group.of.nepali.translators team mailing list archive

[Bug 1672819] Re: exec'ing a setuid binary from a threaded program sometimes fails to setuid

This bug was fixed in the package linux - 4.8.0-58.63

---------------
linux (4.8.0-58.63) yakkety; urgency=low

  * linux: 4.8.0-58.63 -proposed tracker (LP: #1700533)

  * CVE-2017-1000364
    - Revert "UBUNTU: SAUCE: mm: Only expand stack if guard area is hit"
    - Revert "mm: do not collapse stack gap into THP"
    - Revert "mm: enlarge stack guard gap"
    - mm: vma_adjust: remove superfluous confusing update in remove_next == 1 case
    - mm: larger stack guard gap, between vmas
    - mm: fix new crash in unmapped_area_topdown()
    - Allow stack to grow up to address space limit

linux (4.8.0-57.62) yakkety; urgency=low

  * linux: 4.8.0-57.62 -proposed tracker (LP: #1699035)

  * CVE-2017-1000364
    - SAUCE: mm: Only expand stack if guard area is hit

  * CVE-2017-7374
    - fscrypt: remove broken support for detecting keyring key revocation

  * CVE-2017-100363
    - char: lp: fix possible integer overflow in lp_setup()

  * CVE-2017-9242
    - ipv6: fix out of bound writes in __ip6_append_data()

  * CVE-2017-9075
    - sctp: do not inherit ipv6_{mc|ac|fl}_list from parent

  * CVE-2017-9074
    - ipv6: Prevent overrun when parsing v6 header options

  * CVE-2017-9076
    - ipv6/dccp: do not inherit ipv6_mc_list from parent

  * CVE-2017-9077
    - ipv6/dccp: do not inherit ipv6_mc_list from parent

  * CVE-2017-8890
    - dccp/tcp: do not inherit mc_list from parent

  * extend-diff-ignore should use exact matches (LP: #1693504)
    - [Packaging] exact extend-diff-ignore matches

  * APST quirk needed for Intel NVMe (LP: #1686592)
    - nvme: Quirk APST on Intel 600P/P3100 devices

  * regression: the 4.8 hwe kernel does not create the
    /sys/block/*/device/enclosure_device:* symlinks (LP: #1691899)
    - scsi: ses: Fix SAS device detection in enclosure

  * datapath: Add missing case OVS_TUNNEL_KEY_ATTR_PAD (LP: #1676679)
    - openvswitch: Add missing case OVS_TUNNEL_KEY_ATTR_PAD

  * connection flood to port 445 on mounting cifs volume under kernel
    (LP: #1686099)
    - cifs: Do not send echoes before Negotiate is complete

  * Support IPMI system interface on Cavium ThunderX (LP: #1688132)
    - i2c: octeon: Rename driver to prepare for split
    - i2c: octeon: Split the driver into two parts
    - [Config] CONFIG_I2C_THUNDERX=m
    - i2c: thunderx: Add i2c driver for ThunderX SOC
    - i2c: thunderx: Add SMBUS alert support
    - i2c: octeon,thunderx: Move register offsets to struct
    - i2c: octeon: Sort include files alphabetically
    - i2c: octeon: Use booleon values for booleon variables
    - i2c: octeon: thunderx: Add MAINTAINERS entry
    - i2c: octeon: Fix set SCL recovery function
    - i2c: octeon: Avoid sending STOP during recovery
    - i2c: octeon: Fix high-level controller status check
    - i2c: octeon: thunderx: TWSI software reset in recovery
    - i2c: octeon: thunderx: Remove double-check after interrupt
    - i2c: octeon: thunderx: Limit register access retries
    - i2c: thunderx: Enable HWMON class probing

  * CVE-2017-5577
    - drm/vc4: Return -EINVAL on the overflow checks failing.

  * Merlin SGMII fail on Ubuntu Xenial HWE kernel (LP: #1686305)
    - net: phy: marvell: fix Marvell 88E1512 used in SGMII mode
    - drivers: net: phy: xgene: Fix mdio write

  * Keyboard backlight control does not work on some dell laptops.
    (LP: #1693126)
    - platform/x86: dell-laptop: Add Latitude 7480 and others to the DMI whitelist
    - platform/x86: dell-laptop: Add keyboard backlight timeout AC settings

  * exec'ing a setuid binary from a threaded program sometimes fails to setuid
    (LP: #1672819)
    - SAUCE: exec: ensure file system accounting in check_unsafe_exec is correct

  * CVE-2017-7294
    - drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()

 -- Stefan Bader <stefan.bader@xxxxxxxxxxxxx>  Mon, 26 Jun 2017 17:31:13 +0200

** Changed in: linux (Ubuntu Yakkety)
       Status: Fix Committed => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-1000364

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-100363

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5577

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7294

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7374

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8890

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9074

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9075

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9076

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9077

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9242

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of नेपाली
भाषा समायोजकहरुको समूह, which is subscribed to Xenial.
Matching subscriptions: Ubuntu 16.04 Bugs
https://bugs.launchpad.net/bugs/1672819

Title:
  exec'ing a setuid binary from a threaded program sometimes fails to
  setuid

Status in Linux:
  Unknown
Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Xenial:
  Fix Released
Status in linux source package in Yakkety:
  Fix Released
Status in linux source package in Zesty:
  Fix Committed

Bug description:
  == SRU REQUEST XENIAL, YAKKETY, ZESTY ==

  Due to two race conditions in check_unsafe_exec(), exec'ing a setuid
  binary from a threaded program sometimes fails to setuid.

