
kernel-packages team mailing list archive

[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption


This bug was fixed in the package linux - 3.13.0-83.127

---------------
linux (3.13.0-83.127) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1555839

  [ Florian Westphal ]

  * SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving
    userspace
    - LP: #1555338

linux (3.13.0-82.126) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1554732

  [ Upstream Kernel Changes ]

  * Revert "drm/radeon: call hpd_irq_event on resume"
    - LP: #1554608
  * net: generic dev_disable_lro() stacked device handling
    - LP: #1547680

linux (3.13.0-81.125) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1552316

  [ Upstream Kernel Changes ]

  * Revert "firmware: dmi_scan: Fix UUID endianness for SMBIOS >= 2.6"
    - LP: #1551419
  * bcache: Fix a lockdep splat in an error path
    - LP: #1551327

linux (3.13.0-80.124) trusty; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1548519

  [ Andy Whitcroft ]

  * [Debian] hv: hv_set_ifconfig -- convert to python3
    - LP: #1506521
  * [Debian] hv: hv_set_ifconfig -- switch to approved indentation
    - LP: #1540586
  * [Debian] hv: hv_set_ifconfig -- fix numerous parameter handling issues
    - LP: #1540586

  [ Dan Streetman ]

  * SAUCE: nbd: ratelimit error msgs after socket close
    - LP: #1505564

  [ Upstream Kernel Changes ]

  * Revert "workqueue: make sure delayed work run in local cpu"
    - LP: #1546320
  * [media] gspca: ov534/topro: prevent a division by 0
    - LP: #1542497
  * [media] media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
    - LP: #1542497
  * tools lib traceevent: Fix output of %llu for 64 bit values read on 32
    bit machines
    - LP: #1542497
  * KVM: x86: correctly print #AC in traces
    - LP: #1542497
  * drm/radeon: call hpd_irq_event on resume
    - LP: #1542497
  * xhci: refuse loading if nousb is used
    - LP: #1542497
  * arm64: Clear out any singlestep state on a ptrace detach operation
    - LP: #1542497
  * time: Avoid signed overflow in timekeeping_get_ns()
    - LP: #1542497
  * rtlwifi: fix memory leak for USB device
    - LP: #1542497
  * wlcore/wl12xx: spi: fix oops on firmware load
    - LP: #1542497
  * EDAC, mc_sysfs: Fix freeing bus' name
    - LP: #1542497
  * EDAC: Don't try to cancel workqueue when it's never setup
    - LP: #1542497
  * EDAC: Robustify workqueues destruction
    - LP: #1542497
  * powerpc: Make value-returning atomics fully ordered
    - LP: #1542497
  * powerpc: Make {cmp}xchg* and their atomic_ versions fully ordered
    - LP: #1542497
  * dm space map metadata: remove unused variable in brb_pop()
    - LP: #1542497
  * dm thin: fix race condition when destroying thin pool workqueue
    - LP: #1542497
  * futex: Drop refcount if requeue_pi() acquired the rtmutex
    - LP: #1542497
  * drm/radeon: clean up fujitsu quirks
    - LP: #1542497
  * mmc: sdio: Fix invalid vdd in voltage switch power cycle
    - LP: #1542497
  * mmc: sdhci: Fix sdhci_runtime_pm_bus_on/off()
    - LP: #1542497
  * udf: limit the maximum number of indirect extents in a row
    - LP: #1542497
  * nfs: Fix race in __update_open_stateid()
    - LP: #1542497
  * USB: cp210x: add ID for ELV Marble Sound Board 1
    - LP: #1542497
  * NFSv4: Don't perform cached access checks before we've OPENed the file
    - LP: #1542497
  * NFS: Fix attribute cache revalidation
    - LP: #1542497
  * posix-clock: Fix return code on the poll method's error path
    - LP: #1542497
  * rtlwifi: rtl8192de: Fix incorrect module parameter descriptions
    - LP: #1542497
  * rtlwifi: rtl8192se: Fix module parameter initialization
    - LP: #1542497
  * rtlwifi: rtl8192ce: Fix handling of module parameters
    - LP: #1542497
  * rtlwifi: rtl8192cu: Add missing parameter setup
    - LP: #1542497
  * bcache: fix a livelock when we cause a huge number of cache misses
    - LP: #1542497
  * bcache: Add a cond_resched() call to gc
    - LP: #1542497
  * bcache: clear BCACHE_DEV_UNLINK_DONE flag when attaching a backing
    device
    - LP: #1542497
  * bcache: fix a leak in bch_cached_dev_run()
    - LP: #1542497
  * bcache: unregister reboot notifier if bcache fails to unregister device
    - LP: #1542497
  * bcache: add mutex lock for bch_is_open
    - LP: #1542497
  * bcache: allows use of register in udev to avoid "device_busy" error.
    - LP: #1542497
  * bcache: Change refill_dirty() to always scan entire disk if necessary
    - LP: #1542497
  * wlcore/wl12xx: spi: fix NULL pointer dereference (Oops)
    - LP: #1542497
  * Input: i8042 - add Fujitsu Lifebook U745 to the nomux list
    - LP: #1542497
  * libxfs: pack the agfl header structure so XFS_AGFL_SIZE is correct
    - LP: #1542497
  * x86/xen: don't reset vcpu_info on a cancelled suspend
    - LP: #1542497
  * udf: Prevent buffer overrun with multi-byte characters
    - LP: #1542497
  * udf: Check output buffer length when converting name to CS0
    - LP: #1542497
  * PCI: host: Mark PCIe/PCI (MSI) IRQ cascade handlers as IRQF_NO_THREAD
    - LP: #1542497
  * iwlwifi: update and fix 7265 series PCI IDs
    - LP: #1542497
  * locks: fix unlock when fcntl_setlk races with a close
    - LP: #1542497
  * ASoC: compress: Fix compress device direction check
    - LP: #1542497
  * dm snapshot: fix hung bios when copy error occurs
    - LP: #1542497
  * uml: fix hostfs mknod()
    - LP: #1542497
  * uml: flush stdout before forking
    - LP: #1542497
  * drm/nouveau/kms: take mode_config mutex in connector hotplug path
    - LP: #1542497
  * x86/boot: Double BOOT_HEAP_SIZE to 64KB
    - LP: #1542497
  * s390: fix normalization bug in exception table sorting
    - LP: #1542497
  * xfs: inode recovery readahead can race with inode buffer creation
    - LP: #1542497
  * clocksource/drivers/vt8500: Increase the minimum delta
    - LP: #1542497
  * Input: elantech - mark protocols v2 and v3 as semi-mt
    - LP: #1542497
  * x86/reboot/quirks: Add iMac10,1 to pci_reboot_dmi_table[]
    - LP: #1542497
  * ALSA: seq: Fix missing NULL check at remove_events ioctl
    - LP: #1542497
  * ALSA: seq: Fix race at timer setup and close
    - LP: #1542497
  * virtio_balloon: fix race by fill and leak
    - LP: #1542497
  * virtio_balloon: fix race between migration and ballooning
    - LP: #1542497
  * parisc: Fix __ARCH_SI_PREAMBLE_SIZE
    - LP: #1542497
  * scripts/recordmcount.pl: support data in text section on powerpc
    - LP: #1542497
  * powerpc/module: Handle R_PPC64_ENTRY relocations
    - LP: #1542497
  * ALSA: timer: Fix double unlink of active_list
    - LP: #1542497
  * dmaengine: dw: fix cyclic transfer setup
    - LP: #1542497
  * dmaengine: dw: fix cyclic transfer callbacks
    - LP: #1542497
  * mmc: mmci: fix an ages old detection error
    - LP: #1542497
  * ALSA: timer: Fix race among timer ioctls
    - LP: #1542497
  * sparc64: fix incorrect sign extension in sys_sparc64_personality
    - LP: #1542497
  * cifs: Ratelimit kernel log messages
    - LP: #1542497
  * cifs: fix race between call_async() and reconnect()
    - LP: #1542497
  * cifs_dbg() outputs an uninitialized buffer in cifs_readdir()
    - LP: #1542497
  * m32r: fix m32104ut_defconfig build fail
    - LP: #1542497
  * dma-debug: switch check from _text to _stext
    - LP: #1542497
  * scripts/bloat-o-meter: fix python3 syntax error
    - LP: #1542497
  * ocfs2/dlm: ignore cleaning the migration mle that is inuse
    - LP: #1542497
  * ALSA: timer: Harden slave timer list handling
    - LP: #1542497
  * mm: soft-offline: check return value in second __get_any_page() call
    - LP: #1542497
  * memcg: only free spare array when readers are done
    - LP: #1542497
  * panic: release stale console lock to always get the logbuf printed out
    - LP: #1542497
  * kernel/panic.c: turn off locks debug before releasing console lock
    - LP: #1542497
  * printk: do cond_resched() between lines while outputting to consoles
    - LP: #1542497
  * ALSA: hda - Fix bass pin fixup for ASUS N550JX
    - LP: #1542497
  * crypto: af_alg - Disallow bind/setkey/... after accept(2)
    - LP: #1542497
  * crypto: af_alg - Fix socket double-free when accept fails
    - LP: #1542497
  * crypto: af_alg - Add nokey compatibility path
    - LP: #1542497
  * crypto: hash - Add crypto_ahash_has_setkey
    - LP: #1542497
  * crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey
    path
    - LP: #1542497
  * crypto: af_alg - Forbid bind(2) when nokey child sockets are present
    - LP: #1542497
  * ALSA: hrtimer: Fix stall by hrtimer_cancel()
    - LP: #1542497
  * ALSA: pcm: Fix snd_pcm_hw_params struct copy in compat mode
    - LP: #1542497
  * ALSA: seq: Fix snd_seq_call_port_info_ioctl in compat mode
    - LP: #1542497
  * ALSA: control: Avoid kernel warnings from tlv ioctl with numid 0
    - LP: #1542497
  * crypto: algif_skcipher - Load TX SG list after waiting
    - LP: #1542497
  * crypto: crc32c - Fix crc32c soft dependency
    - LP: #1542497
  * IB/qib: fix mcast detach when qp not attached
    - LP: #1542497
  * iscsi-target: Fix potential dead-lock during node acl delete
    - LP: #1542497
  * ocfs2: NFS hangs in __ocfs2_cluster_lock due to race with
    ocfs2_unblock_lock
    - LP: #1542497
  * [media] rc: allow rc modules to be loaded if rc-main is not a module
    - LP: #1542497
  * SCSI: initio: remove duplicate module device table
    - LP: #1542497
  * clk: xgene: Fix divider with non-zero shift value
    - LP: #1542497
  * ath9k_htc: check for underflow in ath9k_htc_rx_msg()
    - LP: #1542497
  * mtd: nand: fix ONFI parameter page layout
    - LP: #1542497
  * ALSA: fm801: propagate TUNER_ONLY bit when autodetected
    - LP: #1542497
  * pinctrl: bcm2835: Fix memory leak in error path
    - LP: #1542497
  * kconfig: return 'false' instead of 'no' in bool function
    - LP: #1542497
  * perf/x86: Fix filter_events() bug with event mappings
    - LP: #1542497
  * power: test_power: correctly handle empty writes
    - LP: #1542497
  * firmware: actually return NULL on failed request_firmware_nowait()
    - LP: #1542497
  * mmc: sd: limit SD card power limit according to cards capabilities
    - LP: #1542497
  * Btrfs: clean up an error code in btrfs_init_space_info()
    - LP: #1542497
  * batman-adv: Avoid recursive call_rcu for batadv_bla_claim
    - LP: #1542497
  * batman-adv: Avoid recursive call_rcu for batadv_nc_node
    - LP: #1542497
  * batman-adv: Drop immediate orig_node free function
    - LP: #1542497
  * printk: help pr_debug and pr_devel to optimize out arguments
    - LP: #1542497
  * mmc: debugfs: correct wrong voltage value
    - LP: #1542497
  * IB/mlx4: Initialize hop_limit when creating address handle
    - LP: #1542497
  * veth: don’t modify ip_summed; doing so treats packets with bad
    checksums as good.
    - LP: #1542497
  * sctp: sctp should release assoc when sctp_make_abort_user return NULL
    in sctp_close
    - LP: #1542497
  * connector: bump skb->users before callback invocation
    - LP: #1542497
  * unix: properly account for FDs passed over unix sockets
    - LP: #1542497
  * bridge: Only call /sbin/bridge-stp for the initial network namespace
    - LP: #1542497
  * net: sctp: prevent writes to cookie_hmac_alg from accessing invalid
    memory
    - LP: #1542497
  * tcp_yeah: don't set ssthresh below 2
    - LP: #1542497
  * bonding: Prevent IPv6 link local address on enslaved devices
    - LP: #1542497
  * phonet: properly unshare skbs in phonet_rcv()
    - LP: #1542497
  * ipv6: update skb->csum when CE mark is propagated
    - LP: #1542497
  * team: Replace rcu_read_lock with a mutex in team_vlan_rx_kill_vid
    - LP: #1542497
  * Linux 3.13.11-ckt34
    - LP: #1542497
  * qeth: initialize net_device with carrier off
    - LP: #1541907
  * umount: Do not allow unmounting rootfs.
    - LP: #1541313
  * [media] usbvision fix overflow of interfaces array
    - LP: #1546273
  * [media] usbvision: fix leak of usb_dev on failure paths in
    usbvision_probe()
    - LP: #1546273
  * [media] usbvision: fix crash on detecting device with invalid
    configuration
    - LP: #1546273
  * tty: Fix unsafe ldisc reference via ioctl(TIOCGETD)
    - LP: #1546273
  * USB: serial: visor: fix crash on detecting device without write_urbs
    - LP: #1546273
  * ASN.1: Fix non-match detection failure on data overrun
    - LP: #1546273
  * iio: adis_buffer: Fix out-of-bounds memory access
    - LP: #1546273
  * x86/irq: Call chip->irq_set_affinity in proper context
    - LP: #1546273
  * usb: cdc-acm: handle unlinked urb in acm read callback
    - LP: #1546273
  * usb: cdc-acm: send zero packet for intel 7260 modem
    - LP: #1546273
  * cdc-acm:exclude Samsung phone 04e8:685d
    - LP: #1546273
  * usb: hub: do not clear BOS field during reset device
    - LP: #1546273
  * USB: cp210x: add ID for IAI USB to RS485 adaptor
    - LP: #1546273
  * USB: visor: fix null-deref at probe
    - LP: #1546273
  * USB: serial: option: Adding support for Telit LE922
    - LP: #1546273
  * ALSA: seq: Fix incorrect sanity check at snd_seq_oss_synth_cleanup()
    - LP: #1546273
  * ALSA: seq: Degrade the error message for too many opens
    - LP: #1546273
  * USB: serial: ftdi_sio: add support for Yaesu SCU-18 cable
    - LP: #1546273
  * USB: option: fix Cinterion AHxx enumeration
    - LP: #1546273
  * ALSA: compress: Disable GET_CODEC_CAPS ioctl for some architectures
    - LP: #1546273
  * ALSA: usb-audio: Fix TEAC UD-501/UD-503/NT-503 usb delay
    - LP: #1546273
  * arm64: errata: Add -mpc-relative-literal-loads to build flags
    - LP: #1533009, #1546273
  * SCSI: fix crashes in sd and sr runtime PM
    - LP: #1546273
  * n_tty: Fix unsafe reference to "other" ldisc
    - LP: #1546273
  * ALSA: dummy: Disable switching timer backend via sysfs
    - LP: #1546273
  * drm/vmwgfx: respect 'nomodeset'
    - LP: #1546273
  * x86/mm/pat: Avoid truncation when converting cpa->numpages to address
    - LP: #1546273
  * perf annotate browser: Fix behaviour of Shift-Tab with nothing focussed
    - LP: #1546273
  * powerpc/perf: Remove PPMU_HAS_SSLOT flag for Power8
    - LP: #1546273
  * Linux 3.13.11-ckt35
    - LP: #1546273
  * netfilter: bridge: don't use nf_bridge_info data to store mac header
    - LP: #1463911
  * netfilter: bridge: restore vlan tag when refragmenting
    - LP: #1463911
  * netfilter: bridge: forward IPv6 fragmented packets
    - LP: #1463911
  * netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in
    br_validate_ipv6
    - LP: #1463911
  * ALSA: usb-audio: avoid freeing umidi object twice
    - LP: #1546177
    - CVE-2016-2384
  * vmstat: explicitly schedule per-cpu work on the CPU we need it to run
    on
    - LP: #1546320

 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>  Thu, 10 Mar 2016 14:41:56 -0800

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** Changed in: linux-lts-utopic (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Committed
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Committed
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Committed
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Committed
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid

Bug description:
  [Impact]
  [From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

  [Fix]
  http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

  [Test Case]
  Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
  gcc net*v3.c -o v3
  ./v3
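As an added illustration (not the kernel's code and not the patch referenced above), the following user-space model reproduces the next_offset walk described in the bug and adds the bounds check that the unfixed mark_source_chains lacked. The struct entry, put_entry, get_pcnt and walk_checked names are constructed stand-ins for the ipt_entry fields involved.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the ipt_entry fields the walk touches.
 * Real entries are variable-length; the bounds logic is the same. */
struct entry {
    uint16_t next_offset;   /* user-controlled distance to the next entry */
    uint32_t pcnt;          /* stands in for e->counters.pcnt */
};

/* Write one constructed entry into the table buffer at byte offset pos. */
void put_entry(uint8_t *table, size_t pos, uint16_t next_offset)
{
    struct entry e = { next_offset, 0 };
    memcpy(table + pos, &e, sizeof e);
}

/* Read back the pcnt field written by the walk (for checking results). */
uint32_t get_pcnt(const uint8_t *table, size_t pos)
{
    struct entry e;
    memcpy(&e, table + pos, sizeof e);
    return e.pcnt;
}

/* Follow next_offset from entry to entry, writing the back-link into the
 * next entry's pcnt as mark_source_chains does. Unlike the unfixed code,
 * every newpos is validated against the allocation before it is used.
 * Returns the number of entries visited, or -1 for a malformed table. */
int walk_checked(uint8_t *table, size_t size, size_t max_hops)
{
    size_t pos = 0, hops;

    if (size < sizeof(struct entry))
        return -1;
    for (hops = 1; hops <= max_hops; hops++) {
        struct entry e;
        memcpy(&e, table + pos, sizeof e);       /* no unaligned access */
        size_t newpos = pos + e.next_offset;

        if (newpos == size)                      /* walked exactly to the end */
            return (int)hops;
        /* Reject offsets that overlap, stall, or leave the allocation
         * before anything is written through the new position. */
        if (e.next_offset < sizeof(struct entry) ||
            newpos > size - sizeof(struct entry))
            return -1;

        memcpy(&e, table + newpos, sizeof e);
        e.pcnt = (uint32_t)pos;                  /* the write that went OOB */
        memcpy(table + newpos, &e, sizeof e);
        pos = newpos;
    }
    return -1;                                   /* too many hops: loop suspected */
}
```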

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions