
kernel-packages team mailing list archive

[Bug 1582864] Re: use after free of BOS in usb_reset_and_verify_device

 

This bug was fixed in the package linux - 4.2.0-41.48

---------------
linux (4.2.0-41.48) wily; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1595914

  [ Upstream Kernel Changes ]

  * netfilter: x_tables: validate e->target_offset early
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: make sure e->next_offset covers remaining blob
    size
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: fix unconditional helper
    - LP: #1555338
    - CVE-2016-3134
  * netfilter: x_tables: don't move to non-existent next rule
    - LP: #1595350
  * netfilter: x_tables: validate targets of jumps
    - LP: #1595350
  * netfilter: x_tables: add and use xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: kill check_entry helper
    - LP: #1595350
  * netfilter: x_tables: assert minimum target size
    - LP: #1595350
  * netfilter: x_tables: add compat version of xt_check_entry_offsets
    - LP: #1595350
  * netfilter: x_tables: check standard target size too
    - LP: #1595350
  * netfilter: x_tables: check for bogus target offset
    - LP: #1595350
  * netfilter: x_tables: validate all offsets and sizes in a rule
    - LP: #1595350
  * netfilter: x_tables: don't reject valid target size on some
    architectures
    - LP: #1595350
  * netfilter: arp_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: ip6_tables: simplify translate_compat_table args
    - LP: #1595350
  * netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
    - LP: #1595350
  * netfilter: x_tables: do compat validation via translate_table
    - LP: #1595350
  * netfilter: x_tables: introduce and use xt_copy_counters_from_user
    - LP: #1595350

linux (4.2.0-40.47) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1595725

  [ Serge Hallyn ]

  * SAUCE: add a sysctl to disable unprivileged user namespace unsharing
    - LP: #1555338, #1595350

linux (4.2.0-39.46) wily; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1591301

  [ J. R. Okajima ]

  * SAUCE: AUFS: mm/mmap: fix oopsing on remap_file_pages aufs mmap:
    bugfix, mainly for linux-4.5-rc5, remap_file_pages(2) emulation
    - LP: #1558120

  [ Kamal Mostafa ]

  * [debian] getabis: Only git add $abidir if running in local repo
    - LP: #1584890
  * [debian] getabis: Fix inconsistent compiler versions check
    - LP: #1584890

  [ Tim Gardner ]

  * Revert "SAUCE: mm/mmap: fix oopsing on remap_file_pages"
    - LP: #1558120
  * [Config] Remove arc4 from nic-modules
    - LP: #1582991

  [ Upstream Kernel Changes ]

  * Revert "usb: hub: do not clear BOS field during reset device"
    - LP: #1582864
  * hpsa: move lockup_detected attribute to host attr
    - LP: #1581169
  * ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
    - LP: #1580379
    - CVE-2016-4569
  * ALSA: timer: Fix leak in events via snd_timer_user_ccallback
    - LP: #1581866
    - CVE-2016-4578
  * ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
    - LP: #1581866
    - CVE-2016-4578
  * net: fix a kernel infoleak in x25 module
    - LP: #1585366
    - CVE-2016-4580
  * get_rock_ridge_filename(): handle malformed NM entries
    - LP: #1583962
    - CVE-2016-4913
  * tipc: check nl sock before parsing nested attributes
    - LP: #1585365
    - CVE-2016-4951
  * netfilter: Set /proc/net entries owner to root in namespace
    - LP: #1584953
  * USB: usbfs: fix potential infoleak in devio
    - LP: #1578493
    - CVE-2016-4482
  * USB: leave LPM alone if possible when binding/unbinding interface
    drivers
    - LP: #1577024
  * [4.2-stable only] fix backport "IB/security: restrict use of the
    write() interface"
    - LP: #1586447
  * regulator: s2mps11: Fix invalid selector mask and voltages for buck9
    - LP: #1586447
  * regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case
    - LP: #1586447
  * ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
    - LP: #1586447
  * atomic_open(): fix the handling of create_error
    - LP: #1586447
  * drm/i915/bdw: Add missing delay during L3 SQC credit programming
    - LP: #1586447
  * crypto: hash - Fix page length clamping in hash walk
    - LP: #1586447
  * drm/radeon: fix DP link training issue with second 4K monitor
    - LP: #1586447
  * drm/radeon: fix PLL sharing on DCE6.1 (v2)
    - LP: #1586447
  * ALSA: hda - Fix white noise on Asus UX501VW headset
    - LP: #1586447
  * Input: max8997-haptic - fix NULL pointer dereference
    - LP: #1586447
  * drm/i915: Bail out of pipe config compute loop on LPT
    - LP: #1586447
  * ALSA: hda - Fix broken reconfig
    - LP: #1586447
  * ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
    - LP: #1586447
  * vfs: add vfs_select_inode() helper
    - LP: #1586447
  * vfs: rename: check backing inode being equal
    - LP: #1586447
  * ALSA: usb-audio: Yet another Phoneix Audio device quirk
    - LP: #1586447
  * perf/x86: Fix undefined shift on 32-bit kernels
    - LP: #1586447
  * perf/x86/intel/pt: Generate PMI in the STOP region as well
    - LP: #1586447
  * perf/core: Disable the event on a truncated AUX record
    - LP: #1586447
  * tools lib traceevent: Do not reassign parg after collapse_tree()
    - LP: #1586447
  * workqueue: fix rebind bound workers warning
    - LP: #1586447
  * ocfs2: fix posix_acl_create deadlock
    - LP: #1586447
  * nf_conntrack: avoid kernel pointer value leak in slab name
    - LP: #1586447
  * macvtap: segmented packet is consumed
    - LP: #1586447
  * regulator: axp20x: Fix axp22x ldo_io voltage ranges
    - LP: #1586447
  * arm64: bpf: jit JMP_JSET_{X,K}
    - LP: #1586447
  * bridge: fix igmp / mld query parsing
    - LP: #1586447
  * net/mlx4_en: Fix endianness bug in IPV6 csum calculation
    - LP: #1586447
  * net: fec: only clear a queue's work bit if the queue was emptied
    - LP: #1586447
  * tcp: refresh skb timestamp at retransmit time
    - LP: #1586447
  * net/route: enforce hoplimit max value
    - LP: #1586447
  * decnet: Do not build routes to devices without decnet private data.
    - LP: #1586447
  * route: do not cache fib route info on local routes with oif
    - LP: #1586447
  * net: use skb_postpush_rcsum instead of own implementations
    - LP: #1586447
  * vlan: pull on __vlan_insert_tag error path and fix csum correction
    - LP: #1586447
  * ipv4/fib: don't warn when primary address is missing if in_dev is dead
    - LP: #1586447
  * bpf: fix double-fdput in replace_map_fd_with_map_ptr()
    - LP: #1586447
  * net_sched: introduce qdisc_replace() helper
    - LP: #1586447
  * net_sched: update hierarchical backlog too
    - LP: #1586447
  * sch_htb: update backlog as well
    - LP: #1586447
  * sch_dsmark: update backlog as well
    - LP: #1586447
  * netem: Segment GSO packets on enqueue
    - LP: #1586447
  * VSOCK: do not disconnect socket when peer has shutdown SEND only
    - LP: #1586447
  * net: bridge: fix old ioctl unlocked net device walk
    - LP: #1586447
  * cdc_mbim: apply "NDP to end" quirk to all Huawei devices
    - LP: #1586447
  * soreuseport: fix ordering for mixed v4/v6 sockets
    - LP: #1586447
  * uapi glibc compat: fix compile errors when glibc net/if.h included
    before linux/if.h
    - LP: #1586447
  * Linux 4.2.8-ckt11
    - LP: #1586447
  * usb: core: hub: hub_port_init lock controller instead of bus
    - LP: #1437492

 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>  Fri, 24 Jun 2016 11:46:57 +0100

** Changed in: linux (Ubuntu Wily)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3134

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4482

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4569

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4578

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4580

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4913

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-4951

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1582864

Title:
  use after free of BOS in usb_reset_and_verify_device

Status in linux package in Ubuntu:
  Fix Committed
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Released
Status in linux source package in Wily:
  Fix Released

Bug description:
  Should be fixed with upstream commit
  e5bdfd50d6f76077bf8441d130c606229e100d40, which reverts upstream
  commit d8f00cd685f5c8e0def8593e520a7fef12c22407.

  With slub_debug enabled this manifests as a deref of 0x6b6b... in
  usb_disable_ltm

  [  218.235302] general protection fault: 0000 [#1] SMP 
  [  218.235311] Modules linked in: usb_storage tcp_diag inet_diag iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables autofs4 rpcsec_gss_krb5 rfcomm bnep bluetooth snd_hda_codec_hdmi binfmt_misc nvidia(POX) snd_hda_codec_realtek snd_hda_intel snd_usb_audio snd_hda_codec snd_usbmidi_lib uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core snd_hwdep snd_seq_midi joydev snd_pcm videodev snd_page_alloc snd_seq_midi_event nfsd snd_rawmidi snd_seq auth_rpcgss parport_pc nfs_acl ppdev nfs lockd sunrpc fscache honeevent(OX) snd_seq_device snd_timer snd drm lp parport sb_edac mei_me hp_wmi sparse_keymap gpio_ich hpuefi(OX) intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm soundcore edac_core mei serio_raw tpm_infineon lpc_ich mac_hid wmi shpchp dm_crypt hid_generic usbhid hid crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse isci e1000e ahci libsas libahci ptp pps_core scsi_transport_sas pata_acpi
  [  218.235410] CPU: 15 PID: 243 Comm: khubd Tainted: P           OX 3.13.0-85-generic #129-Ubuntu
  [  218.235414] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
  [  218.235418] task: ffff8807eff98000 ti: ffff8807effa0000 task.ti: ffff8807effa0000
  [  218.235421] RIP: 0010:[<ffffffff815444b6>]  [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
  [  218.235437] RSP: 0018:ffff8807effa1cd0  EFLAGS: 00010202
  [  218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
  [  218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
  [  218.235446] RBP: ffff8807effa1d08 R08: 0000000000000000 R09: 0000000000000000
  [  218.235449] R10: ffff8807ff804240 R11: ffffffff8136d2a1 R12: 0000000000000000
  [  218.235451] R13: ffff8807ebddd480 R14: 0000000000000001 R15: 0000000000000012
  [  218.235455] FS:  0000000000000000(0000) GS:ffff88101fce0000(0000) knlGS:0000000000000000
  [  218.235458] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  [  218.235461] CR2: 00000000013b1c08 CR3: 0000000001c0e000 CR4: 00000000000407e0
  [  218.235463] Stack:
  [  218.235465]  ffffffff81551236 ffff8807ea532ef0 0000000000000000 ffff8807ea532e68
  [  218.235476]  ffff8807ea532ef0 ffff8807ebddbf60 0000000000000000 ffff8807effa1d48
  [  218.235483]  ffffffff81545c4d ffff8807ea532f50 ffff8807ebddb4d0 00000000000002a0
  [  218.235490] Call Trace:
  [  218.235499]  [<ffffffff81551236>] ? usb_disable_device+0x126/0x290
  [  218.235506]  [<ffffffff81545c4d>] usb_disconnect+0xad/0x200
  [  218.235511]  [<ffffffff815487d3>] hub_port_connect_change+0xd3/0xb20
  [  218.235518]  [<ffffffff8154333d>] ? hub_port_status+0xdd/0x120
  [  218.235523]  [<ffffffff815496f4>] hub_events+0x4d4/0xa20
  [  218.235528]  [<ffffffff81549c75>] hub_thread+0x35/0x160
  [  218.235535]  [<ffffffff810add60>] ? prepare_to_wait_event+0x100/0x100
  [  218.235540]  [<ffffffff81549c40>] ? hub_events+0xa20/0xa20
  [  218.235549]  [<ffffffff8108deb2>] kthread+0xd2/0xf0
  [  218.235554]  [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
  [  218.235564]  [<ffffffff8173c2e8>] ret_from_fork+0x58/0x90
  [  218.235570]  [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
  [  218.235572] Code: e9 48 8b 52 10 48 85 d2 74 e0 f6 42 03 02 74 da 83 7f 1c 05 75 d4 48 8b 97 40 03 00 00 48 85 d2 74 c8 48 8b 52 10 48 85 d2 74 bf <f6> 42 03 02 74 b9 48 83 bf 50 03 00 00 00 74 af 55 45 31 c9 41 
  [  218.235618] RIP  [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
  [  218.235624]  RSP <ffff8807effa1cd0>
  [  218.235655] ---[ end trace 954cac763165b767 ]---

  Without slub_debug you end up getting a double free and messing up the
  allocator and apparmor tends to be the first one to notice:

  [  574.027518] hub 4-0:1.0: Cannot enable port 3.  Maybe the USB cable is bad?
  [  574.548076] usb 4-3: USB disconnect, device number 2
  [  576.040995] ------------[ cut here ]------------
  [  576.041003] WARNING: CPU: 17 PID: 11627 at /build/linux-03BQvT/linux-3.13.0/include/linux/kref.h:47 apparmor_file_alloc_security+0x167/0x180()
  [  576.041005] Modules linked in: tcp_diag inet_diag xt_u32 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables xt_NFLOG xt_tcpudp xt_comment ipt_REJECT xt_multiport xt_connmark xt_conntrack xt_mark iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables pci_stub vboxpci(OX) vboxnetadp(OX) vboxnetflt(OX) vboxdrv(OX) nfnetlink_log nfnetlink autofs4 rfcomm bnep bluetooth binfmt_misc honeevent(OX) rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache snd_hda_codec_hdmi snd_hda_codec_realtek nvidia(POX) snd_hda_intel parport_pc snd_hda_codec ppdev lp snd_hwdep snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd mei_me parport gpio_ich hpuefi(OX) sb_edac edac_core lpc_ich drm mei joydev hp_wmi sparse_keymap tpm_infineon soundcore mac_hid intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw serio_raw gf128mul glue_helper ablk_helper cryptd shpchp wmi hid_generic usbhid hid psmouse e1000e isci ahci libsas ptp libahci scsi_transport_sas pps_core pata_acpi
  [  576.041068] CPU: 17 PID: 11627 Comm: at-spi-bus-laun Tainted: P           OX 3.13.0-83-generic #127-Ubuntu
  [  576.041070] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
  [  576.041071]  0000000000000009 ffff880efd08fcf0 ffffffff81725992 0000000000000000
  [  576.041076]  ffff880efd08fd28 ffffffff8106790d ffff8807ff810430 ffff880035d22a00
  [  576.041079]  ffff880f63216000 ffff880efd08ff2c 00000000ffffff9c ffff880efd08fd38
  [  576.041082] Call Trace:
  [  576.041088]  [<ffffffff81725992>] dump_stack+0x45/0x56
  [  576.041091]  [<ffffffff8106790d>] warn_slowpath_common+0x7d/0xa0
  [  576.041094]  [<ffffffff810679ea>] warn_slowpath_null+0x1a/0x20
  [  576.041096]  [<ffffffff81316b67>] apparmor_file_alloc_security+0x167/0x180
  [  576.041100]  [<ffffffff812d9076>] security_file_alloc+0x16/0x20
  [  576.041105]  [<ffffffff811c04e0>] get_empty_filp+0x90/0x180
  [  576.041108]  [<ffffffff811ce00d>] path_openat+0x3d/0x640
  [  576.041111]  [<ffffffff811cd7db>] ? filename_lookup+0x2b/0xc0
  [  576.041114]  [<ffffffff811cf47a>] do_filp_open+0x3a/0x90
  [  576.041116]  [<ffffffff811c83a7>] ? path_get+0x27/0x30
  [  576.041120]  [<ffffffff810fed4d>] ? __audit_getname+0x9d/0xa0
  [  576.041123]  [<ffffffff811dc2d7>] ? __alloc_fd+0xa7/0x130
  [  576.041126]  [<ffffffff811bda09>] do_sys_open+0x129/0x280
  [  576.041128]  [<ffffffff811bdb7e>] SyS_open+0x1e/0x20
  [  576.041131]  [<ffffffff8173659d>] system_call_fastpath+0x1a/0x1f
  [  576.041133] ---[ end trace 5de8dc1cac0eb1c6 ]---
  [  576.041171] BUG: unable to handle kernel paging request at 000000000000472e
  [  576.041174] IP: [<ffffffff811a38b0>] kmem_cache_alloc_trace+0x80/0x1f0
  [  576.041177] PGD 0 
  [  576.041179] Oops: 0000 [#1] SMP

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1582864/+subscriptions
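
Added illustration (editor's example; not the kernel's code and not from the bug thread): a user-space C model of the lifetime bug the report describes, so the 0x6b6b... dereference and the double free can be reproduced without a USB stack. Names such as usb_device, usb_host_bos, release_bos and disable_ltm echo drivers/usb/core, but the slab with 0x6b poisoning, the port-init stand-in that releases whatever udev->bos points to before failing, and the LTM check are simplified assumptions, not the real implementations. The "buggy" reset keeps udev->bos attached across port init (the shape of commit d8f00cd685f5); the "fixed" reset detaches it first (the shape restored by revert e5bdfd50d6f7).

```c
#include <stdio.h>
#include <string.h>

/* Model of the BOS lifetime bug from LP: #1582864 (added illustration, not
 * kernel code).  Names echo drivers/usb/core; the slab, the failing port
 * init and the LTM check are simplified stand-ins (assumptions). */

#define POISON_FREE 0x6b        /* slub_debug fills freed objects with this */
#define USB_LTM_SUPPORT 0x02    /* bmAttributes bit usb_disable_ltm checks */
#define BOS_SLOTS 4

struct usb_ss_cap_descriptor { unsigned char bmAttributes; };

struct usb_host_bos {
	struct usb_ss_cap_descriptor *ss_cap;   /* real struct has more caps */
	struct usb_ss_cap_descriptor storage;
};

struct usb_device { struct usb_host_bos *bos; };

/* Tiny slab with slub_debug-style poisoning: a stale pointer into a freed
 * slot reads 0x6b bytes, as RDX did in the reported GPF. */
static struct usb_host_bos bos_pool[BOS_SLOTS];
static int bos_in_use[BOS_SLOTS];
int double_free_count;          /* a real allocator would corrupt instead */

static struct usb_host_bos *bos_alloc(void)
{
	for (int i = 0; i < BOS_SLOTS; i++) {
		if (bos_in_use[i])
			continue;
		bos_in_use[i] = 1;
		memset(&bos_pool[i], 0, sizeof bos_pool[i]);
		bos_pool[i].ss_cap = &bos_pool[i].storage;
		bos_pool[i].ss_cap->bmAttributes = USB_LTM_SUPPORT;
		return &bos_pool[i];
	}
	return NULL;
}

static void bos_free(struct usb_host_bos *bos)
{
	size_t i = (size_t)(bos - bos_pool);    /* callers only pass pool slots */
	if (!bos_in_use[i])
		double_free_count++;
	bos_in_use[i] = 0;
	memset(bos, POISON_FREE, sizeof *bos);
}

/* usb_release_bos_descriptor(): free and clear udev->bos. */
static void release_bos(struct usb_device *udev)
{
	if (udev->bos) {
		bos_free(udev->bos);
		udev->bos = NULL;
	}
}

/* Stand-in for hub_port_init(): assumed to release whatever udev->bos
 * points to on its descriptor-fetch error path, then fail. */
static int port_init_failing(struct usb_device *udev)
{
	release_bos(udev);
	return -1;
}

/* Buggy shape: old BOS stays attached during port init, so port init frees
 * the very object the caller saved and then restores. */
int reset_and_verify_buggy(struct usb_device *udev)
{
	struct usb_host_bos *bos = udev->bos;   /* saved but not detached */
	if (port_init_failing(udev) < 0) {
		udev->bos = bos;                /* dangling: freed above */
		return -1;
	}
	return 0;
}

/* Fixed shape: detach first, so port init can only free what it allocated. */
int reset_and_verify_fixed(struct usb_device *udev)
{
	struct usb_host_bos *bos = udev->bos;
	udev->bos = NULL;
	if (port_init_failing(udev) < 0) {
		udev->bos = bos;                /* old descriptor, still live */
		return -1;
	}
	return 0;
}

/* usb_disable_ltm() follows udev->bos->ss_cap.  Instead of dereferencing
 * it, report whether that pointer's bytes are all POISON_FREE. */
int disable_ltm_sees_freed_bos(const struct usb_device *udev)
{
	unsigned char raw[sizeof(void *)];
	if (!udev->bos)
		return 0;
	memcpy(raw, &udev->bos->ss_cap, sizeof raw);
	for (size_t i = 0; i < sizeof raw; i++)
		if (raw[i] != POISON_FREE)
			return 0;
	return 1;
}

/* Enumerate, reset with a failing port init, then disconnect (LTM disable
 * followed by the final BOS release).  Returns 1 if the disconnect path
 * walked freed memory; double_free_count records the second free. */
int run_scenario(int (*reset)(struct usb_device *))
{
	struct usb_device udev;
	memset(bos_in_use, 0, sizeof bos_in_use);
	double_free_count = 0;
	udev.bos = bos_alloc();
	(void)reset(&udev);
	int stale = disable_ltm_sees_freed_bos(&udev);
	release_bos(&udev);                     /* usb_disconnect path */
	return stale;
}

int main(void)
{
	int stale = run_scenario(reset_and_verify_buggy);
	printf("buggy: stale=%d double_free=%d\n", stale, double_free_count);
	stale = run_scenario(reset_and_verify_fixed);
	printf("fixed: stale=%d double_free=%d\n", stale, double_free_count);
	return 0;
}
```

Build with `cc -std=c99 -Wall bos_model.c && ./a.out`. The buggy run reports a poisoned ss_cap pointer and one double free, which is the pair of symptoms in the report (poison dereference with slub_debug, allocator corruption without it); the fixed run reports neither, because detaching udev->bos before re-initialisation means the failure path restores an object nobody else has freed.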

