← Back to team overview

kernel-packages team mailing list archive

[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption

 

This bug was fixed in the package linux-lts-xenial - 4.4.0-13.29~14.04.1

---------------
linux-lts-xenial (4.4.0-13.29~14.04.1) trusty; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
    - s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
    - hv_netvsc: use skb_get_hash() instead of a homegrown implementation
    - hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
    - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers in
      case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
    - ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
    - cpufreq: powernv: Free 'chips' on module exit
    - cpufreq: powernv: Hot-plug safe the kworker thread
    - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
    - cpufreq: powernv/tracing: Add powernv_throttle tracepoint
    - cpufreq: powernv: Replace pr_info with trace print for throttle event
    - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Config] reconstruct -- update to autoreconstruct output
    - [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
    - use ->d_seq to get coherency between ->d_inode and ->d_flags
    - drivers: sh: Restore legacy clock domain on SuperH platforms
    - Btrfs: fix deadlock running delayed iputs at transaction commit time
    - btrfs: Fix no_space in write and rm loop
    - btrfs: async-thread: Fix a use-after-free error for trace
    - block: Initialize max_dev_sectors to 0
    - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
    - parisc: Fix ptrace syscall number and return value modification
    - mips/kvm: fix ioctl error handling
    - kvm: x86: Update tsc multiplier on change.
    - fbcon: set a default value to blink interval
    - cifs: fix out-of-bounds access in lease parsing
    - CIFS: Fix SMB2+ interim response processing for read requests
    - Fix cifs_uniqueid_to_ino_t() function for s390x
    - vfio: fix ioctl error handling
    - KVM: x86: fix root cause for missed hardware breakpoints
    - arm/arm64: KVM: Fix ioctl error handling
    - iommu/amd: Apply workaround for ATS write permission check
    - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
    - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - drm/ast: Fix incorrect register check for DRAM width
    - drm/radeon/pm: update current crtc info after setting the powerstate
    - drm/amdgpu/pm: update current crtc info after setting the powerstate
    - drm/amdgpu: apply gfx_v8 fixes to gfx_v7 as well
    - drm/amdgpu/gfx8: specify which engine to wait before vm flush
    - drm/amdgpu: return from atombios_dp_get_dpcd only when error
    - libata: fix HDIO_GET_32BIT ioctl
    - libata: Align ata_device's id on a cacheline
    - block: bio: introduce helpers to get the 1st and last bvec
    - writeback: flush inode cgroup wb switches instead of pinning super_block
    - Adding Intel Lewisburg device IDs for SATA
    - arm64: vmemmap: use virtual projection of linear region
    - PM / sleep / x86: Fix crash on graph trace through x86 suspend
    - ata: ahci: don't mark HotPlugCapable Ports as external/removable
    - tracing: Do not have 'comm' filter override event 'comm' field
    - pata-rb532-cf: get rid of the irq_to_gpio() call
    - Btrfs: fix loading of orphan roots leading to BUG_ON
    - Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
    - jffs2: Fix page lock / f->sem deadlock
    - Fix directory hardlinks from deleted directories
    - dmaengine: pxa_dma: fix cyclic transfers
    - adv7604: fix tx 5v detect regression
    - ALSA: usb-audio: Add a quirk for Plantronics DA45
    - ALSA: ctl: Fix ioctls for X32 ABI
    - ALSA: hda - Fix mic issues on Acer Aspire E1-472
    - ALSA: rawmidi: Fix ioctls X32 ABI
    - ALSA: timer: Fix ioctls for X32 ABI
    - ALSA: pcm: Fix ioctls for X32 ABI
    - ALSA: seq: oss: Don't drain at closing a client
    - ALSA: hdspm: Fix wrong boolean ctl value accesses
    - ALSA: hdsp: Fix wrong boolean ctl value accesses
    - ALSA: hdspm: Fix zero-division
    - ALSA: timer: Fix broken compat timer user status ioctl
    - usb: chipidea: otg: change workqueue ci_otg as freezable
    - USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder
    - USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3)
    - USB: qcserial: add Sierra Wireless EM74xx device ID
    - USB: serial: option: add support for Telit LE922 PID 0x1045
    - USB: serial: option: add support for Quectel UC20
    - MIPS: scache: Fix scache init with invalid line size.
    - MIPS: traps: Fix SIGFPE information leak from `do_ov' and `do_trap_or_bp'
    - ubi: Fix out of bounds write in volume update code
    - i2c: brcmstb: allocate correct amount of memory for regmap
    - thermal: cpu_cooling: fix out of bounds access in time_in_idle
    - block: check virt boundary in bio_will_gap()
    - block: get the 1st and last bvec via helpers
    - drm/i915: more virtual south bridge detection
    - drm/i915: refine qemu south bridge detection
    - modules: fix longstanding /proc/kallsyms vs module insertion race.
    - drm/amdgpu: fix topaz/tonga gmc assignment in 4.4 stable
    - Linux 4.4.5

  * QEMU: causes vCPU steal time overflow on live migration (LP: #1494350)
    - x86/mm: Fix slow_virt_to_phys() for X86_PAE again

  * TPM2.0 trusted keys fixes (LP: #1398274)
    - tpm_tis: further simplify calculation of ordinal duration
    - tpm_tis: Use devm_free_irq not free_irq
    - tpm_tis: Ensure interrupts are disabled when the driver starts
    - tpm: rework tpm_get_timeouts()
    - tpm_tis: Get rid of the duplicate IRQ probing code
    - tpm_tis: Refactor the interrupt setup
    - tpm_tis: Tighten IRQ auto-probing
    - tpm_ibmvtpm: properly handle interrupted packet receptions

  * linux: review all versioned depends/conflicts/replaces/breaks for validility (LP: #1555033)
    - [Config] control.stub.in -- review versioned Build-Depends:
    - [Config] control.stub.in -- review versioned
      Depends/Breaks/Conflicts/Replaces
    - [Config] flavour-control.stub -- review versioned Breaks/Conflicts/Replaces
    - [Config] x86 vars.* -- review versioned Breaks/Conflicts/Replaces

 -- Tim Gardner <tim.gardner@xxxxxxxxxxxxx>  Wed, 09 Mar 2016 05:11:51
-0700

** Changed in: linux-lts-xenial (Ubuntu Trusty)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338

Title:
  Linux netfilter IPT_SO_SET_REPLACE memory corruption

Status in linux package in Ubuntu:
  Fix Released
Status in linux-armadaxp package in Ubuntu:
  Invalid
Status in linux-flo package in Ubuntu:
  New
Status in linux-goldfish package in Ubuntu:
  New
Status in linux-keystone package in Ubuntu:
  Invalid
Status in linux-lts-quantal package in Ubuntu:
  Invalid
Status in linux-lts-raring package in Ubuntu:
  Invalid
Status in linux-lts-saucy package in Ubuntu:
  Invalid
Status in linux-lts-trusty package in Ubuntu:
  Invalid
Status in linux-lts-utopic package in Ubuntu:
  Invalid
Status in linux-lts-vivid package in Ubuntu:
  Invalid
Status in linux-lts-wily package in Ubuntu:
  Invalid
Status in linux-lts-xenial package in Ubuntu:
  Invalid
Status in linux-mako package in Ubuntu:
  New
Status in linux-manta package in Ubuntu:
  New
Status in linux-raspi2 package in Ubuntu:
  New
Status in linux-ti-omap4 package in Ubuntu:
  Invalid
Status in linux source package in Precise:
  Fix Released
Status in linux-armadaxp source package in Precise:
  Fix Released
Status in linux-flo source package in Precise:
  Invalid
Status in linux-goldfish source package in Precise:
  Invalid
Status in linux-keystone source package in Precise:
  Invalid
Status in linux-lts-quantal source package in Precise:
  Invalid
Status in linux-lts-raring source package in Precise:
  Invalid
Status in linux-lts-saucy source package in Precise:
  Invalid
Status in linux-lts-trusty source package in Precise:
  Fix Released
Status in linux-lts-utopic source package in Precise:
  Invalid
Status in linux-lts-vivid source package in Precise:
  Invalid
Status in linux-lts-wily source package in Precise:
  Invalid
Status in linux-lts-xenial source package in Precise:
  Invalid
Status in linux-mako source package in Precise:
  Invalid
Status in linux-manta source package in Precise:
  Invalid
Status in linux-raspi2 source package in Precise:
  Invalid
Status in linux-ti-omap4 source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux-armadaxp source package in Trusty:
  Invalid
Status in linux-flo source package in Trusty:
  Invalid
Status in linux-goldfish source package in Trusty:
  Invalid
Status in linux-keystone source package in Trusty:
  Fix Released
Status in linux-lts-quantal source package in Trusty:
  Invalid
Status in linux-lts-raring source package in Trusty:
  Invalid
Status in linux-lts-saucy source package in Trusty:
  Invalid
Status in linux-lts-trusty source package in Trusty:
  Invalid
Status in linux-lts-utopic source package in Trusty:
  Fix Released
Status in linux-lts-vivid source package in Trusty:
  Fix Released
Status in linux-lts-wily source package in Trusty:
  Fix Released
Status in linux-lts-xenial source package in Trusty:
  Fix Released
Status in linux-mako source package in Trusty:
  Invalid
Status in linux-manta source package in Trusty:
  Invalid
Status in linux-raspi2 source package in Trusty:
  Invalid
Status in linux-ti-omap4 source package in Trusty:
  Invalid
Status in linux source package in Vivid:
  Fix Released
Status in linux-armadaxp source package in Vivid:
  Invalid
Status in linux-flo source package in Vivid:
  New
Status in linux-goldfish source package in Vivid:
  New
Status in linux-keystone source package in Vivid:
  Invalid
Status in linux-lts-quantal source package in Vivid:
  New
Status in linux-lts-raring source package in Vivid:
  New
Status in linux-lts-saucy source package in Vivid:
  New
Status in linux-lts-trusty source package in Vivid:
  New
Status in linux-lts-utopic source package in Vivid:
  Invalid
Status in linux-lts-vivid source package in Vivid:
  New
Status in linux-lts-wily source package in Vivid:
  New
Status in linux-lts-xenial source package in Vivid:
  New
Status in linux-mako source package in Vivid:
  New
Status in linux-manta source package in Vivid:
  New
Status in linux-raspi2 source package in Vivid:
  New
Status in linux-ti-omap4 source package in Vivid:
  Invalid
Status in linux source package in Wily:
  Fix Released
Status in linux-armadaxp source package in Wily:
  Invalid
Status in linux-flo source package in Wily:
  New
Status in linux-goldfish source package in Wily:
  New
Status in linux-keystone source package in Wily:
  Invalid
Status in linux-lts-quantal source package in Wily:
  Invalid
Status in linux-lts-raring source package in Wily:
  Invalid
Status in linux-lts-saucy source package in Wily:
  Invalid
Status in linux-lts-trusty source package in Wily:
  Invalid
Status in linux-lts-utopic source package in Wily:
  Invalid
Status in linux-lts-vivid source package in Wily:
  Invalid
Status in linux-lts-wily source package in Wily:
  Invalid
Status in linux-lts-xenial source package in Wily:
  Invalid
Status in linux-mako source package in Wily:
  New
Status in linux-manta source package in Wily:
  New
Status in linux-raspi2 source package in Wily:
  New
Status in linux-ti-omap4 source package in Wily:
  Invalid
Status in linux source package in Xenial:
  Fix Released
Status in linux-armadaxp source package in Xenial:
  Invalid
Status in linux-flo source package in Xenial:
  New
Status in linux-goldfish source package in Xenial:
  New
Status in linux-keystone source package in Xenial:
  Invalid
Status in linux-lts-quantal source package in Xenial:
  Invalid
Status in linux-lts-raring source package in Xenial:
  Invalid
Status in linux-lts-saucy source package in Xenial:
  Invalid
Status in linux-lts-trusty source package in Xenial:
  Invalid
Status in linux-lts-utopic source package in Xenial:
  Invalid
Status in linux-lts-vivid source package in Xenial:
  Invalid
Status in linux-lts-wily source package in Xenial:
  Invalid
Status in linux-lts-xenial source package in Xenial:
  Invalid
Status in linux-mako source package in Xenial:
  New
Status in linux-manta source package in Xenial:
  New
Status in linux-raspi2 source package in Xenial:
  New
Status in linux-ti-omap4 source package in Xenial:
  Invalid

Bug description:
  [Impact]
  [From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

  A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
  ioctl in the netfilter code for iptables support. This ioctl is can be
  triggered by an unprivileged user on PF_INET sockets when unprivileged
  user namespaces are available (CONFIG_USER_NS=y). Android does not
  enable this option, but desktop/server distributions and Chrome OS
  will commonly enable this to allow for containers support or
  sandboxing.

  In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
  is possible for a user-supplied ipt_entry structure to have a large
  next_offset field. This field is not bounds checked prior to writing a
  counter value at the supplied offset:

  newpos = pos + e->next_offset;
  ...
  e = (struct ipt_entry *) (entry0 + newpos);
  e->counters.pcnt = pos;

  This means that an out of bounds 32-bit write can occur in a 64kb
  range from the allocated heap entry, with a controlled offset and a
  partially controlled write value ("pos") or zero. The attached proof-
  of-concept (netfilter_setsockopt_v3.c) triggers the corruption
  multiple times to set adjacent heap structures to zero.

  This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
  appears that a similar codepath is accessible via
  arp_tables.c/ARPT_SO_SET_REPLACE as well.

  [Fix]
  http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150

  [Test Case]
  Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
  gcc net*v3.c -o v3
  ./v3

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions