kernel-packages team mailing list archive

[Bug 1326367] Re: exploitable futex vulnerability

 

This bug was fixed in the package linux-ti-omap4 - 3.2.0-1449.68

---------------
linux-ti-omap4 (3.2.0-1449.68) precise; urgency=low

  * Release Tracking Bug
    - LP: #1326747

  [ Paolo Pisati ]

  * rebased on Ubuntu-3.2.0-64.97

  [ Ubuntu: 3.2.0-64.97 ]

  * futex-prevent-requeue-pi-on-same-futex.patch futex: Forbid uaddr ==
    uaddr2 in futex_requeue(..., requeue_pi=1)
    - LP: #1326367
    - CVE-2014-3153
  * futex: Validate atomic acquisition in futex_lock_pi_atomic()
    - LP: #1326367
    - CVE-2014-3153
  * futex: Always cleanup owner tid in unlock_pi
    - LP: #1326367
    - CVE-2014-3153
  * futex: Make lookup_pi_state more robust
    - LP: #1326367
    - CVE-2014-3153

linux-ti-omap4 (3.2.0-1448.67) precise; urgency=low

  * Release Tracking Bug
    - LP: #1322135

  [ Paolo Pisati ]

  * rebased on Ubuntu-3.2.0-64.96
  * [Config] BLK_DEV_DM_BUILTIN=y

  [ Ubuntu: 3.2.0-64.96 ]

