0-day Maverick Kernel Upload

Bug #647071 reported by Leann Ogasawara on 2010-09-24
282
This bug affects 3 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
High
Canonical Kernel Team
Maverick
High
Canonical Kernel Team

Bug Description

The Ubuntu Kernel Team would like to propose the following fixes which would warrant a 0-day Maverick kernel upload. All of the fixes are security related in nature:

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-3080.html

    ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()

    CVE-2010-3080

    The error handling in snd_seq_oss_open() has several bad codes that
    do dereferecing released pointers and double-free of kmalloc'ed
    data. The object dp is release in free_devinfo() that is called via
    private_free callback. The rest shouldn't touch this object any
    more.

    The patch changes delete_port() to call kfree() in any case, and
    gets rid of unnecessary calls of destructors in snd_seq_oss_open().

    Reported-and-tested-by: Tavis Ormandy <email address hidden>
    Cc: <email address hidden>
    Signed-off-by: Takashi Iwai <email address hidden>
    (cherry picked from commit 27f7ad53829f79e799a253285318bff79ece15bd)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-2960.html

    KEYS: Fix bug in keyctl_session_to_parent() if parent has no session
          keyring

    CVE-2010-2960

    Fix a bug in keyctl_session_to_parent() whereby it tries to check
    the ownership of the parent process's session keyring whether or
    not the parent has a session keyring [CVE-2010-2960].

    This results in the following oops:

      BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0
      IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443
      ...
      Call Trace:
       [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443
       [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0
       [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8
       [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b

    if the parent process has no session keyring.

    If the system is using pam_keyinit then it mostly protected against
    this as all processes derived from a login will have inherited the
    session keyring created by pam_keyinit during the log in procedure.

    To test this, pam_keyinit calls need to be commented out in
    /etc/pam.d/.

    Reported-by: Tavis Ormandy <email address hidden>
    Signed-off-by: David Howells <email address hidden>
    Acked-by: Tavis Ormandy <email address hidden>
    Signed-off-by: Linus Torvalds <email address hidden>
    (cherry picked from commit 3d96406c7da1ed5811ea52a3b0905f4f0e295376)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-2960.html

    KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()

    CVE-2010-2960

    There's an protected access to the parent process's credentials in
    the middle of keyctl_session_to_parent(). This results in the
    following RCU warning:

      ===================================================
      [ INFO: suspicious rcu_dereference_check() usage. ]
      ---------------------------------------------------
      security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection!

      other info that might help us debug this:

      rcu_scheduler_active = 1, debug_locks = 0
      1 lock held by keyctl-session-/2137:
       #0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236

      stack backtrace:
      Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1
      Call Trace:
       [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3
       [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236
       [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6
       [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b

    The code should take the RCU read lock to make sure the parents
    credentials don't go away, even though it's holding a spinlock
    and has IRQ disabled.

    Signed-off-by: David Howells <email address hidden>
    Signed-off-by: Linus Torvalds <email address hidden>
    (cherry picked from commit 9d1ac65a9698513d00e5608d93fca0c53f536c14)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-2955.html

    wireless extensions: fix kernel heap content leak

    CVE-2010-2955

    Wireless extensions have an unfortunate, undocumented
    requirement which requires drivers to always fill
    iwp->length when returning a successful status. When
    a driver doesn't do this, it leads to a kernel heap
    content leak when userspace offers a larger buffer
    than would have been necessary.

    Arguably, this is a driver bug, as it should, if it
    returns 0, fill iwp->length, even if it separately
    indicated that the buffer contents was not valid.

    However, we can also at least avoid the memory content
    leak if the driver doesn't do this by setting the iwp
    length to max_tokens, which then reflects how big the
    buffer is that the driver may fill, regardless of how
    big the userspace buffer is.

    To illustrate the point, this patch also fixes a
    corresponding cfg80211 bug (since this requirement
    isn't documented nor was ever pointed out by anyone
    during code review, I don't trust all drivers nor
    all cfg80211 handlers to implement it correctly).

    Cc: <email address hidden> [all the way back]
    Signed-off-by: Johannes Berg <email address hidden>
    Signed-off-by: John W. Linville <email address hidden>
    (cherry picked from commit 42da2f948d949efd0111309f5827bf0298bcc9a4)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-2954.html

    irda: Correctly clean up self->ias_obj on irda_bind() failure.

