kernel-packages team mailing list archive
Message #69015
[Bug 1335313] Re: CVE-2014-4608
CVE-2014-4608
** Also affects: linux (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: linux-fsl-imx51 (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: linux-mvl-dove (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: linux-ec2 (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-maverick (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-natty (Ubuntu Utopic)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-fsl-imx51 (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-mvl-dove (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-ec2 (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-maverick (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-natty (Ubuntu Trusty)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: linux-fsl-imx51 (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: linux-mvl-dove (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: linux-ec2 (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-maverick (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-natty (Ubuntu Saucy)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: linux-fsl-imx51 (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: linux-mvl-dove (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: linux-ec2 (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-maverick (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-natty (Ubuntu Precise)
Importance: Undecided
Status: New
** Also affects: linux (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: linux-fsl-imx51 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: linux-mvl-dove (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: linux-ec2 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: linux-ti-omap4 (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-maverick (Ubuntu Lucid)
Importance: Undecided
Status: New
** Also affects: linux-lts-backport-natty (Ubuntu Lucid)
Importance: Undecided
Status: New
** Changed in: linux-armadaxp (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux-armadaxp (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-armadaxp (Ubuntu Lucid)
Status: New => Invalid
** Changed in: linux-armadaxp (Ubuntu Utopic)
Status: New => Invalid
** Changed in: linux-ec2 (Ubuntu Precise)
Status: New => Invalid
** Changed in: linux-ec2 (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux-ec2 (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-ec2 (Ubuntu Utopic)
Status: New => Invalid
** Changed in: linux-lts-quantal (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux-lts-quantal (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-lts-quantal (Ubuntu Lucid)
Status: New => Invalid
** Changed in: linux-lts-quantal (Ubuntu Utopic)
Status: New => Invalid
** Changed in: linux-mvl-dove (Ubuntu Precise)
Status: New => Invalid
** Changed in: linux-mvl-dove (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux-mvl-dove (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-mvl-dove (Ubuntu Utopic)
Status: New => Invalid
** Changed in: linux-lts-saucy (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux-lts-saucy (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-lts-saucy (Ubuntu Lucid)
Status: New => Invalid
** Changed in: linux-lts-saucy (Ubuntu Utopic)
Status: New => Invalid
** Changed in: linux-ti-omap4 (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-ti-omap4 (Ubuntu Lucid)
Status: New => Invalid
** Changed in: linux-ti-omap4 (Ubuntu Utopic)
Status: New => Invalid
** Changed in: linux-fsl-imx51 (Ubuntu Precise)
Status: New => Invalid
** Changed in: linux-fsl-imx51 (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux-fsl-imx51 (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-fsl-imx51 (Ubuntu Utopic)
Status: New => Invalid
** Changed in: linux-lts-raring (Ubuntu Saucy)
Status: New => Invalid
** Changed in: linux-lts-raring (Ubuntu Trusty)
Status: New => Invalid
** Changed in: linux-lts-raring (Ubuntu Lucid)
Status: New => Invalid
** Changed in: linux-lts-raring (Ubuntu Utopic)
Status: New => Invalid
** Description changed:
- Placeholder
+ All versions of the Linux kernel (3x/2x) with LZO support (lib/lzo) that
+ set the HAVE_EFFICIENT_UNALIGNED_ACCESS configuration option. Currently,
+ this seems to include PowerPC and i386. Vulnerability Tested: -
+ Via btrfs - Stand alone Functions Affected:
+ lib/lzo/lzo1x_decompress_safe.c:lzo1x_decompress_safe Criticality
+ Reasoning --------------------- While some variants of this LZO
+ algorithm flaw result in Remote Code Execution (RCE), it is unlikely
+ that the Linux kernel variant can. This is due to the fact that control
+ of the memory region that is overwritten can not be controlled in a
+ fashion that will result in the overwrite of objects critical to the
+ flow of execution. However, it may be possible to overwrite "business
+ logic" data in certain circumstances, by corrupting adjacent objects in
+ memory. Linux's guard pages should mitigate this, however. Because RCE
+ is impractical, Object Over Write (OOM) is only practical in constrained
+ scenarios (read: impractical), and DoS is practical, the criticality
+ level of this issue should be defined as Moderate. Furthermore, a
+ Moderate definition is needed because of the use of LZO in btrfs, and
+ the potential use of LZO in networking, opening up the potential for
+ remote instrumentation of this vulnerability. It is notable that SuSE
+ recently reported that they will start using btrfs by default later this
+ year. Lastly, only certain platforms are affected, decreasing impact.
+ Vulnerability Description ------------------------- An integer overflow
+ can occur when processing any variant of a "literal run" in the
+ lzo1x_decompress_safe function. Each of these three locations is subject
+ to an integer overflow when processing zero bytes. The following code
+ depicts how the size of the literal array is generated:
+ if (likely(state == 0)) { if (unlikely(t
+ == 0)) { while (unlikely(*ip ==
+ 0)) { t += 255;
+ ip++; NEED_IP(1);
+ } t += 15 + *ip++;
+ } t += 3; As long as a zero byte (0x00)
+ is encountered, the variable 't' will be incremented by 255. Using
+ approximately sixteen megabytes of zeros, 't' will accumulate to a
+ maximum unsigned integer value on a 32bit architecture. In combination
+ with the following code, the value of 't' will overflow:
+ copy_literal_run: #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
+ if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
+ const unsigned char *ie = ip + t;
+ unsigned char *oe = op + t; do {
+ COPY8(op, ip); op += 8;
+ ip += 8; COPY8(op, ip);
+ op += 8; ip += 8;
+ } while (ip < ie); ip = ie;
+ op = oe; The HAVE_OP() check will always pass in this case, because the
+ size check within the macro will evaluate based on the overflown
+ integer, not the value of 't'. This exposes the code that copies
+ literals to memory corruption. An interesting side effect of the
+ vulnerable code shown above is that the value of 'op' can point to a
+ region of memory just before the start of 'out'. It should be noted that
+ the following code unintentionally saves all other architectures from
+ exposure: #endif {
+ NEED_OP(t); NEED_IP(t + 3);
+ do { *op++ = *ip++;
+ } while (--t > 0); } NEED_OP() correctly
+ tests the value of 't' here, disallowing the potential for overflow. It
+ should be noted that if 't' is a 64bit integer, the overflow is still
+ possible, but impractical. An overflow would require so much input data
+ that an attack would obviously be infeasible even on modern computers.
+
+ Break-Fix: 64c70b1cf43de158282bc1675918d503e5b15cc1
+ 206a81c18401c0cde6e579164f752c4b147324ce
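Review bot: the three code excerpts in the new description (the `t += 255` accumulation loop, the copy_literal_run block under CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, and the #endif fallback) are run together with the prose on the `+` lines, so the `HAVE_IP(t + 15) && HAVE_OP(t + 15)` condition and the loop bodies are hard to follow; put each excerpt on its own indented lines so a reader can see which check guards which copy. Also, "Object Over Write (OOM)" collides with the usual reading of OOM as out-of-memory; spelling it out or choosing another abbreviation would avoid confusion in the criticality reasoning.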
** Changed in: linux-armadaxp (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-armadaxp (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-armadaxp (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-armadaxp (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-armadaxp (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux-ec2 (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-ec2 (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-ec2 (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-ec2 (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-ec2 (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux-lts-quantal (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-lts-quantal (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-lts-quantal (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-lts-quantal (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-lts-quantal (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux-mvl-dove (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-mvl-dove (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-mvl-dove (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-mvl-dove (Ubuntu Lucid)
Status: New => Invalid
** Changed in: linux-mvl-dove (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-mvl-dove (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux-lts-saucy (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-lts-saucy (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-lts-saucy (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-lts-saucy (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-lts-saucy (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux-ti-omap4 (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-ti-omap4 (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-ti-omap4 (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-ti-omap4 (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-ti-omap4 (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux-fsl-imx51 (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-fsl-imx51 (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-fsl-imx51 (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-fsl-imx51 (Ubuntu Lucid)
Status: New => Invalid
** Changed in: linux-fsl-imx51 (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-fsl-imx51 (Ubuntu Utopic)
Importance: Undecided => Medium
** Changed in: linux-lts-raring (Ubuntu Precise)
Importance: Undecided => Medium
** Changed in: linux-lts-raring (Ubuntu Saucy)
Importance: Undecided => Medium
** Changed in: linux-lts-raring (Ubuntu Trusty)
Importance: Undecided => Medium
** Changed in: linux-lts-raring (Ubuntu Lucid)
Importance: Undecided => Medium
** Changed in: linux-lts-raring (Ubuntu Utopic)
Importance: Undecided => Medium
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1335313
Title:
CVE-2014-4608
Status in “linux” package in Ubuntu:
New
Status in “linux-armadaxp” package in Ubuntu:
Invalid
Status in “linux-ec2” package in Ubuntu:
Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
New
Status in “linux-lts-backport-natty” package in Ubuntu:
New
Status in “linux-lts-quantal” package in Ubuntu:
Invalid
Status in “linux-lts-raring” package in Ubuntu:
Invalid
Status in “linux-lts-saucy” package in Ubuntu:
Invalid
Status in “linux-mvl-dove” package in Ubuntu:
Invalid
Status in “linux-ti-omap4” package in Ubuntu:
Invalid
Status in “linux” source package in Lucid:
New
Status in “linux-armadaxp” source package in Lucid:
Invalid
Status in “linux-ec2” source package in Lucid:
New
Status in “linux-fsl-imx51” source package in Lucid:
Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
New
Status in “linux-lts-backport-natty” source package in Lucid:
New
Status in “linux-lts-quantal” source package in Lucid:
Invalid
Status in “linux-lts-raring” source package in Lucid:
Invalid
Status in “linux-lts-saucy” source package in Lucid:
Invalid
Status in “linux-mvl-dove” source package in Lucid:
Invalid
Status in “linux-ti-omap4” source package in Lucid:
Invalid
Status in “linux” source package in Precise:
New
Status in “linux-armadaxp” source package in Precise:
New
Status in “linux-ec2” source package in Precise:
Invalid
Status in “linux-fsl-imx51” source package in Precise:
Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
New
Status in “linux-lts-backport-natty” source package in Precise:
New
Status in “linux-lts-quantal” source package in Precise:
New
Status in “linux-lts-raring” source package in Precise:
New
Status in “linux-lts-saucy” source package in Precise:
New
Status in “linux-mvl-dove” source package in Precise:
Invalid
Status in “linux-ti-omap4” source package in Precise:
New
Status in “linux” source package in Saucy:
New
Status in “linux-armadaxp” source package in Saucy:
Invalid
Status in “linux-ec2” source package in Saucy:
Invalid
Status in “linux-fsl-imx51” source package in Saucy:
Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
New
Status in “linux-lts-backport-natty” source package in Saucy:
New
Status in “linux-lts-quantal” source package in Saucy:
Invalid
Status in “linux-lts-raring” source package in Saucy:
Invalid
Status in “linux-lts-saucy” source package in Saucy:
Invalid
Status in “linux-mvl-dove” source package in Saucy:
Invalid
Status in “linux-ti-omap4” source package in Saucy:
New
Status in “linux” source package in Trusty:
New
Status in “linux-armadaxp” source package in Trusty:
Invalid
Status in “linux-ec2” source package in Trusty:
Invalid
Status in “linux-fsl-imx51” source package in Trusty:
Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
New
Status in “linux-lts-backport-natty” source package in Trusty:
New
Status in “linux-lts-quantal” source package in Trusty:
Invalid
Status in “linux-lts-raring” source package in Trusty:
Invalid
Status in “linux-lts-saucy” source package in Trusty:
Invalid
Status in “linux-mvl-dove” source package in Trusty:
Invalid
Status in “linux-ti-omap4” source package in Trusty:
Invalid
Status in “linux” source package in Utopic:
New
Status in “linux-armadaxp” source package in Utopic:
Invalid
Status in “linux-ec2” source package in Utopic:
Invalid
Status in “linux-fsl-imx51” source package in Utopic:
Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
New
Status in “linux-lts-backport-natty” source package in Utopic:
New
Status in “linux-lts-quantal” source package in Utopic:
Invalid
Status in “linux-lts-raring” source package in Utopic:
Invalid
Status in “linux-lts-saucy” source package in Utopic:
Invalid
Status in “linux-mvl-dove” source package in Utopic:
Invalid
Status in “linux-ti-omap4” source package in Utopic:
Invalid
Bug description:
All versions of the Linux kernel (3.x/2.x) with LZO support (lib/lzo)
that set the HAVE_EFFICIENT_UNALIGNED_ACCESS configuration option.
Currently, this seems to include PowerPC and i386.

Vulnerability Tested:
- Via btrfs
- Stand alone

Functions Affected:
lib/lzo/lzo1x_decompress_safe.c:lzo1x_decompress_safe

Criticality Reasoning
---------------------
While some variants of this LZO algorithm flaw result in Remote Code
Execution (RCE), it is unlikely that the Linux kernel variant can. This
is because the memory region that is overwritten cannot be controlled in
a fashion that will result in the overwrite of objects critical to the
flow of execution. However, it may be possible to overwrite "business
logic" data in certain circumstances, by corrupting adjacent objects in
memory. Linux's guard pages should mitigate this, however. Because RCE
is impractical, Object Over Write (OOM) is only practical in constrained
scenarios (read: impractical), and DoS is practical, the criticality
level of this issue should be defined as Moderate. Furthermore, a
Moderate definition is needed because of the use of LZO in btrfs, and
the potential use of LZO in networking, opening up the potential for
remote instrumentation of this vulnerability. It is notable that SuSE
recently reported that they will start using btrfs by default later this
year. Lastly, only certain platforms are affected, decreasing impact.

Vulnerability Description
-------------------------
An integer overflow can occur when processing any variant of a "literal
run" in the lzo1x_decompress_safe function. Each of these three locations
is subject to an integer overflow when processing zero bytes. The
following code depicts how the size of the literal array is generated:

    if (likely(state == 0)) {
        if (unlikely(t == 0)) {
            while (unlikely(*ip == 0)) {
                t += 255;
                ip++;
                NEED_IP(1);
            }
            t += 15 + *ip++;
        }
        t += 3;

As long as a zero byte (0x00) is encountered, the variable 't' will be
incremented by 255. Using approximately sixteen megabytes of zeros, 't'
will accumulate to the maximum unsigned integer value on a 32-bit
architecture. In combination with the following code, the value of 't'
will overflow:

    copy_literal_run:
    #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)
        if (likely(HAVE_IP(t + 15) && HAVE_OP(t + 15))) {
            const unsigned char *ie = ip + t;
            unsigned char *oe = op + t;
            do {
                COPY8(op, ip);
                op += 8;
                ip += 8;
                COPY8(op, ip);
                op += 8;
                ip += 8;
            } while (ip < ie);
            ip = ie;
            op = oe;

The HAVE_OP() check will always pass in this case, because the size
check within the macro will evaluate based on the overflown integer, not
the value of 't'. This exposes the code that copies literals to memory
corruption. An interesting side effect of the vulnerable code shown above
is that the value of 'op' can point to a region of memory just before the
start of 'out'. It should be noted that the following code
unintentionally saves all other architectures from exposure:

    #endif
        {
            NEED_OP(t);
            NEED_IP(t + 3);
            do {
                *op++ = *ip++;
            } while (--t > 0);
        }

NEED_OP() correctly tests the value of 't' here, disallowing the
potential for overflow. It should be noted that if 't' is a 64-bit
integer, the overflow is still possible, but impractical. An overflow
would require so much input data that an attack would obviously be
infeasible even on modern computers.

Break-Fix: 64c70b1cf43de158282bc1675918d503e5b15cc1
206a81c18401c0cde6e579164f752c4b147324ce
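To make the arithmetic in the description concrete, the following is an added example (not kernel code and not part of the bug report) that models the 32-bit accumulation of 't' and compares the pre-fix HAVE_OP(t + 15) test with an overflow-aware check. The ZERO_BYTES_TO_WRAP constant, the 4 KiB buffer size and the hardened check are this example's own assumptions, not values from the report.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Model of the literal-run length accumulation in lzo1x_decompress_safe on a
 * 32-bit target, where t is a 32-bit size_t. Added illustration, not kernel
 * code: it reproduces only the arithmetic the bug report describes.
 *   n_zeros: number of 0x00 bytes in the run-length prefix (each adds 255)
 *   last:    the terminating non-zero byte (adds 15 + last), then +3
 */
static uint32_t literal_run_length(uint32_t n_zeros, uint8_t last)
{
    /* Same result as the decoder's "while (*ip == 0) { t += 255; ... }" loop;
     * unsigned arithmetic wraps modulo 2^32 exactly as a 32-bit size_t does. */
    uint32_t t = n_zeros * 255u;
    t += 15u + last;
    t += 3u;
    return t;
}

/* Pre-fix HAVE_OP(t + 15) on CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS builds:
 * the remaining output space is compared against t + 15, and that sum is
 * evaluated in 32-bit arithmetic, so it can wrap to a small number. */
static bool have_op_unfixed(uint32_t op_remaining, uint32_t t)
{
    return op_remaining >= (uint32_t)(t + 15u);
}

/* Overflow-aware check written for this example (the upstream fix is the
 * commit referenced in the report's Break-Fix line): a wrapped sum fails. */
static bool have_op_hardened(uint32_t op_remaining, uint32_t t)
{
    uint32_t need = t + 15u;
    if (need < t)
        return false;   /* t + 15 wrapped, so the request exceeds any buffer */
    return op_remaining >= need;
}

/* Assumed for the demo: the smallest run-length prefix (in zero bytes) after
 * which t itself has not wrapped but t + 15 does: 255 * 16843008 == 2^32 - 256. */
#define ZERO_BYTES_TO_WRAP 16843008u

int main(void)
{
    uint32_t t = literal_run_length(ZERO_BYTES_TO_WRAP, 230);
    uint32_t out_remaining = 4096;   /* constructed: 4 KiB left in 'out' */

    printf("t = 0x%08x, t + 15 wraps to %u\n", t, t + 15u);
    printf("pre-fix HAVE_OP(t + 15): %s\n",
           have_op_unfixed(out_remaining, t) ? "passes" : "fails");
    printf("hardened check:          %s\n",
           have_op_hardened(out_remaining, t) ? "passes" : "fails");
    /* oe = op + t with the same wrap moves op backwards, before 'out' */
    printf("op + t moves op by %d bytes\n", (int32_t)t);
    return 0;
}
```

The same wrap that lets the pre-fix check pass is what turns `op + t` into a pointer before the start of the output buffer, which is the side effect the report describes.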
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1335313/+subscriptions