Prevent speculation on user controlled pointer
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | | Undecided | Unassigned | |
| Precise | | Undecided | Juerg Haefliger | |
| Trusty | | Undecided | Unassigned | |
| Xenial | | Undecided | Unassigned | |
Bug Description
== SRU Justification ==
Upstream's Spectre v1 mitigation prevents speculation on a user controlled pointer. This part of the Spectre v1 patchset was never backported to 4.4 (for unknown reasons) so Xenial/
== Fix ==
Backport the following patches:
x86/uaccess: Use __uaccess_
x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
x86: Introduce __uaccess_
== Regression Potential ==
Low. Patches have been in upstream (and other distro kernels) for quite a while now and the changes only introduce a barrier on copy_from_user operations.
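The get_user patch in the Trusty changelog uses pointer masking rather than the lfence barrier that the __uaccess_begin_nospec patches add; this constructed userspace model (an added example, not the kernel's code) shows the masking form, with USER_LIMIT standing in for TASK_SIZE_MAX and a byte array standing in for user memory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/*
 * Constructed model: user "memory" is a small array and a user pointer
 * is an index into it, so USER_LIMIT plays the role of TASK_SIZE_MAX.
 */
#define USER_LIMIT 4096u
static uint8_t user_mem[USER_LIMIT];   /* constructed "user address space" */

/*
 * Branchless equivalent of the kernel's array_index_mask_nospec():
 * returns all-ones when ptr < limit and zero otherwise. A pointer with
 * the top bit set (a kernel address in the real layout) and a pointer at
 * or beyond the limit both collapse to zero. x86 does the same with
 * cmp/sbb; this generic arithmetic form is the asm-generic fallback.
 */
static uintptr_t user_ptr_mask_nospec(uintptr_t ptr, uintptr_t limit)
{
    const unsigned shift = sizeof(uintptr_t) * 8 - 1;
    uintptr_t in_range = (~(ptr | (limit - ptr - 1))) >> shift; /* 1 or 0 */
    return 0 - in_range;                 /* 1 -> UINTPTR_MAX, 0 -> 0 */
}

/*
 * get_user()-style read. The architectural bounds check still rejects
 * bad pointers with -EFAULT; the mask only matters when that branch is
 * mispredicted: the transient load then uses index 0 instead of the
 * caller-supplied out-of-range value, so no secret-dependent cache
 * footprint is left behind.
 */
static int get_user_byte(uintptr_t uptr, uint8_t *out)
{
    if (uptr >= USER_LIMIT)
        return -EFAULT;
    uptr &= user_ptr_mask_nospec(uptr, USER_LIMIT);
    *out = user_mem[uptr];
    return 0;
}
```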
== Test Case ==
TBD.
CVE References
- 2016-10208
- 2017-11472
- 2017-11473
- 2017-14991
- 2017-15649
- 2017-16526
- 2017-16527
- 2017-16529
- 2017-16531
- 2017-16532
- 2017-16533
- 2017-16535
- 2017-16536
- 2017-16537
- 2017-16538
- 2017-16643
- 2017-16644
- 2017-16645
- 2017-16650
- 2017-16911
- 2017-16912
- 2017-16913
- 2017-16914
- 2017-17558
- 2017-18255
- 2017-18270
- 2017-2583
- 2017-2584
- 2017-2671
- 2017-5549
- 2017-5715
- 2017-5897
- 2017-6345
- 2017-6348
- 2017-7518
- 2017-7645
- 2017-8831
- 2017-9984
- 2018-1000204
- 2018-10021
- 2018-10087
- 2018-10124
- 2018-10323
- 2018-10675
- 2018-10877
- 2018-10881
- 2018-1092
- 2018-1093
- 2018-10940
- 2018-12233
- 2018-13094
- 2018-13405
- 2018-13406
- 2018-3639
- 2018-3665
- 2018-7755
Changed in linux (Ubuntu): status: New → Incomplete; description: updated
Changed in linux (Ubuntu Xenial): status: New → Fix Committed
Brad Figg (brad-figg) wrote: #2
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: added: verification-needed-xenial
tags: added: verification-done-xenial; removed: verification-needed-xenial
Launchpad Janitor (janitor) wrote: #3
This bug was fixed in the package linux - 4.4.0-130.156
---------------
linux (4.4.0-130.156) xenial; urgency=medium
* linux: 4.4.0-130.156 -proposed tracker (LP: #1776822)
* CVE-2018-3665 (x86)
- x86/fpu: Fix early FPU command-line parsing
- x86/fpu: Fix 'no387' regression
- x86/fpu: Disable MPX when eagerfpu is off
- x86/fpu: Default eagerfpu=on on all CPUs
- x86/fpu: Fix FNSAVE usage in eagerfpu mode
- x86/fpu: Fix math emulation in eager fpu mode
- x86/fpu: Fix eager-FPU handling on legacy FPU machines
linux (4.4.0-129.155) xenial; urgency=medium
* linux: 4.4.0-129.155 -proposed tracker (LP: #1776352)
* Xenial update to 4.4.134 stable release (LP: #1775771)
- MIPS: ptrace: Expose FIR register through FP regset
- MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
- KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
- affs_lookup(): close a race with affs_remove_link()
- aio: fix io_destroy(2) vs. lookup_ioctx() race
- ALSA: timer: Fix pause event notification
- mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
- libata: Blacklist some Sandisk SSDs for NCQ
- libata: blacklist Micron 500IT SSD with MU01 firmware
- xen-swiotlb: fix the check condition for xen_swiotlb_
- Revert "ipc/shm: Fix shmat mmap nil-page protection"
- ipc/shm: fix shmat() nil address after round-down when remapping
- kasan: fix memory hotplug during boot
- kernel/sys.c: fix potential Spectre v1 issue
- kernel/signal.c: avoid undefined behaviour in kill_something_info
- xfs: remove racy hasattr check from attr ops
- do d_instantiate/
- firewire-ohci: work around oversized DMA reads on JMicron controllers
- NFSv4: always set NFS_LOCK_LOST when a lock is lost.
- ALSA: hda - Use IS_REACHABLE() for dependency on input
- ASoC: au1x: Fix timeout tests in au1xac97c_
- kvm: x86: fix KVM_XEN_HVM_CONFIG ioctl
- tracing/hrtimer: Fix tracing bugs by taking all clock bases and modes into account
- PCI: Add function 1 DMA alias quirk for Marvell 9128
- tools lib traceevent: Simplify pointer print logic and fix %pF
- perf callchain: Fix attr.sample_
- tools lib traceevent: Fix get_field_str() for dynamic strings
- dm thin: fix documentation relative to low water mark threshold
- nfs: Do not convert nfs_idmap_
- watchdog: sp5100_tco: Fix watchdog disable bit
- kconfig: Don't leak main menus during parsing
- kconfig: Fix automatic menu creation mem leak
- kconfig: Fix expr_free() E_NOT leak
- ipmi/powernv: Fix error return code in ipmi_powernv_
- Btrfs: set plug for fsync
- btrfs: Fix out of bounds access in btrfs_search_slot
- Btrfs: fix scrub to repair raid6 corruption
- scsi: fas216: fix sense buffer initialization
- HID: roccat: prevent an out of bounds read in kovaplus_
- jffs2: Fix use-after-free bug in jffs2_iget()'s error handling path
- powerpc/numa: Use ibm,max-
Changed in linux (Ubuntu Xenial): status: Fix Committed → Fix Released
Changed in linux (Ubuntu Trusty): status: New → Fix Committed
Brad Figg (brad-figg) wrote: #4
This bug is awaiting verification that the kernel in -proposed solves the problem. Please test the kernel and update this bug with the results. If the problem is solved, change the tag 'verification-
If verification is not done by 5 working days from today, this fix will be dropped from the source code, and this bug will be closed.
See https:/
tags: added: verification-needed-trusty
tags: added: verification-done-trusty; removed: verification-needed-trusty
Launchpad Janitor (janitor) wrote: #5
This bug was fixed in the package linux - 3.13.0-157.207
---------------
linux (3.13.0-157.207) trusty; urgency=medium
* linux: 3.13.0-157.207 -proposed tracker (LP: #1787982)
* CVE-2017-5715 (Spectre v2 retpoline)
- SAUCE: Fix "x86/retpoline/
* CVE-2017-2583
- KVM: x86: fix emulation of "MOV SS, null selector"
* CVE-2017-7518
- KVM: x86: fix singlestepping over syscall
* CVE-2017-18270
- KEYS: prevent creating a different user's keyrings
* Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
- Documentation: Document array_index_nospec
- array_index_nospec: Sanitize speculative array de-references
- x86: Implement array_index_
- x86: Introduce barrier_nospec
- x86/get_user: Use pointer masking to limit speculation
- x86/syscall: Sanitize syscall table de-references under speculation
- vfs, fdtable: Prevent bounds-check bypass via speculative execution
- nl80211: Sanitize array index in parse_txq_params
- x86/spectre: Report get_user mitigation for spectre_v1
- x86/kvm: Update spectre-v1 mitigation
- nospec: Allow index argument to have const-qualified type
- nospec: Move array_index_
- nospec: Kill array_index_
- SAUCE: Replace osb() calls with array_index_
- SAUCE: Rename osb() to barrier_nospec()
- SAUCE: x86: Use barrier_nospec in arch/x86/
* Prevent speculation on user controlled pointer (LP: #1775137)
- x86: reorganize SMAP handling in user space accesses
- x86: fix SMAP in 32-bit environments
- x86: Introduce __uaccess_
- x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
- x86/uaccess: Use __uaccess_
* CVE-2016-10208
- ext4: validate s_first_meta_bg at mount time
- ext4: fix fencepost in s_first_meta_bg validation
* CVE-2018-10323
- xfs: set format back to extents if xfs_bmap_
* CVE-2017-16911
- usbip: prevent vhci_hcd driver from leaking a socket pointer address
* CVE-2018-13406
- video: uvesafb: Fix integer overflow in allocation
* CVE-2018-10877
- ext4: verify the depth of extent tree in ext4_find_extent()
* CVE-2018-10881
- ext4: clear i_data in ext4_inode_info when removing inline data
* CVE-2018-1092
- ext4: fail ext4_iget for root directory if unallocated
* CVE-2018-1093
- ext4: fix block bitmap validation when bigalloc, ^flex_bg
- ext4: add validity checks for bitmap block numbers
* CVE-2018-12233
- jfs: Fix inconsistency between memory allocation and ea_buf->max_size
* CVE-2017-16912
- usbip: fix stub_rx: get_pipe() to validate endpoint number
* CVE-2018-10675
- mm/mempolicy: fix use after free when calling get_mempolicy
* CVE-2017-8831
- saa7164: fix sparse warnings
- saa7164: fix double fetch PCIe access condition
* CVE-2017-16533
- HID: usbhid: fix out-of-bounds bug
* CVE-2017-16538
- media: dvb-usb-v2: lmedm04: move ts2...
Changed in linux (Ubuntu Trusty): status: Fix Committed → Fix Released
Changed in linux (Ubuntu Precise): status: New → In Progress; assignee: nobody → Juerg Haefliger (juergh)
Changed in linux (Ubuntu Precise): status: In Progress → Fix Committed
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1775137
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.