← Back to team overview

kernel-packages team mailing list archive

[Bug 1326367] Re: exploitable futex vulnerability

 

** Description changed:

- If uaddr == uaddr2, then we have broken the rule of only requeueing from
- a non-pi futex to a pi futex with this call. If we attempt this, then
- dangling pointers may be left for rt_waiter resulting in an exploitable
- condition.
+ The futex_requeue function in kernel/futex.c in the Linux kernel through
+ 3.14.5 does not ensure that calls have two different futex addresses,
+ which allows local users to gain privileges via a crafted FUTEX_REQUEUE
+ command that facilitates unsafe waiter modification.
  
  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 54a217887a7b658e2650c3feff22756ab80c7339
  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 e9c243a5a6de0be8e584c604d353412584b592f8

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1326367

Title:
  exploitable futex vulnerability

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Fix Released
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Fix Released
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Released
Status in “linux-armadaxp” source package in Precise:
  Fix Released
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-quantal” source package in Precise:
  Fix Released
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  New
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Fix Committed
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  The futex_requeue function in kernel/futex.c in the Linux kernel
  through 3.14.5 does not ensure that calls have two different futex
  addresses, which allows local users to gain privileges via a crafted
  FUTEX_REQUEUE command that facilitates unsafe waiter modification.

  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 54a217887a7b658e2650c3feff22756ab80c7339
  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 13fbca4c6ecd96ec1a1cfa2e4f2ce191fe928a5e
  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 b3eaa9fc5cd0a4d74b18f6b8dc617aeaf1873270
  Break-Fix: 52400ba946759af28442dee6265c5c0180ac7122 e9c243a5a6de0be8e584c604d353412584b592f8

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1326367/+subscriptions