CVE-2010-3086

Bug #706060 reported by Brad Figg on 2011-01-21
Affects          Status   Importance   Assigned to      Milestone
linux (Ubuntu)            Low          Andy Whitcroft
Dapper                    Low          Andy Whitcroft
Hardy                     Low          Andy Whitcroft
Karmic                    Low          Andy Whitcroft
Lucid                     Low          Andy Whitcroft
Maverick                  Low          Andy Whitcroft
Natty                     Low          Andy Whitcroft

Bug Description

include/asm-x86/futex.h in the Linux kernel before 2.6.25 does not properly implement exception fixup, which allows local users to cause a denial of service (panic) via an invalid application that triggers a page fault.

Brad Figg (brad-figg) on 2011-01-21
description: updated
description: updated
Jeremy Foshee (jeremyfoshee) wrote :

Hi Brad,

Please be sure to confirm this issue exists with the latest development release of Ubuntu. ISO CD images are available from http://cdimage.ubuntu.com/daily/current/ . If the issue remains, please run the following command from a Terminal (Applications->Accessories->Terminal). It will automatically gather and attach updated debug information to this report.

apport-collect -p linux 706060

Also, if you could test the latest upstream kernel available that would be great. It will allow additional upstream developers to examine the issue. Refer to https://wiki.ubuntu.com/KernelMainlineBuilds . Once you've tested the upstream kernel, please remove the 'needs-upstream-testing' tag. This can be done by clicking on the yellow pencil icon next to the tag located at the bottom of the bug description and deleting the 'needs-upstream-testing' text. Please let us know your results.

Thanks in advance.

    [This is an automated message. Apologies if it has reached you inappropriately; please just reply to this message indicating so.]

tags: added: needs-kernel-logs
tags: added: needs-upstream-testing
tags: added: kj-triage
Changed in linux (Ubuntu):
status: New → Incomplete
Andy Whitcroft (apw) on 2011-01-26
tags: added: kj-triagekernel-logs
removed: kj-triage needs-kernel-logs
tags: added: kj-triage
removed: kj-triagekernel-logs needs-upstream-testing
Changed in linux (Ubuntu):
status: Incomplete → Triaged
security vulnerability: no → yes
Andy Whitcroft (apw) wrote :

Confirmed that the fixes related here are indeed applied to Karmic and later.

Changed in linux (Ubuntu Karmic):
status: New → Invalid
Changed in linux (Ubuntu Maverick):
status: New → Invalid
importance: Undecided → Low
Changed in linux (Ubuntu Lucid):
status: New → Invalid
Changed in linux (Ubuntu Dapper):
importance: Undecided → Low
Changed in linux (Ubuntu Natty):
importance: Undecided → Low
Changed in linux (Ubuntu Karmic):
importance: Undecided → Low
Changed in linux (Ubuntu Hardy):
importance: Undecided → Low
Changed in linux (Ubuntu Lucid):
importance: Undecided → Low
assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu Natty):
assignee: nobody → Andy Whitcroft (apw)
status: Triaged → Invalid
Changed in linux (Ubuntu Karmic):
assignee: nobody → Andy Whitcroft (apw)
Changed in linux (Ubuntu Maverick):
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) wrote :

The fix below is claimed to fix this issue:

  commit 9d55b9923a1b7ea8193b8875c57ec940dc2ff027
  Author: Thomas Gleixner <email address hidden>
  Date: Fri Feb 1 17:45:14 2008 +0100

    x86: replace LOCK_PREFIX in futex.h

    The exception fixup for the futex macros __futex_atomic_op1/2 and
    futex_atomic_cmpxchg_inatomic() is missing an entry when the lock
    prefix is replaced by a NOP via SMP alternatives.

    Chuck Ebert tracked this down from the information provided in:
    https://bugzilla.redhat.com/show_bug.cgi?id=429412

    A possible solution would be to add another fixup after the
    LOCK_PREFIX, so both the LOCK and NOP case have their own entry in the
    exception table, but it's not really worth the trouble.

    Simply replace LOCK_PREFIX with lock and keep those untouched by SMP
    alternatives.

    Signed-off-by: Thomas Gleixner <email address hidden>

    Signed-off-by: Ingo Molnar <email address hidden>
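
The missing exception-table entry described in the commit message above, as a simplified user-space C model added here (not kernel code and not part of the original report). A lock prefix is part of the instruction it precedes, while a NOP written over it is an instruction of its own, so the faulting address moves by one byte; the offsets, byte layout and all function names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* User-space model, not kernel code. A fault at `insn` resumes at `fixup`. */
struct extable_entry { uint32_t insn, fixup; };

/* Constructed layout: guarded instruction at offset 4, fixup code at 0x20. */
enum { LOCK_BYTE = 0xF0, NOP_BYTE = 0x90, INSN = 4, FIXUP = 0x20 };

/* Returns the fixup for a faulting IP, or 0 when no entry matches. */
uint32_t search_extable(const struct extable_entry *t, int n, uint32_t ip)
{
    for (int i = 0; i < n; i++)
        if (t[i].insn == ip)
            return t[i].fixup;
    return 0;
}

/* IP of a fault in the cmpxchg: after NOP patching it starts one byte later. */
uint32_t faulting_ip(const uint8_t *text, uint32_t label)
{
    return text[label] == NOP_BYTE ? label + 1 : label;
}

/* Uniprocessor boot: lock bytes recorded by LOCK_PREFIX become NOPs. */
void apply_up_alternatives(uint8_t *text, const uint32_t *smp_locks, int n)
{
    for (int i = 0; i < n; i++)
        if (text[smp_locks[i]] == LOCK_BYTE)
            text[smp_locks[i]] = NOP_BYTE;
}

/* One scenario; returns the fixup found (0 = fault with no recovery path). */
uint32_t futex_fault(int lock_recorded, int extra_entry)
{
    uint8_t text[16] = { [INSN] = LOCK_BYTE, 0x0F, 0xB1, 0x0A }; /* lock cmpxchg */
    struct extable_entry tbl[2] = { { INSN, FIXUP }, { INSN + 1, FIXUP } };
    uint32_t smp_locks[1] = { INSN };
    apply_up_alternatives(text, smp_locks, lock_recorded ? 1 : 0);
    return search_extable(tbl, extra_entry ? 2 : 1, faulting_ip(text, INSN));
}

int main(void)
{
    printf("LOCK_PREFIX, one entry (before fix):  %#x\n", (unsigned)futex_fault(1, 0));
    printf("plain lock, one entry (the fix):      %#x\n", (unsigned)futex_fault(0, 0));
    printf("LOCK_PREFIX, two entries (alternative): %#x\n", (unsigned)futex_fault(1, 1));
    return 0;
}
```

A return value of 0 corresponds to the case the bug description calls a panic: the page fault has no exception-table entry to recover through.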

Andy Whitcroft (apw) wrote :

This has hit v2.6.24.4 via the stable process and has been applied and released into Hardy already. Closed Fix Released.

  commit a026091e22cc64d1045af9c53adb635fc938b23e
  Author: Thomas Gleixner <email address hidden>
  Date: Sat Feb 23 11:56:56 2008 -0500

    x86: replace LOCK_PREFIX in futex.h

    Bug: #301608

    Commit: 9d55b9923a1b7ea8193b8875c57ec940dc2ff027

Changed in linux (Ubuntu Hardy):
status: New → Fix Released
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) on 2011-02-01
Changed in linux (Ubuntu Dapper):
status: New → In Progress
assignee: nobody → Andy Whitcroft (apw)
Andy Whitcroft (apw) on 2011-02-02
Changed in linux (Ubuntu Dapper):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Dapper):
status: Fix Committed → Won't Fix