  * Release Tracking Bug
    - LP: #1321792
  * [Config] updateconfigs after Linux v3.2.58 and v3.2.59 updates
  * Revert "sparc64: Fix __copy_{to,from}_user_inatomic defines."
    - LP: #1319885
  * Revert "alpha: fix broken network checksum"
    - LP: #1319885
  * Revert "isci: fix reset timeout handling"
    - LP: #1319885
  * Revert "USB: serial: add usbid for dell wwan card to sierra.c"
    - LP: #1319885
  * mm: try_to_unmap_cluster() should lock_page() before mlocking
    - LP: #1316268
    - CVE-2014-3122
  * net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
    - LP: #1319885
  * bridge: multicast: add sanity check for query source addresses
    - LP: #1319885
  * net: unix: non blocking recvmsg() should not return -EINTR
    - LP: #1319885
  * vlan: Set correct source MAC address with TX VLAN offload enabled
    - LP: #1319885
  * net: socket: error on a negative msg_namelen
    - LP: #1319885
  * ipv6: Avoid unnecessary temporary addresses being generated
    - LP: #1319885
  * ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment
    properly
    - LP: #1319885
  * vhost: validate vhost_get_vq_desc return value
    - LP: #1319885
    - CVE-2014-0055
  * xen-netback: remove pointless clause from if statement
    - LP: #1319885
  * ipv6: some ipv6 statistic counters failed to disable bh
    - LP: #1319885
  * netlink: don't compare the nul-termination in nla_strcmp
    - LP: #1319885
  * isdnloop: Validate NUL-terminated strings from user.
    - LP: #1319885
  * isdnloop: several buffer overflows
    - LP: #1319885
  * sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on
    Simba-bridges
    - LP: #1319885
  * sparc32: fix build failure for arch_jump_label_transform
    - LP: #1319885
  * sparc64: don't treat 64-bit syscall return codes as 32-bit
    - LP: #1319885
  * drm/i915: inverted brightness quirk for Acer Aspire 4736Z
    - LP: #1319885
  * drm/i915: quirk invert brightness for Acer Aspire 5336
    - LP: #1319885
  * w1: fix w1_send_slave dropping a slave id
    - LP: #1319885
  * ARM: mm: introduce present, faulting entries for PAGE_NONE
    - LP: #1319885
  * ARM: 7954/1: mm: remove remaining domain support from ARMv6
    - LP: #1319885
  * matroxfb: restore the registers M_ACCESS and M_PITCH
    - LP: #1319885
  * framebuffer: fix cfb_copyarea
    - LP: #1319885
  * mach64: use unaligned access
    - LP: #1319885
  * mach64: fix cursor when character width is not a multiple of 8 pixels
    - LP: #1319885
  * tgafb: fix data copying
    - LP: #1319885
  * hvc: ensure hvc_init is only ever called once in hvc_console.c
    - LP: #1319885
  * usb: dwc3: fix wrong bit mask in dwc3_event_devt
    - LP: #1319885
  * media: gspca: sn9c20x: add ID for Genius Look 1320 V2
    - LP: #1319885
  * tty: Set correct tty name in 'active' sysfs attribute
    - LP: #1319885
  * uvcvideo: Do not use usb_set_interface on bulk EP
    - LP: #1319885
  * usb: gadget: atmel_usba: fix crashed during stopping when DEBUG is
    enabled
    - LP: #1319885
  * blktrace: fix accounting of partially completed requests
    - LP: #1319885
  * rtlwifi: rtl8192se: Fix too long disable of IRQs
    - LP: #1319885
  * staging:serqt_usb2: Fix sparse warning restricted __le16 degrades to
    integer
    - LP: #1319885
  * Btrfs: skip submitting barrier for missing device
    - LP: #1319885
  * jffs2: remove from wait queue after schedule()
    - LP: #1319885
  * jffs2: avoid soft-lockup in jffs2_reserve_space_gc()
    - LP: #1319885
  * jffs2: Fix segmentation fault found in stress test
    - LP: #1319885
  * jffs2: Fix crash due to truncation of csize
    - LP: #1319885
  * iwlwifi: dvm: take mutex when sending SYNC BT config command
    - LP: #1319885
  * virtio_balloon: don't softlockup on huge balloon changes.
    - LP: #1319885
  * ext4: fix partial cluster handling for bigalloc file systems
    - LP: #1319885
  * ath9k: fix ready time of the multicast buffer queue
    - LP: #1319885
  * IB/ipath: Fix potential buffer overrun in sending diag packet routine
    - LP: #1319885
  * IB/nes: Return an error on ib_copy_from_udata() failure instead of NULL
    - LP: #1319885
  * mfd: Include all drivers in subsystem menu
    - LP: #1319885
  * mfd: max8997: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1319885
  * mfd: max8998: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1319885
  * mfd: max8925: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1319885
  * mfd: 88pm860x: Fix possible NULL pointer dereference on i2c_new_dummy
    error
    - LP: #1319885
  * pid: get pid_t ppid of task in init_pid_ns
    - LP: #1319885
  * audit: convert PPIDs to the inital PID namespace.
    - LP: #1319885
  * Btrfs: fix deadlock with nested trans handles
    - LP: #1319885
  * gpio: mxs: Allow for recursive enable_irq_wake() call
    - LP: #1319885
  * x86, hyperv: Bypass the timer_irq_works() check
    - LP: #1319885
  * nfsd4: buffer-length check for SUPPATTR_EXCLCREAT
    - LP: #1319885
  * nfsd4: session needs room for following op to error out
    - LP: #1319885
  * nfsd: Add fh_{want,drop}_write()
    - LP: #1319885
  * nfsd: notify_change needs elevated write count
    - LP: #1319885
  * drm/i915/tv: fix gen4 composite s-video tv-out
    - LP: #1319885
  * dm thin: fix dangling bio in process_deferred_bios error path
    - LP: #1319885
  * nfsd4: fix setclientid encode size
    - LP: #1319885
  * MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
    - LP: #1319885
  * ALSA: hda - Enable beep for ASUS 1015E
    - LP: #1319885
  * IB/mthca: Return an error on ib_copy_to_udata() failure
    - LP: #1319885
  * IB/ehca: Returns an error on ib_copy_to_udata() failure
    - LP: #1319885
  * reiserfs: fix race in readdir
    - LP: #1319885
  * drm/vmwgfx: correct fb_fix_screeninfo.line_length
    - LP: #1319885
  * drm/radeon: call drm_edid_to_eld when we update the edid
    - LP: #1319885
  * sh: fix format string bug in stack tracer
    - LP: #1319885
  * ocfs2: dlm: fix lock migration crash
    - LP: #1319885
  * ocfs2: dlm: fix recovery hung
    - LP: #1319885
  * ocfs2: do not put bh when buffer_uptodate failed
    - LP: #1319885
  * iscsi-target: Fix ERL=2 ASYNC_EVENT connection pointer bug
    - LP: #1319885
  * mm: hugetlb: fix softlockup when a large number of hugepages are freed.
    - LP: #1319885
  * wait: fix reparent_leader() vs EXIT_DEAD->EXIT_ZOMBIE race
    - LP: #1319885
  * ALSA: ice1712: Fix boundary checks in PCM pointer ops
    - LP: #1319885
  * lib/percpu_counter.c: fix bad percpu counter state during suspend
    - LP: #1319885
  * b43: Fix machine check error due to improper access of
    B43_MMIO_PSM_PHY_HDR
    - LP: #1319885
  * x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
    - LP: #1319885
  * target/tcm_fc: Fix use-after-free of ft_tpg
    - LP: #1319885
  * drivers: hv: additional switch to use mb() instead of smp_mb()
    - LP: #1319885
  * Char: ipmi_bt_sm, fix infinite loop
    - LP: #1319885
  * selinux: correctly label /proc inodes in use before the policy is
    loaded
    - LP: #1319885
  * powernow-k6: disable cache when changing frequency
    - LP: #1319885
  * powernow-k6: correctly initialize default parameters
    - LP: #1319885
  * powernow-k6: reorder frequencies
    - LP: #1319885
  * Linux 3.2.58
    - LP: #1319885
  * ext4: FIBMAP ioctl causes BUG_ON due to handle EXT_MAX_BLOCKS
    - LP: #1319885
  * ext4: note the error in ext4_end_bio()
    - LP: #1319885
  * ext4: use i_size_read in ext4_unaligned_aio()
    - LP: #1319885
  * parisc: fix epoll_pwait syscall on compat kernel
    - LP: #1319885
  * locks: allow __break_lease to sleep even when break_time is 0
    - LP: #1319885
  * mlx4_en: don't use napi_synchronize inside mlx4_en_netpoll
    - LP: #1319885
  * staging: r8712u: Fix case where ethtype was never obtained and always
    be checked against 0
    - LP: #1319885
  * USB: serial: ftdi_sio: add id for Brainboxes serial cards
    - LP: #1319885
  * usb: option driver, add support for Telit UE910v2
    - LP: #1319885
  * USB: cp210x: Add 8281 (Nanotec Plug & Drive)
    - LP: #1319885
  * USB: pl2303: add ids for Hewlett-Packard HP POS pole displays
    - LP: #1319885
  * USB: cdc-acm: Remove Motorola/Telit H24 serial interfaces from ACM
    driver
    - LP: #1319885
  * nfsd: set timeparms.to_maxval in setup_callback_client
    - LP: #1319885
  * libata/ahci: accommodate tag ordered controllers
    - LP: #1319885
  * mm/hugetlb.c: add cond_resched_lock() in return_unused_surplus_pages()
    - LP: #1319885
  * dmi: add support for exact DMI matches in addition to substring
    matching
    - LP: #1319885
  * Input: synaptics - add min/max quirk for ThinkPad T431s, L440, L540, S1
    Yoga and X1
    - LP: #1319885
  * mm: make fixup_user_fault() check the vma access rights too
    - LP: #1319885
  * ARM: 8027/1: fix do_div() bug in big-endian systems
    - LP: #1319885
  * USB: serial: fix sysfs-attribute removal deadlock
    - LP: #1319885
  * Btrfs: Don't allocate inode that is already in use
    - LP: #1319885
  * Btrfs: fix inode caching vs tree log
    - LP: #1319885
  * xhci: For streams the css flag most be read from the stream-ctx on ep
    stop
    - LP: #1319885
  * usb: xhci: Prefer endpoint context dequeue pointer over stopped_trb
    - LP: #1319885
  * usb/xhci: fix compilation warning when !CONFIG_PCI && !CONFIG_PM
    - LP: #1319885
  * USB: io_ti: fix firmware download on big-endian machines
    - LP: #1319885
  * usb: option: add Olivetti Olicard 500
    - LP: #1319885
  * usb: option: add Alcatel L800MA
    - LP: #1319885
  * usb: option: add and update a number of CMOTech devices
    - LP: #1319885
  * rtl8192ce: Fix null dereference in watchdog
    - LP: #1319885
  * Linux 3.2.59
    - LP: #1319885

linux-ti-omap4 (3.2.0-1447.66) precise; urgency=low

  * Release Tracking Bug
    - LP: #1320043

  [ Paolo Pisati ]

  * rebased on Ubuntu-3.2.0-63.95

  [ Ubuntu: 3.2.0-63.95 ]

  * Revert "rtlwifi: Set the link state"
    - LP: #1319735
  * Release Tracking Bug
    - re-used previous tracking bug
 -- Paolo Pisati <paolo.pisati@xxxxxxxxxxxxx>   Thu, 05 Jun 2014 13:33:19 +0200

** Changed in: linux-ti-omap4 (Ubuntu Precise)
       Status: New => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0055

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3122

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1326367

Title:
  exploitable futex vulnerability

Status in “linux” package in Ubuntu:
  Confirmed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Fix Released
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  New
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Released
Status in “linux-armadaxp” source package in Precise:
  Fix Released
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-quantal” source package in Precise:
  Fix Released
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  New
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Confirmed
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  If uaddr == uaddr2, then we have broken the rule of only requeueing
  from a non-pi futex to a pi futex with this call. If we attempt this,
  then dangling pointers may be left for rt_waiter resulting in an
  exploitable condition.

  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 -
