kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #167533
[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-lts-xenial - 4.4.0-13.29~14.04.1
---------------
linux-lts-xenial (4.4.0-13.29~14.04.1) trusty; urgency=low
[ Tim Gardner ]
* Release Tracking Bug
- LP: #1556247
* s390/mm: four page table levels vs. fork (LP: #1556141)
- s390/mm: four page table levels vs. fork
* [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
- hv_netvsc: use skb_get_hash() instead of a homegrown implementation
- hv_netvsc: cleanup netdev feature flags for netvsc
* fails to boot on megaraid (LP: #1552903)
- SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in
case of PD list DCMD failure
* ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
- ALSA: hda - add codec support for Kabylake display audio codec
* Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
- cpufreq: powernv: Free 'chips' on module exit
- cpufreq: powernv: Hot-plug safe the kworker thread
- cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
- cpufreq: powernv/tracing: Add powernv_throttle tracepoint
- cpufreq: powernv: Replace pr_info with trace print for throttle event
- SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}
* Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
- SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace
* integer overflow in xt_alloc_table_info (LP: #1555353)
- SAUCE: (noup) netfilter: x_tables: check for size overflow
* linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
- [Packaging] reconstruct -- automatically reconstruct against base tag
- [Config] reconstruct -- update to autoreconstruct output
- [Packaging] reconstruct -- update when inserting final changes
* Xenial update to v4.4.5 stable release (LP: #1555640)
- use ->d_seq to get coherency between ->d_inode and ->d_flags
- drivers: sh: Restore legacy clock domain on SuperH platforms
- Btrfs: fix deadlock running delayed iputs at transaction commit time
- btrfs: Fix no_space in write and rm loop
- btrfs: async-thread: Fix a use-after-free error for trace
- block: Initialize max_dev_sectors to 0
- PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
- parisc: Fix ptrace syscall number and return value modification
- mips/kvm: fix ioctl error handling
- kvm: x86: Update tsc multiplier on change.
- fbcon: set a default value to blink interval
- cifs: fix out-of-bounds access in lease parsing
- CIFS: Fix SMB2+ interim response processing for read requests
- Fix cifs_uniqueid_to_ino_t() function for s390x
- vfio: fix ioctl error handling
- KVM: x86: fix root cause for missed hardware breakpoints
- arm/arm64: KVM: Fix ioctl error handling
- iommu/amd: Apply workaround for ATS write permission check
- iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
- iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
- target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
- drm/ast: Fix incorrect register check for DRAM width
- drm/radeon/pm: update current crtc info after setting the powerstate
- drm/amdgpu/pm: update current crtc info after setting the powerstate
- drm/amdgpu: apply gfx_v8 fixes to gfx_v7 as well
- drm/amdgpu/gfx8: specify which engine to wait before vm flush
- drm/amdgpu: return from atombios_dp_get_dpcd only when error
- libata: fix HDIO_GET_32BIT ioctl
- libata: Align ata_device's id on a cacheline
- block: bio: introduce helpers to get the 1st and last bvec
- writeback: flush inode cgroup wb switches instead of pinning super_block
- Adding Intel Lewisburg device IDs for SATA
- arm64: vmemmap: use virtual projection of linear region
- PM / sleep / x86: Fix crash on graph trace through x86 suspend
- ata: ahci: don't mark HotPlugCapable Ports as external/removable
- tracing: Do not have 'comm' filter override event 'comm' field
- pata-rb532-cf: get rid of the irq_to_gpio() call
- Btrfs: fix loading of orphan roots leading to BUG_ON
- Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
- jffs2: Fix page lock / f->sem deadlock
- Fix directory hardlinks from deleted directories
- dmaengine: pxa_dma: fix cyclic transfers
- adv7604: fix tx 5v detect regression
- ALSA: usb-audio: Add a quirk for Plantronics DA45
- ALSA: ctl: Fix ioctls for X32 ABI
- ALSA: hda - Fix mic issues on Acer Aspire E1-472
- ALSA: rawmidi: Fix ioctls X32 ABI
- ALSA: timer: Fix ioctls for X32 ABI
- ALSA: pcm: Fix ioctls for X32 ABI
- ALSA: seq: oss: Don't drain at closing a client
- ALSA: hdspm: Fix wrong boolean ctl value accesses
- ALSA: hdsp: Fix wrong boolean ctl value accesses
- ALSA: hdspm: Fix zero-division
- ALSA: timer: Fix broken compat timer user status ioctl
- usb: chipidea: otg: change workqueue ci_otg as freezable
- USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder
- USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3)
- USB: qcserial: add Sierra Wireless EM74xx device ID
- USB: serial: option: add support for Telit LE922 PID 0x1045
- USB: serial: option: add support for Quectel UC20
- MIPS: scache: Fix scache init with invalid line size.
- MIPS: traps: Fix SIGFPE information leak from `do_ov' and `do_trap_or_bp'
- ubi: Fix out of bounds write in volume update code
- i2c: brcmstb: allocate correct amount of memory for regmap
- thermal: cpu_cooling: fix out of bounds access in time_in_idle
- block: check virt boundary in bio_will_gap()
- block: get the 1st and last bvec via helpers
- drm/i915: more virtual south bridge detection
- drm/i915: refine qemu south bridge detection
- modules: fix longstanding /proc/kallsyms vs module insertion race.
- drm/amdgpu: fix topaz/tonga gmc assignment in 4.4 stable
- Linux 4.4.5
* QEMU: causes vCPU steal time overflow on live migration (LP: #1494350)
- x86/mm: Fix slow_virt_to_phys() for X86_PAE again
* TPM2.0 trusted keys fixes (LP: #1398274)
- tpm_tis: further simplify calculation of ordinal duration
- tpm_tis: Use devm_free_irq not free_irq
- tpm_tis: Ensure interrupts are disabled when the driver starts
- tpm: rework tpm_get_timeouts()
- tpm_tis: Get rid of the duplicate IRQ probing code
- tpm_tis: Refactor the interrupt setup
- tpm_tis: Tighten IRQ auto-probing
- tpm_ibmvtpm: properly handle interrupted packet receptions
* linux: review all versioned depends/conflicts/replaces/breaks for validility (LP: #1555033)
- [Config] control.stub.in -- review versioned Build-Depends:
- [Config] control.stub.in -- review versioned
Depends/Breaks/Conflicts/Replaces
- [Config] flavour-control.stub -- review versioned Breaks/Conflicts/Replaces
- [Config] x86 vars.* -- review versioned Breaks/Conflicts/Replaces
-- Tim Gardner <tim.gardner@xxxxxxxxxxxxx> Wed, 09 Mar 2016 05:11:51
-0700
** Changed in: linux-lts-xenial (Ubuntu Trusty)
Status: New => Fix Released
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338
Title:
Linux netfilter IPT_SO_SET_REPLACE memory corruption
Status in linux package in Ubuntu:
Fix Released
Status in linux-armadaxp package in Ubuntu:
Invalid
Status in linux-flo package in Ubuntu:
New
Status in linux-goldfish package in Ubuntu:
New
Status in linux-keystone package in Ubuntu:
Invalid
Status in linux-lts-quantal package in Ubuntu:
Invalid
Status in linux-lts-raring package in Ubuntu:
Invalid
Status in linux-lts-saucy package in Ubuntu:
Invalid
Status in linux-lts-trusty package in Ubuntu:
Invalid
Status in linux-lts-utopic package in Ubuntu:
Invalid
Status in linux-lts-vivid package in Ubuntu:
Invalid
Status in linux-lts-wily package in Ubuntu:
Invalid
Status in linux-lts-xenial package in Ubuntu:
Invalid
Status in linux-mako package in Ubuntu:
New
Status in linux-manta package in Ubuntu:
New
Status in linux-raspi2 package in Ubuntu:
New
Status in linux-ti-omap4 package in Ubuntu:
Invalid
Status in linux source package in Precise:
Fix Released
Status in linux-armadaxp source package in Precise:
Fix Released
Status in linux-flo source package in Precise:
Invalid
Status in linux-goldfish source package in Precise:
Invalid
Status in linux-keystone source package in Precise:
Invalid
Status in linux-lts-quantal source package in Precise:
Invalid
Status in linux-lts-raring source package in Precise:
Invalid
Status in linux-lts-saucy source package in Precise:
Invalid
Status in linux-lts-trusty source package in Precise:
Fix Released
Status in linux-lts-utopic source package in Precise:
Invalid
Status in linux-lts-vivid source package in Precise:
Invalid
Status in linux-lts-wily source package in Precise:
Invalid
Status in linux-lts-xenial source package in Precise:
Invalid
Status in linux-mako source package in Precise:
Invalid
Status in linux-manta source package in Precise:
Invalid
Status in linux-raspi2 source package in Precise:
Invalid
Status in linux-ti-omap4 source package in Precise:
Fix Released
Status in linux source package in Trusty:
Fix Released
Status in linux-armadaxp source package in Trusty:
Invalid
Status in linux-flo source package in Trusty:
Invalid
Status in linux-goldfish source package in Trusty:
Invalid
Status in linux-keystone source package in Trusty:
Fix Released
Status in linux-lts-quantal source package in Trusty:
Invalid
Status in linux-lts-raring source package in Trusty:
Invalid
Status in linux-lts-saucy source package in Trusty:
Invalid
Status in linux-lts-trusty source package in Trusty:
Invalid
Status in linux-lts-utopic source package in Trusty:
Fix Released
Status in linux-lts-vivid source package in Trusty:
Fix Released
Status in linux-lts-wily source package in Trusty:
Fix Released
Status in linux-lts-xenial source package in Trusty:
Fix Released
Status in linux-mako source package in Trusty:
Invalid
Status in linux-manta source package in Trusty:
Invalid
Status in linux-raspi2 source package in Trusty:
Invalid
Status in linux-ti-omap4 source package in Trusty:
Invalid
Status in linux source package in Vivid:
Fix Released
Status in linux-armadaxp source package in Vivid:
Invalid
Status in linux-flo source package in Vivid:
New
Status in linux-goldfish source package in Vivid:
New
Status in linux-keystone source package in Vivid:
Invalid
Status in linux-lts-quantal source package in Vivid:
New
Status in linux-lts-raring source package in Vivid:
New
Status in linux-lts-saucy source package in Vivid:
New
Status in linux-lts-trusty source package in Vivid:
New
Status in linux-lts-utopic source package in Vivid:
Invalid
Status in linux-lts-vivid source package in Vivid:
New
Status in linux-lts-wily source package in Vivid:
New
Status in linux-lts-xenial source package in Vivid:
New
Status in linux-mako source package in Vivid:
New
Status in linux-manta source package in Vivid:
New
Status in linux-raspi2 source package in Vivid:
New
Status in linux-ti-omap4 source package in Vivid:
Invalid
Status in linux source package in Wily:
Fix Released
Status in linux-armadaxp source package in Wily:
Invalid
Status in linux-flo source package in Wily:
New
Status in linux-goldfish source package in Wily:
New
Status in linux-keystone source package in Wily:
Invalid
Status in linux-lts-quantal source package in Wily:
Invalid
Status in linux-lts-raring source package in Wily:
Invalid
Status in linux-lts-saucy source package in Wily:
Invalid
Status in linux-lts-trusty source package in Wily:
Invalid
Status in linux-lts-utopic source package in Wily:
Invalid
Status in linux-lts-vivid source package in Wily:
Invalid
Status in linux-lts-wily source package in Wily:
Invalid
Status in linux-lts-xenial source package in Wily:
Invalid
Status in linux-mako source package in Wily:
New
Status in linux-manta source package in Wily:
New
Status in linux-raspi2 source package in Wily:
New
Status in linux-ti-omap4 source package in Wily:
Invalid
Status in linux source package in Xenial:
Fix Released
Status in linux-armadaxp source package in Xenial:
Invalid
Status in linux-flo source package in Xenial:
New
Status in linux-goldfish source package in Xenial:
New
Status in linux-keystone source package in Xenial:
Invalid
Status in linux-lts-quantal source package in Xenial:
Invalid
Status in linux-lts-raring source package in Xenial:
Invalid
Status in linux-lts-saucy source package in Xenial:
Invalid
Status in linux-lts-trusty source package in Xenial:
Invalid
Status in linux-lts-utopic source package in Xenial:
Invalid
Status in linux-lts-vivid source package in Xenial:
Invalid
Status in linux-lts-wily source package in Xenial:
Invalid
Status in linux-lts-xenial source package in Xenial:
Invalid
Status in linux-mako source package in Xenial:
New
Status in linux-manta source package in Xenial:
New
Status in linux-raspi2 source package in Xenial:
New
Status in linux-ti-omap4 source package in Xenial:
Invalid
Bug description:
[Impact]
[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]
A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
ioctl in the netfilter code for iptables support. This ioctl is can be
triggered by an unprivileged user on PF_INET sockets when unprivileged
user namespaces are available (CONFIG_USER_NS=y). Android does not
enable this option, but desktop/server distributions and Chrome OS
will commonly enable this to allow for containers support or
sandboxing.
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset:
newpos = pos + e->next_offset;
...
e = (struct ipt_entry *) (entry0 + newpos);
e->counters.pcnt = pos;
This means that an out of bounds 32-bit write can occur in a 64kb
range from the allocated heap entry, with a controlled offset and a
partially controlled write value ("pos") or zero. The attached proof-
of-concept (netfilter_setsockopt_v3.c) triggers the corruption
multiple times to set adjacent heap structures to zero.
This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
appears that a similar codepath is accessible via
arp_tables.c/ARPT_SO_SET_REPLACE as well.
[Fix]
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150
[Test Case]
Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
gcc net*v3.c -o v3
./v3
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions
