kernel-packages team mailing list archive
-
kernel-packages team
-
Mailing list archive
-
Message #186239
[Bug 1582864] Re: use after free of BOS in usb_reset_and_verify_device
This bug was fixed in the package linux - 4.2.0-41.48
---------------
linux (4.2.0-41.48) wily; urgency=low
[ Luis Henriques ]
* Release Tracking Bug
- LP: #1595914
[ Upstream Kernel Changes ]
* netfilter: x_tables: validate e->target_offset early
- LP: #1555338
- CVE-2016-3134
* netfilter: x_tables: make sure e->next_offset covers remaining blob
size
- LP: #1555338
- CVE-2016-3134
* netfilter: x_tables: fix unconditional helper
- LP: #1555338
- CVE-2016-3134
* netfilter: x_tables: don't move to non-existent next rule
- LP: #1595350
* netfilter: x_tables: validate targets of jumps
- LP: #1595350
* netfilter: x_tables: add and use xt_check_entry_offsets
- LP: #1595350
* netfilter: x_tables: kill check_entry helper
- LP: #1595350
* netfilter: x_tables: assert minimum target size
- LP: #1595350
* netfilter: x_tables: add compat version of xt_check_entry_offsets
- LP: #1595350
* netfilter: x_tables: check standard target size too
- LP: #1595350
* netfilter: x_tables: check for bogus target offset
- LP: #1595350
* netfilter: x_tables: validate all offsets and sizes in a rule
- LP: #1595350
* netfilter: x_tables: don't reject valid target size on some
architectures
- LP: #1595350
* netfilter: arp_tables: simplify translate_compat_table args
- LP: #1595350
* netfilter: ip_tables: simplify translate_compat_table args
- LP: #1595350
* netfilter: ip6_tables: simplify translate_compat_table args
- LP: #1595350
* netfilter: x_tables: xt_compat_match_from_user doesn't need a retval
- LP: #1595350
* netfilter: x_tables: do compat validation via translate_table
- LP: #1595350
* netfilter: x_tables: introduce and use xt_copy_counters_from_user
- LP: #1595350
linux (4.2.0-40.47) wily; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1595725
[ Serge Hallyn ]
* SAUCE: add a sysctl to disable unprivileged user namespace unsharing
- LP: #1555338, #1595350
linux (4.2.0-39.46) wily; urgency=low
[ Kamal Mostafa ]
* Release Tracking Bug
- LP: #1591301
[ J. R. Okajima ]
* SAUCE: AUFS: mm/mmap: fix oopsing on remap_file_pages aufs mmap:
bugfix, mainly for linux-4.5-rc5, remap_file_pages(2) emulation
- LP: #1558120
[ Kamal Mostafa ]
* [debian] getabis: Only git add $abidir if running in local repo
- LP: #1584890
* [debian] getabis: Fix inconsistent compiler versions check
- LP: #1584890
[ Tim Gardner ]
* Revert "SAUCE: mm/mmap: fix oopsing on remap_file_pages"
- LP: #1558120
* [Config] Remove arc4 from nic-modules
- LP: #1582991
[ Upstream Kernel Changes ]
* Revert "usb: hub: do not clear BOS field during reset device"
- LP: #1582864
* hpsa: move lockup_detected attribute to host attr
- LP: #1581169
* ALSA: timer: Fix leak in SNDRV_TIMER_IOCTL_PARAMS
- LP: #1580379
- CVE-2016-4569
* ALSA: timer: Fix leak in events via snd_timer_user_ccallback
- LP: #1581866
- CVE-2016-4578
* ALSA: timer: Fix leak in events via snd_timer_user_tinterrupt
- LP: #1581866
- CVE-2016-4578
* net: fix a kernel infoleak in x25 module
- LP: #1585366
- CVE-2016-4580
* get_rock_ridge_filename(): handle malformed NM entries
- LP: #1583962
- CVE-2016-4913
* tipc: check nl sock before parsing nested attributes
- LP: #1585365
- CVE-2016-4951
* netfilter: Set /proc/net entries owner to root in namespace
- LP: #1584953
* USB: usbfs: fix potential infoleak in devio
- LP: #1578493
- CVE-2016-4482
* USB: leave LPM alone if possible when binding/unbinding interface
drivers
- LP: #1577024
* [4.2-stable only] fix backport "IB/security: restrict use of the
write() interface"
- LP: #1586447
* regulator: s2mps11: Fix invalid selector mask and voltages for buck9
- LP: #1586447
* regmap: spmi: Fix regmap_spmi_ext_read in multi-byte case
- LP: #1586447
* ALSA: usb-audio: Quirk for yet another Phoenix Audio devices (v2)
- LP: #1586447
* atomic_open(): fix the handling of create_error
- LP: #1586447
* drm/i915/bdw: Add missing delay during L3 SQC credit programming
