kernel-packages team mailing list archive

[Bug 1274754] Re: CVE-2014-0038

 

*** This bug is a duplicate of bug 1274349 ***
    https://bugs.launchpad.net/bugs/1274349

This bug was fixed in the package linux-lts-raring -
3.8.0-36.52~precise1

---------------
linux-lts-raring (3.8.0-36.52~precise1) precise; urgency=low

  [ John Johansen ]

  * UBUNTU: [Upstream] x86, x32: Correct invalid use of user timespec in the
    kernel
    - LP: #1274754

  [ Brad Figg ]

  * Revert "UBUNTU: SAUCE: Fix compat_sys_recvmsg on x32 archs"
  * Release Tracking Bug
    - LP: #1275862

linux-lts-raring (3.8.0-36.51~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1266582

  [ Brad Figg ]

  * debian.raring/etc/getabis: get the packages from linux-lts-raring in
    the archive
  * debian/scripts/misc/getabis: the abi directory should only be made up
    of the version-abi-bld

  [ Upstream Kernel Changes ]

  * Revert "ima: policy for RAMFS"
    - LP: #1265572
  * ipv6: ip6_dst_check needs to check for expired dst_entries
    - LP: #1265572
  * ipv6: reset dst.expires value when clearing expire flag
    - LP: #1265572
  * cxgb3: Fix length calculation in write_ofld_wr() on 32-bit
    architectures
    - LP: #1265572
  * xen-netback: use jiffies_64 value to calculate credit timeout
    - LP: #1265572
  * virtio-net: correctly handle cpu hotplug notifier during resuming
    - LP: #1265572
  * net: flow_dissector: fail on evil iph->ihl
    - LP: #1265572
  * X.509: Remove certificate date checks
    - LP: #1265572
  * selinux: correct locking in selinux_netlbl_socket_connect)
    - LP: #1265572
  * NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk()
    - LP: #1265572
  * usb: musb: cancel work on removal
    - LP: #1265572
  * USB: mos7840: fix tiocmget error handling
    - LP: #1265572
  * pinctrl: dove: unset twsi option3 for gconfig as well
    - LP: #1265572
  * usb: Disable USB 2.0 Link PM before device reset.
    - LP: #1265572
  * usb: hub: Clear Port Reset Change during init/resume
    - LP: #1265572
  * rt2400pci: fix RSSI read
    - LP: #1265572
  * rt2x00: check if device is still available on rt2x00mac_flush()
    - LP: #1265572
  * rt2800usb: slow down TX status polling
    - LP: #1265572
  * cfg80211: fix scheduled scan pointer access
    - LP: #1265572
  * ARM: OMAP2+: irq, AM33XX add missing register check
    - LP: #1265572
  * ALSA: hda - Add support of new codec ALC233
    - LP: #1265572
  * ALSA: hda - Add support of ALC255 codecs
    - LP: #1265572
  * USB:add new zte 3g-dongle's pid to option.c
    - LP: #1265572
  * [SCSI] sd: Reduce buffer size for vpd request
    - LP: #1265572
  * libata: Fix display of sata speed
    - LP: #1265572
  * ahci: disabled FBS prior to issuing software reset
    - LP: #1265572
  * drivers/libata: Set max sector to 65535 for Slimtype DVD A DS8A9SH
    drive
    - LP: #1265572
  * NFSv4: fix NULL dereference in open recover
    - LP: #1265572
  * ALSA: 6fire: Fix probe of multiple cards
    - LP: #1265572
  * ARM: sa11x0/assabet: ensure CS2 is configured appropriately
    - LP: #1265572
  * usb: wusbcore: set the RPIPE wMaxPacketSize value correctly
    - LP: #1265572
  * usb: wusbcore: change WA_SEGS_MAX to a legal value
    - LP: #1265572
  * powerpc/vio: use strcpy in modalias_show
    - LP: #1265572
  * i2c: mux: gpio: use gpio_set_value_cansleep()
    - LP: #1265572
  * i2c: mux: gpio: use reg value for i2c_add_mux_adapter
    - LP: #1265572
  * s390/vtime: correct idle time calculation
    - LP: #1265572
  * dm: allocate buffer for messages with small number of arguments using
    GFP_NOIO
    - LP: #1265572
  * can: c_can: Fix RX message handling, handle lost message before EOB
    - LP: #1265572
  * can: kvaser_usb: fix usb endpoints detection
    - LP: #1265572
  * dm mpath: fix race condition between multipath_dtr and pg_init_done
    - LP: #1265572
  * ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea()
    - LP: #1265572
  * ASoC: ak4642: prevent un-necessary changes to SG_SL1
    - LP: #1265572
  * drm/radeon/si: fix define for MC_SEQ_TRAIN_WAKEUP_CNTL
    - LP: #1265572
  * drm/radeon: don't share PPLLs on DCE4.1
    - LP: #1265572
  * KVM: x86: fix emulation of "movzbl %bpl, %eax"
    - LP: #1265572
  * ALSA: hda - Enable SPDIF for Acer TravelMate 6293
    - LP: #1265572
  * ahci: Add Device IDs for Intel Wildcat Point-LP
    - LP: #1265572
  * edac, highbank: Fix interrupt setup of mem and l2 controller
    - LP: #1265572
  * KVM: IOMMU: hva align mapping page size
    - LP: #1265572
  * audit: printk USER_AVC messages when audit isn't enabled
    - LP: #1265572
  * audit: fix info leak in AUDIT_GET requests
    - LP: #1265572
  * audit: use nlmsg_len() to get message payload length
    - LP: #1265572
  * ALSA: hda - Force buffer alignment for Haswell HDMI controllers
    - LP: #1265572
  * ftrace/x86: skip over the breakpoint for ftrace caller
    - LP: #1265572
  * drm: shmobile: Add dependency on BACKLIGHT_CLASS_DEVICE
    - LP: #1265572
  * powerpc/powernv: Add PE to its own PELTV
    - LP: #1265572
  * drm/ttm: Handle in-memory region copies
    - LP: #1265572
  * drm/ttm: Fix ttm_bo_move_memcpy
    - LP: #1265572
  * drm/ttm: Fix memory type compatibility check
    - LP: #1265572
  * perf/ftrace: Fix paranoid level for enabling function tracer
    - LP: #1265572
  * ARM: entry: move IRQ tracing exit into svc_exit
    - LP: #1265572
  * ARM: entry: move disable_irq_notrace into svc_exit
    - LP: #1265572
  * ARM: 7876/1: clear Thumb-2 IT state on exception handling
    - LP: #1265572
  * PM / hibernate: Avoid overflow in hibernate_preallocate_memory()
    - LP: #1265572
  * ALSA: hda - Add support for CX20952
    - LP: #1265572
  * ALSA: hda - Add pincfg fixup for ASUS W5A
    - LP: #1265572
  * mtd: nand: hack ONFI for non-power-of-2 dimensions
    - LP: #1265572
  * mtd: map: fixed bug in 64-bit systems
    - LP: #1265572
  * mtd: m25p80: fix allocation size
    - LP: #1265572
  * qeth: avoid buffer overflow in snmp ioctl
    - LP: #1265572
  * x86/ioapic/kcrash: Prevent crash_kexec() from deadlocking on
    ioapic_lock
    - LP: #1265572
  * x86/apic: Disable I/O APIC before shutdown of the local APIC
    - LP: #1265572
  * parisc: sticon - unbreak on 64bit kernel
    - LP: #1265572
  * block: fix race between request completion and timeout handling
    - LP: #1265572
  * blk-core: Fix memory corruption if blkcg_init_queue fails
    - LP: #1265572
  * loop: fix crash if blk_alloc_queue fails
    - LP: #1265572
  * block: fix a probe argument to blk_register_region
    - LP: #1265572
  * block: properly stack underlying max_segment_size to DM device
    - LP: #1265572
  * xen/blkback: fix reference counting
    - LP: #1265572
  * loop: fix crash when using unassigned loop device
    - LP: #1265572
  * SUNRPC: Fix a data corruption issue when retransmitting RPC calls
    - LP: #1265572
  * IB/ipath: Convert ipath_user_sdma_pin_pages() to use
    get_user_pages_fast()
    - LP: #1265572
  * IB/qib: Fix txselect regression
    - LP: #1265572
  * IB/srp: Remove target from list before freeing Scsi_Host structure
    - LP: #1265572
  * IB/srp: Avoid offlining operational SCSI devices
    - LP: #1265572
  * IB/srp: Report receive errors correctly
    - LP: #1265572
  * rtlwifi: rtl8192se: Fix wrong assignment
    - LP: #1265572
  * rt2x00: fix HT TX descriptor settings regression
    - LP: #1265572
  * rtlwifi: Fix endian error in extracting packet type
    - LP: #1265572
  * rtlwifi: rtl8192cu: Fix incorrect signal strength for unassociated AP
    - LP: #1265572
  * rtlwifi: rtl8192de: Fix incorrect signal strength for unassociated AP
    - LP: #1265572
  * mwifiex: correct packet length for packets from SDIO interface
    - LP: #1265572
  * mwifiex: fix wrong eth_hdr usage for bridged packets in AP mode
    - LP: #1265572
  * prism54: set netdev type to "wlan"
    - LP: #1265572
  * ALSA: msnd: Avoid duplicated driver name
    - LP: #1265572
  * x86/microcode/amd: Tone down printk(), don't treat a missing firmware
    file as an error
    - LP: #1265572
  * SUNRPC: fix races on PipeFS UMOUNT notifications
    - LP: #1265572
  * SUNRPC: Avoid deep recursion in rpc_release_client
    - LP: #1265572
  * cris: media platform drivers: fix build
    - LP: #1265572
  * mm: ensure get_unmapped_area() returns higher address than
    mmap_min_addr
    - LP: #1265572
  * mm: Only flush TLBs if a transhuge PMD is modified for NUMA pte
    scanning
    - LP: #1265572
  * mm: numa: return the number of base pages altered by protection changes
    - LP: #1265572
  * vsprintf: check real user/group id for %pK
    - LP: #1265572
  * backlight: atmel-pwm-bl: fix reported brightness
    - LP: #1265572
  * backlight: atmel-pwm-bl: fix gpio polarity in remove
    - LP: #1265572
  * coredump: remove redundant defines for dumpable states
    - LP: #1265572
  * exec/ptrace: fix get_dumpable() incorrect tests
    - LP: #1265572
    - CVE-2013-2929
  * devpts: plug the memory leak in kill_sb
    - LP: #1265572
  * ipc: clamp with min()
    - LP: #1265572
  * ipc: separate msg allocation from userspace copy
    - LP: #1265572
  * ipc: tighten msg copy loops
    - LP: #1265572
  * ipc: set EFAULT as default error in load_msg()
    - LP: #1265572
  * ipc, msg: fix message length check for negative values
    - LP: #1265572
  * drm/vmwgfx: Resource evict fixes
    - LP: #1265572
  * ALSA: hda - Don't clear the power state at snd_hda_codec_reset()
    - LP: #1265572
  * ASoC: blackfin: Fix missing break
    - LP: #1265572
  * target: Fix delayed Task Aborted Status (TAS) handling bug
    - LP: #1265572
  * md: fix calculation of stacking limits on level change.
    - LP: #1265572
  * drm/nouveau: when bailing out of a pushbuf ioctl, do not remove
    previous fence
    - LP: #1265572
  * ASoC: fsl: imx-pcm-fiq: omit fiq counter to avoid harm in unbalanced
    situations
    - LP: #1265572
  * ALSA: pcsp: Fix the order of input device unregistration
    - LP: #1265572
  * ASoC: wm8962: Turn on regcache_cache_only before disabling regulator
    - LP: #1265572
  * ARM: integrator_cp: Set LCD{0,1} enable lines when turning on CLCD
    - LP: #1265572
  * hwmon: (lm90) Fix max6696 alarm handling
    - LP: #1265572
  * ASoC: cs42l52: Correct MIC CTL mask
    - LP: #1265572
  * ARM: OMAP2+: omap_device: maintain sane runtime pm status around
    suspend/resume
    - LP: #1265572
  * drm/i915: flush cursors harder
    - LP: #1265572
  * rt2x00: fix a crash bug in the HT descriptor handling fix
    - LP: #1265572
  * rtlwifi: rtl8192cu: Fix more pointer arithmetic errors
    - LP: #1265572
  * radeon/i2c: do not count reg index in number of i2c byte we are
    writing.
    - LP: #1265572
  * radeon: workaround pinning failure on low ram gpu
    - LP: #1265572
  * drm/radeon: add semaphore trace point
    - LP: #1265572
  * ACPI / EC: Ensure lock is acquired before accessing ec struct members
    - LP: #1265572
  * setfacl removes part of ACL when setting POSIX ACLs to Samba
    - LP: #1265572
  * nfsd: split up nfsd_setattr
    - LP: #1265572
  * nfsd: make sure to balance get/put_write_access
    - LP: #1265572
  * ASoC: wm5110: Add post SYSCLK register patch for rev D chip
    - LP: #1265572
  * nfsd4: fix xdr decoding of large non-write compounds
    - LP: #1265572
  * avr32: setup crt for early panic()
    - LP: #1265572
  * avr32: fix out-of-range jump in large kernels
    - LP: #1265572
  * ALSA: hda - Fix unbalanced runtime PM notification at resume
    - LP: #1265572
  * PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove()
    - LP: #1265572
  * powerpc/pseries: Duplicate dtl entries sometimes sent to userspace
    - LP: #1265572
  * powerpc/signals: Mark VSX not saved with small contexts
    - LP: #1265572
  * iscsi-target: fix extract_param to handle buffer length corner case
    - LP: #1265572
  * iscsi-target: chap auth shouldn't match username with trailing garbage
    - LP: #1265572
  * ALSA: hda - Fix the headphone jack detection on Sony VAIO TX
    - LP: #1265572
  * configfs: fix race between dentry put and lookup
    - LP: #1265572
  * ALSA: hda - Provide missing pin configs for VAIO with ALC260
    - LP: #1265572
  * KVM: Fix iommu map/unmap to handle memory slot moves
    - LP: #1265572
  * libertas: potential oops in debugfs
    - LP: #1265572
  * Linux 3.8.13.14
    - LP: #1265572
  * tmp
 -- Brad Figg <brad.figg@xxxxxxxxxxxxx>   Mon, 03 Feb 2014 10:07:27 -0800

** Changed in: linux-lts-raring (Ubuntu Precise)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2013-2929

** Changed in: linux-lts-saucy (Ubuntu Precise)
       Status: New => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1274754

Title:
  CVE-2014-0038

Status in “linux” package in Ubuntu:
  New
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Invalid
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Invalid
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-armadaxp” source package in Precise:
  Invalid
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  New
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Invalid
Status in “linux” source package in Quantal:
  New
Status in “linux-armadaxp” source package in Quantal:
  Invalid
Status in “linux-ec2” source package in Quantal:
  Invalid
Status in “linux-fsl-imx51” source package in Quantal:
  Invalid
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux-lts-quantal” source package in Quantal:
  Invalid
Status in “linux-lts-raring” source package in Quantal:
  Invalid
Status in “linux-lts-saucy” source package in Quantal:
  Invalid
Status in “linux-mvl-dove” source package in Quantal:
  Invalid
Status in “linux-ti-omap4” source package in Quantal:
  Invalid
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  New
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid

Bug description:
  The timeout pointer parameter is provided by userland (hence the
  __user annotation) but for x32 syscalls it's simply cast to a kernel
  pointer and is passed to __sys_recvmmsg which will eventually directly
  dereference it for both reading and writing. Other callers to
  __sys_recvmmsg properly copy from userland to the kernel first. The
  impact is a sort of arbitrary kernel write-where-what primitive by
  unprivileged users where the to-be-written area must contain valid
  timespec data initially (the first 64 bit long field must be positive
  and the second one must be < 1G).

  Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 lp1274754

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1274754/+subscriptions
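
Added example, not part of the original bug report and not kernel source: a user-space C model of the pattern in the bug description, with the caller's address handed straight to the shared worker next to the copy-in/copy-out handling the other callers use. The slot-indexed address space and all function names are hypothetical; only the timespec validity condition is taken from the description.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

struct ts { int64_t tv_sec; int64_t tv_nsec; };  /* model of a timespec */

/* Modelled address space (assumption): slots 0..7 "user", 8..15 "kernel". */
#define USER_SLOTS 8
#define ALL_SLOTS  16
static struct ts mem[ALL_SLOTS];

static int copy_from_user(struct ts *dst, size_t uaddr)
{
    if (uaddr >= USER_SLOTS) return -EFAULT;   /* range check on the address */
    *dst = mem[uaddr];
    return 0;
}

static int copy_to_user(size_t uaddr, const struct ts *src)
{
    if (uaddr >= USER_SLOTS) return -EFAULT;
    mem[uaddr] = *src;
    return 0;
}

/* Stand-in for the shared worker: trusts its pointer, reads then writes it. */
static int recvmmsg_core(struct ts *timeout)
{
    if (timeout->tv_sec < 0 || timeout->tv_nsec < 0 ||
        timeout->tv_nsec >= 1000000000)
        return -EINVAL;
    timeout->tv_sec = 0;    /* "time remaining" written back */
    timeout->tv_nsec = 0;
    return 0;
}

/* Pattern from the bug description: the caller's address is used as-is. */
int recvmmsg_cast(size_t uaddr)
{
    if (uaddr >= ALL_SLOTS) return -EFAULT;    /* keeps the model in bounds */
    return recvmmsg_core(&mem[uaddr]);
}

/* Pattern of the other callers: copy in, work on a private copy, copy out. */
int recvmmsg_copy(size_t uaddr)
{
    struct ts kts;
    int err = copy_from_user(&kts, uaddr);
    if (!err) err = recvmmsg_core(&kts);
    return err ? err : copy_to_user(uaddr, &kts);
}
```

With a "kernel" slot holding data that passes the timespec check, recvmmsg_cast() succeeds and overwrites it, while recvmmsg_copy() returns -EFAULT and leaves it untouched.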

