← Back to team overview

kernel-packages team mailing list archive

  1. kernel-packages team
  2. Mailing list archive
  3. Message #59299

[Bug 1316735] [NEW] CVE-2014-1738

  Thread PreviousDate PreviousThread Next 
*** This bug is a security vulnerability ***

Public security bug reported:

There is also another issue which greatly helps in the exploitation of
this other issue. In raw_cmd_copyout, the entire floppy_raw_cmd
structure is copy_to_user'd back to userspace after raw command
processing. The issue is that the entire structure is copied back, which
leaks to userspace the address of the allocated DMA pages, if any, and
the address of the next-in-list command structure, if any. A malicious
user can send a FDRAWCMD ioctl with the FD_RAW_MORE flag set and, upon
inspecting the result in the command argument, find the address of the
last floppy_raw_cmd allocation on the kmalloc-nnn slab.

Break-Fix: - 2145e15e0557a01b9195d1c7199a1b92cb9be81f

** Affects: linux (Ubuntu)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu)
     Importance: High
         Status: Invalid

** Affects: linux (Ubuntu Lucid)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Lucid)
     Importance: High
         Status: New

** Affects: linux-fsl-imx51 (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Lucid)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Lucid)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Lucid)
     Importance: High
         Status: Invalid

** Affects: linux (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-ec2 (Ubuntu Precise)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Precise)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Precise)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-lts-raring (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-lts-saucy (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux-mvl-dove (Ubuntu Precise)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Precise)
     Importance: High
         Status: New

** Affects: linux (Ubuntu Quantal)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Quantal)
     Importance: High
         Status: New

** Affects: linux-ec2 (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Quantal)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Quantal)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Quantal)
     Importance: High
         Status: New

** Affects: linux (Ubuntu Saucy)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Saucy)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Saucy)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Saucy)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Saucy)
     Importance: High
         Status: New

** Affects: linux (Ubuntu Trusty)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Trusty)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Trusty)
     Importance: High
         Status: Invalid

** Affects: linux (Ubuntu Utopic)
     Importance: High
         Status: New

** Affects: linux-armadaxp (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-ec2 (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-fsl-imx51 (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-lts-backport-maverick (Ubuntu Utopic)
     Importance: Undecided
         Status: New

** Affects: linux-lts-backport-natty (Ubuntu Utopic)
     Importance: Undecided
         Status: New

** Affects: linux-lts-quantal (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-lts-raring (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-lts-saucy (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-mvl-dove (Ubuntu Utopic)
     Importance: High
         Status: Invalid

** Affects: linux-ti-omap4 (Ubuntu Utopic)
     Importance: High
         Status: Invalid


** Tags: kernel-cve-tracking-bug

** Tags added: kernel-cve-tracking-bug

** Information type changed from Public to Public Security

** CVE added: http://www.cve.mitre.org/cgi-
bin/cvename.cgi?name=2014-1738

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1316735

Title:
  CVE-2014-1738

Status in “linux” package in Ubuntu:
  New
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  New
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  New
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  New
Status in “linux-armadaxp” source package in Precise:
  New
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  New
Status in “linux-lts-raring” source package in Precise:
  New
Status in “linux-lts-saucy” source package in Precise:
  New
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  New
Status in “linux” source package in Quantal:
  New
Status in “linux-armadaxp” source package in Quantal:
  New
Status in “linux-ec2” source package in Quantal:
  Invalid
Status in “linux-fsl-imx51” source package in Quantal:
  Invalid
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux-lts-quantal” source package in Quantal:
  Invalid
Status in “linux-lts-raring” source package in Quantal:
  Invalid
Status in “linux-lts-saucy” source package in Quantal:
  Invalid
Status in “linux-mvl-dove” source package in Quantal:
  Invalid
Status in “linux-ti-omap4” source package in Quantal:
  New
Status in “linux” source package in Saucy:
  New
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  New
Status in “linux” source package in Trusty:
  New
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  New
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  There is also another issue which greatly helps in the exploitation of
  this other issue. In raw_cmd_copyout, the entire floppy_raw_cmd
  structure is copy_to_user'd back to userspace after raw command
  processing. The issue is that the entire structure is copied back,
  which leaks to userspace the address of the allocated DMA pages, if
  any, and the address of the next-in-list command structure, if any. A
  malicious user can send a FDRAWCMD ioctl with the FD_RAW_MORE flag set
  and, upon inspecting the result in the command argument, find the
  address of the last floppy_raw_cmd allocation on the kmalloc-nnn slab.

  Break-Fix: - 2145e15e0557a01b9195d1c7199a1b92cb9be81f

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316735/+subscriptions

Follow ups

References

  Thread PreviousDate PreviousThread Next