    CVE-2010-2954

    If irda_open_tsap() fails, the irda_bind() code tries to destroy
    the ->ias_obj object by hand, but does so wrongly.

    In particular, it fails to a) release the hashbin attached to the
    object and b) reset the self->ias_obj pointer to NULL.

    Fix both problems by using irias_delete_object() and explicitly
    setting self->ias_obj to NULL, just as irda_release() does.

    Reported-by: Tavis Ormandy <email address hidden>
    Signed-off-by: David S. Miller <email address hidden>
    (cherry picked from commit 628e300cccaa628d8fb92aa28cb7530a3d5f2257)

=====

https://lists.ubuntu.com/archives/kernel-team/2010-September/012894.html

AppArmor: Initialize sa.aad.error within audit_net()

    sa.aad.error is always 0 and therefore aa_net_perm() will always
    return 0 (rather than -EACCESS) no matter how "net_allowed_af"
    is specified.

=====

http://launchpad.net/bugs/634702

    intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang

    When the Lenovo Ideapad S10-3 is booted with HT enabled,
    it hits a boot hang in the intel_idle driver.

    This occurs when entering ATM-C4 for the first time,
    unless BM_STS is first cleared.

    acpi_idle doesn't see this because it first checks
    and clears BM_STS, but it would hit the same hang
    if that check were disabled.

    http://bugs.meego.com/show_bug.cgi?id=7093
    BugLink: http://launchpad.net/bugs/634702

    Signed-off-by: Len Brown <email address hidden>
    Signed-off-by: Ike Panhc <email address hidden>
    Acked-by: Tim Gardner <email address hidden>
    Acked-by: Colin King <email address hidden>
    Signed-off-by: Leann Ogasawara <email address hidden>

=====

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962

    drm/i915: Rephrase pwrite bounds checking to avoid any potential
    overflow

    CVE-2010-2962

    ... and do the same for pread.

=====

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962

    drm/i915: Skip pread/pwrite if size to copy is 0.

    CVE-2010-2962

=====

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962

    drm/i915: Sanity check pread/pwrite

    CVE-2010-2962

    Move the access control up from the fast paths which are no longer
    universally taken first up into the caller. This then duplicates
    some sanity checking along the slow paths, but is much simpler.

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-3437.html

    Fix pktcdvd ioctl dev_minor range check

    CVE-2010-3437

    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
    pktcdvd_device from the global pkt_devs array. The index into this
    array is provided directly by the user and is a signed integer, so
    the comparison to ensure that it falls within the bounds of this
    array will fail when provided with a negative index.

    This can be used to read arbitrary kernel memory or cause a crash
    due to an invalid pointer dereference. This can be exploited by
    users with permission to open /dev/pktcdvd/control (on many
    distributions, this is readable by group "cdrom").

    Signed-off-by: Dan Rosenberg <email address hidden>
    [ Rather than add a cast, just make the function take the right type -Linus ]
    Signed-off-by: Linus Torvalds <email address hidden>
    (cherry picked from commit 252a52aa4fa22a668f019e55b3aac3ff71ec1c29)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-3705.html

    CVE-2010-3705

    The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
    array and attempts to ensure that only a supported hmac entry is
    returned. The current code fails to do this properly - if the last
    id in the array is out of range (greater than
    SCTP_AUTH_HMAC_ID_MAX), the id integer remains set after exiting the
    loop, and the address of an out-of-bounds entry will be returned and
    subsequently used in the parent function, causing potentially ugly
    memory corruption. This patch resets the id integer to 0 on
    encountering an invalid id so that NULL will be returned after
    finishing the loop if no valid ids are found.

    Signed-off-by: Dan Rosenberg <email address hidden>
    (cherry-picked from http://marc.info/?l=linux-kernel&m=128596992418814&w=2)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-NNN2.html

    ocfs2: Don't walk off the end of fast symlinks.

    CVE-2010-NNN2

    (Official CVE # not yet assigned)

    ocfs2 fast symlinks are NUL terminated strings stored inline in the
    inode data area. However, disk corruption or a local attacker
    could, in theory, remove that NUL. Because we're using strlen() (my
    fault, introduced in a731d1 when removing vfs_follow_link()), we
    could walk off the end of that string.

