
kernel-packages team mailing list archive

[Bug 1582864] Re: use after free of BOS in usb_reset_and_verify_device


This bug was fixed in the package linux - 3.13.0-87.133

---------------
linux (3.13.0-87.133) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1585315

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864

linux (3.13.0-87.132) trusty; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1582398

  [ Kamal Mostafa ]

  * [Config] Drop ozwpan from the ABI

  [ Luis Henriques ]

  * [Config] CONFIG_USB_WPAN_HCD=n
    - LP: #1463740
    - CVE-2015-4004

  [ Prarit Bhargava ]

  * SAUCE: (no-up) ACPICA: Dispatcher: Update thread ID for recursive
    method calls
    - LP: #1577898

  [ Upstream Kernel Changes ]

  * usbnet: cleanup after bind() in probe()
    - LP: #1567191
    - CVE-2016-3951
  * KVM: x86: bit-ops emulation ignores offset on 64-bit
    - LP: #1423672
  * USB: usbip: fix potential out-of-bounds write
    - LP: #1572666
    - CVE-2016-3955
  * x86/mm/32: Enable full randomization on i386 and X86_32
    - LP: #1568523
    - CVE-2016-3672
  * Input: gtco - fix crash on detecting device without endpoints
    - LP: #1575706
    - CVE-2016-2187
  * atl2: Disable unimplemented scatter/gather feature
    - LP: #1561403
    - CVE-2016-2117
  * ALSA: usb-audio: Skip volume controls triggers hangup on Dell USB Dock
    - LP: #1577905
  * fs/pnode.c: treat zero mnt_group_id-s as unequal
    - LP: #1572316
  * propogate_mnt: Handle the first propogated copy being a slave
    - LP: #1572316
  * drm: Balance error path for GEM handle allocation
    - LP: #1579610
  * x86/mm: Add barriers and document switch_mm()-vs-flush synchronization
    - LP: #1538429
    - CVE-2016-2069
  * x86/mm: Improve switch_mm() barrier comments
    - LP: #1538429
    - CVE-2016-2069
  * net: fix infoleak in llc
    - LP: #1578496
    - CVE-2016-4485
  * net: fix infoleak in rtnetlink
    - LP: #1578497
    - CVE-2016-4486

 -- Kamal Mostafa <kamal@xxxxxxxxxxxxx>  Tue, 24 May 2016 11:04:30 -0700

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-4004

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2069

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2117

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-2187

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3672

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3951

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3955

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4485

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4486

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1582864

Title:
  use after free of BOS in usb_reset_and_verify_device

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in linux source package in Wily:
  Fix Committed

Bug description:
  Should be fixed with upstream commit
  e5bdfd50d6f76077bf8441d130c606229e100d40, which reverts upstream
  commit d8f00cd685f5c8e0def8593e520a7fef12c22407.

  With slub_debug enabled, this manifests as a deref of 0x6b6b... in
  usb_disable_ltm:

  [  218.235302] general protection fault: 0000 [#1] SMP 
  [  218.235311] Modules linked in: usb_storage tcp_diag inet_diag iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables autofs4 rpcsec_gss_krb5 rfcomm bnep bluetooth snd_hda_codec_hdmi binfmt_misc nvidia(POX) snd_hda_codec_realtek snd_hda_intel snd_usb_audio snd_hda_codec snd_usbmidi_lib uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core snd_hwdep snd_seq_midi joydev snd_pcm videodev snd_page_alloc snd_seq_midi_event nfsd snd_rawmidi snd_seq auth_rpcgss parport_pc nfs_acl ppdev nfs lockd sunrpc fscache honeevent(OX) snd_seq_device snd_timer snd drm lp parport sb_edac mei_me hp_wmi sparse_keymap gpio_ich hpuefi(OX) intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm soundcore edac_core mei serio_raw tpm_infineon lpc_ich mac_hid wmi shpchp dm_crypt hid_generic usbhid hid crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse isci e1000e ahci libsas libahci ptp pps_core scsi_transport_sas pata_acpi
  [  218.235410] CPU: 15 PID: 243 Comm: khubd Tainted: P           OX 3.13.0-85-generic #129-Ubuntu
  [  218.235414] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
  [  218.235418] task: ffff8807eff98000 ti: ffff8807effa0000 task.ti: ffff8807effa0000
  [  218.235421] RIP: 0010:[<ffffffff815444b6>]  [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
  [  218.235437] RSP: 0018:ffff8807effa1cd0  EFLAGS: 00010202
  [  218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
  [  218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
  [  218.235446] RBP: ffff8807effa1d08 R08: 0000000000000000 R09: 0000000000000000
  [  218.235449] R10: ffff8807ff804240 R11: ffffffff8136d2a1 R12: 0000000000000000
  [  218.235451] R13: ffff8807ebddd480 R14: 0000000000000001 R15: 0000000000000012
  [  218.235455] FS:  0000000000000000(0000) GS:ffff88101fce0000(0000) knlGS:0000000000000000
  [  218.235458] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  218.235461] CR2: 00000000013b1c08 CR3: 0000000001c0e000 CR4: 00000000000407e0
  [  218.235463] Stack:
  [  218.235465]  ffffffff81551236 ffff8807ea532ef0 0000000000000000 ffff8807ea532e68
  [  218.235476]  ffff8807ea532ef0 ffff8807ebddbf60 0000000000000000 ffff8807effa1d48
  [  218.235483]  ffffffff81545c4d ffff8807ea532f50 ffff8807ebddb4d0 00000000000002a0
  [  218.235490] Call Trace:
  [  218.235499]  [<ffffffff81551236>] ? usb_disable_device+0x126/0x290
  [  218.235506]  [<ffffffff81545c4d>] usb_disconnect+0xad/0x200
  [  218.235511]  [<ffffffff815487d3>] hub_port_connect_change+0xd3/0xb20
  [  218.235518]  [<ffffffff8154333d>] ? hub_port_status+0xdd/0x120
  [  218.235523]  [<ffffffff815496f4>] hub_events+0x4d4/0xa20
  [  218.235528]  [<ffffffff81549c75>] hub_thread+0x35/0x160
  [  218.235535]  [<ffffffff810add60>] ? prepare_to_wait_event+0x100/0x100
  [  218.235540]  [<ffffffff81549c40>] ? hub_events+0xa20/0xa20
  [  218.235549]  [<ffffffff8108deb2>] kthread+0xd2/0xf0
  [  218.235554]  [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
  [  218.235564]  [<ffffffff8173c2e8>] ret_from_fork+0x58/0x90
  [  218.235570]  [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
  [  218.235572] Code: e9 48 8b 52 10 48 85 d2 74 e0 f6 42 03 02 74 da 83 7f 1c 05 75 d4 48 8b 97 40 03 00 00 48 85 d2 74 c8 48 8b 52 10 48 85 d2 74 bf <f6> 42 03 02 74 b9 48 83 bf 50 03 00 00 00 74 af 55 45 31 c9 41 
  [  218.235618] RIP  [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
  [  218.235624]  RSP <ffff8807effa1cd0>
  [  218.235655] ---[ end trace 954cac763165b767 ]---

  Without slub_debug, you end up getting a double free and messing up the
  allocator, and apparmor tends to be the first one to notice:

  [  574.027518] hub 4-0:1.0: Cannot enable port 3.  Maybe the USB cable is bad?
  [  574.548076] usb 4-3: USB disconnect, device number 2
  [  576.040995] ------------[ cut here ]------------
  [  576.041003] WARNING: CPU: 17 PID: 11627 at /build/linux-03BQvT/linux-3.13.0/include/linux/kref.h:47 apparmor_file_alloc_security+0x167/0x180()
  [  576.041005] Modules linked in: tcp_diag inet_diag xt_u32 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables xt_NFLOG xt_tcpudp xt_comment ipt_REJECT xt_multiport xt_connmark xt_conntrack xt_mark iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables pci_stub vboxpci(OX) vboxnetadp(OX) vboxnetflt(OX) vboxdrv(OX) nfnetlink_log nfnetlink autofs4 rfcomm bnep bluetooth binfmt_misc honeevent(OX) rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache snd_hda_codec_hdmi snd_hda_codec_realtek nvidia(POX) snd_hda_intel parport_pc snd_hda_codec ppdev lp snd_hwdep snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd mei_me parport gpio_ich hpuefi(OX) sb_edac edac_core lpc_ich drm mei joydev hp_wmi sparse_keymap tpm_infineon soundcore mac_hid intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw serio_raw gf128mul glue_helper ablk_helper cryptd shpchp wmi hid_generic usbhid hid psmouse e1000e isci ahci libsas ptp libahci scsi_transport_sas pps_core pata_acpi
  [  576.041068] CPU: 17 PID: 11627 Comm: at-spi-bus-laun Tainted: P           OX 3.13.0-83-generic #127-Ubuntu
  [  576.041070] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
  [  576.041071]  0000000000000009 ffff880efd08fcf0 ffffffff81725992 0000000000000000
  [  576.041076]  ffff880efd08fd28 ffffffff8106790d ffff8807ff810430 ffff880035d22a00
  [  576.041079]  ffff880f63216000 ffff880efd08ff2c 00000000ffffff9c ffff880efd08fd38
  [  576.041082] Call Trace:
  [  576.041088]  [<ffffffff81725992>] dump_stack+0x45/0x56
  [  576.041091]  [<ffffffff8106790d>] warn_slowpath_common+0x7d/0xa0
  [  576.041094]  [<ffffffff810679ea>] warn_slowpath_null+0x1a/0x20
  [  576.041096]  [<ffffffff81316b67>] apparmor_file_alloc_security+0x167/0x180
  [  576.041100]  [<ffffffff812d9076>] security_file_alloc+0x16/0x20
  [  576.041105]  [<ffffffff811c04e0>] get_empty_filp+0x90/0x180
  [  576.041108]  [<ffffffff811ce00d>] path_openat+0x3d/0x640
  [  576.041111]  [<ffffffff811cd7db>] ? filename_lookup+0x2b/0xc0
  [  576.041114]  [<ffffffff811cf47a>] do_filp_open+0x3a/0x90
  [  576.041116]  [<ffffffff811c83a7>] ? path_get+0x27/0x30
  [  576.041120]  [<ffffffff810fed4d>] ? __audit_getname+0x9d/0xa0
  [  576.041123]  [<ffffffff811dc2d7>] ? __alloc_fd+0xa7/0x130
  [  576.041126]  [<ffffffff811bda09>] do_sys_open+0x129/0x280
  [  576.041128]  [<ffffffff811bdb7e>] SyS_open+0x1e/0x20
  [  576.041131]  [<ffffffff8173659d>] system_call_fastpath+0x1a/0x1f
  [  576.041133] ---[ end trace 5de8dc1cac0eb1c6 ]---
  [  576.041171] BUG: unable to handle kernel paging request at 000000000000472e
  [  576.041174] IP: [<ffffffff811a38b0>] kmem_cache_alloc_trace+0x80/0x1f0
  [  576.041177] PGD 0 
  [  576.041179] Oops: 0000 [#1] SMP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1582864/+subscriptions
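As an added illustration (not code from the bug report, the Ubuntu package or the kernel), the following C model shows the pattern the report describes: a descriptor pointer saved across a re-enumeration step, the object freed by that step, and the stale pointer restored and dereferenced afterwards. It assumes a poison-on-free stand-in (`release_bos`) that overwrites freed objects with 0x6b the way slub_debug does, and uses hypothetical names (`struct bos_desc`, `reinit_device`, `disable_ltm`, `reset_buggy`, `reset_fixed`, `run_reset`) that are not kernel symbols; it does not reproduce the kernel's actual usb_reset_and_verify_device logic.

```c
/* Simplified model of a "saved pointer restored after the object was freed"
 * use-after-free, and why slub_debug-style poisoning makes it visible.
 * Illustrative code only; not the kernel's USB hub code. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POISON_FREE 0x6b          /* byte slub_debug writes into freed objects */
#define BOS_MAGIC   0xB05B05u     /* hypothetical "live object" marker */

struct bos_desc {                 /* stand-in for the BOS descriptor */
    uint32_t magic;
    uint32_t ltm_capable;
};

struct usb_dev {
    struct bos_desc *bos;         /* plays the role of udev->bos */
};

/* Poison-on-free: the object is overwritten, never handed back to malloc,
 * so a later read through a dangling pointer sees 0x6b6b... instead of
 * silently corrupting the heap (the model never calls free()). */
static void release_bos(struct usb_dev *dev)
{
    if (!dev->bos)
        return;
    memset(dev->bos, POISON_FREE, sizeof *dev->bos);
    dev->bos = NULL;
}

static struct bos_desc *read_bos(int ltm)
{
    struct bos_desc *b = malloc(sizeof *b);
    if (!b)
        abort();
    b->magic = BOS_MAGIC;
    b->ltm_capable = (uint32_t)ltm;
    return b;
}

/* Stand-in for re-enumeration: drops whatever descriptor the device
 * currently holds and reads a fresh one. */
static void reinit_device(struct usb_dev *dev)
{
    release_bos(dev);
    dev->bos = read_bos(1);
}

/* Stand-in for usb_disable_ltm(): a NULL pointer is handled, a stale one
 * is not. Returns 1 for an LTM-capable device, 0 when there is no BOS,
 * -1 when the object behind the pointer carries the free poison. */
static int disable_ltm(struct usb_dev *dev)
{
    if (!dev->bos)
        return 0;
    if (dev->bos->magic == 0x6b6b6b6bu)
        return -1;                /* use-after-free detected */
    return dev->bos->ltm_capable ? 1 : 0;
}

/* Buggy reset: dev->bos stays populated across reinit, so reinit frees the
 * saved object; the saved pointer is then restored and is dangling. */
static int reset_buggy(struct usb_dev *dev)
{
    struct bos_desc *saved = dev->bos;
    reinit_device(dev);           /* frees 'saved' via dev->bos */
    release_bos(dev);             /* drop the freshly read copy */
    dev->bos = saved;             /* points at poisoned memory */
    return disable_ltm(dev);
}

/* Fixed reset: clear the field before reinit so the saved object survives,
 * then restore it once the fresh copy has been dropped. */
static int reset_fixed(struct usb_dev *dev)
{
    struct bos_desc *saved = dev->bos;
    dev->bos = NULL;
    reinit_device(dev);           /* frees nothing: dev->bos was NULL */
    release_bos(dev);
    dev->bos = saved;             /* still live */
    return disable_ltm(dev);
}

/* Runs one reset on a fresh LTM-capable device and returns disable_ltm()'s
 * verdict: 1 for the fixed path, -1 for the buggy path. */
static int run_reset(int fixed)
{
    struct usb_dev dev = { .bos = read_bos(1) };
    return fixed ? reset_fixed(&dev) : reset_buggy(&dev);
}

int main(void)
{
    printf("fixed reset -> %d, buggy reset -> %d\n", run_reset(1), run_reset(0));
    return 0;
}
```

With the poisoning stand-in, the buggy path fails loudly at the first dereference, which is the 0x6b6b6b6b6b6b6b6b in RDX of the first oops above. Take the poisoning away (a real free() instead of the memset) and the same sequence becomes a double free of the saved object, which is the allocator corruption the second trace shows surfacing far from the USB code.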