  == Fix ==

  Sauce patch for Xenial, Yakkety + Zesty:

  https://lists.ubuntu.com/archives/kernel-team/2017-May/084102.html

  This fix re-executes the unsafe check if there is a discrepancy
  between the expected fs count and the found count during the racy
  window during thread exec or exit.  This re-check occurs very
  infrequently and saves a lot of additional locking on per-thread
  structures that would make performance of fork/exec/exit prohibitively
  expensive.

  == Test case ==

  See the example C code in the patch:
  https://lists.ubuntu.com/archives/kernel-team/2017-May/084102.html

  Run the test code as follows: for i in $(seq 1000); do ./a; done

  With the patch, no messages are emitted, without the patch, one sees a
  message:

  "Failed, got euid 1000 (expecting 0)"

  ...which shows that the setuid program failed check_unsafe_exec()
  because of the race.

  == Regression potential ==

  Breaking existing safe exec semantics.

  ====================

  This can be reproduced with
  https://gist.github.com/chipaca/806c90d96c437444f27f45a83d00a813

  With that, and go 1.8, if you run “make” and then

  for i in `seq 99`; do ./a_go; done

  you'll see a variable number of “GOT 1000” (or whatever your user id
  is). If you don't, add one or two more 9s on there.

  That's a simple go reproducer. You can also use “a_p” instead of
  “a_go” to see one that only uses pthreads. “a_c” is a C version that
  does *not* reproduce the issue.

  But it's not pthreads: if in a_go.go you comment out the “import "C"”,
  you'll still see the “GOT 1000” messages, in a static binary that uses
  no pthreads, just clone(2). You'll also see a bunch of warnings
  because it's not properly handling an EAGAIN from clone, but that's
  unrelated.

  If you pin the process to a single thread using taskset, you don't get
  the issue from a_go; a_p continues to reproduce the issue. In some
  virtualized environments we haven't been able to reproduce the issue
  either (e.g. some aws instances), but kvm works (you need -smp to see
  the issue from a_go).

  ProblemType: Bug
  DistroRelease: Ubuntu 16.04
  Package: linux-image-4.4.0-64-generic 4.4.0-64.85
  ProcVersionSignature: Ubuntu 4.4.0-64.85-generic 4.4.44
  Uname: Linux 4.4.0-64-generic x86_64
  NonfreeKernelModules: zfs zunicode zcommon znvpair zavl
  ApportVersion: 2.20.1-0ubuntu2.5
  Architecture: amd64
  AudioDevicesInUse:
   USER        PID ACCESS COMMAND
   /dev/snd/pcmC0D0p:   john       2354 F...m pulseaudio
   /dev/snd/controlC0:  john       2354 F.... pulseaudio
  CurrentDesktop: Unity
  Date: Tue Mar 14 17:17:23 2017
  HibernationDevice: RESUME=UUID=b9fd155b-dcbe-4337-ae77-6daa6569beaf
  InstallationDate: Installed on 2014-04-27 (1051 days ago)
  InstallationMedia: Ubuntu 14.04 LTS "Trusty Tahr" - Release amd64 (20140417)
  MachineType: Dell Inc. Latitude E6510
  ProcFB: 0 inteldrmfb
  ProcKernelCmdLine: BOOT_IMAGE=/vmlinuz-4.4.0-64-generic root=/dev/mapper/ubuntu--vg-root ro enable_mtrr_cleanup mtrr_spare_reg_nr=8 mtrr_gran_size=32M mtrr_chunk_size=32M quiet splash
  RelatedPackageVersions:
   linux-restricted-modules-4.4.0-64-generic N/A
   linux-backports-modules-4.4.0-64-generic  N/A
   linux-firmware                            1.157.8
  SourcePackage: linux
  SystemImageInfo: Error: command ['system-image-cli', '-i'] failed with exit code 2:
  UpgradeStatus: Upgraded to xenial on 2015-06-18 (634 days ago)
  dmi.bios.date: 12/05/2013
  dmi.bios.vendor: Dell Inc.
  dmi.bios.version: A16
  dmi.board.vendor: Dell Inc.
  dmi.chassis.type: 9
  dmi.chassis.vendor: Dell Inc.
  dmi.modalias: dmi:bvnDellInc.:bvrA16:bd12/05/2013:svnDellInc.:pnLatitudeE6510:pvr0001:rvnDellInc.:rn:rvr:cvnDellInc.:ct9:cvr:
  dmi.product.name: Latitude E6510
  dmi.product.version: 0001
  dmi.sys.vendor: Dell Inc.

To manage notifications about this bug go to:
https://bugs.launchpad.net/linux/+bug/1672819/+subscriptions