    Signed-off-by: Joel Becker <email address hidden>
    Cc: <email address hidden>
    (cherry picked from commit 1fc8a117865b54590acd773a55fbac9221b018f0)

description: updated
Changed in linux (Ubuntu Maverick):
milestone: none → maverick-updates
description: updated
Changed in linux (Ubuntu Maverick):
assignee: nobody → Canonical Kernel Team (canonical-kernel-team)
importance: Undecided → High
milestone: maverick-updates → none
status: New → Triaged
Kate Stewart (kate.stewart) wrote :

update to pick this up as part of maverick-updates

Changed in linux (Ubuntu Maverick):
milestone: none → maverick-updates

I'd also like to propose the fix for bug 634702 - "Kernel 2.6.35-19 fails to boot Lenovo S10-3" be included in the 0-day kernel upload. The patch has been tested and confirmed by a Canonical kernel dev to resolve the boot issue for Lenovo S10-3's.

https://lists.ubuntu.com/archives/kernel-team/2010-September/012959.html

Changed in linux (Ubuntu Maverick):
status: Triaged → Confirmed

3 patches to resolve CVE-2010-2962 were embargoed until Oct 4. They are meant to prevent a local root escalation hole in the i915 driver. These patches should also be included in this day 0 kernel upload.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962

    drm/i915: Rephrase pwrite bounds checking to avoid any potential overflow

    CVE-2010-2962

    ... and do the same for pread.

=====

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962

    drm/i915: Skip pread/pwrite if size to copy is 0.

    CVE-2010-2962

=====

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2962

    drm/i915: Sanity check pread/pwrite

    CVE-2010-2962

    Move the access control up from the fast paths which are no longer
    universally taken first up into the caller. This then duplicates some
    sanity checking along the slow paths, but is much simpler.

And I've just been notified of 3 more CVE fixes which should be included:

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-3437.html

    Fix pktcdvd ioctl dev_minor range check

    CVE-2010-3437

    The PKT_CTRL_CMD_STATUS device ioctl retrieves a pointer to a
    pktcdvd_device from the global pkt_devs array. The index into this
    array is provided directly by the user and is a signed integer, so
    the comparison to ensure that it falls within the bounds of this
    array will fail when provided with a negative index.

    This can be used to read arbitrary kernel memory or cause a crash
    due to an invalid pointer dereference. This can be exploited by
    users with permission to open /dev/pktcdvd/control (on many
    distributions, this is readable by group "cdrom").

    Signed-off-by: Dan Rosenberg <email address hidden>
    [ Rather than add a cast, just make the function take the right type -Linus ]
    Signed-off-by: Linus Torvalds <email address hidden>
    (cherry picked from commit 252a52aa4fa22a668f019e55b3aac3ff71ec1c29)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-3705.html

    CVE-2010-3705

    The sctp_asoc_get_hmac() function iterates through a peer's hmac_ids
    array and attempts to ensure that only a supported hmac entry is
    returned. The current code fails to do this properly - if the last
    id in the array is out of range (greater than
    SCTP_AUTH_HMAC_ID_MAX), the id integer remains set after exiting the
    loop, and the address of an out-of-bounds entry will be returned and
    subsequently used in the parent function, causing potentially ugly
    memory corruption. This patch resets the id integer to 0 on
    encountering an invalid id so that NULL will be returned after
    finishing the loop if no valid ids are found.

    Signed-off-by: Dan Rosenberg <email address hidden>
    (cherry-picked from http://marc.info/?l=linux-kernel&m=128596992418814&w=2)

=====

http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-NNN2.html

    ocfs2: Don't walk off the end of fast symlinks.

    CVE-2010-NNN2

    (Official CVE # not yet assigned)

    ocfs2 fast symlinks are NUL terminated strings stored inline in the
    inode data area. However, disk corruption or a local attacker
    could, in theory, remove that NUL. Because we're using strlen() (my
    fault, introduced in a731d1 when removing vfs_follow_link()), we
    could walk off the end of that string.

    Signed-off-by: Joel Becker <email address hidden>
    Cc: <email address hidden>
    (cherry picked from commit 1fc8a117865b54590acd773a55fbac9221b018f0)

description: updated
Martin Pitt (pitti) wrote :

Seems this was accidentally uploaded to maverick-proposed. Rejecting, please reupload to -security instead.

security vulnerability: no → yes
Tim Gardner (timg-tpi) wrote :

re-uploaded with -security in the pocket.

Accepted linux into maverick-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in linux (Ubuntu Maverick):
status: Confirmed → Fix Committed
tags: added: verification-needed
Martin Pitt (pitti) wrote :

Tim says that last time we also did the -proposed -> -security route, so I accepted this after all. I guess the move to -security will happen together with the USN?

On Sun, Oct 10, 2010 at 09:25:49AM -0000, Martin Pitt wrote:
> Tim says that last time we also did the -proposed -> -security route, so
> I accepted this after all. I guess the move to -security will happen
> together with the USN?

This should be fine.

--
Kees Cook @outflux.net

Gary M (garym) on 2010-10-11
Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

Needs to be published by security team now.

Changed in linux (Ubuntu Maverick):
status: Fix Released → Fix Committed
Martin Pitt (pitti) wrote :

Since I updated to this kernel, I now get intermittent screen hiccups, i. e. it turns off and back on for half a second. There is nothing in dmesg about this. How can I debug this?

Per the following discussion on #ubuntu-devel, I've built pitti a test kernel that reverts the 3 patches for CVE-2010-2962 in case he notices the issue returning. The patches for CVE-2010-2962 touched the i915 driver and would have been my initial assumption for being the culprit. The test kernel can be found at:

http://people.canonical.com/~ogasawara/lp647071/amd64/

<ogasawara> pitti: Re: https://bugs.edge.launchpad.net/ubuntu/+source/linux/+bug/647071/comments/11 , are you seeing this on an i386 or amd64 box? 3 patches touch the i915 driver so I can build you a test kernel with those reverted to see if they are the culprit.
<pitti> ogasawara: actually I haven't seen it for a few hours now, so don't worry too much about it for now
<pitti> ogasawara: I'm on amd64
<ogasawara> pitti: ok, I'll build you a test kernel anyways in case it returns. How often was it happening at first?
<pitti> ogasawara: if I'm able to reproduce, I'll boot with drm.debug=0x02 (or whatever that was called like)
<pitti> ogasawara: I saw it flicker about 3 or 4 times
<pitti> with perhaps a minute or two in between
<pitti> I'm not sure why it only happened back then
<pitti> I had kvm open, that was the primary difference to what I have now

Kees Cook (kees) wrote :

On Mon, Oct 11, 2010 at 06:28:45AM -0000, Martin Pitt wrote:
> Needs to be published by security team now.

No, it must be pocket-copied; security team can only unembargo from our ppa
to -security.

--
Kees Cook @outflux.net

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.35-22.34

---------------
linux (2.6.35-22.34) maverick-proposed; urgency=low

  [ John Johansen ]

  * SAUCE: Return correct error code for mediated network connections
    - LP: #647071

  [ Upstream Kernel Changes ]

  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
    - CVE-2010-2954
  * wireless extensions: fix kernel heap content leak
    - CVE-2010-2955
  * KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
    - CVE-2010-2960
  * KEYS: Fix bug in keyctl_session_to_parent() if parent has no session
    keyring
    - CVE-2010-2960
  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
    - CVE-2010-3080
  * intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang
    - LP: #634702
  * drm/i915: Rephrase pwrite bounds checking to avoid any potential
    overflow
    - CVE-2010-2962
  * drm/i915: Skip pread/pwrite if size to copy is 0.
    - CVE-2010-2962
  * drm/i915: Sanity check pread/pwrite
    - CVE-2010-2962
  * Fix pktcdvd ioctl dev_minor range check
    - CVE-2010-3437
  * Fix out-of-bounds reading in sctp_asoc_get_hmac()
    - CVE-2010-3705
  * ocfs2: Don't walk off the end of fast symlinks.
    - CVE-2010-NNN2
 -- Leann Ogasawara <email address hidden> Mon, 20 Sep 2010 08:36:53 -0700

Changed in linux (Ubuntu Maverick):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

The flickering bug hasn't come back so far, so it might just have been bad coincidence. I'll watch out for it and report back if it happens again.

Kees asked me to pocket-copy this now, doing.

Martin Pitt (pitti) wrote :

Copied to maverick-{updates,security} and natty.

Changed in linux (Ubuntu):
milestone: maverick-updates → none
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers