix period for Intel fixed counters
    - perf tools: Propagate get_cpuid() error
    - perf annotate: Propagate perf_env__arch() error
    - perf annotate: Fix the signedness of failure returns
    - perf annotate: Propagate the symbol__annotate() error return
    - perf annotate: Fix arch specific ->init() failure errors
    - perf annotate: Return appropriate error code for allocation failures
    - perf annotate: Don't return -1 for error when doing BPF disassembly
    - staging: rtl8188eu: fix null dereference when kzalloc fails
    - RDMA/siw: Fix serialization issue in write_space()
    - RDMA/hfi1: Prevent memory leak in sdma_init
    - RDMA/iw_cxgb4: fix SRQ access from dump_qp()
    - RDMA/iwcm: Fix a lock inversion issue
    - HID: hyperv: Use in-place iterator API in the channel callback
    - kselftest: exclude failed TARGETS from runlist
    - selftests/kselftest/runner.sh: Add 45 second timeout per test
    - nfs: Fix nfsi->nrequests count error on nfs_inode_remove_request
    - arm64: cpufeature: Effectively expose FRINT capability to userspace
    - arm64: Fix incorrect irqflag restore for priority masking for compat
    - arm64: ftrace: Ensure synchronisation in PLT setup for Neoverse-N1 #1542419
    - tty: serial: owl: Fix the link time qualifier of 'owl_uart_exit()'
    - tty: serial: rda: Fix the link time qualifier of 'rda_uart_exit()'
    - serial/sifive: select SERIAL_EARLYCON
    - tty: n_hdlc: fix build on SPARC
    - misc: fastrpc: prevent memory leak in fastrpc_dma_buf_attach
    - RDMA/core: Fix an error handling path in 'res_get_common_doit()'
    - RDMA/cm: Fix memory leak in cm_add/remove_one
    - RDMA/nldev: Reshuffle the code to avoid need to rebind QP in error path
    - RDMA/mlx5: Do not allow rereg of a ODP MR
    - RDMA/mlx5: Order num_pending_prefetch properly with synchronize_srcu
    - RDMA/mlx5: Add missing synchronize_srcu() for MW cases
    - gpio: max77620: Use correct unit for debounce times
    - fs: cifs: mute -Wunused-const-variable message
    - arm64: vdso32: Fix broken compat vDSO build warnings
    - arm64: vdso32: Detect binutils support for dmb ishld
    - serial: mctrl_gpio: Check for NULL pointer
    - serial: 8250_...

Changed in linux (Ubuntu):
status: Triaged → Fix Released