kernel-packages team mailing list archive
Message #167138
[Bug 1555353] Re: integer overflow in xt_alloc_table_info
This bug was fixed in the package linux - 4.2.0-34.39
---------------
linux (4.2.0-34.39) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1555821
[ Florian Westphal ]
* SAUCE: [nf] netfilter: x_tables: check for size overflow
- LP: #1555353
* SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
userspace
- LP: #1555338
linux (4.2.0-33.38) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1554649
[ Upstream Kernel Changes ]
* Revert "drm/radeon: call hpd_irq_event on resume"
- LP: #1554608
* cxl: Fix PSL timebase synchronization detection
- LP: #1532914
linux (4.2.0-32.37) wily; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1550045
[ Kamal Mostafa ]
* Merged back Ubuntu-4.2.0-31.36
linux (4.2.0-31.36) wily; urgency=low
[ Brad Figg ]
* Release Tracking Bug
- LP: #1548579
[ Andy Whitcroft ]
* [Debian] hv: hv_set_ifconfig -- convert to python3
- LP: #1506521
* [Debian] hv: hv_set_ifconfig -- switch to approved indentation
- LP: #1540586
* [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
- LP: #1540586
[ Carol L Soto ]
* SAUCE: IB/IPoIB: Do not set skb truesize since using one linearskb
- LP: #1541326
[ Dan Streetman ]
* SAUCE: nbd: ratelimit error msgs after socket close
- LP: #1505564
[ Tim Gardner ]
* Revert "SAUCE: (noup) cxlflash: Fix to avoid virtual LUN failover
failure"
- LP: #1541635
* Revert "SAUCE: (noup) cxlflash: Fix to escalate LINK_RESET also on port
1"
- LP: #1541635
* [Config] ARMV8_DEPRECATED=y
- LP: #1545542
[ Upstream Kernel Changes ]
* x86/xen/p2m: hint at the last populated P2M entry
- LP: #1542941
* mm: add dma_pool_zalloc() call to DMA API
- LP: #1543737
* sctp: Prevent soft lockup when sctp_accept() is called during a timeout
event
- LP: #1543737
* xen-netback: respect user provided max_queues
- LP: #1543737
* xen-netfront: respect user provided max_queues
- LP: #1543737
* xen-netfront: update num_queues to real created
- LP: #1543737
* iio: adis_buffer: Fix out-of-bounds memory access
- LP: #1543737
* KVM: PPC: Fix emulation of H_SET_DABR/X on POWER8
- LP: #1543737
* KVM: PPC: Fix ONE_REG AltiVec support
- LP: #1543737
* x86/irq: Call chip->irq_set_affinity in proper context
- LP: #1543737
* drm/amdgpu: fix tonga smu resume
- LP: #1543737
* perf kvm record/report: 'unprocessable sample' error while
recording/reporting guest data
- LP: #1543737
* hrtimer: Handle remaining time proper for TIME_LOW_RES
- LP: #1543737
* timerfd: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
* posix-timers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
* itimers: Handle relative timers with CONFIG_TIME_LOW_RES proper
- LP: #1543737
* drm/amdgpu: Use drm_calloc_large for VM page_tables array
- LP: #1543737
* drm/amdgpu: fix amdgpu_bo_pin_restricted VRAM placing v2
- LP: #1543737
* drm/radeon: properly byte swap vce firmware setup
- LP: #1543737
* ACPI: Revert "ACPI / video: Add Dell Inspiron 5737 to the blacklist"
- LP: #1543737
* ACPI / PCI / hotplug: unlock in error path in acpiphp_enable_slot()
- LP: #1543737
* hwmon: (dell-smm) Blacklist Dell Studio XPS 8000
- LP: #1543737
* usb: cdc-acm: handle unlinked urb in acm read callback
- LP: #1543737
* usb: cdc-acm: send zero packet for intel 7260 modem
- LP: #1543737
* cdc-acm:exclude Samsung phone 04e8:685d
- LP: #1543737
* usb: hub: do not clear BOS field during reset device
- LP: #1543737
* USB: cp210x: add ID for IAI USB to RS485 adaptor
- LP: #1543737
* USB: visor: fix null-deref at probe
- LP: #1543737
* USB: serial: visor: fix crash on detecting device without write_urbs
- LP: #1543737
* USB: serial: option: Adding support for Telit LE922
- LP: #1543737
* ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
- LP: #1543737
* ALSA: seq: Degrade the error message for too many opens
- LP: #1543737
* USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
- LP: #1543737
* arm64: kernel: fix architected PMU registers unconditional access
- LP: #1543737
* USB: option: fix Cinterion AHxx enumeration
- LP: #1543737
* ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
- LP: #1543737
* ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
- LP: #1543737
* virtio_pci: fix use after free on release
- LP: #1543737
* ALSA: bebob: Use a signed return type for get_formation_index
- LP: #1543737
* arm64: errata: Add -mpc-relative-literal-loads to build flags
- LP: #1533009, #1543737
* arm64: mm: avoid calling apply_to_page_range on empty range
- LP: #1543737
* x86/mm: Fix types used in pgprot cacheability flags translations
- LP: #1543737
* powerpc/eeh: Fix PE location code
- LP: #1543737
* SCSI: fix crashes in sd and sr runtime PM
- LP: #1543737
* tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
- LP: #1543737
* n_tty: Fix unsafe reference to "other" ldisc
- LP: #1543737
* staging/speakup: Use tty_ldisc_ref() for paste kworker
- LP: #1543737
* tick/nohz: Set the correct expiry when switching to nohz/lowres mode
- LP: #1543737
* irqchip/atmel-aic: Fix wrong bit operation for IRQ priority
- LP: #1543737
* seccomp: always propagate NO_NEW_PRIVS on tsync
- LP: #1543737
* drm/radeon: cleaned up VCO output settings for DP audio
- LP: #1543737
* drm/radeon: Add a common function for DFS handling
- LP: #1543737
* drm/radeon: fix DP audio support for APU with DCE4.1 display engine
- LP: #1543737
* cpufreq: Fix NULL reference crash while accessing policy->governor_data
- LP: #1543737
* cpufreq: pxa2xx: fix pxa_cpufreq_change_voltage prototype
- LP: #1543737
* ALSA: dummy: Disable switching timer backend via sysfs
- LP: #1543737
* drm/vmwgfx: respect 'nomodeset'
- LP: #1543737
* Staging: speakup: Fix getting port information
- LP: #1543737
* x86/mm/pat: Avoid truncation when converting cpa->numpages to address
- LP: #1543737
* serial: 8250_pci: Add Intel Broadwell ports
- LP: #1543737
* perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed
- LP: #1543737
* perf hists: Fix HISTC_MEM_DCACHELINE width setting
- LP: #1543737
* powerpc/perf: Remove PPMU_HAS_SSLOT flag for Power8
- LP: #1543737
* Linux 4.2.8-ckt4
- LP: #1543737
* cxlflash: Resolve oops in wait_port_offline
- LP: #1541635
* cxlflash: Fix to resolve cmd leak after host reset
- LP: #1541635
* cxlflash: Removed driver date print
- LP: #1541635
* cxlflash: drop unlikely before IS_ERR_OR_NULL
- LP: #1541635
* powerpc/powernv: Panic on unhandled Machine Check
- LP: #1541635
* cxlflash: Fix to avoid virtual LUN failover failure
- LP: #1541635
* cxlflash: Fix to escalate LINK_RESET also on port 1
- LP: #1541635
* IB/ipoib: Suppress warning for send only join failures
- LP: #1542444
* IB/ipoib: Expire sendonly multicast joins
- LP: #1542444
* IB/ipoib: increase the max mcast backlog queue
- LP: #1542444
* IB/ipoib: For sendonly join free the multicast group on leave
- LP: #1542444
* qeth: initialize net_device with carrier off
- LP: #1541907
* mwifiex: remove USB8897 chipset support
- LP: #1494593
* powerpc/powernv: Fix stale PE primary bus
- LP: #1546145
* ALSA: usb-audio: avoid freeing umidi object twice
- LP: #1546177
- CVE-2016-2384
-- Brad Figg <brad.figg@xxxxxxxxxxxxx> Thu, 10 Mar 2016 13:46:44 -0800
** Changed in: linux (Ubuntu Wily)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2384
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1555353
Title:
integer overflow in xt_alloc_table_info
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Wily:
Fix Released
Status in linux source package in Xenial:
Fix Committed
Bug description:
[Impact]
[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]
A recent refactoring of this codepath
(https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc)
introduced an integer overflow in xt_alloc_table_info, which on 32-bit
systems can lead to small structure allocation and a copy_from_user
based heap corruption.
More specifically, the overflow may have been introduced in
https://github.com/torvalds/linux/commit/711bdde6a884354ddae8da2fcb495b2a9364cc90
; specifically the bit:
+ size_t sz = sizeof(*info) + size;
(where size is an unsigned int passed from userspace).
This issue should only affect 32bit platforms (xt_table_info.size is
an unsigned int).
[Fix]
Upstream proposed fix: http://marc.info/?l=netfilter-devel&m=145757136822750&w=2
[Test Case]
Download v4 code from: https://code.google.com/p/google-security-research/issues/detail?id=758
gcc *v4.c -o v4
./v4
Your machine should _not_ crash. This only affects 32-bit kernels.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555353/+subscriptions
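
The wrap described in the bug report, as an added example that is not part of the original message or the kernel source: it evaluates `sizeof(*info) + size` in a 32-bit and a 64-bit `size_t` and shows one way to write a wrap check (not necessarily the form of the upstream fix). `INFO_HDR` (a stand-in for `sizeof(struct xt_table_info)`), the function names and the sample sizes are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed stand-in for sizeof(struct xt_table_info); the real value depends
 * on the kernel build. 64 is a constructed value for illustration. */
#define INFO_HDR 64u

/* sizeof(*info) + size evaluated in a 32-bit size_t (32-bit kernel). */
uint32_t total_size_32(uint32_t size)
{
    return (uint32_t)(INFO_HDR + size);      /* wraps modulo 2^32 */
}

/* The same sum in a 64-bit size_t: a 32-bit size can never wrap it. */
uint64_t total_size_64(uint32_t size)
{
    return (uint64_t)INFO_HDR + size;
}

/* Wrap check for the 32-bit case: unsigned addition overflowed exactly
 * when the result is smaller than one of the operands.
 * Returns 0 and stores the total, or -1 when the request must be refused. */
int total_size_checked(uint32_t size, uint32_t *total)
{
    uint32_t sz = (uint32_t)(INFO_HDR + size);

    if (sz < INFO_HDR)
        return -1;
    *total = sz;
    return 0;
}

int main(void)
{
    /* Constructed sample sizes: one ordinary, two near UINT32_MAX. */
    const uint32_t samples[] = { 4096u, 0xFFFFFFC0u, 0xFFFFFFF0u };
    uint32_t total;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint32_t size = samples[i];
        int rc = total_size_checked(size, &total);

        printf("size=0x%08x  32-bit sz=0x%08x  64-bit sz=0x%llx  %s\n",
               (unsigned)size, (unsigned)total_size_32(size),
               (unsigned long long)total_size_64(size),
               rc ? "rejected (wrapped)" : "accepted");
    }
    return 0;
}
```

With the 32-bit sum, a request close to `UINT32_MAX` yields an allocation size smaller than the header itself while the caller still holds the original, huge `size`; that mismatch is what the report describes as a small allocation followed by heap corruption.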