mlock on stack will create guard page gap

Bug #646114 reported by Kees Cook
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Undecided
Unassigned
Dapper
Invalid
Undecided
Unassigned
Hardy
Fix Released
Undecided
Unassigned
Jaunty
Fix Released
Undecided
Unassigned
Karmic
Fix Released
Undecided
Unassigned
Lucid
Fix Released
Undecided
Unassigned
Maverick
Fix Released
Undecided
Unassigned
linux-mvl-dove (Ubuntu)
Invalid
Undecided
Unassigned
Dapper
Invalid
Undecided
Unassigned
Hardy
Invalid
Undecided
Unassigned
Jaunty
Invalid
Undecided
Unassigned
Karmic
Invalid
Undecided
Unassigned
Lucid
Fix Released
Undecided
Unassigned
Maverick
Fix Released
Undecided
Unassigned

Bug Description

Calling mlock on a portion of the stack will cause the kernel to incorrectly show a gap in /proc/$pid/maps between the old stack and the mlock region. This can confuse applications.

Revision history for this message
Kees Cook (kees) wrote :
Changed in linux (Ubuntu Maverick):
status: New → Fix Released
Revision history for this message
Stefan Bader (smb) wrote :

This should be fixed in Hardy. Those changes were part of the emergency fix to unbreak Xen.

Changed in linux (Ubuntu Hardy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.32-25.45

---------------
linux (2.6.32-25.45) lucid-security; urgency=low

  [ Upstream Kernel Changes ]

  * v4l: disable dangerous buggy compat function
    - CVE-2010-2963
  * Local privilege escalation vulnerability in RDS sockets
    - CVE-2010-3904
  * mm: (pre-stable) Move vma_stack_continue into mm.h
    - LP: #646114
  * net sched: fix some kernel memory leaks
    - CVE-2010-2942
  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
    - CVE-2010-2954
  * wireless extensions: fix kernel heap content leak
    - CVE-2010-2955
  * KEYS: Fix RCU no-lock warning in keyctl_session_to_parent()
    - CVE-2010-2960
  * KEYS: Fix bug in keyctl_session_to_parent() if parent has no session
    keyring
    - CVE-2010-2960
  * aio: check for multiplication overflow in do_io_submit
    - CVE-2010-3067
  * xfs: prevent reading uninitialized stack memory
    - CVE-2010-3078
  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
    - CVE-2010-3080
  * niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
    - CVE-2010-3084
  * rose: Fix signedness issues wrt. digi count.
    - CVE-2010-3310
  * sctp: Do not reset the packet during sctp_packet_config().
    - CVE-2010-3432
  * Fix pktcdvd ioctl dev_minor range check
    - CVE-2010-3437
  * ALSA: prevent heap corruption in snd_ctl_new()
    - CVE-2010-3442
  * net sched: fix kernel leak in act_police
    - CVE-2010-3477
  * Fix out-of-bounds reading in sctp_asoc_get_hmac()
    - CVE-2010-3705
  * ocfs2: Don't walk off the end of fast symlinks.
    - CVE-2010-NNN2
 -- Steve Conklin <email address hidden> Wed, 06 Oct 2010 16:16:20 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.31-22.67

---------------
linux (2.6.31-22.67) karmic-security; urgency=low

  [ Upstream Kernel Changes ]

  * Local privilege escalation vulnerability in RDS sockets
    - CVE-2010-3904
  * v4l: disable dangerous buggy compat function
    - CVE-2010-2963
  * mm: Do not assume ENOMEM when looking at a split stack vma
    - LP: #646114
  * mm: Use helper to find real vma with stack guard page
    - LP: #646114
  * Fix race in tty_fasync() properly
    - CVE-2009-4895
  * ext4: Make sure the MOVE_EXT ioctl can't overwrite append-only files
    - CVE-2010-2066
  * xfs: prevent swapext from operating on write-only files
    - CVE-2010-2226
  * cifs: Fix a kernel BUG with remote OS/2 server (try #3)
    - CVE-2010-2248
  * ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
    - CVE-2010-2478
  * l2tp: Fix oops in pppol2tp_xmit
    - CVE-2010-2495
  * nfsd4: bug in read_buf
    - CVE-2010-2521
  * CIFS: Fix a malicious redirect problem in the DNS lookup code
    - CVE-2010-2524
  * GFS2: rename causes kernel Oops
    - CVE-2010-2798
  * net sched: fix some kernel memory leaks
    - CVE-2010-2942
  * jfs: don't allow os2 xattr namespace overlap with others
    - CVE-2010-2946
  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
    - CVE-2010-2954
  * wireless extensions: fix kernel heap content leak
    - CVE-2010-2955
  * ext4: consolidate in_range() definitions
    - CVE-2010-3015
  * aio: check for multiplication overflow in do_io_submit
    - CVE-2010-3067
  * xfs: prevent reading uninitialized stack memory
    - CVE-2010-3078
  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
    - CVE-2010-3080
  * niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
    - CVE-2010-3084
  * rose: Fix signedness issues wrt. digi count.
    - CVE-2010-3310
  * sctp: Do not reset the packet during sctp_packet_config().
    - CVE-2010-3432
  * Fix pktcdvd ioctl dev_minor range check
    - CVE-2010-3437
  * ALSA: prevent heap corruption in snd_ctl_new()
    - CVE-2010-3442
  * net sched: fix kernel leak in act_police
    - CVE-2010-3477
  * Fix out-of-bounds reading in sctp_asoc_get_hmac()
    - CVE-2010-3705
  * ocfs2: Don't walk off the end of fast symlinks.
    - CVE-2010-NNN2
 -- Steve Conklin <email address hidden> Wed, 06 Oct 2010 16:05:21 +0100

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 2.6.28-19.66

---------------
linux (2.6.28-19.66) jaunty-security; urgency=low

  [ Stefan Bader ]

  * Revert "SAUCE: (no-up) Modularize vesafb -- fix initialization"
  * mm: Use helper to find real vma with stack guard page
    - LP: #646114
  * mm: Do not assume ENOMEM when looking at a split stack vma
    - LP: #646114

  [ Upstream Kernel Changes ]

  * x86-64, compat: Test %rax for the syscall number, not %eax
    - CVE-2010-3301
  * x86-64, compat: Retruncate rax after ia32 syscall entry tracing
    - CVE-2010-3301
  * compat: Make compat_alloc_user_space() incorporate the access_ok()
    - CVE-2010-3081
  * Fix race in tty_fasync() properly
    - CVE-2009-4895
  * xfs: prevent swapext from operating on write-only files
    - CVE-2010-2226
  * cifs: Fix a kernel BUG with remote OS/2 server (try #3)
    - CVE-2010-2248
  * nfsd4: bug in read_buf
    - CVE-2010-2521
  * GFS2: rename causes kernel Oops
    - CVE-2010-2798
  * net sched: fix some kernel memory leaks
    - CVE-2010-2942
  * jfs: don't allow os2 xattr namespace overlap with others
    - CVE-2010-2946
  * irda: Correctly clean up self->ias_obj on irda_bind() failure.
    - CVE-2010-2954
  * wireless extensions: fix kernel heap content leak
    - CVE-2010-2955
  * ext4: consolidate in_range() definitions
    - CVE-2010-3015
  * aio: check for multiplication overflow in do_io_submit
    - CVE-2010-3067
  * xfs: prevent reading uninitialized stack memory
    - CVE-2010-3078
  * ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
    - CVE-2010-3080
  * rose: Fix signedness issues wrt. digi count.
    - CVE-2010-3310
  * sctp: Do not reset the packet during sctp_packet_config().
    - CVE-2010-3432
  * Fix pktcdvd ioctl dev_minor range check
    - CVE-2010-3437
  * ALSA: prevent heap corruption in snd_ctl_new()
    - CVE-2010-3442
  * net sched: fix kernel leak in act_police
    - CVE-2010-3477
  * Fix out-of-bounds reading in sctp_asoc_get_hmac()
    - CVE-2010-3705
  * v4l: disable dangerous buggy compat function
 -- Steve Conklin <email address hidden> Fri, 15 Oct 2010 16:26:53 -0500

Changed in linux (Ubuntu Jaunty):
status: New → Fix Released
Changed in linux (Ubuntu Karmic):
status: New → Fix Released
Changed in linux (Ubuntu Lucid):
status: New → Fix Released
Tim Gardner (timg-tpi)
Changed in linux-mvl-dove (Ubuntu):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Dapper):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Jaunty):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Karmic):
status: New → Invalid
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (65.1 KiB)

