CVE-2011-1581

Bug #792312 reported by Andy Whitcroft
258
This bug affects 1 person
Affects Status Importance Assigned to Milestone
linux (Ubuntu)
Fix Released
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Fix Released
Medium
Andy Whitcroft
Oneiric
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned
linux-ec2 (Ubuntu)
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Invalid
Medium
Unassigned
Oneiric
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
linux-fsl-imx51 (Ubuntu)
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Invalid
Medium
Unassigned
Oneiric
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
linux-lts-backport-maverick (Ubuntu)
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Invalid
Medium
Unassigned
Oneiric
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
linux-lts-backport-natty (Ubuntu)
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Fix Released
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Invalid
Medium
Unassigned
Oneiric
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
linux-lts-backport-oneiric (Ubuntu)
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Invalid
Medium
Unassigned
Oneiric
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
linux-mvl-dove (Ubuntu)
Invalid
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Invalid
Medium
Unassigned
Oneiric
Invalid
Medium
Unassigned
Precise
Invalid
Medium
Unassigned
linux-ti-omap4 (Ubuntu)
Fix Released
Medium
Unassigned
Hardy
Invalid
Medium
Unassigned
Lucid
Invalid
Medium
Unassigned
Maverick
Invalid
Medium
Unassigned
Natty
Fix Released
Medium
Unassigned
Oneiric
Fix Released
Medium
Unassigned
Precise
Fix Released
Medium
Unassigned

Bug Description

The bond_select_queue function in drivers/net/bonding/bond_main.c in the Linux kernel before 2.6.39, when a network device with a large number of receive queues is installed but the default tx_queues setting is used, does not properly restrict queue indexes, which allows remote attackers to cause a denial of service (BUG and system crash) or possibly have unspecified other impact by sending network traffic.

Break-Fix: - fd0e435b0fe85622f167b84432552885a4856ac8

Andy Whitcroft (apw)
tags: added: kernel-cve-tracking-bug
security vulnerability: no → yes
description: updated
Andy Whitcroft (apw)
Changed in linux (Ubuntu Hardy):
status: New → Invalid
Changed in linux (Ubuntu Lucid):
status: New → Invalid
Changed in linux (Ubuntu Maverick):
status: New → Invalid
Changed in linux (Ubuntu Oneiric):
status: New → Fix Released
Changed in linux (Ubuntu Natty):
assignee: nobody → Andy Whitcroft (apw)
status: New → In Progress
Changed in linux-mvl-dove (Ubuntu Hardy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Maverick):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Natty):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Natty):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Oneiric):
status: New → Invalid
Revision history for this message
Andy Whitcroft (apw) wrote :

Fixed in mainline v2.6.39, introduced in v2.6.36-rc1. Therefore Oneiric is fixed; Hardy, Lucid, and Maverick are not affected, Natty needs this fix. For ARM fsl-imx51 and mvl-dove are not affected.

Changed in linux-lts-backport-maverick (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
status: New → Invalid
Revision history for this message
Andy Whitcroft (apw) wrote :

Maverick is unaffected therefore the lts-backport is unaffected.

Changed in linux-ti-omap4 (Ubuntu Hardy):
status: New → Incomplete
status: Incomplete → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Natty):
status: New → Confirmed
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: New → Confirmed
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Natty):
status: In Progress → Fix Committed
Changed in linux-ti-omap4 (Ubuntu Natty):
status: Confirmed → Fix Committed
Kees Cook (kees)
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: Confirmed → Fix Committed
description: updated
Kees Cook (kees)
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Hardy):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Maverick):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Natty):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Lucid):
status: New → Fix Committed
Changed in linux-lts-backport-natty (Ubuntu Oneiric):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Hardy):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Maverick):
status: New → Invalid
Changed in linux-lts-backport-natty (Ubuntu Natty):
status: New → Invalid
description: updated
Kees Cook (kees)
Changed in linux-ec2 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in linux-ec2 (Ubuntu Natty):
importance: Undecided → Medium
Changed in linux-lts-backport-natty (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-lts-backport-natty (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in linux-lts-backport-natty (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux-lts-backport-natty (Ubuntu Maverick):
importance: Undecided → Medium
Changed in linux-lts-backport-natty (Ubuntu Natty):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Maverick):
importance: Undecided → Medium
Changed in linux-mvl-dove (Ubuntu Natty):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Maverick):
importance: Undecided → Medium
Changed in linux-lts-backport-maverick (Ubuntu Natty):
importance: Undecided → Medium
Changed in linux (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in linux (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux (Ubuntu Maverick):
importance: Undecided → Medium
Changed in linux (Ubuntu Natty):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Natty):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Lucid):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Oneiric):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Hardy):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Maverick):
importance: Undecided → Medium
Changed in linux-fsl-imx51 (Ubuntu Natty):
importance: Undecided → Medium
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (13.4 KiB)

