mlock on stack will create guard page gap
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | | Undecided | Unassigned |
linux (Ubuntu Dapper) | | Undecided | Unassigned |
linux (Ubuntu Hardy) | | Undecided | Unassigned |
linux (Ubuntu Jaunty) | | Undecided | Unassigned |
linux (Ubuntu Karmic) | | Undecided | Unassigned |
linux (Ubuntu Lucid) | | Undecided | Unassigned |
linux (Ubuntu Maverick) | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu) | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu Dapper) | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu Hardy) | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu Jaunty) | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu Karmic) | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu Lucid) | | Undecided | Unassigned |
linux-mvl-dove (Ubuntu Maverick) | | Undecided | Unassigned |
Bug Description
Calling mlock on a portion of the stack will cause the kernel to incorrectly show a gap in /proc/$pid/maps between the old stack and the mlock region. This can confuse applications.
CVE References
- CVE-2009-4895
- CVE-2010-0435
- CVE-2010-2066
- CVE-2010-2226
- CVE-2010-2248
- CVE-2010-2478
- CVE-2010-2495
- CVE-2010-2521
- CVE-2010-2524
- CVE-2010-2798
- CVE-2010-2942
- CVE-2010-2943
- CVE-2010-2946
- CVE-2010-2954
- CVE-2010-2955
- CVE-2010-2960
- CVE-2010-2962
- CVE-2010-2963
- CVE-2010-3015
- CVE-2010-3067
- CVE-2010-3078
- CVE-2010-3080
- CVE-2010-3081
- CVE-2010-3084
- CVE-2010-3301
- CVE-2010-3310
- CVE-2010-3432
- CVE-2010-3437
- CVE-2010-3442
- CVE-2010-3477
- CVE-2010-3705
- CVE-2010-3848
- CVE-2010-3849
- CVE-2010-3850
- CVE-2010-3861
- CVE-2010-3865
- CVE-2010-3875
- CVE-2010-3876
- CVE-2010-3877
- CVE-2010-3880
- CVE-2010-3904
- CVE-2010-4072
- CVE-2010-4073
- CVE-2010-4076
- CVE-2010-4077
- CVE-2010-4158
- CVE-2010-4163
- CVE-2010-4165
- CVE-2010-4169
- CVE-2010-4175
Stefan Bader (smb) wrote (#2):
This should be fixed in Hardy. Those changes were part of the emergency fix to unbreak Xen.
Changed in linux (Ubuntu Hardy): status: New → Fix Released
Launchpad Janitor (janitor) wrote (#3):
This bug was fixed in the package linux - 2.6.32-25.45
---------------
linux (2.6.32-25.45) lucid-security; urgency=low
[ Upstream Kernel Changes ]
* v4l: disable dangerous buggy compat function
- CVE-2010-2963
* Local privilege escalation vulnerability in RDS sockets
- CVE-2010-3904
* mm: (pre-stable) Move vma_stack_continue into mm.h
- LP: #646114
* net sched: fix some kernel memory leaks
- CVE-2010-2942
* irda: Correctly clean up self->ias_obj on irda_bind() failure.
- CVE-2010-2954
* wireless extensions: fix kernel heap content leak
- CVE-2010-2955
* KEYS: Fix RCU no-lock warning in keyctl_
- CVE-2010-2960
* KEYS: Fix bug in keyctl_
keyring
- CVE-2010-2960
* aio: check for multiplication overflow in do_io_submit
- CVE-2010-3067
* xfs: prevent reading uninitialized stack memory
- CVE-2010-3078
* ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
- CVE-2010-3080
* niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
- CVE-2010-3084
* rose: Fix signedness issues wrt. digi count.
- CVE-2010-3310
* sctp: Do not reset the packet during sctp_packet_
- CVE-2010-3432
* Fix pktcdvd ioctl dev_minor range check
- CVE-2010-3437
* ALSA: prevent heap corruption in snd_ctl_new()
- CVE-2010-3442
* net sched: fix kernel leak in act_police
- CVE-2010-3477
* Fix out-of-bounds reading in sctp_asoc_
- CVE-2010-3705
* ocfs2: Don't walk off the end of fast symlinks.
- CVE-2010-NNN2
-- Steve Conklin <email address hidden> Wed, 06 Oct 2010 16:16:20 +0100
Launchpad Janitor (janitor) wrote (#4):
This bug was fixed in the package linux - 2.6.31-22.67
---------------
linux (2.6.31-22.67) karmic-security; urgency=low
[ Upstream Kernel Changes ]
* Local privilege escalation vulnerability in RDS sockets
- CVE-2010-3904
* v4l: disable dangerous buggy compat function
- CVE-2010-2963
* mm: Do not assume ENOMEM when looking at a split stack vma
- LP: #646114
* mm: Use helper to find real vma with stack guard page
- LP: #646114
* Fix race in tty_fasync() properly
- CVE-2009-4895
* ext4: Make sure the MOVE_EXT ioctl can't overwrite append-only files
- CVE-2010-2066
* xfs: prevent swapext from operating on write-only files
- CVE-2010-2226
* cifs: Fix a kernel BUG with remote OS/2 server (try #3)
- CVE-2010-2248
* ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH
- CVE-2010-2478
* l2tp: Fix oops in pppol2tp_xmit
- CVE-2010-2495
* nfsd4: bug in read_buf
- CVE-2010-2521
* CIFS: Fix a malicious redirect problem in the DNS lookup code
- CVE-2010-2524
* GFS2: rename causes kernel Oops
- CVE-2010-2798
* net sched: fix some kernel memory leaks
- CVE-2010-2942
* jfs: don't allow os2 xattr namespace overlap with others
- CVE-2010-2946
* irda: Correctly clean up self->ias_obj on irda_bind() failure.
- CVE-2010-2954
* wireless extensions: fix kernel heap content leak
- CVE-2010-2955
* ext4: consolidate in_range() definitions
- CVE-2010-3015
* aio: check for multiplication overflow in do_io_submit
- CVE-2010-3067
* xfs: prevent reading uninitialized stack memory
- CVE-2010-3078
* ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
- CVE-2010-3080
* niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL
- CVE-2010-3084
* rose: Fix signedness issues wrt. digi count.
- CVE-2010-3310
* sctp: Do not reset the packet during sctp_packet_
- CVE-2010-3432
* Fix pktcdvd ioctl dev_minor range check
- CVE-2010-3437
* ALSA: prevent heap corruption in snd_ctl_new()
- CVE-2010-3442
* net sched: fix kernel leak in act_police
- CVE-2010-3477
* Fix out-of-bounds reading in sctp_asoc_
- CVE-2010-3705
* ocfs2: Don't walk off the end of fast symlinks.
- CVE-2010-NNN2
-- Steve Conklin <email address hidden> Wed, 06 Oct 2010 16:05:21 +0100
Launchpad Janitor (janitor) wrote (#5):
This bug was fixed in the package linux - 2.6.28-19.66
---------------
linux (2.6.28-19.66) jaunty-security; urgency=low
[ Stefan Bader ]
* Revert "SAUCE: (no-up) Modularize vesafb -- fix initialization"
* mm: Use helper to find real vma with stack guard page
- LP: #646114
* mm: Do not assume ENOMEM when looking at a split stack vma
- LP: #646114
[ Upstream Kernel Changes ]
* x86-64, compat: Test %rax for the syscall number, not %eax
- CVE-2010-3301
* x86-64, compat: Retruncate rax after ia32 syscall entry tracing
- CVE-2010-3301
* compat: Make compat_
- CVE-2010-3081
* Fix race in tty_fasync() properly
- CVE-2009-4895
* xfs: prevent swapext from operating on write-only files
- CVE-2010-2226
* cifs: Fix a kernel BUG with remote OS/2 server (try #3)
- CVE-2010-2248
* nfsd4: bug in read_buf
- CVE-2010-2521
* GFS2: rename causes kernel Oops
- CVE-2010-2798
* net sched: fix some kernel memory leaks
- CVE-2010-2942
* jfs: don't allow os2 xattr namespace overlap with others
- CVE-2010-2946
* irda: Correctly clean up self->ias_obj on irda_bind() failure.
- CVE-2010-2954
* wireless extensions: fix kernel heap content leak
- CVE-2010-2955
* ext4: consolidate in_range() definitions
- CVE-2010-3015
* aio: check for multiplication overflow in do_io_submit
- CVE-2010-3067
* xfs: prevent reading uninitialized stack memory
- CVE-2010-3078
* ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open()
- CVE-2010-3080
* rose: Fix signedness issues wrt. digi count.
- CVE-2010-3310
* sctp: Do not reset the packet during sctp_packet_
- CVE-2010-3432
* Fix pktcdvd ioctl dev_minor range check
- CVE-2010-3437
* ALSA: prevent heap corruption in snd_ctl_new()
- CVE-2010-3442
* net sched: fix kernel leak in act_police
- CVE-2010-3477
* Fix out-of-bounds reading in sctp_asoc_
- CVE-2010-3705
* v4l: disable dangerous buggy compat function
-- Steve Conklin <email address hidden> Fri, 15 Oct 2010 16:26:53 -0500
Changed in linux (Ubuntu Jaunty): status: New → Fix Released
Changed in linux (Ubuntu Karmic): status: New → Fix Released
Changed in linux (Ubuntu Lucid): status: New → Fix Released
Changed in linux-mvl-dove (Ubuntu): status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Dapper): status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Hardy): status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Jaunty): status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Karmic): status: New → Invalid
Launchpad Janitor (janitor) wrote (#6):
This bug was fixed in the package linux-mvl-dove - 2.6.32-216.33
---------------
linux-mvl-dove (2.6.32-216.33) lucid-proposed; urgency=low
[ Ubuntu: 2.6.32-31.60 ]
* Release Tracking Bug
- LP: #734950
* SAUCE: Clear new_profile in error path
- LP: #732700
* [Config] CONFIG_
- LP: #733191
* Revert "drm/radeon/bo: add some fallback placements for VRAM only
objects."
- LP: #652934
* drm/radeon: fall back to GTT if bo creation/validation in VRAM fails.
- LP: #652934
* drm/radeon/kms: Fix retrying ttm_bo_init() after it failed once.
- LP: #652934
* xfs: always use iget in bulkstat
- LP: #692848
* drm/radeon/kms: make the mac rv630 quirk generic
- LP: #728687
* drm/radeon/kms: add pll debugging output
- LP: #728687
* drm/radeon: remove 0x4243 pci id
- LP: #728687
* drm/radeon/kms: fix s/r issues with bios scratch regs
- LP: #728687
* drm/i915/lvds: Add AOpen i915GMm-HFS to the list of false-positive LVDS
- LP: #728687
* drm/i915: Add dependency on CONFIG_TMPFS
- LP: #728687
* Linux 2.6.32.29+drm33.14
- LP: #728687
* NFSD: memory corruption due to writing beyond the stat array
- LP: #728687
* mptfusion: mptctl_release is required in mptctl.c
- LP: #728687
* mptfusion: Fix Incorrect return value in mptscsih_dev_reset
- LP: #728687
* ocfs2_connectio
- LP: #728687
* x25: decrement netdev reference counts on unload
- LP: #728687
* x86, hpet: Disable per-cpu hpet timer if ARAT is supported
- LP: #728687
* OHCI: work around for nVidia shutdown problem
- LP: #728687
* x86/pvclock: Zero last_value on resume
- LP: #728687
* av7110: check for negative array offset
- LP: #728687
* CRED: Fix get_task_cred() and task_state() to not resurrect dead
credentials
- LP: #728687
* bonding/vlan: Avoid mangled NAs on slaves without VLAN tag insertion
- LP: #728687
* CRED: Fix kernel panic upon security_
- LP: #728687
* CRED: Fix BUG() upon security_
- LP: #728687
* CRED: Fix memory and refcount leaks upon security_
failure
- LP: #728687
* sendfile(): check f_op.splice_write() rather than f_op.sendpage()
- LP: #728687
* isdn: hisax: Replace the bogus access to irq stats
- LP: #728687
* ixgbe: add support for 82599 based Express Module X520-P2
- LP: #728687
* ixgbe: prevent speculative processing of descriptors before ready
- LP: #728687
* scsi_dh_alua: add netapp to dev list
- LP: #728687
* scsi_dh_alua: Add IBM Power Virtual SCSI ALUA device to dev list
- LP: #728687
* dm raid1: fail writes if errors are not handled and log fails
- LP: #728687
* GFS2: Fix bmap allocation corner-case bug
- LP: #728687
* dm raid1: fix null pointer dereference in suspend
- LP: #728687
* sunrpc/cache: fix module refcnt leak in a failure path
- LP: #728687
* be2net: Maintain tx and rx counters in driver
- LP: #728687
* tcp: Make TCP_MAXSEG minimum more correct.
- LP: #728687
* nfsd: correctly handle return value from ...
Changed in linux-mvl-dove (Ubuntu Lucid): status: New → Fix Released
Changed in linux-mvl-dove (Ubuntu Maverick): status: New → Fix Released
Julian Wiedmann (jwiedmann) wrote (#7):
Dapper reached EOL a long while ago.
Changed in linux (Ubuntu Dapper): status: New → Invalid
Test-case: http://bazaar.launchpad.net/~ubuntu-bugcontrol/qa-regression-testing/master/annotate/head%3A/scripts/kernel/guard-page/split-stack.c
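The bug description and the linked split-stack.c test come down to one observable: after mlock() splits the stack VMA, the pieces listed in /proc/self/maps should still abut. The C program below is an added example written for this page; it is not Ubuntu's split-stack.c and not kernel code, and the struct and function names are my own. It records the [stack] range, locks one page of its own stack frame, re-reads /proc/self/maps, and checks that the mappings covering the original range tile it with no hole. A result of 0 is the symptom reported in this bug; -1 means the probe could not run (no /proc, no [stack] line, the frame is not on the main-thread stack, or mlock refused because of RLIMIT_MEMLOCK).

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/mman.h>

/* One "start-end" range parsed from a /proc/self/maps line (my own type). */
struct vma {
    uintptr_t start;
    uintptr_t end;
};

/* Parse the address range at the head of a maps line.
 * Returns 1 on success, 0 if the line does not start with "hex-hex". */
int parse_maps_line(const char *line, struct vma *out)
{
    unsigned long s, e;
    if (sscanf(line, "%lx-%lx", &s, &e) != 2 || s >= e)
        return 0;
    out->start = (uintptr_t)s;
    out->end = (uintptr_t)e;
    return 1;
}

/* Given mappings in ascending address order (as /proc prints them), decide
 * whether the ones overlapping [lo, hi) tile it without holes.
 * Returns 1 if contiguous, 0 on a gap or if the range is not fully covered. */
int pieces_are_contiguous(const struct vma *v, int n, uintptr_t lo, uintptr_t hi)
{
    uintptr_t expect = lo;            /* next piece must start here or lower */
    int covered = 0;
    for (int i = 0; i < n; i++) {
        if (v[i].end <= lo || v[i].start >= hi)
            continue;                 /* not part of the stack range */
        if (v[i].start > expect)
            return 0;                 /* hole before this piece: the bug */
        expect = v[i].end;
        covered = 1;
    }
    return covered && expect >= hi;
}

/* Read /proc/self/maps into v (at most max entries).  Returns the count or
 * -1 if /proc is unavailable.  If label is given, *labelled gets the index
 * of the first line containing it, or -1 if none does. */
static int read_maps(struct vma *v, int max, const char *label, int *labelled)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    int n = 0;
    if (!f)
        return -1;
    if (labelled)
        *labelled = -1;
    while (n < max && fgets(line, sizeof line, f)) {
        if (!parse_maps_line(line, &v[n]))
            continue;
        if (label && labelled && *labelled < 0 && strstr(line, label))
            *labelled = n;
        n++;
    }
    fclose(f);
    return n;
}

/* Lock one page of the current stack frame, re-read the maps, and check that
 * the mappings covering the original [stack] range are still gapless.
 * Returns 1 (no gap), 0 (gap seen: the symptom in this bug), or -1 if the
 * probe could not run (no /proc, no [stack] line, frame not on the
 * main-thread stack, or mlock refused, e.g. RLIMIT_MEMLOCK of 0). */
int probe_stack_mlock_gap(void)
{
    struct vma maps[1024], stack;
    volatile char frame[64];          /* something that lives on this stack */
    long page = sysconf(_SC_PAGESIZE);
    int n, idx, rc;

    frame[0] = 0;
    if (page <= 0)
        return -1;
    n = read_maps(maps, 1024, "[stack]", &idx);
    if (n < 0 || idx < 0)
        return -1;
    stack = maps[idx];

    uintptr_t pg = (uintptr_t)&frame[0] & ~((uintptr_t)page - 1);
    if (pg < stack.start || pg + (uintptr_t)page > stack.end)
        return -1;                    /* called from a thread, not main */
    if (mlock((void *)pg, (size_t)page) != 0)
        return -1;

    n = read_maps(maps, 1024, NULL, NULL);
    rc = (n < 0) ? -1 : pieces_are_contiguous(maps, n, stack.start, stack.end);
    munlock((void *)pg, (size_t)page);
    return rc;
}

int main(void)
{
    int rc = probe_stack_mlock_gap();
    if (rc == 1)
        puts("mlock on the stack: no gap in /proc/self/maps");
    else if (rc == 0)
        puts("mlock on the stack: GAP in /proc/self/maps (bug present)");
    else
        puts("probe could not run (no /proc, or mlock refused)");
    return rc == 1 ? 0 : 1;
}
```

Build with `gcc -Wall -O2 probe.c -o probe` and run it as an ordinary user; a fixed kernel exits 0. The check is deliberately written against the original [stack] range rather than against the `[stack]` label after the split, because only the piece that still contains the process's start_stack keeps that label; the other pieces show up as unnamed anonymous mappings, and a gap between them is exactly what the reporter saw.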