kernel-packages team mailing list archive
Message #186220
[Bug 1555338] Re: Linux netfilter IPT_SO_SET_REPLACE memory corruption
This bug was fixed in the package linux-snapdragon - 4.4.0-1019.22
---------------
linux-snapdragon (4.4.0-1019.22) xenial; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1595882
[ Ubuntu: 4.4.0-28.47 ]
* Linux netfilter local privilege escalation issues (LP: #1595350)
- netfilter: x_tables: don't move to non-existent next rule
- netfilter: x_tables: validate targets of jumps
- netfilter: x_tables: add and use xt_check_entry_offsets
- netfilter: x_tables: kill check_entry helper
- netfilter: x_tables: assert minimum target size
- netfilter: x_tables: add compat version of xt_check_entry_offsets
- netfilter: x_tables: check standard target size too
- netfilter: x_tables: check for bogus target offset
- netfilter: x_tables: validate all offsets and sizes in a rule
- netfilter: x_tables: don't reject valid target size on some architectures
- netfilter: arp_tables: simplify translate_compat_table args
- netfilter: ip_tables: simplify translate_compat_table args
- netfilter: ip6_tables: simplify translate_compat_table args
- netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
- netfilter: x_tables: do compat validation via translate_table
- netfilter: x_tables: introduce and use xt_copy_counters_from_user
* Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
- netfilter: x_tables: validate e->target_offset early
- netfilter: x_tables: make sure e->next_offset covers remaining blob size
- netfilter: x_tables: fix unconditional helper
linux-snapdragon (4.4.0-1018.21) xenial; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1594929
[ Ubuntu: 4.4.0-27.46 ]
* Support Edge Gateway's Bluetooth LED (LP: #1512999)
- Revert "UBUNTU: SAUCE: Bluetooth: Support for LED on Marvell modules"
linux-snapdragon (4.4.0-1017.20) xenial; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1594480
[ Ubuntu: 4.4.0-26.45 ]
* linux: Implement secure boot state variables (LP: #1593075)
- SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
* failures building userspace packages that include ethtool.h (LP: #1592930)
- ethtool.h: define INT_MAX for userland
linux-snapdragon (4.4.0-1016.19) xenial; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1591462
[ Ubuntu: 4.4.0-25.44 ]
* Xenial update to v4.4.13 stable release (LP: #1590455)
- MIPS64: R6: R2 emulation bugfix
- MIPS: math-emu: Fix jalr emulation when rd == $0
- MIPS: MSA: Fix a link error on `_init_msa_upper' with older GCC
- MIPS: Don't unwind to user mode with EVA
- MIPS: Avoid using unwind_stack() with usermode
- MIPS: Fix siginfo.h to use strict posix types
- MIPS: Fix uapi include in exported asm/siginfo.h
- MIPS: Fix watchpoint restoration
- MIPS: Flush highmem pages in __flush_dcache_page
- MIPS: Handle highmem pages in __update_cache
- MIPS: Sync icache & dcache in set_pte_at
- MIPS: ath79: make bootconsole wait for both THRE and TEMT
- MIPS: Reserve nosave data for hibernation
- MIPS: Loongson-3: Reserve 32MB for RS780E integrated GPU
- MIPS: Use copy_s.fmt rather than copy_u.fmt
- MIPS: Fix MSA ld_*/st_* asm macros to use PTR_ADDU
- MIPS: Prevent "restoration" of MSA context in non-MSA kernels
- MIPS: Disable preemption during prctl(PR_SET_FP_MODE, ...)
- MIPS: ptrace: Fix FP context restoration FCSR regression
- MIPS: ptrace: Prevent writes to read-only FCSR bits
- MIPS: Fix sigreturn via VDSO on microMIPS kernel
- MIPS: Build microMIPS VDSO for microMIPS kernels
- MIPS: lib: Mark intrinsics notrace
- MIPS: VDSO: Build with `-fno-strict-aliasing'
- affs: fix remount failure when there are no options changed
- ASoC: ak4642: Enable cache usage to fix crashes on resume
- Input: uinput - handle compat ioctl for UI_SET_PHYS
- ARM: mvebu: fix GPIO config on the Linksys boards
- ARM: dts: at91: fix typo in sama5d2 PIN_PD24 description
- ARM: dts: exynos: Add interrupt line to MAX8997 PMIC on exynos4210-trats
- ARM: dts: imx35: restore existing used clock enumeration
- ath9k: Add a module parameter to invert LED polarity.
- ath9k: Fix LED polarity for some Mini PCI AR9220 MB92 cards.
- ath10k: fix debugfs pktlog_filter write
- ath10k: fix firmware assert in monitor mode
- ath10k: fix rx_channel during hw reconfigure
- ath10k: fix kernel panic, move arvifs list head init before htt init
- ath5k: Change led pin configuration for compaq c700 laptop
- hwrng: exynos - Fix unbalanced PM runtime put on timeout error path
- rtlwifi: rtl8723be: Add antenna select module parameter
- rtlwifi: btcoexist: Implement antenna selection
- rtlwifi: Fix logic error in enter/exit power-save mode
- rtlwifi: pci: use dev_kfree_skb_irq instead of kfree_skb in
rtl_pci_reset_trx_ring
- aacraid: Relinquish CPU during timeout wait
- aacraid: Fix for aac_command_thread hang
- aacraid: Fix for KDUMP driver hang
- hwmon: (ads7828) Enable internal reference
- mfd: intel-lpss: Save register context on suspend
- mfd: intel_soc_pmic_core: Terminate panel control GPIO lookup table
correctly
- PM / Runtime: Fix error path in pm_runtime_force_resume()
- cpuidle: Indicate when a device has been unregistered
- cpuidle: Fix cpuidle_state_is_coupled() argument in cpuidle_enter()
- clk: bcm2835: Fix PLL poweron
- clk: at91: fix check of clk_register() returned value
- clk: bcm2835: pll_off should only update CM_PLL_ANARST
- clk: bcm2835: divider value has to be 1 or more
- pinctrl: exynos5440: Use off-stack memory for pinctrl_gpio_range
- PCI: Disable all BAR sizing for devices with non-compliant BARs
- media: v4l2-compat-ioctl32: fix missing reserved field copy in
put_v4l2_create32
- mm: use phys_addr_t for reserve_bootmem_region() arguments
- wait/ptrace: assume __WALL if the child is traced
- QE-UART: add "fsl,t1040-ucc-uart" to of_device_id
- powerpc/book3s64: Fix branching to OOL handlers in relocatable kernel
- powerpc/eeh: Don't report error in eeh_pe_reset_and_recover()
- powerpc/eeh: Restore initial state in eeh_pe_reset_and_recover()
- xen/events: Don't move disabled irqs
- xen: use same main loop for counting and remapping pages
- sunrpc: fix stripping of padded MIC tokens
- drm/gma500: Fix possible out of bounds read
- drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION
- drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands.
- drm/vmwgfx: Fix order of operation
- drm/amdgpu: use drm_mode_vrefresh() rather than mode->vrefresh
- drm/amdgpu: Fix hdmi deep color support.
- drm/i915/fbdev: Fix num_connector references in intel_fb_initial_config()
- drm/fb_helper: Fix references to dev->mode_config.num_connector
- drm/atomic: Verify connector->funcs != NULL when clearing states
- drm/i915: Don't leave old junk in ilk active watermarks on readout
- drm/imx: Match imx-ipuv3-crtc components using device node in platform data
- ext4: fix hang when processing corrupted orphaned inode list
- ext4: clean up error handling when orphan list is corrupted
- ext4: fix oops on corrupted filesystem
- ext4: address UBSAN warning in mb_find_order_for_block()
- ext4: silence UBSAN in ext4_mb_init()
- PM / sleep: Handle failures in device_suspend_late() consistently
- dma-debug: avoid spinlock recursion when disabling dma-debug
- scripts/package/Makefile: rpmbuild add support of RPMOPTS
- gcov: disable tree-loop-im to reduce stack usage
- xfs: disallow rw remount on fs with unknown ro-compat features
- xfs: Don't wrap growfs AGFL indexes
- xfs: xfs_iflush_cluster fails to abort on error
- xfs: fix inode validity check in xfs_iflush_cluster
- xfs: skip stale inodes in xfs_iflush_cluster
- xfs: print name of verifier if it fails
- xfs: handle dquot buffer readahead in log recovery correctly
- Linux 4.4.13
* 168c:001c [HP Compaq Presario C700 Notebook PC] Wireless led button doesn't
switch colors (LP: #972604)
- ath5k: Change led pin configuration for compaq c700 laptop
* Extended statistics from balloon for proper memory management (LP: #1587091)
- mm/page_alloc.c: calculate 'available' memory in a separate function
- virtio_balloon: export 'available' memory to balloon statistics
* CAPI: CGZIP AFU contexts do not receive interrupts after heavy afu
open/close (LP: #1588468)
- misc: cxl: use kobj_to_dev()
- cxl: Move common code away from bare-metal-specific files
- cxl: Move bare-metal specific code to specialized files
- cxl: Define process problem state area at attach time only
- cxl: Introduce implementation-specific API
- cxl: Rename some bare-metal specific functions
- cxl: Isolate a few bare-metal-specific calls
- cxl: Update cxl_irq() prototype
- cxl: IRQ allocation for guests
- powerpc: New possible return value from hcall
- cxl: New hcalls to support cxl adapters
- cxl: Separate bare-metal fields in adapter and AFU data structures
- cxlflash: Simplify PCI registration
- cxlflash: Unmap problem state area before detaching master context
- cxlflash: Split out context initialization
- cxlflash: Simplify attach path error cleanup
- cxlflash: Reorder user context initialization
- cxl: Add guest-specific code
- cxl: sysfs support for guests
- cxl: Support to flash a new image on the adapter from a guest
- cxl: Parse device tree and create cxl device(s) at boot
- cxl: Support the cxl kernel API from a guest
- cxl: Adapter failure handling
- cxl: Add tracepoints around the cxl hcall
- cxlflash: Use new cxl_pci_read_adapter_vpd() API
- cxl: Remove cxl_get_phys_dev() kernel API
- cxl: Ignore probes for virtual afu pci devices
- cxl: Poll for outstanding IRQs when detaching a context
* NVMe max_segments queue parameter gets set to 1 (LP: #1588449)
- nvme: set queue limits for the admin queue
- nvme: fix max_segments integer truncation
- block: fix blk_rq_get_max_sectors for driver private requests
* workaround cavium thunderx silicon erratum 23144 (LP: #1589704)
- irqchip/gicv3-its: numa: Enable workaround for Cavium thunderx erratum 23144
* Xenial update to v4.4.12 stable release (LP: #1588945)
- Btrfs: don't use src fd for printk
- perf/x86/intel/pt: Generate PMI in the STOP region as well
- perf/core: Fix perf_event_open() vs. execve() race
- perf test: Fix build of BPF and LLVM on older glibc libraries
- ext4: iterate over buffer heads correctly in move_extent_per_page()
- arm64: Fix typo in the pmdp_huge_get_and_clear() definition
- arm64: Ensure pmd_present() returns false after pmd_mknotpresent()
- arm64: Implement ptep_set_access_flags() for hardware AF/DBM
- arm64: Implement pmdp_set_access_flags() for hardware AF/DBM
- arm64: cpuinfo: Missing NULL terminator in compat_hwcap_str
- arm/arm64: KVM: Enforce Break-Before-Make on Stage-2 page tables
- kvm: arm64: Fix EC field in inject_abt64
- remove directory incorrectly tries to set delete on close on non-empty
directories
- fs/cifs: correctly to anonymous authentication via NTLMSSP
- fs/cifs: correctly to anonymous authentication for the LANMAN authentication
- fs/cifs: correctly to anonymous authentication for the NTLM(v1)
authentication
- fs/cifs: correctly to anonymous authentication for the NTLM(v2)
authentication
- asix: Fix offset calculation in asix_rx_fixup() causing slow transmissions
- ring-buffer: Use long for nr_pages to avoid overflow failures
- ring-buffer: Prevent overflow of size in ring_buffer_resize()
- crypto: caam - fix caam_jr_alloc() ret code
- crypto: talitos - fix ahash algorithms registration
- crypto: sun4i-ss - Replace spinlock_bh by spin_lock_irq{save|restore}
- clk: qcom: msm8916: Fix crypto clock flags
- sched/loadavg: Fix loadavg artifacts on fully idle and on fully loaded
systems
- mfd: omap-usb-tll: Fix scheduling while atomic BUG
- Input: pwm-beeper - fix - scheduling while atomic
- irqchip/gic: Ensure ordering between read of INTACK and shared data
- irqchip/gic-v3: Configure all interrupts as non-secure Group-1
- can: fix handling of unmodifiable configuration options
- mmc: mmc: Fix partition switch timeout for some eMMCs
- mmc: sdhci-acpi: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
- ACPI / osi: Fix an issue that acpi_osi=!* cannot disable ACPICA internal
strings
- dell-rbtn: Ignore ACPI notifications if device is suspended
- mmc: longer timeout for long read time quirk
- mmc: sdhci-pci: Remove MMC_CAP_BUS_WIDTH_TEST for Intel controllers
- Bluetooth: vhci: fix open_timeout vs. hdev race
- Bluetooth: vhci: purge unhandled skbs
- Bluetooth: vhci: Fix race at creating hci device
- mei: fix NULL dereferencing during FW initiated disconnection
- mei: amthif: discard not read messages
- mei: bus: call mei_cl_read_start under device lock
- USB: serial: mxuport: fix use-after-free in probe error path
- USB: serial: keyspan: fix use-after-free in probe error path
- USB: serial: quatech2: fix use-after-free in probe error path
- USB: serial: io_edgeport: fix memory leaks in attach error path
- USB: serial: io_edgeport: fix memory leaks in probe error path
- USB: serial: option: add support for Cinterion PH8 and AHxx
- USB: serial: option: add more ZTE device ids
- USB: serial: option: add even more ZTE device ids
- usb: gadget: f_fs: Fix EFAULT generation for async read operations
- usb: f_mass_storage: test whether thread is running before starting another
- usb: misc: usbtest: fix pattern tests for scatterlists.
- usb: gadget: udc: core: Fix argument of dev_err() in
usb_gadget_map_request()
- staging: comedi: das1800: fix possible NULL dereference
- KVM: x86: fix ordering of cr0 initialization code in vmx_cpu_reset
- MIPS: KVM: Fix timer IRQ race when freezing timer
- MIPS: KVM: Fix timer IRQ race when writing CP0_Compare
- KVM: x86: mask CPUID(0xD,0x1).EAX against host value
- xen/x86: actually allocate legacy interrupts on PV guests
- tty: vt, return error when con_startup fails
- TTY: n_gsm, fix false positive WARN_ON
- tty/serial: atmel: fix hardware handshake selection
- Fix OpenSSH pty regression on close
- serial: 8250_pci: fix divide error bug if baud rate is 0
- serial: 8250_mid: use proper bar for DNV platform
- serial: 8250_mid: recognize interrupt source in handler
- serial: samsung: Reorder the sequence of clock control when call
s3c24xx_serial_set_termios()
- locking,qspinlock: Fix spin_is_locked() and spin_unlock_wait()
- clk: bcm2835: add locking to pll*_on/off methods
- mcb: Fixed bar number assignment for the gdd
- ALSA: hda/realtek - New codecs support for ALC234/ALC274/ALC294
- ALSA: hda - Fix headphone noise on Dell XPS 13 9360
- ALSA: hda/realtek - Add support for ALC295/ALC3254
- ALSA: hda - Fix headset mic detection problem for one Dell machine
- IB/srp: Fix a debug kernel crash
- thunderbolt: Fix double free of drom buffer
- SIGNAL: Move generic copy_siginfo() to signal.h
- UBI: Fix static volume checks when Fastmap is used
- hpfs: fix remount failure when there are no options changed
- hpfs: implement the show_options method
- scsi: Add intermediate STARGET_REMOVE state to scsi_target_state
- Revert "scsi: fix soft lockup in scsi_remove_target() on module removal"
- kbuild: move -Wunused-const-variable to W=1 warning level
- Linux 4.4.12
* [Hyper-V] fixes for kdump when running on a VM (LP: #1588965)
- clocksource: Allow unregistering the watchdog
* net_admin apparmor denial when using Go (LP: #1465724)
- SAUCE: kernel: Add noaudit variant of ns_capable()
- SAUCE: net: Use ns_capable_noaudit() when determining net sysctl permissions
* [Hyper-V] Put tools/hv/lsvmbus in /usr/sbin (LP: #1585311)
- [Debian] Install lsvmbus in cloud tools
- SAUCE: tools/hv/lsvmbus -- convert to python3
- SAUCE: tools/hv/lsvmbus -- add manual page
* btrfs: file write crashes with false ENOSPC during snapshot creation since
kernel 4.4 - fix available (LP: #1584052)
- btrfs: Continue write in case of can_not_nocow
* boot stalls on USB detection errors (LP: #1437492)
- usb: core: hub: hub_port_init lock controller instead of bus
* [Bug]KNL:Spread MWAIT cache lines over all nodes (LP: #1585850)
- kernek/fork.c: allocate idle task for a CPU always on its local node
* [Hyper-V] PCI Passthrough kernel hang and explicit barriers (LP: #1581243)
- PCI: hv: Report resources release after stopping the bus
- PCI: hv: Add explicit barriers to config space access
* Kernel 4.2.X and 4.4.X - Fix USB3.0 link power management (LPM)
claim/release logic in USBFS (LP: #1577024)
- USB: leave LPM alone if possible when binding/unbinding interface drivers
* STC840.20:tuleta:tul516p01 panic after injecting Leaf EEH (LP: #1581034)
- NVMe: Fix namespace removal deadlock
- NVMe: Requeue requests on suspended queues
- NVMe: Move error handling to failed reset handler
- blk-mq: End unstarted requests on dying queue
* conflicting modules in udebs - arc4.ko (LP: #1582991)
- [Config] Remove arc4 from nic-modules
* CVE-2016-4482 (LP: #1578493)
- USB: usbfs: fix potential infoleak in devio
* mlx5_core kexec fail (LP: #1585978)
- net/mlx5: Add pci shutdown callback
* backport fix for /proc/net issues with containers (LP: #1584953)
- netfilter: Set /proc/net entries owner to root in namespace
* CVE-2016-4951 (LP: #1585365)
- tipc: check nl sock before parsing nested attributes
* CVE-2016-4578 (LP: #1581866)
- ALSA: timer: Fix leak in events via snd_timer_user_ccallback
- ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
* CVE-2016-4569 (LP: #1580379)
- ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
* s390/pci: fix use after free in dma_init (LP: #1584828)
- s390/pci: fix use after free in dma_init
* s390/mm: fix asce_bits handling with dynamic pagetable levels (LP: #1584827)
- s390/mm: fix asce_bits handling with dynamic pagetable levels
* CAPI: CGZIP Wrong CAPI MMIO timeout (256usec desired but 1usec default
setting in cxl.ko driver) (LP: #1584066)
- powerpc: Define PVR value for POWER8NVL processor
- cxl: Configure the PSL for two CAPI ports on POWER8NVL
- cxl: Increase timeout for detection of AFU mmio hang
* ThunderX: soft lockup in cursor_timer_handler() (LP: #1574814)
- SAUCE: tty: vt: Fix soft lockup in fbcon cursor blink timer.
* debian.master/.../getabis bogus warnings "inconsistant compiler versions"
and "not a git repository" (LP: #1584890)
- [debian] getabis: Only git add $abidir if running in local repo
- [debian] getabis: Fix inconsistent compiler versions check
* Backport cxlflash patch related to EEH recovery into Xenial SRU stream
(LP: #1584935)
- cxlflash: Fix to resolve dead-lock during EEH recovery
* Xenial update to 4.4.11 stable release (LP: #1584912)
- decnet: Do not build routes to devices without decnet private data.
- route: do not cache fib route info on local routes with oif
- packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface
- net: sched: do not requeue a NULL skb
- bpf/verifier: reject invalid LD_ABS | BPF_DW instruction
- cdc_mbim: apply "NDP to end" quirk to all Huawei devices
- net: use skb_postpush_rcsum instead of own implementations
- vlan: pull on __vlan_insert_tag error path and fix csum correction
- openvswitch: use flow protocol when recalculating ipv6 checksums
- ipv4/fib: don't warn when primary address is missing if in_dev is dead
- net/mlx4_en: fix spurious timestamping callbacks
- bpf: fix check_map_func_compatibility logic
- samples/bpf: fix trace_output example
- net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case
- gre: do not pull header in ICMP error processing
- net_sched: introduce qdisc_replace() helper
- net_sched: update hierarchical backlog too
- sch_htb: update backlog as well
- sch_dsmark: update backlog as well
- netem: Segment GSO packets on enqueue
- net: fec: only clear a queue's work bit if the queue was emptied
- VSOCK: do not disconnect socket when peer has shutdown SEND only
- net: bridge: fix old ioctl unlocked net device walk
- bridge: fix igmp / mld query parsing
- uapi glibc compat: fix compile errors when glibc net/if.h included before
linux/if.h MIME-Version: 1.0
- net: fix a kernel infoleak in x25 module
- net: thunderx: avoid exposing kernel stack
- tcp: refresh skb timestamp at retransmit time
- net/route: enforce hoplimit max value
- ocfs2: revert using ocfs2_acl_chmod to avoid inode cluster lock hang
- ocfs2: fix posix_acl_create deadlock
- zsmalloc: fix zs_can_compact() integer overflow
- crypto: qat - fix invalid pf2vf_resp_wq logic
- crypto: hash - Fix page length clamping in hash walk
- crypto: testmgr - Use kmalloc memory for RSA input
- ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
- ALSA: usb-audio: Yet another Phoneix Audio device quirk
- ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
- ALSA: hda - Fix white noise on Asus UX501VW headset
- ALSA: hda - Fix broken reconfig
- spi: pxa2xx: Do not detect number of enabled chip selects on Intel SPT
- spi: spi-ti-qspi: Fix FLEN and WLEN settings if bits_per_word is overridden
- spi: spi-ti-qspi: Handle truncated frames properly
- pinctrl: at91-pio4: fix pull-up/down logic
- regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case
- perf/core: Disable the event on a truncated AUX record
- vfs: add vfs_select_inode() helper
- vfs: rename: check backing inode being equal
- ARM: dts: at91: sam9x5: Fix the memory range assigned to the PMC
- workqueue: fix rebind bound workers warning
- regulator: s2mps11: Fix invalid selector mask and voltages for buck9
- regulator: axp20x: Fix axp22x ldo_io voltage ranges
- atomic_open(): fix the handling of create_error
- qla1280: Don't allocate 512kb of host tags
- tools lib traceevent: Do not reassign parg after collapse_tree()
- get_rock_ridge_filename(): handle malformed NM entries
- Input: max8997-haptic - fix NULL pointer dereference
- Revert "[media] videobuf2-v4l2: Verify planes array in buffer dequeueing"
- drm/radeon: fix PLL sharing on DCE6.1 (v2)
- drm/i915: Bail out of pipe config compute loop on LPT
- drm/i915/bdw: Add missing delay during L3 SQC credit programming
- drm/radeon: fix DP link training issue with second 4K monitor
- nf_conntrack: avoid kernel pointer value leak in slab name
- Linux 4.4.11
* Support Edge Gateway's Bluetooth LED (LP: #1512999)
- SAUCE: Bluetooth: Support for LED on Marvell modules
* Support Edge Gateway's WIFI LED (LP: #1512997)
- SAUCE: mwifiex: Switch WiFi LED state according to the device status
* Marvell wireless driver update for FCC regulation (LP: #1528910)
- mwifiex: parse adhoc start/join result
- mwifiex: handle start AP error paths correctly
- mwifiex: set regulatory info from EEPROM
- mwifiex: don't follow AP if country code received from EEPROM
- mwifiex: correction in region code to country mapping
- mwifiex: update region_code_index array
- mwifiex: use world for unidentified region code
- SAUCE: mwifiex: add iw vendor command support
* Kernel can be oopsed using remap_file_pages (LP: #1558120)
- Revert "UBUNTU: SAUCE: mm/mmap: fix oopsing on remap_file_pages"
- SAUCE: AUFS: mm/mmap: fix oopsing on remap_file_pages aufs mmap: bugfix,
mainly for linux-4.5-rc5, remap_file_pages(2) emulation
* cgroup namespace update (LP: #1584163)
- Revert "UBUNTU: SAUCE: cgroup mount: ignore nsroot="
- Revert "UBUNTU: SAUCE: (noup) cgroup namespaces: add a 'nsroot=' mountinfo
field"
- cgroup, kernfs: make mountinfo show properly scoped path for cgroup
namespaces
- kernfs: kernfs_sop_show_path: don't return 0 after seq_dentry call
- cgroup: fix compile warning
* Missing libunwind support in perf (LP: #1248289)
- [Config] add binutils-dev to the Build-Depends: to fix perf unwinding
* e1000 Tx Unit Hang (LP: #1582328)
- e1000: Double Tx descriptors needed check for 82544
- e1000: Do not overestimate descriptor counts in Tx pre-check
* Unsharing user and ipc namespaces simultaneously makes mqueue unmountable
(LP: #1582378)
- SAUCE: (namespace) mqueue: Super blocks must be owned by the user ns which
owns the ipc ns
* Pull in the amdgpu/radeon code from Linux 4.5.3 (LP: #1580526)
- drm/radeon: rework fbdev handling on chips with no connectors
- drm/radeon/mst: fix regression in lane/link handling.
- drm/amd/powerplay: add uvd/vce dpm enabling flag to fix the performance
issue for CZ
- drm/amd/powerplay: fix segment fault issue in multi-display case.
- drm/ttm: fix kref count mess in ttm_bo_move_to_lru_tail
* aufs CONFIG_AUFS_EXPORT build option should be enabled (LP: #1121699)
- [Config] enable CONFIG_AUFS_EXPORT
* promote *_diag modules from linux-image-extra to linux-image (LP: #1580355)
- [Config] Update inclusion list for CRIU
* [Xenial] net: updates to ethtool and virtio_net for speed/duplex support
(LP: #1581132)
- ethtool: add speed/duplex validation functions
- ethtool: make validate_speed accept all speeds between 0 and INT_MAX
- virtio_net: add ethtool support for set and get of settings
- virtio_net: validate ethtool port setting and explain the user validation
* perf tool: Display event codes for Generic HW (PMU) events (LP: #1578211)
- powerpc/perf: Remove PME_ prefix for power7 events
- powerpc/perf: Export Power8 generic and cache events to sysfs
* Mellanox ConnectX4 MTU limits: max and min (LP: #1528466)
- net/mlx5: Introduce a new header file for physical port functions
- net/mlx5e: Device's mtu field is u16 and not int
- net/mlx5e: Fix minimum MTU
* Miscellaneous Ubuntu changes
- [Config] CONFIG_CAVIUM_ERRATUM_23144=y
-- Kamal Mostafa <kamal@xxxxxxxxxxxxx> Fri, 24 Jun 2016 08:22:41 -0700
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1555338
Title: Linux netfilter IPT_SO_SET_REPLACE memory corruption
Status in linux package in Ubuntu: Fix Released
Status in linux-armadaxp package in Ubuntu: Invalid
Status in linux-flo package in Ubuntu: New
Status in linux-goldfish package in Ubuntu: New
Status in linux-keystone package in Ubuntu: Invalid
Status in linux-lts-quantal package in Ubuntu: Invalid
Status in linux-lts-raring package in Ubuntu: Invalid
Status in linux-lts-saucy package in Ubuntu: Invalid
Status in linux-lts-trusty package in Ubuntu: Invalid
Status in linux-lts-utopic package in Ubuntu: Invalid
Status in linux-lts-vivid package in Ubuntu: Invalid
Status in linux-lts-wily package in Ubuntu: Invalid
Status in linux-lts-xenial package in Ubuntu: Invalid
Status in linux-mako package in Ubuntu: New
Status in linux-manta package in Ubuntu: Invalid
Status in linux-raspi2 package in Ubuntu: Invalid
Status in linux-snapdragon package in Ubuntu: Fix Released
Status in linux-ti-omap4 package in Ubuntu: Invalid
Status in linux source package in Precise: Fix Released
Status in linux-armadaxp source package in Precise: Fix Released
Status in linux-flo source package in Precise: Invalid
Status in linux-goldfish source package in Precise: Invalid
Status in linux-keystone source package in Precise: Invalid
Status in linux-lts-quantal source package in Precise: Invalid
Status in linux-lts-raring source package in Precise: Invalid
Status in linux-lts-saucy source package in Precise: Invalid
Status in linux-lts-trusty source package in Precise: Fix Released
Status in linux-lts-utopic source package in Precise: Invalid
Status in linux-lts-vivid source package in Precise: Invalid
Status in linux-lts-wily source package in Precise: Invalid
Status in linux-lts-xenial source package in Precise: Invalid
Status in linux-mako source package in Precise: Invalid
Status in linux-manta source package in Precise: Invalid
Status in linux-raspi2 source package in Precise: Invalid
Status in linux-snapdragon source package in Precise: Invalid
Status in linux-ti-omap4 source package in Precise: Fix Released
Status in linux source package in Trusty: Fix Released
Status in linux-armadaxp source package in Trusty: Invalid
Status in linux-flo source package in Trusty: Invalid
Status in linux-goldfish source package in Trusty: Invalid
Status in linux-keystone source package in Trusty: Fix Released
Status in linux-lts-quantal source package in Trusty: Invalid
Status in linux-lts-raring source package in Trusty: Invalid
Status in linux-lts-saucy source package in Trusty: Invalid
Status in linux-lts-trusty source package in Trusty: Invalid
Status in linux-lts-utopic source package in Trusty: Fix Released
Status in linux-lts-vivid source package in Trusty: Fix Released
Status in linux-lts-wily source package in Trusty: Fix Released
Status in linux-lts-xenial source package in Trusty: Fix Released
Status in linux-mako source package in Trusty: Invalid
Status in linux-manta source package in Trusty: Invalid
Status in linux-raspi2 source package in Trusty: Invalid
Status in linux-snapdragon source package in Trusty: Invalid
Status in linux-ti-omap4 source package in Trusty: Invalid
Status in linux source package in Vivid: Fix Released
Status in linux-armadaxp source package in Vivid: Invalid
Status in linux-flo source package in Vivid: New
Status in linux-goldfish source package in Vivid: New
Status in linux-keystone source package in Vivid: Invalid
Status in linux-lts-quantal source package in Vivid: New
Status in linux-lts-raring source package in Vivid: New
Status in linux-lts-saucy source package in Vivid: New
Status in linux-lts-trusty source package in Vivid: New
Status in linux-lts-utopic source package in Vivid: Invalid
Status in linux-lts-vivid source package in Vivid: New
Status in linux-lts-wily source package in Vivid: New
Status in linux-lts-xenial source package in Vivid: New
Status in linux-mako source package in Vivid: New
Status in linux-manta source package in Vivid: New
Status in linux-raspi2 source package in Vivid: New
Status in linux-snapdragon source package in Vivid: New
Status in linux-ti-omap4 source package in Vivid: Invalid
Status in linux source package in Wily: Fix Released
Status in linux-armadaxp source package in Wily: Invalid
Status in linux-flo source package in Wily: New
Status in linux-goldfish source package in Wily: New
Status in linux-keystone source package in Wily: Invalid
Status in linux-lts-quantal source package in Wily: Invalid
Status in linux-lts-raring source package in Wily: Invalid
Status in linux-lts-saucy source package in Wily: Invalid
Status in linux-lts-trusty source package in Wily: Invalid
Status in linux-lts-utopic source package in Wily: Invalid
Status in linux-lts-vivid source package in Wily: Invalid
Status in linux-lts-wily source package in Wily: Invalid
Status in linux-lts-xenial source package in Wily: Invalid
Status in linux-mako source package in Wily: New
Status in linux-manta source package in Wily: New
Status in linux-raspi2 source package in Wily: Fix Released
Status in linux-snapdragon source package in Wily: Invalid
Status in linux-ti-omap4 source package in Wily: Invalid
Status in linux source package in Xenial: Fix Released
Status in linux-armadaxp source package in Xenial: Invalid
Status in linux-flo source package in Xenial: New
Status in linux-goldfish source package in Xenial: New
Status in linux-keystone source package in Xenial: Invalid
Status in linux-lts-quantal source package in Xenial: Invalid
Status in linux-lts-raring source package in Xenial: Invalid
Status in linux-lts-saucy source package in Xenial: Invalid
Status in linux-lts-trusty source package in Xenial: Invalid
Status in linux-lts-utopic source package in Xenial: Invalid
Status in linux-lts-vivid source package in Xenial: Invalid
Status in linux-lts-wily source package in Xenial: Invalid
Status in linux-lts-xenial source package in Xenial: Invalid
Status in linux-mako source package in Xenial: New
Status in linux-manta source package in Xenial: Invalid
Status in linux-raspi2 source package in Xenial: Fix Released
Status in linux-snapdragon source package in Xenial: Fix Released
Status in linux-ti-omap4 source package in Xenial: Invalid
Status in linux source package in Yakkety: Fix Released
Status in linux-armadaxp source package in Yakkety: Invalid
Status in linux-flo source package in Yakkety: New
Status in linux-goldfish source package in Yakkety: New
Status in linux-keystone source package in Yakkety: Invalid
Status in linux-lts-quantal source package in Yakkety: Invalid
Status in linux-lts-raring source package in Yakkety: Invalid
Status in linux-lts-saucy source package in Yakkety: Invalid
Status in linux-lts-trusty source package in Yakkety: Invalid
Status in linux-lts-utopic source package in Yakkety: Invalid
Status in linux-lts-vivid source package in Yakkety: Invalid
Status in linux-lts-wily source package in Yakkety: Invalid
Status in linux-lts-xenial source package in Yakkety: Invalid
Status in linux-mako source package in Yakkety: New
Status in linux-manta source package in Yakkety: Invalid
Status in linux-raspi2 source package in Yakkety: Invalid
Status in linux-snapdragon source package in Yakkety: Fix Released
Status in linux-ti-omap4 source package in Yakkety: Invalid
Bug description:
[Impact]
[From https://code.google.com/p/google-security-research/issues/detail?id=758 ]
A memory corruption vulnerability exists in the IPT_SO_SET_REPLACE
ioctl in the netfilter code for iptables support. This ioctl can be
triggered by an unprivileged user on PF_INET sockets when unprivileged
user namespaces are available (CONFIG_USER_NS=y). Android does not
enable this option, but desktop/server distributions and Chrome OS
will commonly enable this to allow for containers support or
sandboxing.
In the mark_source_chains function (net/ipv4/netfilter/ip_tables.c) it
is possible for a user-supplied ipt_entry structure to have a large
next_offset field. This field is not bounds checked prior to writing a
counter value at the supplied offset:
newpos = pos + e->next_offset;
...
e = (struct ipt_entry *) (entry0 + newpos);
e->counters.pcnt = pos;
This means that an out of bounds 32-bit write can occur in a 64kb
range from the allocated heap entry, with a controlled offset and a
partially controlled write value ("pos") or zero. The attached proof-
of-concept (netfilter_setsockopt_v3.c) triggers the corruption
multiple times to set adjacent heap structures to zero.
This issue affects (at least) kernel versions 3.10, 3.18 and 4.4. It
appears that a similar codepath is accessible via
arp_tables.c/ARPT_SO_SET_REPLACE as well.
[Fix]
http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/62150
[Test Case]
Download v3 testcase from https://code.google.com/p/google-security-research/issues/detail?id=758
gcc net*v3.c -o v3
./v3
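The missing bounds check described in the Impact section, as an added example that is neither kernel code nor part of the bug report: a user-space model of the entry-offset validation that the listed x_tables fixes introduce ("validate e->target_offset early", "make sure e->next_offset covers remaining blob size"). The struct layouts (entry, target_hdr) are simplified stand-ins for struct ipt_entry and the xt_entry_target header, and check_entry_offsets, walk_entries, put_entry and run_sample are names chosen for this example. walk_entries performs the counter write from the report only after the entry it is about to touch has been proven to lie inside the blob; run_sample builds a constructed two-entry blob whose first entry carries caller-chosen offsets, so the rejection paths can be exercised without any kernel involvement.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-in for struct ipt_entry (hypothetical layout, example only):
 * just the fields the offset checks and the counter write need. */
struct entry {
    uint16_t target_offset;   /* where the target starts, relative to the entry */
    uint16_t next_offset;     /* total size of this entry: header + matches + target */
    uint32_t counter;         /* stand-in for e->counters.pcnt */
};

/* Simplified stand-in for the struct xt_entry_target header. */
struct target_hdr {
    uint16_t target_size;     /* size of the target, including this header */
    char     name[29];
    uint8_t  revision;
};

#define ENTRY_SIZE  sizeof(struct entry)
#define TARGET_SIZE sizeof(struct target_hdr)

/* Validate the entry at blob offset 'pos' before anything reads through it or
 * writes into it. Returns 0 if sane, -1 otherwise. The checks follow the ones
 * the listed fixes add: target_offset past the entry header, target header and
 * target_size inside next_offset, and next_offset inside the remaining blob. */
static int check_entry_offsets(const uint8_t *base, size_t total, size_t pos)
{
    const struct entry *e;
    const struct target_hdr *t;

    /* entry must be aligned and its header must fit in what is left */
    if (pos % _Alignof(struct entry) != 0)
        return -1;
    if (pos > total || total - pos < ENTRY_SIZE)
        return -1;
    e = (const struct entry *)(base + pos);

    /* target starts after the entry header and leaves room for its own header */
    if (e->target_offset < ENTRY_SIZE)
        return -1;
    if ((size_t)e->target_offset + TARGET_SIZE > e->next_offset)
        return -1;

    /* the whole entry must lie within the remaining blob: this is the check
     * whose absence let a large next_offset point far outside the allocation */
    if (e->next_offset > total - pos)
        return -1;

    t = (const struct target_hdr *)(base + pos + e->target_offset);
    if (t->target_size < TARGET_SIZE)
        return -1;
    if ((size_t)e->target_offset + t->target_size > e->next_offset)
        return -1;
    return 0;
}

/* Walk the blob entry by entry, validating each one before the counter write
 * that the report shows as unbounded. Returns the entry count, or -1 at the
 * first malformed entry. */
static int walk_entries(uint8_t *base, size_t total)
{
    size_t pos = 0;
    int n = 0;

    while (pos < total) {
        struct entry *e;

        if (check_entry_offsets(base, total, pos) != 0)
            return -1;
        e = (struct entry *)(base + pos);
        e->counter = (uint32_t)pos;      /* now provably inside the blob */
        pos += e->next_offset;           /* next_offset > 0 after the checks */
        n++;
    }
    return n;
}

/* Write one entry (header + empty target) at blob offset 'pos' with
 * caller-chosen offsets, so a malformed entry can be constructed. */
static size_t put_entry(uint8_t *base, size_t pos,
                        uint16_t target_offset, uint16_t next_offset)
{
    struct entry e = { target_offset, next_offset, 0 };
    struct target_hdr t;

    memset(&t, 0, sizeof t);
    t.target_size = (uint16_t)TARGET_SIZE;
    memcpy(base + pos, &e, ENTRY_SIZE);
    memcpy(base + pos + ENTRY_SIZE, &t, TARGET_SIZE);
    return ENTRY_SIZE + TARGET_SIZE;
}

/* Constructed sample blob: two 40-byte entries, the first with caller-chosen
 * offsets and the second well-formed. Returns walk_entries()'s result. */
int run_sample(uint16_t first_target_offset, uint16_t first_next_offset)
{
    _Alignas(struct entry) uint8_t blob[2 * (ENTRY_SIZE + TARGET_SIZE)];
    size_t pos = 0;

    memset(blob, 0, sizeof blob);
    pos += put_entry(blob, pos, first_target_offset, first_next_offset);
    put_entry(blob, pos, (uint16_t)ENTRY_SIZE, (uint16_t)(ENTRY_SIZE + TARGET_SIZE));
    return walk_entries(blob, sizeof blob);
}

int main(void)
{
    printf("well-formed blob:          %d\n", run_sample(8, 40));     /* 2  */
    printf("next_offset past the blob: %d\n", run_sample(8, 0xfff0)); /* -1 */
    printf("next_offset too small:     %d\n", run_sample(8, 4));      /* -1 */
    printf("target inside the header:  %d\n", run_sample(0, 40));     /* -1 */
    return 0;
}
```

Build with a C11 compiler (for example gcc -std=c11). The well-formed blob walks to two entries; the oversized next_offset, the undersized one, and the target_offset that points into the entry header are all rejected before any write happens, which is the property the kernel fixes restore: the offset arithmetic is checked against the blob length before it is used as a write address.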
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555338/+subscriptions