This bug was fixed in the package linux-mvl-dove - 2.6.32-216.33

---------------
linux-mvl-dove (2.6.32-216.33) lucid-proposed; urgency=low

  [ Ubuntu: 2.6.32-31.60 ]

  * Release Tracking Bug
    - LP: #734950
  * SAUCE: Clear new_profile in error path
    - LP: #732700
  * [Config] CONFIG_BOOT_PRINTK_DELAY=y
    - LP: #733191
  * Revert "drm/radeon/bo: add some fallback placements for VRAM only
    objects."
    - LP: #652934
  * drm/radeon: fall back to GTT if bo creation/validation in VRAM fails.
    - LP: #652934
  * drm/radeon/kms: Fix retrying ttm_bo_init() after it failed once.
    - LP: #652934
  * xfs: always use iget in bulkstat
    - LP: #692848
  * drm/radeon/kms: make the mac rv630 quirk generic
    - LP: #728687
  * drm/radeon/kms: add pll debugging output
    - LP: #728687
  * drm/radeon: remove 0x4243 pci id
    - LP: #728687
  * drm/radeon/kms: fix s/r issues with bios scratch regs
    - LP: #728687
  * drm/i915/lvds: Add AOpen i915GMm-HFS to the list of false-positive LVDS
    - LP: #728687
  * drm/i915: Add dependency on CONFIG_TMPFS
    - LP: #728687
  * Linux 2.6.32.29+drm33.14
    - LP: #728687
  * NFSD: memory corruption due to writing beyond the stat array
    - LP: #728687
  * mptfusion: mptctl_release is required in mptctl.c
    - LP: #728687
  * mptfusion: Fix Incorrect return value in mptscsih_dev_reset
    - LP: #728687
  * ocfs2_connection_find() returns pointer to bad structure
    - LP: #728687
  * x25: decrement netdev reference counts on unload
    - LP: #728687
  * x86, hpet: Disable per-cpu hpet timer if ARAT is supported
    - LP: #728687
  * OHCI: work around for nVidia shutdown problem
    - LP: #728687
  * x86/pvclock: Zero last_value on resume
    - LP: #728687
  * av7110: check for negative array offset
    - LP: #728687
  * CRED: Fix get_task_cred() and task_state() to not resurrect dead
    credentials
    - LP: #728687
  * bonding/vlan: Avoid mangled NAs on slaves without VLAN tag insertion
    - LP: #728687
  * CRED: Fix kernel panic upon security_file_alloc() failure.
    - LP: #728687
  * CRED: Fix BUG() upon security_cred_alloc_blank() failure
    - LP: #728687
  * CRED: Fix memory and refcount leaks upon security_prepare_creds()
    failure
    - LP: #728687
  * sendfile(): check f_op.splice_write() rather than f_op.sendpage()
    - LP: #728687
  * isdn: hisax: Replace the bogus access to irq stats
    - LP: #728687
  * ixgbe: add support for 82599 based Express Module X520-P2
    - LP: #728687
  * ixgbe: prevent speculative processing of descriptors before ready
    - LP: #728687
  * scsi_dh_alua: add netapp to dev list
    - LP: #728687
  * scsi_dh_alua: Add IBM Power Virtual SCSI ALUA device to dev list
    - LP: #728687
  * dm raid1: fail writes if errors are not handled and log fails
    - LP: #728687
  * GFS2: Fix bmap allocation corner-case bug
    - LP: #728687
  * dm raid1: fix null pointer dereference in suspend
    - LP: #728687
  * sunrpc/cache: fix module refcnt leak in a failure path
    - LP: #728687
  * be2net: Maintain tx and rx counters in driver
    - LP: #728687
  * tcp: Make TCP_MAXSEG minimum more correct.
    - LP: #728687
  * nfsd: correctly handle return value from ...

Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Fix Released
Paolo Pisati (p-pisati)
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Fix Released
Revision history for this message
Julian Wiedmann (jwiedmann) wrote :

Dapper reached EOL a long while ago.

Changed in linux (Ubuntu Dapper):
status: New → Invalid
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.