kernel-packages team mailing list archive

[Bug 1274349] Missing required logs.

This bug is missing log files that will aid in diagnosing the problem.
From a terminal window please run:

apport-collect 1274349

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable
to run this command, please add a comment stating that fact and change
the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the
Ubuntu Kernel Team.

** Changed in: linux (Ubuntu)
       Status: New => Incomplete

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1274349

Title:
  Fix-compat_sys_recvmsg-on-x32-archs

Status in “linux” package in Ubuntu:
  Incomplete
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Incomplete
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid

Bug description:
  Reported by pageexec

  asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                      unsigned int vlen, unsigned int flags,
                                      struct compat_timespec __user *timeout)
  {
          int datagrams;
          struct timespec ktspec;

          if (flags & MSG_CMSG_COMPAT)
                  return -EINVAL;

          if (COMPAT_USE_64BIT_TIME)
                  return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                        flags | MSG_CMSG_COMPAT,
                                        (struct timespec *) timeout);
  /*...*/

  The timeout pointer parameter is provided by userland (hence the
  __user annotation) but for x32 syscalls it's simply cast to a kernel
  pointer and is passed to __sys_recvmmsg which will eventually directly
  dereference it for both reading and writing. Other callers to
  __sys_recvmmsg properly copy from userland to the kernel first.

  The impact is a sort of arbitrary kernel write-where-what primitive by
  unprivileged users where the to-be-written area must contain valid
  timespec data initially (the first 64 bit long field must be positive
  and the second one must be < 1G).

  The bug was introduced by commit
  http://git.kernel.org/linus/ee4fa23c4b (other uses of
  COMPAT_USE_64BIT_TIME seem fine) and should affect all kernels since
  3.4 (and perhaps vendor kernels if they backported x32 support along
  with this code). Note that CONFIG_X86_X32_ABI gets enabled at build
  time and only if CONFIG_X86_X32 is enabled and ld can build x32
  executables.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1274349/+subscriptions
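
Added example, not part of the original notification or the kernel source: a userspace C model of the pattern the bug description names, where a caller-supplied address is handed to a function that dereferences it, next to the copy-in/copy-out form the report says the other callers use. The slot-based address space, inner_recv, recv_cast, recv_copied and kernel_slot_clobbered are hypothetical names for this model.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Toy address space (assumption): slots 0-7 are "user", 8-15 are "kernel". */
#define SLOTS 16
#define USER_SLOTS 8
struct ts { int64_t tv_sec; int64_t tv_nsec; };
static struct ts mem[SLOTS];

/* Stand-in for __sys_recvmmsg: validates *timeout, then writes through it. */
static int inner_recv(struct ts *timeout)
{
    if (timeout->tv_sec < 0 || timeout->tv_nsec < 0 || timeout->tv_nsec >= 1000000000)
        return -EINVAL;
    timeout->tv_sec = 0;   /* model: remaining time written back as zero */
    timeout->tv_nsec = 0;
    return 1;              /* one datagram received */
}

/* Pattern from the report: caller-supplied address used as a kernel pointer. */
static int recv_cast(unsigned slot) { return inner_recv(&mem[slot % SLOTS]); }

/* Hardened pattern: range-check, work on a kernel-local copy, copy back. */
static int recv_copied(unsigned slot)
{
    struct ts k;
    int n;
    if (slot >= USER_SLOTS) return -EFAULT;  /* the check copy_from_user() makes */
    k = mem[slot];
    n = inner_recv(&k);
    if (n > 0) mem[slot] = k;                /* copy_to_user() of the result */
    return n;
}

/* Returns 1 if a call aimed at kernel slot 12 modified it, else 0. */
static int kernel_slot_clobbered(int use_cast)
{
    mem[12] = (struct ts){ 5, 100 };  /* constructed kernel data */
    if (use_cast) recv_cast(12); else recv_copied(12);
    return mem[12].tv_sec != 5 || mem[12].tv_nsec != 100;
}

int main(void)
{
    printf("cast: %d, copied: %d\n", kernel_slot_clobbered(1), kernel_slot_clobbered(0));
    return 0;
}
```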