s390/mm: four page table levels vs. fork
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
linux (Ubuntu) | Fix Released | Medium | Tim Gardner |
Xenial | Fix Released | Medium | Tim Gardner |
linux-armadaxp (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-flo (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-goldfish (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-quantal (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-raring (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-saucy (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-trusty (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-utopic (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-vivid (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-wily (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-lts-xenial (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Fix Released | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-mako (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-manta (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-raspi2 (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-snapdragon (Ubuntu) | Invalid | Undecided | Unassigned |
Xenial | Invalid | Medium | Unassigned |
linux-ti-omap4 (Ubuntu) | | | |
Precise | Invalid | Medium | Unassigned |
Trusty | Invalid | Medium | Unassigned |
Wily | Invalid | Medium | Unassigned |
Xenial | Invalid | Medium | Unassigned |
Bug Description
== Comment: #0 - Hendrik Brueckner <email address hidden> - 2016-03-11 08:30:57 ==
Please backport:

s390/mm: four page table levels vs. fork

The fork of a process with four page table levels is broken since
git commit 6252d702c5311ce9 "[S390] dynamic page tables."

All new mm contexts are created with three page table levels and
an asce limit of 4TB. If the parent has four levels dup_mmap will
add vmas to the new context which are outside of the asce limit.
The subsequent call to copy_page_range will walk the three level
page table structure of the new process with non-zero pgd and pud
indexes. This leads to memory clobbers as the pgd_index *and* the
pud_index is added to the mm->pgd pointer without a pgd_deref
in between.

The init_new_context() function is selecting the number of page
table levels for a new context. The function is used by mm_init()
which in turn is called by dup_mm() and mm_alloc(). These two are
used by fork() and exec(). The init_new_context() function can
distinguish the two cases by looking at mm->context.
for fork() the mm struct has been copied and the number of page
table levels may not change. For exec() the mm_alloc() function
set the new mm structure to zero, in this case a three-level page
table is created as the temporary stack space is located at
STACK_TOP_MAX = 4TB.

This fixes CVE-2016-2143.

Reported-by: Marcin Kościelnicki <koriakin@0x04.net>
Reviewed-by: Heiko Carstens <email address hidden>
Cc: <email address hidden>
Signed-off-by: Martin Schwidefsky <email address hidden>
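
Added example, not part of the bug report or of the kernel patch: a user-space C model of the level selection described in the commit message, showing why a three-level child of a four-level parent walks outside its top-level table and how keeping the parent's levels on fork() restores the invariant. The struct, the function names, the shift values and the four-level limit are assumptions of this model; only the 4TB limit and the fork()/exec() distinction come from the text above.

```c
#include <stdio.h>

typedef unsigned long long u64;

/* Model constants: an s390 region table holds 2048 entries (11 index bits). */
#define PTRS_PER_TABLE 2048ULL
#define PUD_SHIFT      31             /* one region-third entry maps 2 GB */
#define PGDIR_SHIFT    42             /* one region-second entry maps 4 TB */
#define LIMIT_3LEVEL   (1ULL << 42)   /* the 4TB asce limit from the commit message */
#define LIMIT_4LEVEL   (1ULL << 53)   /* assumed limit of a four-level address space */

/* Hypothetical stand-in for mm->context; 0 means "zeroed by mm_alloc() for exec()". */
struct mm_model { u64 asce_limit; };

static u64 pgd_index(u64 a) { return (a >> PGDIR_SHIFT) & (PTRS_PER_TABLE - 1); }
static u64 pud_index(u64 a) { return (a >> PUD_SHIFT) & (PTRS_PER_TABLE - 1); }

/* Before the fix: every new context gets three levels, whatever the parent had. */
static void init_context_before(struct mm_model *mm) { mm->asce_limit = LIMIT_3LEVEL; }

/* After the fix (simplified): a forked mm is a copy and keeps its levels; exec() gets 4TB. */
static void init_context_after(struct mm_model *mm)
{
    if (mm->asce_limit == 0)
        mm->asce_limit = LIMIT_3LEVEL;
}

/* Entry offset reached in a three-level top table when both indexes are
 * added to the table base with no dereference in between. */
static u64 slot_without_deref(u64 addr) { return pgd_index(addr) + pud_index(addr); }

/* Invariant the fix restores: every inherited address lies below the child's limit. */
static int addr_covered(const struct mm_model *mm, u64 addr) { return addr < mm->asce_limit; }

int main(void)
{
    /* Constructed address above 4TB, as a vma of a four-level parent could have. */
    u64 addr = (5ULL << PGDIR_SHIFT) + (2047ULL << PUD_SHIFT);
    struct mm_model before = { LIMIT_4LEVEL }, after = { LIMIT_4LEVEL };

    init_context_before(&before);
    init_context_after(&after);
    printf("before fix: covered=%d, slot %llu in a table of %llu entries\n",
           addr_covered(&before, addr), slot_without_deref(addr), PTRS_PER_TABLE);
    printf("after fix:  covered=%d\n", addr_covered(&after, addr));
    return 0;
}
```
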
tags: | added: architecture-s39064 bugnameltc-138862 severity-critical targetmilestone-inin1604 |
Changed in ubuntu: | |
assignee: | nobody → Skipper Bug Screeners (skipper-screen-team) |
affects: | ubuntu → linux (Ubuntu) |
Changed in linux (Ubuntu Xenial): | |
assignee: | Skipper Bug Screeners (skipper-screen-team) → Tim Gardner (timg-tpi) |
status: | New → Fix Committed |
tags: | added: kernel-cve-skip-description |
Changed in linux-lts-trusty (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-trusty (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-wily (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-quantal (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-ti-omap4 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-raring (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Precise): | |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-armadaxp (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-saucy (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-manta (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-vivid (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-raspi2 (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-mako (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Wily): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-lts-utopic (Ubuntu Trusty): | |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-goldfish (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Precise): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Wily): | |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Xenial): | |
importance: | Undecided → Medium |
Changed in linux-flo (Ubuntu Trusty): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux (Ubuntu Xenial): | |
status: | Fix Released → New |
no longer affects: | linux (Ubuntu Precise) |
no longer affects: | linux (Ubuntu Trusty) |
no longer affects: | linux (Ubuntu Wily) |
no longer affects: | linux-armadaxp (Ubuntu) |
no longer affects: | linux-flo (Ubuntu) |
no longer affects: | linux-goldfish (Ubuntu) |
no longer affects: | linux-lts-quantal (Ubuntu) |
no longer affects: | linux-lts-raring (Ubuntu) |
no longer affects: | linux-lts-saucy (Ubuntu) |
no longer affects: | linux-lts-trusty (Ubuntu) |
no longer affects: | linux-lts-utopic (Ubuntu) |
no longer affects: | linux-lts-vivid (Ubuntu) |
no longer affects: | linux-lts-wily (Ubuntu) |
no longer affects: | linux-lts-xenial (Ubuntu) |
no longer affects: | linux-mako (Ubuntu) |
no longer affects: | linux-manta (Ubuntu) |
no longer affects: | linux-raspi2 (Ubuntu) |
no longer affects: | linux-ti-omap4 (Ubuntu) |
Changed in linux-armadaxp (Ubuntu Precise): | |
status: | New → Invalid |
Changed in linux-goldfish (Ubuntu Wily): | |
status: | New → Invalid |
Changed in linux-goldfish (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-ti-omap4 (Ubuntu Precise): | |
status: | New → Invalid |
Changed in linux-raspi2 (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-raspi2 (Ubuntu Wily): | |
status: | New → Invalid |
Changed in linux-lts-trusty (Ubuntu Precise): | |
status: | New → Invalid |
Changed in linux-lts-wily (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-lts-xenial (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-manta (Ubuntu Wily): | |
status: | New → Invalid |
Changed in linux-manta (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-lts-vivid (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-mako (Ubuntu Wily): | |
status: | New → Invalid |
Changed in linux-mako (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-lts-utopic (Ubuntu Trusty): | |
status: | New → Invalid |
Changed in linux-flo (Ubuntu Wily): | |
status: | New → Invalid |
Changed in linux-flo (Ubuntu Xenial): | |
status: | New → Invalid |
Changed in linux-snapdragon (Ubuntu Xenial): | |
status: | New → Invalid |
importance: | Undecided → Medium |
Changed in linux-snapdragon (Ubuntu): | |
status: | New → Invalid |
This bug was fixed in the package linux - 4.4.0-13.29
---------------
linux (4.4.0-13.29) xenial; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1556247
* s390/mm: four page table levels vs. fork (LP: #1556141)
- s390/mm: four page table levels vs. fork
* [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
- hv_netvsc: use skb_get_hash() instead of a homegrown implementation
- hv_netvsc: cleanup netdev feature flags for netvsc
* fails to boot on megaraid (LP: #1552903)
- SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in
case of PD list DCMD failure
* ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
- ALSA: hda - add codec support for Kabylake display audio codec
* Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
- cpufreq: powernv: Free 'chips' on module exit
- cpufreq: powernv: Hot-plug safe the kworker thread
- cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
- cpufreq: powernv/tracing: Add powernv_throttle tracepoint
- cpufreq: powernv: Replace pr_info with trace print for throttle event
- SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}
* Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
- SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace
* integer overflow in xt_alloc_table_info (LP: #1555353)
- SAUCE: (noup) netfilter: x_tables: check for size overflow
* linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Config] reconstruct -- update to autoreconstruct output
- [Packaging] reconstruct -- update when inserting final changes
* Xenial update to v4.4.5 stable release (LP: #1555640)
- use ->d_seq to get coherency between ->d_inode and ->d_flags
- drivers: sh: Restore legacy clock domain on SuperH platforms
- Btrfs: fix deadlock running delayed iputs at transaction commit time
- btrfs: Fix no_space in write and rm loop
- btrfs: async-thread: Fix a use-after-free error for trace
- block: Initialize max_dev_sectors to 0
- PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
- parisc: Fix ptrace syscall number and return value modification
- mips/kvm: fix ioctl error handling
- kvm: x86: Update tsc multiplier on change.
- fbcon: set a default value to blink interval
- cifs: fix out-of-bounds access in lease parsing
- CIFS: Fix SMB2+ interim response processing for read requests
- Fix cifs_uniqueid_to_ino_t() function for s390x
- vfio: fix ioctl error handling
- KVM: x86: fix root cause for missed hardware breakpoints
- arm/arm64: KVM: Fix ioctl error handling
- iommu/amd: Apply workaround for ATS write permission check
- iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
- iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
- target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
- drm/ast: Fix incorrect register check for DRAM width
- d...