CVE-2010-4258
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | | Undecided | Unassigned |
Dapper | | Undecided | Brad Figg |
Hardy | | Undecided | Brad Figg |
Karmic | | Undecided | Brad Figg |
Lucid | | Undecided | Unassigned |
Maverick | | Undecided | Unassigned |
Natty | | Undecided | Unassigned |
linux-fsl-imx51 (Ubuntu) | | Undecided | Unassigned |
Dapper | | Undecided | Unassigned |
Hardy | | Undecided | Unassigned |
Karmic | | Undecided | Unassigned |
Lucid | | Undecided | Unassigned |
Maverick | | Undecided | Unassigned |
Natty | | Undecided | Unassigned |
linux-lts-backport-maverick (Ubuntu) | | Undecided | Unassigned |
Dapper | | Undecided | Unassigned |
Hardy | | Undecided | Unassigned |
Karmic | | Undecided | Unassigned |
Lucid | | Undecided | Unassigned |
Maverick | | Undecided | Unassigned |
Natty | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu) | | Undecided | Unassigned |
Dapper | | Undecided | Unassigned |
Hardy | | Undecided | Unassigned |
Karmic | | Undecided | Unassigned |
Lucid | | Undecided | Paolo Pisati |
Maverick | | Undecided | Paolo Pisati |
Natty | | Undecided | Unassigned |
linux-ti-omap4 (Ubuntu) | | Undecided | Unassigned |
Dapper | | Undecided | Unassigned |
Hardy | | Undecided | Unassigned |
Karmic | | Undecided | Unassigned |
Lucid | | Undecided | Unassigned |
Maverick | | Undecided | Paolo Pisati |
Natty | | Undecided | Unassigned |
Bug Description
If a user manages to trigger an oops with fs set to KERNEL_DS, fs is not otherwise reset before do_exit(). do_exit may later (via mm_release in fork.c) do a put_user to a user-controlled address, potentially allowing a user to leverage an oops into a controlled write into kernel memory.

This is only triggerable in the presence of another bug, but this potentially turns a lot of DoS bugs into privilege escalations, so it's worth fixing. I have proof-of-concept code which uses this bug along with CVE-2010-3849 to write a zero to an arbitrary kernel address, so I've tested that this is not theoretical.

A more logical place to put this fix might be when we know an oops has occurred, before we call do_exit(), but that would involve changing every architecture, in multiple places. Let's just stick it in do_exit instead.
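To make the mechanism in the description concrete, here is an added user-space model (not kernel code and not part of this bug report) of the addr_limit check behind put_user(): it shows that a task exiting with fs still set to KERNEL_DS lets the clear_child_tid store in mm_release() pass access_ok() for a kernel address, and that resetting fs to USER_DS at the top of do_exit(), as the fix does, makes that store fail with -EFAULT. The address split, the function bodies and the sample address are assumptions of the model.

```c
/* Added example, not code from the kernel or from this bug: a user-space model
 * of the addr_limit ("fs") check behind put_user(), showing why the fix for
 * CVE-2010-4258 resets fs to USER_DS at the start of do_exit(). Names mirror
 * the kernel's; the bodies and the address layout are assumptions. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#define TASK_SIZE  0xC0000000u  /* assumed 32-bit split: user space below 3 GiB */
#define USER_DS    TASK_SIZE    /* get_fs() value for normal user-pointer checks */
#define KERNEL_DS  0xFFFFFFFFu  /* get_fs() value that lets kernel addresses pass */

struct task_model {
    uint32_t addr_limit;       /* what get_fs() returns for this task */
    uint32_t clear_child_tid;  /* user pointer registered via CLONE_CHILD_CLEARTID */
    int kernel_writes;         /* simulated stores that landed above TASK_SIZE */
};

static void set_fs(struct task_model *t, uint32_t ds) { t->addr_limit = ds; }

/* access_ok(): [addr, addr+len) must end at or below the current addr_limit. */
static bool access_ok(const struct task_model *t, uint32_t addr, size_t len) {
    return (uint64_t)addr + len <= (uint64_t)t->addr_limit;
}

/* put_user(): refuses the store with -EFAULT (-14) when access_ok() fails. */
static int put_user(struct task_model *t, uint32_t val, uint32_t addr) {
    if (!access_ok(t, addr, sizeof val))
        return -14;
    if (addr >= TASK_SIZE)
        t->kernel_writes++;    /* the store reached kernel memory in the model */
    return 0;
}

/* mm_release() -> clear_child_tid: stores 0 to the user-supplied TID address. */
static int mm_release(struct task_model *t) {
    return t->clear_child_tid ? put_user(t, 0, t->clear_child_tid) : 0;
}

/* do_exit() with and without the fix; reset_fs selects the patched behaviour. */
static int do_exit_model(struct task_model *t, bool reset_fs) {
    if (reset_fs)
        set_fs(t, USER_DS);    /* the fix: never run the exit path with KERNEL_DS */
    return mm_release(t);
}

/* The reported scenario: an oops left fs == KERNEL_DS while clear_child_tid
 * holds a kernel address (constructed). Returns how many stores hit the kernel. */
static int kernel_writes_on_exit(bool fixed) {
    struct task_model t = { KERNEL_DS, 0xC0123450u, 0 };
    do_exit_model(&t, fixed);
    return t.kernel_writes;
}
```

Without the reset the model records one store into kernel memory; with it, put_user() rejects the same address and nothing is written.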
security vulnerability: | no → yes |
description: | updated |
summary: |
- CVE-2010-4258 + lockdep warning in KSM |
Nelson Elhage (nelhage) wrote : | #2 |
If that title was intentional, I think you have the wrong CVE here -- CVE-2010-4258 is a bug in do_exit that has nothing to do with ksm or lockdep: see https:/
Nelson Elhage (nelhage) wrote : | #3 |
Interesting, the commit message quoted here is the commit immediately *before* the one that fixes CVE-2010-4258 (a0b0f58cdd32ab
Brad Figg (brad-figg) wrote : | #4 |
@nelson,
Thanks for the pointer, I'll look into it.
description: | updated |
Brad Figg (brad-figg) wrote : | #5 |
@nelson,
You saved my butt on that. I don't know how I got those commits crossed but it was all me, no tools involved.
Brad
Changed in linux (Ubuntu Natty): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Dapper): | |
assignee: | nobody → Brad Figg (brad-figg) |
status: | New → Fix Committed |
Changed in linux (Ubuntu Hardy): | |
assignee: | nobody → Brad Figg (brad-figg) |
status: | New → Fix Committed |
Changed in linux (Ubuntu Karmic): | |
assignee: | nobody → Brad Figg (brad-figg) |
status: | New → Fix Committed |
Changed in linux-mvl-dove (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-lts-backport-maverick (Ubuntu Natty): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Lucid): | |
status: | New → Confirmed |
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
status: | New → Confirmed |
Changed in linux-ti-omap4 (Ubuntu Natty): | |
status: | New → Confirmed |
Changed in linux-ti-omap4 (Ubuntu Dapper): | |
status: | New → Confirmed |
Changed in linux-ti-omap4 (Ubuntu Hardy): | |
status: | New → Confirmed |
Changed in linux-ti-omap4 (Ubuntu Karmic): | |
status: | New → Confirmed |
tags: | added: kernel-cve-tracking-bug |
Changed in linux-ti-omap4 (Ubuntu Dapper): | |
status: | Confirmed → Invalid |
Changed in linux-ti-omap4 (Ubuntu Hardy): | |
status: | Confirmed → Invalid |
Changed in linux-ti-omap4 (Ubuntu Karmic): | |
status: | Confirmed → Invalid |
Changed in linux-ti-omap4 (Ubuntu Lucid): | |
status: | Confirmed → Invalid |
Changed in linux-mvl-dove (Ubuntu Dapper): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Karmic): | |
status: | New → Invalid |
Changed in linux-mvl-dove (Ubuntu Lucid): | |
assignee: | nobody → Paolo Pisati (p-pisati) |
Changed in linux-mvl-dove (Ubuntu Maverick): | |
assignee: | nobody → Paolo Pisati (p-pisati) |
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
assignee: | nobody → Paolo Pisati (p-pisati) |
Paolo Pisati (p-pisati) wrote : | #6 |
maverick/ti-omap4: already fixed in 472dee75
natty/ti-omap4: already fixed in 33dd94ae
Changed in linux-ti-omap4 (Ubuntu Maverick): | |
status: | Confirmed → Fix Released |
Changed in linux-ti-omap4 (Ubuntu Natty): | |
status: | Confirmed → Fix Released |
Paolo Pisati (p-pisati) wrote : | #7 |
lucid/master: fixed in ca59f93c
maverick/master: fixed in 472dee75
Changed in linux (Ubuntu Lucid): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Maverick): | |
status: | New → Fix Released |
Changed in linux (Ubuntu Karmic): | |
status: | Fix Committed → Fix Released |
Launchpad Janitor (janitor) wrote : | #8 |
This bug was fixed in the package linux - 2.6.24-29.88
---------------
linux (2.6.24-29.88) hardy-proposed; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #736290
[Steve Conklin]
* Ubuntu-2.6.24-29.87
* [Config] Allow insertchanges to work in later version chroots
[Upstream Kernel Changes]
* do_exit(): make sure that we run with get_fs() == USER_DS,
CVE-2010-4258
- LP: #723945
- CVE-2010-4258
* Make the bulkstat_one compat ioctl handling more sane
- LP: #692848
* Fix xfs_bulkstat_one size checks & error handling
- LP: #692848
* xfs: always use iget in bulkstat
- LP: #692848
* x25: Prevent crashing when parsing bad X.25 facilities CVE-2010-4164
- LP: #731199
- CVE-2010-4164
* Revised [CVE-2010-4346 Hardy] install_
security_
- LP: #731971
- CVE-2010-4346
linux (2.6.24-29.87) hardy-proposed; urgency=low
[ Steve Conklin ]
* Release Tracking Bug
- LP: #725138
[Upstream Kernel Changes]
* bluetooth: Fix missing NULL check, CVE-2010-4242
- LP: #714846
- CVE-2010-4242
* NFS: fix the return value of nfs_file_fsync()
- LP: #585657
* bio: take care not overflow page count when mapping/copying user data,
CVE-2010-4162
- LP: #721441
- CVE-2010-4162
* filter: make sure filters dont read uninitialized memory
- LP: #721282
- CVE-2010-4158
* tty: Make tiocgicount a handler, CVE-2010-4076, CVE-2010-4077
- LP: #720189
- CVE-2010-4077
* block: check for proper length of iov entries earlier in
blk_
- LP: #721504
- CVE-2010-4163
-- Brad Figg <email address hidden> Wed, 16 Mar 2011 09:43:35 -0700
Changed in linux (Ubuntu Hardy): | |
status: | Fix Committed → Fix Released |
Changed in linux-mvl-dove (Ubuntu Lucid): | |
status: | New → In Progress |
Paolo Pisati (p-pisati) wrote : | #9 |
karmic is EOL
Changed in linux-fsl-imx51 (Ubuntu Dapper): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Hardy): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Maverick): | |
status: | New → Invalid |
Changed in linux-fsl-imx51 (Ubuntu Karmic): | |
status: | New → Won't Fix |
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
status: | New → In Progress |
Launchpad Janitor (janitor) wrote : | #10 |
This bug was fixed in the package linux-fsl-imx51 - 2.6.31-609.26
---------------
linux-fsl-imx51 (2.6.31-609.26) lucid; urgency=low
[ Paolo Pisati ]
* Tracking bug
- LP: #795219
* [Config] Disable parport_pc on fsl-imx51
- LP: #601226
[ Upstream Kernel Changes ]
* ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory
- LP: #712723, #712737
* can-bcm: fix minor heap overflow
- LP: #710680
* drivers/
- LP: #712744
* gdth: integer overflow in ioctl
- LP: #711797
* inet_diag: Make sure we actually run the same bytecode we audited, CVE-2010-3880
- LP: #711865
- CVE-2010-3880
* net: fix rds_iovec page count overflow, CVE-2010-3865
- LP: #709153
- CVE-2010-3865
* net: packet: fix information leak to userland, CVE-2010-3876
- LP: #711045
- CVE-2010-3876
* net: tipc: fix information leak to userland, CVE-2010-3877
- LP: #711291
- CVE-2010-3877
* net: Truncate recvfrom and sendto length to INT_MAX.
- LP: #708839
* posix-cpu-timers: workaround to suppress the problems with mt exec
- LP: #712609
* sys_semctl: fix kernel stack leakage
- LP: #712749
* x25: Patch to fix bug 15678 - x25 accesses fields beyond end of packet.
- LP: #709372
* memory corruption in X.25 facilities parsing
- LP: #709372
* net: ax25: fix information leak to userland, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* net: ax25: fix information leak to userland harder, CVE-2010-3875
- LP: #710714
- CVE-2010-3875
* fs/partitions/
- LP: #771382
- CVE-2011-1017
* net: clear heap allocations for privileged ethtool actions
- LP: #771445
* Prevent rt_sigqueueinfo and rt_tgsigqueueinfo from spoofing the signal code
- LP: #772543
* Relax si_code check in rt_sigqueueinfo and rt_tgsigqueueinfo
- LP: #772543
* exec: make argv/envp memory visible to oom-killer
- LP: #768408
* next_pidmap: fix overflow condition
- LP: #784727
* proc: do proper range check on readdir offset
- LP: #784727
* mpt2sas: prevent heap overflows and unchecked reads
- LP: #787145
* agp: fix arbitrary kernel memory writes
- LP: #788684
* can: add missing socket check in can/raw release
- LP: #788694
* agp: fix OOM and buffer overflow
- LP: #788700
* do_exit(): make sure that we run with get_fs() == USER_DS - CVE-2010-4258
- LP: #723945
- CVE-2010-4258
* x25: Prevent crashing when parsing bad X.25 facilities - CVE-2010-4164
- LP: #731199
- CVE-2010-4164
* install_
- LP: #731971
- CVE-2010-4346
* econet: Fix crash in aun_incoming() - CVE-2010-4342
- LP: #736394
- CVE-2010-4342
* sound: Prevent buffer overflow in OSS load_mixer_volumes - CVE-2010-4527
- LP: #737073
- CVE-2010-4527
* irda: prevent integer underflow in IRLMP_ENUMDEVICES, CVE-2010-4529
- LP: #737823
- CVE-2010-4529
* CAN: Use inode instead of kernel address for /proc file - CVE-2010-4565
- LP: #765007...
Changed in linux-fsl-imx51 (Ubuntu Lucid): | |
status: | In Progress → Fix Released |
Changed in linux-lts-backport-maverick (Ubuntu Dapper): | |
status: | New → Won't Fix |
Changed in linux-lts-backport-maverick (Ubuntu Karmic): | |
status: | New → Won't Fix |
Changed in linux (Ubuntu Dapper): | |
status: | Fix Committed → Won't Fix |
Changed in linux-lts-backport-maverick (Ubuntu Hardy): | |
status: | New → Won't Fix |
Changed in linux-mvl-dove (Ubuntu Maverick): | |
status: | New → Won't Fix |
Changed in linux-lts-backport-maverick (Ubuntu Lucid): | |
status: | New → Won't Fix |
Changed in linux-lts-backport-maverick (Ubuntu Maverick): | |
status: | New → Won't Fix |
Rolf Leggewie (r0lf) wrote : | #11 |
lucid has seen the end of its life and is no longer receiving any updates. Marking the lucid task for this ticket as "Won't Fix".
Changed in linux-mvl-dove (Ubuntu Lucid): | |
status: | In Progress → Won't Fix |
@nelson,
Do not change the title on any of the CVE tracking bugs.
Thanks