CVE-2010-4249

Bug #769182 reported by Brad Figg on 2011-04-22
268
This bug affects 2 people
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-fsl-imx51 (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-lts-backport-maverick (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-mvl-dove (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned
linux-ti-omap4 (Ubuntu)
Undecided
Unassigned
Dapper
Undecided
Unassigned
Hardy
Undecided
Unassigned
Karmic
Undecided
Unassigned
Lucid
Undecided
Unassigned
Maverick
Undecided
Unassigned
Natty
Undecided
Unassigned

Bug Description

CVE-2010-4249

Vegard Nossum found a unix socket OOM was possible, posting an exploit
program.

My analysis is we can eat all LOWMEM memory before unix_gc() being
called from unix_release_sock(). Moreover, the thread blocked in
unix_gc() can consume huge amount of time to perform cleanup because of
huge working set.

One way to handle this is to have a sensible limit on unix_tot_inflight,
tested from wait_for_unix_gc() and to force a call to unix_gc() if this
limit is hit.

This solves the OOM and also reduce overall latencies, and should not
slowdown normal workloads.

Break-Fix: - 9915672d41273f5b77f1b3c29b391ffb7732b84b

Brad Figg (brad-figg) on 2011-04-22
security vulnerability: no → yes
Brad Figg (brad-figg) wrote :
Changed in linux-ti-omap4 (Ubuntu):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu):
status: New → Invalid
description: updated
Paolo Pisati (p-pisati) on 2011-04-28
Changed in linux-ti-omap4 (Ubuntu Dapper):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Karmic):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Dapper):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Karmic):
status: New → Invalid
Paolo Pisati (p-pisati) wrote :

fix already present

Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Fix Released
Changed in linux-fsl-imx51 (Ubuntu Dapper):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Maverick):
status: New → Invalid
Paolo Pisati (p-pisati) wrote :

karmic is EOL

Changed in linux-fsl-imx51 (Ubuntu Karmic):
status: New → Won't Fix
Paolo Pisati (p-pisati) wrote :

fix already present

Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Fix Released
Paolo Pisati (p-pisati) on 2011-05-30
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Fix Released
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Fix Released

This bug was nominated against a series that is no longer supported, ie karmic. The bug task representing the karmic nomination is being closed as Won't Fix.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu Karmic):
status: New → Won't Fix

This bug is missing log files that will aid in dianosing the problem. From a terminal window please run:

apport-collect 769182

and then change the status of the bug back to 'New'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
Changed in linux (Ubuntu Dapper):
status: New → Incomplete
Changed in linux (Ubuntu Hardy):
status: New → Incomplete
Changed in linux (Ubuntu Lucid):
status: New → Incomplete
Changed in linux (Ubuntu Maverick):
status: New → Incomplete
Changed in linux (Ubuntu Natty):
status: New → Incomplete
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.24-29.92

---------------
linux (2.6.24-29.92) hardy-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #812360

  [Upstream Kernel Changes]

  * af_unix: limit unix_tot_inflight CVE-2010-4249
    - LP: #769182
    - CVE-2010-4249
  * xfs: zero proper structure size for geometry calls CVE-2011-0711
    - LP: #767740
    - CVE-2011-0711
  * netfilter: ip_tables: fix infoleak to userspace CVE-2011-1171
    - LP: #801482
    - CVE-2011-1171
  * econet: 4 byte infoleak to the network CVE-2011-1173
    - LP: #801484
    - CVE-2011-1173
  * netfilter: arp_tables: fix infoleak to userspace CVE-2011-1170
    - LP: #801480
  * ipv6: netfilter: ip6_tables: fix infoleak to userspace CVE-2011-1172
    - LP: #801483
    - CVE-2011-1172
  * xen: don't allow blkback virtual CDROM device, CVE-2010-4238
    - LP: #803931
    - CVE-2010-4238
  * IB/uverbs: Handle large number of entries in poll CQ CVE-2010-4649
    - LP: #805512
  * ipc: initialize structure memory to zero for compat functions
    CVE-2010-4073
    - LP: #806366
    - CVE-2010-4073
  * tcp: Increase TCP_MAXSEG socket option minimum CVE-2010-4165
    - LP: #806374
    - CVE-2010-4165
  * taskstats: don't allow duplicate entries in listener mode,
    CVE-2011-2484
    - LP: #806390
    - CVE-2011-2484
  * netfilter: ipt_CLUSTERIP: fix buffer overflow, CVE-2011-2534
    - LP: #801473
    - CVE-2011-2534
  * nfs4: Ensure that ACL pages sent over NFS were not allocated from the
    slab (v3), CVE-2011-1090
    - LP: #800775
    - CVE-2011-1090
  * fs/partitions: Validate map_count in Mac partition tables
    - LP: #804225
    - CVE-2011-1010
 -- Herton Ronaldo Krzesinski <email address hidden> Mon, 18 Jul 2011 12:36:01 -0300

Changed in linux (Ubuntu Hardy):
status: Incomplete → Fix Released
Changed in linux-lts-backport-maverick (Ubuntu Dapper):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Karmic):
status: New → Won't Fix
Changed in linux (Ubuntu Dapper):
status: Incomplete → Won't Fix

The attachment "dapper-patch.patch" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]

tags: added: patch
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) and is no longer supported. As a result, this bug
against maverick is being marked "Won't Fix". Please see
https://wiki.ubuntu.com/Releases for currently supported Ubuntu
releases.

Please feel free to report any other bugs you may find.

Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Won't Fix
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Won't Fix
Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. maverick has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against maverick is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Jamie Strandboge (jdstrand) wrote :

Thank you for reporting this bug to Ubuntu. natty has reached EOL
(End of Life) for this package and is no longer supported. As
a result, this bug against natty is being marked "Won't Fix".
Please see https://wiki.ubuntu.com/Releases for currently
supported Ubuntu releases.

Please feel free to report any other bugs you may find.

Julian Wiedmann (jwiedmann) wrote :

This release has reached end-of-life [0].

[0] https://wiki.ubuntu.com/Releases

Changed in linux (Ubuntu Maverick):
status: Incomplete → Invalid
Changed in linux (Ubuntu Natty):
status: Incomplete → Invalid
tags: added: kernel-cve-tracking-bug
Mathew Hodson (mathew-hodson) wrote :

This was fixed in lucid, maverick, and natty according to http://people.canonical.com/~ubuntu-security/cve/2010/CVE-2010-4249.html

Mathew Hodson (mathew-hodson) wrote :
Download full text (10.3 KiB)

linux (2.6.32-28.55) lucid-proposed; urgency=low

  * Another version bump because of abi check failure
  * Tracking Bug
    - LP: #699885

linux (2.6.32-28.54) lucid-proposed; urgency=low

  * Another version bump because of upload failure

linux (2.6.32-28.53) lucid-proposed; urgency=low

  * Another version bump because of upload failure

linux (2.6.32-28.52) lucid-proposed; urgency=low

  [ Steve Conklin ]

  * (removed old tracking bug link)

linux (2.6.32-28.51) lucid-proposed; urgency=low

  [ Steve Conklin ]

  * bumped version due to build fail

linux (2.6.32-28.50) lucid-proposed; urgency=low

  [ Tim Gardner ]

  * SAUCE: Change nodelayacct boot parameter polarity.
    - LP: #493156
  * [Config] CONFIG_TASK_DELAY_ACCT=y
    - LP: #493156

  [ Upstream Kernel Changes ]

  * ipc: initialize structure memory to zero for compat functions
  * tcp: Increase TCP_MAXSEG socket option minimum.
    - CVE-2010-4165
  * perf_events: Fix perf_counter_mmap() hook in mprotect()
    - CVE-2010-4169
  * af_unix: limit unix_tot_inflight
    - CVE-2010-4249
  * AppArmor: fix the upper bound check for the next/check table
    - LP: #581525
  * NFS: Fix panic after nfs_umount()
    - LP: #683938
  * block: Ensure physical block size is unsigned int
    - LP: #688669
  * block: limit vec count in bio_kmalloc() and bio_alloc_map_data()
    - LP: #688669
  * block: take care not to overflow when calculating total iov length
    - LP: #688669
  * block: check for proper length of iov entries in blk_rq_map_user_iov()
    - LP: #688669
  * jme: Fix PHY power-off error
    - LP: #688669
  * irda: Fix parameter extraction stack overflow
    - LP: #688669
  * irda: Fix heap memory corruption in iriap.c
    - LP: #688669
  * i2c-pca-platform: Change device name of request_irq
    - LP: #688669
  * microblaze: Fix build with make 3.82
    - LP: #688669
  * Staging: asus_oled: fix up some sysfs attribute permissions
    - LP: #688669
  * Staging: asus_oled: fix up my fixup for some sysfs attribute
    permissions
    - LP: #688669
  * Staging: line6: fix up some sysfs attribute permissions
    - LP: #688669
  * hpet: fix unwanted interrupt due to stale irq status bit
    - LP: #688669
  * hpet: unmap unused I/O space
    - LP: #688669
  * olpc_battery: Fix endian neutral breakage for s16 values
    - LP: #688669
  * percpu: fix list_head init bug in __percpu_counter_init()
    - LP: #688669
  * um: remove PAGE_SIZE alignment in linker script causing kernel
    segfault.
    - LP: #688669
  * um: fix global timer issue when using CONFIG_NO_HZ
    - LP: #688669
  * numa: fix slab_node(MPOL_BIND)
    - LP: #688669
  * hwmon: (lm85) Fix ADT7468 frequency table
    - LP: #688669
  * mm: fix return value of scan_lru_pages in memory unplug
    - LP: #688669
  * mm: fix is_mem_section_removable() page_order BUG_ON check
    - LP: #688669
  * ssb: b43-pci-bridge: Add new vendor for BCM4318
    - LP: #688669
  * sgi-xpc: XPC fails to discover partitions with all nasids above 128
    - LP: #688669
  * xen: ensure that all event channels start off bound to VCPU 0
    - LP: #6886...