- LP: #1586447
* crypto: hash - Fix page length clamping in hash walk
- LP: #1586447
* drm/radeon: fix DP link training issue with second 4K monitor
- LP: #1586447
* drm/radeon: fix PLL sharing on DCE6.1 (v2)
- LP: #1586447
* ALSA: hda - Fix white noise on Asus UX501VW headset
- LP: #1586447
* Input: max8997-haptic - fix NULL pointer dereference
- LP: #1586447
* drm/i915: Bail out of pipe config compute loop on LPT
- LP: #1586447
* ALSA: hda - Fix broken reconfig
- LP: #1586447
* ALSA: hda - Fix subwoofer pin on ASUS N751 and N551
- LP: #1586447
* vfs: add vfs_select_inode() helper
- LP: #1586447
* vfs: rename: check backing inode being equal
- LP: #1586447
* ALSA: usb-audio: Yet another Phoneix Audio device quirk
- LP: #1586447
* perf/x86: Fix undefined shift on 32-bit kernels
- LP: #1586447
* perf/x86/intel/pt: Generate PMI in the STOP region as well
- LP: #1586447
* perf/core: Disable the event on a truncated AUX record
- LP: #1586447
* tools lib traceevent: Do not reassign parg after collapse_tree()
- LP: #1586447
* workqueue: fix rebind bound workers warning
- LP: #1586447
* ocfs2: fix posix_acl_create deadlock
- LP: #1586447
* nf_conntrack: avoid kernel pointer value leak in slab name
- LP: #1586447
* macvtap: segmented packet is consumed
- LP: #1586447
* regulator: axp20x: Fix axp22x ldo_io voltage ranges
- LP: #1586447
* arm64: bpf: jit JMP_JSET_{X,K}
- LP: #1586447
* bridge: fix igmp / mld query parsing
- LP: #1586447
* net/mlx4_en: Fix endianness bug in IPV6 csum calculation
- LP: #1586447
* net: fec: only clear a queue's work bit if the queue was emptied
- LP: #1586447
* tcp: refresh skb timestamp at retransmit time
- LP: #1586447
* net/route: enforce hoplimit max value
- LP: #1586447
* decnet: Do not build routes to devices without decnet private data.
- LP: #1586447
* route: do not cache fib route info on local routes with oif
- LP: #1586447
* net: use skb_postpush_rcsum instead of own implementations
- LP: #1586447
* vlan: pull on __vlan_insert_tag error path and fix csum correction
- LP: #1586447
* ipv4/fib: don't warn when primary address is missing if in_dev is dead
- LP: #1586447
* bpf: fix double-fdput in replace_map_fd_with_map_ptr()
- LP: #1586447
* net_sched: introduce qdisc_replace() helper
- LP: #1586447
* net_sched: update hierarchical backlog too
- LP: #1586447
* sch_htb: update backlog as well
- LP: #1586447
* sch_dsmark: update backlog as well
- LP: #1586447
* netem: Segment GSO packets on enqueue
- LP: #1586447
* VSOCK: do not disconnect socket when peer has shutdown SEND only
- LP: #1586447
* net: bridge: fix old ioctl unlocked net device walk
- LP: #1586447
* cdc_mbim: apply "NDP to end" quirk to all Huawei devices
- LP: #1586447
* soreuseport: fix ordering for mixed v4/v6 sockets
- LP: #1586447
* uapi glibc compat: fix compile errors when glibc net/if.h included
before linux/if.h
- LP: #1586447
* Linux 4.2.8-ckt11
- LP: #1586447
* usb: core: hub: hub_port_init lock controller instead of bus
- LP: #1437492
-- Luis Henriques <luis.henriques@xxxxxxxxxxxxx> Fri, 24 Jun 2016
11:46:57 +0100
** Changed in: linux (Ubuntu Wily)
Status: Fix Committed => Fix Released
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-3134
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4482
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4569
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4578
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4580
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4913
** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2016-4951
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1582864
Title:
use after free of BOS in usb_reset_and_verify_device
Status in linux package in Ubuntu:
Fix Committed
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Vivid:
Fix Released
Status in linux source package in Wily:
Fix Released
Bug description:
Should be fixed with upstream commit
e5bdfd50d6f76077bf8441d130c606229e100d40, which reverts upstream
commit d8f00cd685f5c8e0def8593e520a7fef12c22407.