This bug was fixed in the package linux - 2.6.38-11.48

---------------
linux (2.6.38-11.48) natty-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #818175

  [ Upstream Kernel Changes ]

  * Revert "HID: magicmouse: ignore 'ivalid report id' while switching
    modes"
    - LP: #814250

linux (2.6.38-11.47) natty-proposed; urgency=low

  [Steve Conklin]

  * Release Tracking Bug
    - LP: #811180

  [ Keng-Yu Lin ]

  * SAUCE: Revert: "dell-laptop: Toggle the unsupported hardware
    killswitch"
    - LP: #775281

  [ Ming Lei ]

  * SAUCE: fix yama_ptracer_del lockdep warning
    - LP: #791019

  [ Stefan Bader ]

  * SAUCE: Re-enable RODATA for i386 virtual
    - LP: #809838

  [ Tim Gardner ]

  * [Config] Add grub-efi as a recommended bootloader for server and
    generic
    - LP: #800910
  * SAUCE: rtl8192se: Force a build for a 2.6/3.0 kernel
    - LP: #805494

  [ Upstream Kernel Changes ]

  * Revert "bridge: Forward reserved group addresses if !STP"
    - LP: #793702
  * Fix up ABI directory
  * bonding: Incorrect TX queue offset, CVE-2011-1581
    - LP: #792312
    - CVE-2011-1581
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * usbnet/cdc_ncm: add missing .reset_resume hook
    - LP: #793892
  * ath5k: Disable fast channel switching by default
    - LP: #767192
  * mm: vmscan: correctly check if reclaimer should schedule during
    shrink_slab
    - LP: #755066
  * mm: vmscan: correct use of pgdat_balanced in sleeping_prematurely
    - LP: #755066
  * ALSA: hda - Use LPIB for ATI/AMD chipsets as default
    - LP: #741825
  * ALSA: hda - Enable snoop bit for AMD controllers
    - LP: #741825
  * ALSA: hda - Enable sync_write workaround for AMD generically
    - LP: #741825
  * cpuidle: menu: fixed wrapping timers at 4.294 seconds
    - LP: #774947
  * drm/i915: Fix gen6 (SNB) missed BLT ring interrupts.
    - LP: #761065
  * USB: ehci: remove structure packing from ehci_def
    - LP: #791552
  * drm/i915: disable PCH ports if needed when disabling a CRTC
    - LP: #791752
  * kmemleak: Do not return a pointer to an object that kmemleak did not
    get
    - LP: #793702
  * kmemleak: Initialise kmemleak after debug_objects_mem_init()
    - LP: #793702
  * Fix _OSC UUID in pcc-cpufreq
    - LP: #793702
  * CPU hotplug, re-create sysfs directory and symlinks
    - LP: #793702
  * Fix memory leak in cpufreq_stat
    - LP: #793702
  * net: recvmmsg: Strip MSG_WAITFORONE when calling recvmsg
    - LP: #793702
  * ftrace: Only update the function code on write to filter files
    - LP: #793702
  * qla2xxx: Fix hang during driver unload when vport is active.
    - LP: #793702
  * qla2xxx: Fix virtual port failing to login after chip reset.
    - LP: #793702
  * qla2xxx: Fix vport delete hang when logins are outstanding.
    - LP: #793702
  * powerpc/kdump64: Don't reference freed memory as pacas
    - LP: #793702
  * powerpc/kexec: Fix memory corruption from unallocated slaves
    - LP: #793702
  * x86, cpufeature: Fix cpuid leaf 7 feature detection
    - LP: #793702
  * ath9k_hw: do noise floor calibration only on required chain...

Changed in linux (Ubuntu Natty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (38.0 KiB)

This bug was fixed in the package linux-ti-omap4 - 2.6.38-1209.15

---------------
linux-ti-omap4 (2.6.38-1209.15) natty-proposed; urgency=low

  * Release tracking bug
    - LP: #837761

  [ Paolo Pisati ]

  * [Config] Turn on CONFIG_USER_NS and DEVPTS_MULTIPLE_INSTANCES.
    - LP: #787749

  [ Tim Gardner ]

  * [Config] Add enic/fnic to nic-modules udeb, CVE-2011-1020
    - LP: #801610

  [ Upstream Kernel Changes ]

  * mpt2sas: prevent heap overflows and unchecked reads
    - LP: #780546
  * agp: fix arbitrary kernel memory writes
    - LP: #775809
  * can: add missing socket check in can/raw release
    - LP: #780546
  * agp: fix OOM and buffer overflow
    - LP: #775809
  * bonding: Incorrect TX queue offset, CVE-2011-1581
    - LP: #792312
    - CVE-2011-1581
  * fs/partitions/efi.c: corrupted GUID partition tables can cause kernel
    oops
    - LP: #795418
    - CVE-2011-1577
  * can: Add missing socket check in can/bcm release.
    - LP: #796502
    - CVE-2011-1598
  * USB: ehci: remove structure packing from ehci_def
    - LP: #791552
  * taskstats: don't allow duplicate entries in listener mode,
    CVE-2011-2484
    - LP: #806390
    - CVE-2011-2484
  * ext4: init timer earlier to avoid a kernel panic in __save_error_info,
    CVE-2011-2493
    - LP: #806929
    - CVE-2011-2493
  * dccp: handle invalid feature options length, CVE-2011-1770
    - LP: #806375
    - CVE-2011-1770
  * pagemap: close races with suid execve, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * report errors in /proc/*/*map* sanely, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * close race in /proc/*/environ, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * auxv: require the target to be tracable (or yourself), CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * deal with races in /proc/*/{syscall, stack, personality}, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
    - LP: #816550
    - CVE-2011-1493
  * GFS2: make sure fallocate bytes is a multiple of blksize, CVE-2011-2689
    - LP: #819572
    - CVE-2011-2689
  * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
    - LP: #819569
    - CVE-2011-2492
  * Add mount option to check uid of device being mounted = expect uid,
    CVE-2011-1833
    - LP: #732628
    - CVE-2011-1833
  * ipv6: make fragment identifications less predictable, CVE-2011-2699
    - LP: #827685
    - CVE-2011-2699
  * perf: Fix software event overflow, CVE-2011-2918
    - LP: #834121
    - CVE-2011-2918
  * proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020

linux-ti-omap4 (2.6.38-1209.13) natty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #772381

  [ Brad Figg ]

  * Ubuntu-2.6.38-9.43

  [ Bryan Wu ]

  * merge Ubuntu-2.6.38-9.43
  * cherry-pick 6 patches from u2 of 'for-ubuntu' branch
  * [Config] Sync up configs for 2.6.38.4

  [ Herton Ronaldo Krzesinski ]

  * SAUCE: Revert "x86, hibernate: Initialize mmu_cr4_features during boot"
    - LP: #764758

  [ Leann Ogasawara ]

  * [Config] updateconfigs for 2.6.38.4

  [ Paolo Pisati ]

  * [Conf...