Changed in linux (Ubuntu Lucid):
status: Incomplete → Fix Released
Mathew Hodson (mathew-hodson) wrote :
Download full text (25.0 KiB)

linux (2.6.35-25.44) maverick-proposed; urgency=low

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon/kms: properly compute group_size on 6xx/7xx"
    - LP: #703553

linux (2.6.35-25.43) maverick-proposed; urgency=low

  [ Brad Figg ]

  - LP: #697948

  [ Andy Whitcroft ]

  * [Config] add vmware-balloon driver to -virtual flavour
    - LP: #592039

  [ Manoj Iyer ]

  * SAUCE: Enable jack sense for Thinkpad Edge 13
    - LP: #685015

  [ Robert Hooker ]

  * Revert "(pre-stable): input: Support Clickpad devices in ClickZone
    mode"
    - LP: #669399

  [ Stefan Bader ]

  * Set virtual flavour maximum of domain visible memory to 70G
    - LP: #667796

  [ Takashi Iwai ]

  * SAUCE: input: Support Clickpad devices in ClickZone mode
    - LP: #516329

  [ Tim Gardner ]

  * [Config] Add nfsd modules to -virtual flavour
    - LP: #688070
  * [Config] Added autofs4.ko to -virtual flavour
    - LP: #692917

  [ Upstream Kernel Changes ]

  * intel_idle: delete substates DEBUG modparam
    - LP: #684888
  * intel_idle: delete power_policy modparam, and choose substate functions
    - LP: #684888
  * intel_idle: add support for Westmere-EX
    - LP: #684888
  * intel_idle: recognize Lincroft Atom Processor
    - LP: #684888
  * x86, mwait: Move mwait constants to a common header file
    - LP: #684888
  * intel_idle: Change mode 755 => 644
    - LP: #684888
  * intel_idle: add missing __percpu markup
    - LP: #684888
  * cpuidle: extend cpuidle and menu governor to handle dynamic states
    - LP: #684888
  * intel_idle: Voluntary leave_mm before entering deeper
    - LP: #684888
  * intel_idle: enable Atom C6
    - LP: #684888
  * intel_idle: simplify test for leave_mm()
    - LP: #684888
  * intel_idle: delete bogus data from cpuidle_state.power_usage
    - LP: #684888
  * intel_idle: add initial Sandy Bridge support
    - LP: #684888
  * intel_idle: do not use the LAPIC timer for ATOM C2
    - LP: #684888
  * staging: usbip: Notify usb core of port status changes
    - LP: #686158
  * staging: usbip: Process event flags without delay
    - LP: #686158
  * Staging: phison: fix problem caused by libata change
    - LP: #686158
  * perf_events: Fix bogus AMD64 generic TLB events
    - LP: #686158
  * perf_events: Fix bogus context time tracking
    - LP: #686158
  * powerpc/perf: Fix sampling enable for PPC970
    - LP: #686158
  * pcmcia: synclink_cs: fix information leak to userland
    - LP: #686158
  * sched: Drop all load weight manipulation for RT tasks
    - LP: #686158
  * sched: Fix string comparison in /proc/sched_features
    - LP: #686158
  * bluetooth: Fix missing NULL check
    - LP: #686158
  * futex: Fix errors in nested key ref-counting
    - LP: #686158
  * cifs: fix broken oplock handling
    - LP: #686158
  * libahci: fix result_tf handling after an ATA PIO data-in command
    - LP: #686158
  * mm, x86: Saving vmcore with non-lazy freeing of vmas
    - LP: #686158
  * x86, cpu: Fix renamed, not-yet-shipping AMD CPUID feature bit
    - LP: #686158
  * x86, kexec: Make sure to stop all CPUs before exiting the kernel
 ...

Changed in linux (Ubuntu Maverick):
status: Invalid → Fix Released
Changed in linux (Ubuntu):
status: Incomplete → Fix Released
Changed in linux (Ubuntu Natty):
status: Invalid → Fix Released
description: updated
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Duplicates of this bug

Other bug subscribers