CVE-2016-3135

Bug #1555353 reported by Steve Beattie
Affects | Status | Importance | Assigned to | Milestone
linux (Ubuntu) | Fix Released | Medium | Tim Gardner |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Fix Released | Medium | Chris J Arges |
  Xenial | Fix Released | Medium | Tim Gardner |
  Yakkety | Fix Released | Medium | Tim Gardner |
linux-armadaxp (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-flo (Ubuntu) | New | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | New | Medium | Unassigned |
  Xenial | New | Medium | Unassigned |
  Yakkety | New | Medium | Unassigned |
linux-goldfish (Ubuntu) | New | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | New | Medium | Unassigned |
  Xenial | New | Medium | Unassigned |
  Yakkety | New | Medium | Unassigned |
linux-lts-quantal (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-lts-raring (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-lts-saucy (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-lts-trusty (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-lts-utopic (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-lts-vivid (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-lts-wily (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Fix Released | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-lts-xenial (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Fix Released | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-mako (Ubuntu) | New | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | New | Medium | Unassigned |
  Xenial | New | Medium | Unassigned |
  Yakkety | New | Medium | Unassigned |
linux-manta (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | New | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |
linux-raspi2 (Ubuntu) | Fix Released | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Fix Released | Medium | Unassigned |
  Xenial | Fix Released | Medium | Unassigned |
  Yakkety | Fix Released | Medium | Unassigned |
linux-snapdragon (Ubuntu) | Fix Released | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Fix Released | Medium | Unassigned |
  Yakkety | Fix Released | Medium | Unassigned |
linux-ti-omap4 (Ubuntu) | Invalid | Medium | Unassigned |
  Precise | Invalid | Medium | Unassigned |
  Trusty | Invalid | Medium | Unassigned |
  Wily | Invalid | Medium | Unassigned |
  Xenial | Invalid | Medium | Unassigned |
  Yakkety | Invalid | Medium | Unassigned |

Bug Description

[Impact]
[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

A recent refactoring of this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption.

More specifically, the overflow may have been introduced in https://github.com/torvalds/linux/commit/711bdde6a884354ddae8da2fcb495b2a9364cc90 ; specifically the bit:

  + size_t sz = sizeof(*info) + size;

(where size is an unsigned int passed from userspace).

This issue should only affect 32bit platforms (xt_table_info.size is an unsigned int).

[Fix]
Upstream proposed fix: http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

[Test Case]
Download v4 code from: https://code.google.com/p/google-security-research/issues/detail?id=758
gcc *v4.c -o v4
./v4
Your machine should _not_ crash. This only affects 32-bit kernels
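
The 32-bit wrap described in the [Impact] section, modelled in user space as an added example (not code from the bug report, the kernel, or the upstream patch). Assumptions: `uint32_t` stands in for a 32-bit `size_t`, `HDR_SIZE` is a made-up stand-in for `sizeof(*info)`, and all function names are hypothetical.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed header size for this model; NOT the real sizeof(struct xt_table_info). */
#define HDR_SIZE 64u

/* 32-bit size_t model of "size_t sz = sizeof(*info) + size;" with no check.
 * The addition is done in 32 bits, so it wraps modulo 2^32. */
static uint32_t alloc_size_32_unchecked(uint32_t size)
{
    return HDR_SIZE + size;
}

/* The same expression with a 64-bit size_t. Because size is an unsigned int
 * (at most 2^32 - 1), the sum always fits: this is why the report says only
 * 32-bit platforms are affected. */
static uint64_t alloc_size_64(uint32_t size)
{
    return (uint64_t)HDR_SIZE + size;
}

/* Hardened 32-bit variant: an unsigned sum that is smaller than one of its
 * operands has wrapped, so refuse it. Returns 0 and stores the size in *out,
 * or -1 when the request must be rejected. */
static int alloc_size_32_checked(uint32_t size, uint32_t *out)
{
    uint32_t sz = HDR_SIZE + size;

    if (sz < HDR_SIZE)
        return -1;
    *out = sz;
    return 0;
}

/* How many bytes the header plus a size-byte payload would exceed an
 * allocation of `allocated` bytes by (0 when the allocation is large enough). */
static uint64_t shortfall(uint32_t allocated, uint32_t size)
{
    uint64_t needed = (uint64_t)HDR_SIZE + size;

    return needed > allocated ? needed - allocated : 0;
}

int main(void)
{
    /* Constructed sample sizes: one ordinary request, the largest value that
     * does not wrap, the first value that does, and one further past it. */
    const uint32_t samples[] = { 4096u, 0xFFFFFFBFu, 0xFFFFFFC0u, 0xFFFFFFF0u };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t size = samples[i];
        uint32_t sz32 = alloc_size_32_unchecked(size);
        uint32_t checked = 0;
        int rc = alloc_size_32_checked(size, &checked);

        printf("size=0x%08" PRIx32 " alloc32=0x%08" PRIx32
               " alloc64=0x%" PRIx64 " shortfall=%" PRIu64 " checked=%s\n",
               size, sz32, alloc_size_64(size), shortfall(sz32, size),
               rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```
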

Steve Beattie (sbeattie)
Changed in linux (Ubuntu):
status: New → Confirmed
Steve Beattie (sbeattie) wrote :
information type: Private Security → Public Security
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Tim Gardner (timg-tpi)
status: Confirmed → In Progress
Chris J Arges (arges)
Changed in linux (Ubuntu Wily):
assignee: nobody → Chris J Arges (arges)
status: New → In Progress
Tim Gardner (timg-tpi)
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Chris J Arges (arges)
description: updated
description: updated
Brad Figg (brad-figg)
Changed in linux (Ubuntu Wily):
status: In Progress → Fix Committed
Steve Beattie (sbeattie)
tags: added: kernel-cve-skip-description
Steve Beattie (sbeattie) wrote :

This has been assigned CVE-2016-3135 ( http://www.openwall.com/lists/oss-security/2016/03/14/1 ).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.2.0-34.39

---------------
linux (4.2.0-34.39) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555821

  [ Florian Westphal ]

  * SAUCE: [nf] netfilter: x_tables: check for size overflow
    - LP: #1555353
  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (4.2.0-33.38) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1554649

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608
  * cxl: Fix PSL timebase synchronization detection
    - LP: #1532914

linux (4.2.0-32.37) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1550045

  [ Kamal Mostafa ]

  * Merged back Ubuntu-4.2.0-31.36

linux (4.2.0-31.36) wily; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548579

  [ Andy Whitcroft ]

  * [Debian] hv: hv_set_ifconfig -- convert to python3
    - LP: #1506521
  * [Debian] hv: hv_set_ifconfig -- switch to approved indentation
    - LP: #1540586
  * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
    - LP: #1540586

  [ Carol L Soto ]

  * SAUCE: IB/IPoIB: Do not set skb truesize since using one linearskb
    - LP: #1541326

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Tim Gardner ]

  * Revert "SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover
    failure"
    - LP: #1541635
  * Revert "SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port
    1"
    - LP: #1541635
  * [Config] ARMV8_DEPRECATED=y
    - LP: #1545542

  [ Upstream Kernel Changes ]

  * x86/xen/p2m: hint at the last populated P2M entry
    - LP: #1542941
  * mm: add dma_pool_zalloc() call to DMA API
    - LP: #1543737
  * sctp: Prevent soft lockup when sctp_accept() is called during a timeout
    event
    - LP: #1543737
  * xen-netback: respect user provided max_queues
    - LP: #1543737
  * xen-netfront: respect user provided max_queues
    - LP: #1543737
  * xen-netfront: update num_queues to real created
    - LP: #1543737
  * iio: adis_buffer: Fix out-of-bounds memory access
    - LP: #1543737
  * KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8
    - LP: #1543737
  * KVM: PPC: Fix ONE_REG AltiVec support
    - LP: #1543737
  * x86/irq: Call chip->irq_set_affinity in proper context
    - LP: #1543737
  * drm/amdgpu: fix tonga smu resume
    - LP: #1543737
  * perf kvm record/report: 'unprocessable sample' error while
    recording/reporting guest data
    - LP: #1543737
  * hrtimer: Handle remaining time proper for TIME_LOW_RES
    - LP: #1543737
  * timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper
    - LP: #1543737
  * posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper
    - LP: #1543737
  * itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper
    - LP: #1543737
  * drm/amdgpu: Use drm_calloc_large for VM page_tables array
    - LP: #1543737
  * drm/amdgpu: fix amdgpu_bo_pin_restricted VRAM placing v2
    - LP: #1543737
  * drm/radeon: properly byte swap vce firmware setup
    - LP: #1543737
  ...


Changed in linux (Ubuntu Wily):
status: Fix Committed → Fix Released
Steve Beattie (sbeattie)
Changed in linux-lts-trusty (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-trusty (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Xenial):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-flo (Ubuntu Wily):
importance: Undecided → Medium
Changed in linux-flo (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-lts-trusty (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-trusty (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-wily (Ubuntu Trusty):
status: New → Fix Released
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Steve Beattie (sbeattie)
Changed in linux (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-xenial (Ubuntu Trusty):
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-manta (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-vivid (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-raspi2 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-mako (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-lts-utopic (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-goldfish (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-flo (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-flo (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-13.29

---------------
linux (4.4.0-13.29) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
    - s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
    - hv_netvsc: use skb_get_hash() instead of a homegrown implementation
    - hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
    - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in
      case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
    - ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
    - cpufreq: powernv: Free 'chips' on module exit
    - cpufreq: powernv: Hot-plug safe the kworker thread
    - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
    - cpufreq: powernv/tracing: Add powernv_throttle tracepoint
    - cpufreq: powernv: Replace pr_info with trace print for throttle event
    - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Config] reconstruct -- update to autoreconstruct output
    - [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
    - use ->d_seq to get coherency between ->d_inode and ->d_flags
    - drivers: sh: Restore legacy clock domain on SuperH platforms
    - Btrfs: fix deadlock running delayed iputs at transaction commit time
    - btrfs: Fix no_space in write and rm loop
    - btrfs: async-thread: Fix a use-after-free error for trace
    - block: Initialize max_dev_sectors to 0
    - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
    - parisc: Fix ptrace syscall number and return value modification
    - mips/kvm: fix ioctl error handling
    - kvm: x86: Update tsc multiplier on change.
    - fbcon: set a default value to blink interval
    - cifs: fix out-of-bounds access in lease parsing
    - CIFS: Fix SMB2+ interim response processing for read requests
    - Fix cifs_uniqueid_to_ino_t() function for s390x
    - vfio: fix ioctl error handling
    - KVM: x86: fix root cause for missed hardware breakpoints
    - arm/arm64: KVM: Fix ioctl error handling
    - iommu/amd: Apply workaround for ATS write permission check
    - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
    - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - drm/ast: Fix incorrect register check for DRAM width
    - d...


Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-xenial - 4.4.0-13.29~14.04.1

---------------
linux-lts-xenial (4.4.0-13.29~14.04.1) trusty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
    - s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
    - hv_netvsc: use skb_get_hash() instead of a homegrown implementation
    - hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
    - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in
      case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
    - ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
    - cpufreq: powernv: Free 'chips' on module exit
    - cpufreq: powernv: Hot-plug safe the kworker thread
    - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
    - cpufreq: powernv/tracing: Add powernv_throttle tracepoint
    - cpufreq: powernv: Replace pr_info with trace print for throttle event
    - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Config] reconstruct -- update to autoreconstruct output
    - [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
    - use ->d_seq to get coherency between ->d_inode and ->d_flags
    - drivers: sh: Restore legacy clock domain on SuperH platforms
    - Btrfs: fix deadlock running delayed iputs at transaction commit time
    - btrfs: Fix no_space in write and rm loop
    - btrfs: async-thread: Fix a use-after-free error for trace
    - block: Initialize max_dev_sectors to 0
    - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
    - parisc: Fix ptrace syscall number and return value modification
    - mips/kvm: fix ioctl error handling
    - kvm: x86: Update tsc multiplier on change.
    - fbcon: set a default value to blink interval
    - cifs: fix out-of-bounds access in lease parsing
    - CIFS: Fix SMB2+ interim response processing for read requests
    - Fix cifs_uniqueid_to_ino_t() function for s390x
    - vfio: fix ioctl error handling
    - KVM: x86: fix root cause for missed hardware breakpoints
    - arm/arm64: KVM: Fix ioctl error handling
    - iommu/amd: Apply workaround for ATS write permission check
    - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
    - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - drm/ast: Fix incorrect...


Changed in linux-lts-xenial (Ubuntu Trusty):
status: New → Fix Released
Steve Beattie (sbeattie)
Changed in linux-raspi2 (Ubuntu Wily):
status: New → Fix Released
Steve Beattie (sbeattie)
Changed in linux-manta (Ubuntu Xenial):
status: New → Invalid
Steve Beattie (sbeattie)
Changed in linux-snapdragon (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Wily):
status: New → Invalid
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Xenial):
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Yakkety):
importance: Undecided → Medium
Changed in linux-snapdragon (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Medium
Steve Beattie (sbeattie)
tags: added: kernel-cve-tracking-bug
Seth Forshee (sforshee)
Changed in linux-snapdragon (Ubuntu Xenial):
status: New → Fix Committed
Mathew Hodson (mhodson)
summary: - integer overflow in xt_alloc_table_info
+ CVE-2016-3135
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-raspi2 - 4.4.0-1019.25

---------------
linux-raspi2 (4.4.0-1019.25) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1605715

  [ Ubuntu: 4.4.0-33.52 ]

  * Release Tracking Bug
    - LP: #1605709
  * [regression] NFS client: access problems after updating to kernel
    4.4.0-31-generic (LP: #1603719)
    - SAUCE: (namespace) Bypass sget() capability check for nfs

linux-raspi2 (4.4.0-1018.24) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1604457

  * Drop superseded namespace mount patches (LP: #1604830)
    - UBUNTU: SAUCE: fs: Ensure the mounter of a filesystem is privileged towards its inodes
    - UBUNTU: SAUCE: quota: Treat superblock owner as privilged
    - UBUNTU: SAUCE: kernfs: Always set super block owner to init_user_ns
    - UBUNTU: SAUCE: proc: Always set super block owner to init_user_ns

  * UBUNTU: [Config] updateconfigs after 4.4.0-32.51 rebase (LP: #1603483)

  [ Kamal Mostafa ]

  * [Debian] embed derivative target name in release tag (LP: #1599924)

  [ Ubuntu: 4.4.0-32.51 ]

  * Release Tracking Bug
    - LP: #1604443
  * thinkpad yoga 260 wacom touchscreen not working (LP: #1603975)
    - HID: wacom: break out parsing of device and registering of input
    - HID: wacom: Initialize hid_data.inputmode to -1
    - HID: wacom: Support switching from vendor-defined device mode on G9 and G11
  * changelog: add CVEs as first class citizens (LP: #1604344)
    - use CVE numbers in changelog
  * [Xenial] Include Huawei PCIe SSD hio kernel driver (LP: #1603483)
    - SAUCE: import Huawei ES3000_V2 (2.1.0.23)
    - SAUCE: hio: bio_endio() no longer takes errors arg
    - SAUCE: hio: blk_queue make_request_fn now returns a blk_qc_t
    - SAUCE: hio: use alloc_cpumask_var to avoid -Wframe-larger-than
    - SAUCE: hio: fix mask maybe-uninitialized warning
    - [config] enable CONFIG_HIO (Huawei ES3000_V2 PCIe SSD driver)
    - SAUCE: hio: Makefile and Kconfig
  * CVE-2016-5243 (LP: #1589036)
    - tipc: fix an infoleak in tipc_nl_compat_link_dump
    - tipc: fix nl compat regression for link statistics
  * CVE-2016-4470
    - KEYS: potential uninitialized variable
  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - netfilter: x_tables: check for size overflow
  * CVE-2016-3135:
    - Revert "UBUNTU: SAUCE: (noup) netfilter: x_tables: check for size overflow"
  * CVE-2016-4440 (LP: #1584192)
    - kvm:vmx: more complete state update on APICv on/off
  * the system hangs in the dma driver when reboot or shutdown on a baytrail-m
    laptop (LP: #1602579)
    - dmaengine: dw: platform: power on device on shutdown
    - ACPI / LPSS: override power state for LPSS DMA device
  * Add proper palm detection support for MS Precision Touchpad (LP: #1593124)
    - Revert "HID: multitouch: enable palm rejection if device implements
      confidence usage"
    - HID: multitouch: enable palm rejection for Windows Precision Touchpad
  * Add support for Intel 8265 Bluetooth ([8087:0A2B]) (LP: #1599068)
    - Bluetooth: Add support for Intel Bluetooth device 8265 [8087:0a2b]
  * CVE-2016-4794 (LP: #1581871)
    - percpu: fix synchronization ...

Changed in linux-raspi2 (Ubuntu Yakkety):
status: New → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-snapdragon - 4.4.0-1022.25

---------------
linux-snapdragon (4.4.0-1022.25) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1605716

  [ Ubuntu: 4.4.0-33.52 ]

  * Release Tracking Bug
    - LP: #1605709
  * [regression] NFS client: access problems after updating to kernel
    4.4.0-31-generic (LP: #1603719)
    - SAUCE: (namespace) Bypass sget() capability check for nfs

linux-snapdragon (4.4.0-1021.24) xenial; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1604458

  * Drop superseded namespace mount patches (LP: #1604830)
    - UBUNTU: SAUCE: fs: Ensure the mounter of a filesystem is privileged towards its inodes
    - UBUNTU: SAUCE: quota: Treat superblock owner as privilged
    - UBUNTU: SAUCE: kernfs: Always set super block owner to init_user_ns
    - UBUNTU: SAUCE: proc: Always set super block owner to init_user_ns

  * UBUNTU: [Config] updateconfigs after 4.4.0-32.51 rebase (LP: #1603483)

  [ Kamal Mostafa ]

  * [Debian] embed derivative target name in release tag (LP: #1599924)

  [ Ubuntu: 4.4.0-32.51 ]

  * Release Tracking Bug
    - LP: #1604443
  * thinkpad yoga 260 wacom touchscreen not working (LP: #1603975)
    - HID: wacom: break out parsing of device and registering of input
    - HID: wacom: Initialize hid_data.inputmode to -1
    - HID: wacom: Support switching from vendor-defined device mode on G9 and G11
  * changelog: add CVEs as first class citizens (LP: #1604344)
    - use CVE numbers in changelog
  * [Xenial] Include Huawei PCIe SSD hio kernel driver (LP: #1603483)
    - SAUCE: import Huawei ES3000_V2 (2.1.0.23)
    - SAUCE: hio: bio_endio() no longer takes errors arg
    - SAUCE: hio: blk_queue make_request_fn now returns a blk_qc_t
    - SAUCE: hio: use alloc_cpumask_var to avoid -Wframe-larger-than
    - SAUCE: hio: fix mask maybe-uninitialized warning
    - [config] enable CONFIG_HIO (Huawei ES3000_V2 PCIe SSD driver)
    - SAUCE: hio: Makefile and Kconfig
  * CVE-2016-5243 (LP: #1589036)
    - tipc: fix an infoleak in tipc_nl_compat_link_dump
    - tipc: fix nl compat regression for link statistics
  * CVE-2016-4470
    - KEYS: potential uninitialized variable
  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - netfilter: x_tables: check for size overflow
  * CVE-2016-3135:
    - Revert "UBUNTU: SAUCE: (noup) netfilter: x_tables: check for size overflow"
  * CVE-2016-4440 (LP: #1584192)
    - kvm:vmx: more complete state update on APICv on/off
  * the system hangs in the dma driver when reboot or shutdown on a baytrail-m
    laptop (LP: #1602579)
    - dmaengine: dw: platform: power on device on shutdown
    - ACPI / LPSS: override power state for LPSS DMA device
  * Add proper palm detection support for MS Precision Touchpad (LP: #1593124)
    - Revert "HID: multitouch: enable palm rejection if device implements
      confidence usage"
    - HID: multitouch: enable palm rejection for Windows Precision Touchpad
  * Add support for Intel 8265 Bluetooth ([8087:0A2B]) (LP: #1599068)
    - Bluetooth: Add support for Intel Bluetooth device 8265 [8087:0a2b]
  * CVE-2016-4794 (LP: #1581871)
    - percpu: fix sync...

Changed in linux-snapdragon (Ubuntu Yakkety):
status: New → Fix Released
Changed in linux-snapdragon (Ubuntu Xenial):
status: Fix Committed → Fix Released
Changed in linux-raspi2 (Ubuntu Xenial):
status: New → Fix Released