Changed in linux-ti-omap4 (Ubuntu Natty):
status: Fix Committed → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :
Download full text (16.5 KiB)

This bug was fixed in the package linux-lts-backport-natty - 2.6.38-11.50~lucid1

---------------
linux-lts-backport-natty (2.6.38-11.50~lucid1) lucid-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #848588

  [ Upstream Kernel Changes ]

  * Revert "eCryptfs: Handle failed metadata read in lookup"
  * Revert "KVM: fix kvmclock regression due to missing clock update"
  * Revert "ath9k: use split rx buffers to get rid of order-1 skb
    allocations"

linux (2.6.38-11.49) natty-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #836903

  [ Adam Jackson ]

  * SAUCE: drm/i915/pch: Fix integer math bugs in panel fitting
    - LP: #753994

  [ Keng-Yu Lin ]

  * SAUCE: Input: ALPS - Enable Intellimouse mode for Lenovo Zhaoyang E47
    - LP: #632884, #803005

  [ Stefan Bader ]

  * [Config] Force perf to use libiberty for demangling
    - LP: #783660

  [ Tim Gardner ]

  * [Config] Add enic/fnic to udebs
    - LP: #801610

  [ Upstream Kernel Changes ]

  * eeepc-wmi: add keys found on EeePC 1215T
    - LP: #812644
  * eCryptfs: Handle failed metadata read in lookup
    - LP: #509180
  * pagemap: close races with suid execve, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * report errors in /proc/*/*map* sanely, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * close race in /proc/*/environ, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * auxv: require the target to be tracable (or yourself), CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * deal with races in /proc/*/{syscall, stack, personality}, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * vmscan: fix a livelock in kswapd
    - LP: #813797
  * mmc: Add PCI fixup quirks for Ricoh 1180:e823 reader
    - LP: #773524
  * mmc: Added quirks for Ricoh 1180:e823 lower base clock frequency
    - LP: #773524
  * rose: Add length checks to CALL_REQUEST parsing, CVE-2011-1493
    - LP: #816550
    - CVE-2011-1493
  * pata_marvell: Add support for 88SE91A0, 88SE91A4
    - LP: #777325
  * GFS2: make sure fallocate bytes is a multiple of blksize, CVE-2011-2689
    - LP: #819572
    - CVE-2011-2689
  * Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace.
    - LP: #819569
    - CVE-2011-2492
  * drm/nv50-nvc0: work around an evo channel hang that some people see
    - LP: #583760
  * KVM: fix kvmclock regression due to missing clock update
    - LP: #795717
  * Add mount option to check uid of device being mounted = expect uid,
    CVE-2011-1833
    - LP: #732628
    - CVE-2011-1833
  * proc: fix oops on invalid /proc/<pid>/maps access, CVE-2011-1020
    - LP: #813026
    - CVE-2011-1020
  * ipv6: make fragment identifications less predictable, CVE-2011-2699
    - LP: #827685
    - CVE-2011-2699
  * ath9k: use split rx buffers to get rid of order-1 skb allocations
    - LP: #728835
  * perf: Fix software event overflow, CVE-2011-2918
    - LP: #834121
    - CVE-2011-2918

linux (2.6.38-11.48) natty-proposed; urgency=low

  [Herton R. Krzesinski]

  * Release Tracking Bug
    - LP: #818175

  [ Upstream Kernel Changes ]

  * Revert "HID: magicmouse: ignore 'ivalid report id' while switching
   ...

Changed in linux-lts-backport-natty (Ubuntu Lucid):
status: Fix Committed → Fix Released
Changed in linux-lts-backport-oneiric (Ubuntu Oneiric):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-backport-oneiric (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-backport-oneiric (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-backport-oneiric (Ubuntu Hardy):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-backport-oneiric (Ubuntu Maverick):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-backport-oneiric (Ubuntu Natty):
status: New → Invalid
importance: Undecided → Medium
Paolo Pisati (p-pisati)
Changed in linux-ti-omap4 (Ubuntu Oneiric):
status: Fix Committed → Fix Released
Changed in linux-ti-omap4 (Ubuntu Precise):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.