With slub_debug enabled this manifests as a deref of 0x6b6b... in
usb_disable_ltm
[ 218.235302] general protection fault: 0000 [#1] SMP
[ 218.235311] Modules linked in: usb_storage tcp_diag inet_diag iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables autofs4 rpcsec_gss_krb5 rfcomm bnep bluetooth snd_hda_codec_hdmi binfmt_misc nvidia(POX) snd_hda_codec_realtek snd_hda_intel snd_usb_audio snd_hda_codec snd_usbmidi_lib uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core snd_hwdep snd_seq_midi joydev snd_pcm videodev snd_page_alloc snd_seq_midi_event nfsd snd_rawmidi snd_seq auth_rpcgss parport_pc nfs_acl ppdev nfs lockd sunrpc fscache honeevent(OX) snd_seq_device snd_timer snd drm lp parport sb_edac mei_me hp_wmi sparse_keymap gpio_ich hpuefi(OX) intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm soundcore edac_core mei serio_raw tpm_infineon lpc_ich mac_hid wmi shpchp dm_crypt hid_generic usbhid hid crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw gf128mul glue_helper ablk_helper cryptd psmouse isci e1000e ahci libsas libahci ptp pps_core scsi_transport_sas pata_acpi
[ 218.235410] CPU: 15 PID: 243 Comm: khubd Tainted: P OX 3.13.0-85-generic #129-Ubuntu
[ 218.235414] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 218.235418] task: ffff8807eff98000 ti: ffff8807effa0000 task.ti: ffff8807effa0000
[ 218.235421] RIP: 0010:[<ffffffff815444b6>] [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[ 218.235437] RSP: 0018:ffff8807effa1cd0 EFLAGS: 00010202
[ 218.235440] RAX: 0000000000000000 RBX: ffff8807ea532e68 RCX: 0000000000000000
[ 218.235443] RDX: 6b6b6b6b6b6b6b6b RSI: 0000000000300021 RDI: ffff8807ea532e68
[ 218.235446] RBP: ffff8807effa1d08 R08: 0000000000000000 R09: 0000000000000000
[ 218.235449] R10: ffff8807ff804240 R11: ffffffff8136d2a1 R12: 0000000000000000
[ 218.235451] R13: ffff8807ebddd480 R14: 0000000000000001 R15: 0000000000000012
[ 218.235455] FS: 0000000000000000(0000) GS:ffff88101fce0000(0000) knlGS:0000000000000000
[ 218.235458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 218.235461] CR2: 00000000013b1c08 CR3: 0000000001c0e000 CR4: 00000000000407e0
[ 218.235463] Stack:
[ 218.235465] ffffffff81551236 ffff8807ea532ef0 0000000000000000 ffff8807ea532e68
[ 218.235476] ffff8807ea532ef0 ffff8807ebddbf60 0000000000000000 ffff8807effa1d48
[ 218.235483] ffffffff81545c4d ffff8807ea532f50 ffff8807ebddb4d0 00000000000002a0
[ 218.235490] Call Trace:
[ 218.235499] [<ffffffff81551236>] ? usb_disable_device+0x126/0x290
[ 218.235506] [<ffffffff81545c4d>] usb_disconnect+0xad/0x200
[ 218.235511] [<ffffffff815487d3>] hub_port_connect_change+0xd3/0xb20
[ 218.235518] [<ffffffff8154333d>] ? hub_port_status+0xdd/0x120
[ 218.235523] [<ffffffff815496f4>] hub_events+0x4d4/0xa20
[ 218.235528] [<ffffffff81549c75>] hub_thread+0x35/0x160
[ 218.235535] [<ffffffff810add60>] ? prepare_to_wait_event+0x100/0x100
[ 218.235540] [<ffffffff81549c40>] ? hub_events+0xa20/0xa20
[ 218.235549] [<ffffffff8108deb2>] kthread+0xd2/0xf0
[ 218.235554] [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
[ 218.235564] [<ffffffff8173c2e8>] ret_from_fork+0x58/0x90
[ 218.235570] [<ffffffff8108dde0>] ? kthread_create_on_node+0x1c0/0x1c0
[ 218.235572] Code: e9 48 8b 52 10 48 85 d2 74 e0 f6 42 03 02 74 da 83 7f 1c 05 75 d4 48 8b 97 40 03 00 00 48 85 d2 74 c8 48 8b 52 10 48 85 d2 74 bf <f6> 42 03 02 74 b9 48 83 bf 50 03 00 00 00 74 af 55 45 31 c9 41
[ 218.235618] RIP [<ffffffff815444b6>] usb_disable_ltm+0x56/0xb0
[ 218.235624] RSP <ffff8807effa1cd0>
[ 218.235655] ---[ end trace 954cac763165b767 ]---
Without slub_debug you end up getting a double free and messing up the
allocator and apparmor tends to be the first one to notice:
[ 574.027518] hub 4-0:1.0: Cannot enable port 3. Maybe the USB cable is bad?
[ 574.548076] usb 4-3: USB disconnect, device number 2
[ 576.040995] ------------[ cut here ]------------
[ 576.041003] WARNING: CPU: 17 PID: 11627 at /build/linux-03BQvT/linux-3.13.0/include/linux/kref.h:47 apparmor_file_alloc_security+0x167/0x180()
[ 576.041005] Modules linked in: tcp_diag inet_diag xt_u32 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables xt_NFLOG xt_tcpudp xt_comment ipt_REJECT xt_multiport xt_connmark xt_conntrack xt_mark iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables pci_stub vboxpci(OX) vboxnetadp(OX) vboxnetflt(OX) vboxdrv(OX) nfnetlink_log nfnetlink autofs4 rfcomm bnep bluetooth binfmt_misc honeevent(OX) rpcsec_gss_krb5 nfsd auth_rpcgss nfs_acl nfs lockd sunrpc fscache snd_hda_codec_hdmi snd_hda_codec_realtek nvidia(POX) snd_hda_intel parport_pc snd_hda_codec ppdev lp snd_hwdep snd_pcm snd_page_alloc snd_seq_midi snd_seq_midi_event snd_rawmidi snd_seq snd_seq_device snd_timer snd mei_me parport gpio_ich hpuefi(OX) sb_edac edac_core lpc_ich drm mei joydev hp_wmi sparse_keymap tpm_infineon soundcore mac_hid intel_rapl x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm crct10dif_pclmul crc32_pclmul aesni_intel aes_x86_64 lrw serio_raw gf128mul glue_helper ablk_helper cryptd shpchp wmi hid_generic usbhid hid psmouse e1000e isci ahci libsas ptp libahci scsi_transport_sas pps_core pata_acpi
[ 576.041068] CPU: 17 PID: 11627 Comm: at-spi-bus-laun Tainted: P OX 3.13.0-83-generic #127-Ubuntu
[ 576.041070] Hardware name: Hewlett-Packard HP Z620 Workstation/158A, BIOS J61 v03.87 02/09/2015
[ 576.041071] 0000000000000009 ffff880efd08fcf0 ffffffff81725992 0000000000000000
[ 576.041076] ffff880efd08fd28 ffffffff8106790d ffff8807ff810430 ffff880035d22a00
[ 576.041079] ffff880f63216000 ffff880efd08ff2c 00000000ffffff9c ffff880efd08fd38
[ 576.041082] Call Trace:
[ 576.041088] [<ffffffff81725992>] dump_stack+0x45/0x56
[ 576.041091] [<ffffffff8106790d>] warn_slowpath_common+0x7d/0xa0
[ 576.041094] [<ffffffff810679ea>] warn_slowpath_null+0x1a/0x20
[ 576.041096] [<ffffffff81316b67>] apparmor_file_alloc_security+0x167/0x180
[ 576.041100] [<ffffffff812d9076>] security_file_alloc+0x16/0x20
[ 576.041105] [<ffffffff811c04e0>] get_empty_filp+0x90/0x180
[ 576.041108] [<ffffffff811ce00d>] path_openat+0x3d/0x640
[ 576.041111] [<ffffffff811cd7db>] ? filename_lookup+0x2b/0xc0
[ 576.041114] [<ffffffff811cf47a>] do_filp_open+0x3a/0x90
[ 576.041116] [<ffffffff811c83a7>] ? path_get+0x27/0x30
[ 576.041120] [<ffffffff810fed4d>] ? __audit_getname+0x9d/0xa0
[ 576.041123] [<ffffffff811dc2d7>] ? __alloc_fd+0xa7/0x130
[ 576.041126] [<ffffffff811bda09>] do_sys_open+0x129/0x280
[ 576.041128] [<ffffffff811bdb7e>] SyS_open+0x1e/0x20
[ 576.041131] [<ffffffff8173659d>] system_call_fastpath+0x1a/0x1f
[ 576.041133] ---[ end trace 5de8dc1cac0eb1c6 ]---
[ 576.041171] BUG: unable to handle kernel paging request at 000000000000472e
[ 576.041174] IP: [<ffffffff811a38b0>] kmem_cache_alloc_trace+0x80/0x1f0
[ 576.041177] PGD 0
[ 576.041179] Oops: 0000 [#1] SMP
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1582864/+subscriptions
References
