
kernel-packages team mailing list archive

[Bug 1371591] Re: file not initialized to 0s under some conditions


This bug was fixed in the package linux - 3.13.0-39.66

---------------
linux (3.13.0-39.66) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1386629

  [ Upstream Kernel Changes ]

  * KVM: x86: Check non-canonical addresses upon WRMSR
    - LP: #1384539
    - CVE-2014-3610
  * KVM: x86: Prevent host from panicking on shared MSR writes.
    - LP: #1384539
    - CVE-2014-3610
  * KVM: x86: Improve thread safety in pit
    - LP: #1384540
    - CVE-2014-3611
  * KVM: x86: Fix wrong masking on relative jump/call
    - LP: #1384545
    - CVE-2014-3647
  * KVM: x86: Warn if guest virtual address space is not 48-bits
    - LP: #1384545
    - CVE-2014-3647
  * KVM: x86: Emulator fixes for eip canonical checks on near branches
    - LP: #1384545
    - CVE-2014-3647
  * KVM: x86: emulating descriptor load misses long-mode case
    - LP: #1384545
    - CVE-2014-3647
  * KVM: x86: Handle errors when RIP is set during far jumps
    - LP: #1384545
    - CVE-2014-3647
  * kvm: vmx: handle invvpid vm exit gracefully
    - LP: #1384544
    - CVE-2014-3646
  * Input: synaptics - gate forcepad support by DMI check
    - LP: #1381815

linux (3.13.0-38.65) trusty; urgency=low

  [ Luis Henriques ]

  * Release Tracking Bug
    - LP: #1379244

  [ Andy Whitcroft ]

  * Revert "SAUCE: scsi: hyper-v storsvc switch up to SPC-3"
    - LP: #1354397
  * [Config] linux-image-extra is additive to linux-image
    - LP: #1375310
  * [Config] linux-image-extra postrm is not needed on purge
    - LP: #1375310

  [ Upstream Kernel Changes ]

  * Revert "KVM: x86: Increase the number of fixed MTRR regs to 10"
    - LP: #1377564
  * Revert "USB: option,zte_ev: move most ZTE CDMA devices to zte_ev"
    - LP: #1377564
  * aufs: bugfix, stop calling security_mmap_file() again
    - LP: #1371316
  * ipvs: fix ipv6 hook registration for local replies
    - LP: #1349768
  * Drivers: add blist flags
    - LP: #1354397
  * sd: fix a bug in deriving the FLUSH_TIMEOUT from the basic I/O timeout
    - LP: #1354397
  * drm/i915/bdw: Add 42ms delay for IPS disable
    - LP: #1374389
  * drm/i915: add null render states for gen6, gen7 and gen8
    - LP: #1374389
  * drm/i915/bdw: 3D_CHICKEN3 has write mask bits
    - LP: #1374389
  * drm/i915/bdw: Disable idle DOP clock gating
    - LP: #1374389
  * drm/i915: call lpt_init_clock_gating on BDW too
    - LP: #1374389
  * drm/i915: shuffle panel code
    - LP: #1374389
  * drm/i915: extract backlight minimum brightness from VBT
    - LP: #1374389
  * drm/i915: respect the VBT minimum backlight brightness
    - LP: #1374389
  * drm/i915/bdw: Apply workarounds in render ring init function
    - LP: #1374389
  * drm/i915/bdw: Cleanup pre prod workarounds
    - LP: #1374389
  * drm/i915: Replace hardcoded cacheline size with macro
    - LP: #1374389
  * drm/i915: Refactor Broadwell PIPE_CONTROL emission into a helper.
    - LP: #1374389
  * drm/i915: Add the WaCsStallBeforeStateCacheInvalidate:bdw workaround.
    - LP: #1374389
  * drm/i915/bdw: Remove BDW preproduction W/As until C stepping.
    - LP: #1374389
  * mptfusion: enable no_write_same for vmware scsi disks
    - LP: #1371591
  * iommu/amd: Fix cleanup_domain for mass device removal
    - LP: #1375266
  * cifs: mask off top byte in get_rfc1002_length()
    - LP: #1372482
  * Input: synaptics - add support for ForcePads
    - LP: #1377564
  * ASoC: pxa-ssp: drop SNDRV_PCM_FMTBIT_S24_LE
    - LP: #1377564
  * drm/radeon: add bapm module parameter
    - LP: #1377564
  * drm/radeon: Add missing lines to ci_set_thermal_temperature_range
    - LP: #1377564
  * drm/radeon: Add ability to get and change dpm state when radeon PX card
    is turned off
    - LP: #1377564
  * ALSA: hda/realtek - Avoid setting wrong COEF on ALC269 & co
    - LP: #1377564
  * of/irq: Fix lookup to use 'interrupts-extended' property first
    - LP: #1377564
  * Possible null ptr deref in SMB2_tcon
    - LP: #1377564
  * CIFS: Fix SMB2 readdir error handling
    - LP: #1377564
  * CIFS: Fix wrong directory attributes after rename
    - LP: #1377564
  * md/raid6: avoid data corruption during recovery of double-degraded
    RAID6
    - LP: #1377564
  * ARM: dts: i.MX53: fix apparent bug in VPU clks
    - LP: #1377564
  * pata_scc: propagate return value of scc_wait_after_reset
    - LP: #1377564
  * libata: widen Crucial M550 blacklist matching
    - LP: #1377564
  * ALSA: hda - restore the gpio led after resume
    - LP: #1358116, #1377564
  * md/raid10: fix memory leak when reshaping a RAID10.
    - LP: #1377564
  * md/raid10: Fix memory leak when raid10 reshape completes.
    - LP: #1377564
  * MIPS: OCTEON: make get_system_type() thread-safe
    - LP: #1377564
  * can: c_can: checking IS_ERR() instead of NULL
    - LP: #1377564
  * HID: logitech: perform bounds checking on device_id early enough
    - LP: #1377564
  * firmware: Do not use WARN_ON(!spin_is_locked())
    - LP: #1377564
  * drm/radeon: add new KV pci id
    - LP: #1377564
  * drm/radeon: add new bonaire pci ids
    - LP: #1377564
  * drm/radeon: add additional SI pci ids
    - LP: #1377564
  * ibmveth: Fix endian issues with rx_no_buffer statistic
    - LP: #1377564
  * spi/omap-mcspi: Fix the spi task hangs waiting dma_rx
    - LP: #1377564
  * xtensa: replace IOCTL code definitions with constants
    - LP: #1377564
  * xtensa: fix address checks in dma_{alloc,free}_coherent
    - LP: #1377564
  * xtensa: fix access to THREAD_RA/THREAD_SP/THREAD_DS
    - LP: #1377564
  * xtensa: fix TLBTEMP_BASE_2 region handling in fast_second_level_miss
    - LP: #1377564
  * xtensa: fix a6 and a7 handling in fast_syscall_xtensa
    - LP: #1377564
  * staging: lustre: Remove circular dependency on header
    - LP: #1377564
  * USB: option: reduce interrupt-urb logging verbosity
    - LP: #1377564
  * USB: option: add VIA Telecom CDS7 chipset device id
    - LP: #1377564
  * USB: zte_ev: remove duplicate Gobi PID
    - LP: #1377564
  * USB: zte_ev: remove duplicate Qualcom PID
    - LP: #1377564
  * USB: ftdi_sio: add Basic Micro ATOM Nano USB2Serial PID
    - LP: #1377564
  * USB: serial: pl2303: add device id for ztek device
    - LP: #1377564
  * USB: ftdi_sio: Added PID for new ekey device
    - LP: #1377564
  * xhci: Treat not finding the event_seg on COMP_STOP the same as
    COMP_STOP_INVAL
    - LP: #1377564
  * usb: xhci: amd chipset also needs short TX quirk
    - LP: #1377564
  * xhci: rework cycle bit checking for new dequeue pointers
    - LP: #1377564
  * spi/pxa2xx: Add ACPI ID for Intel Braswell
    - LP: #1377564
  * ALSA: core: fix buffer overflow in snd_info_get_line()
    - LP: #1377564
  * HID: logitech-dj: prevent false errors to be shown
    - LP: #1377564
  * usb: ehci: using wIndex + 1 for hub port
    - LP: #1377564
  * staging/rtl8188eu: add 0df6:0076 Sitecom Europe B.V.
    - LP: #1377564
  * staging: r8188eu: Add new USB ID
    - LP: #1377564
  * mtd: nand: omap: Fix 1-bit Hamming code scheme, omap_calculate_ecc()
    - LP: #1377564
  * trace: Fix epoll hang when we race with new entries
    - LP: #1377564
  * cfq-iosched: Fix wrong children_weight calculation
    - LP: #1377564
  * USB: sisusb: add device id for Magic Control USB video
    - LP: #1377564
  * NFSv4: Fix problems with close in the presence of a delegation
    - LP: #1377564
  * usb: hub: Prevent hub autosuspend if usbcore.autosuspend is -1
    - LP: #1377564
  * ARM: 8128/1: abort: don't clear the exclusive monitors
    - LP: #1377564
  * ARM: 8129/1: errata: work around Cortex-A15 erratum 830321 using dummy
    strex
    - LP: #1377564
  * USB: serial: fix potential stack buffer overflow
    - LP: #1377564
  * USB: serial: fix potential heap buffer overflow
    - LP: #1377564
  * ext4: update i_disksize coherently with block allocation on error path
    - LP: #1377564
  * jbd2: fix infinite loop when recovering corrupt journal blocks
    - LP: #1377564
  * jbd2: fix descriptor block size handling errors with journal_csum
    - LP: #1377564
  * memblock, memhotplug: fix wrong type in memblock_find_in_range_node().
    - LP: #1377564
  * xattr: fix check for simultaneous glibc header inclusion
    - LP: #1377564
  * KVM: s390: Fix user triggerable bug in dead code
    - LP: #1377564
  * KVM: s390/mm: try a cow on read only pages for key ops
    - LP: #1377564
  * regmap: Fix regcache debugfs initialization
    - LP: #1377564
  * regmap: Fix handling of volatile registers for format_write() chips
    - LP: #1377564
  * ASoC: rt5640: Do not allow regmap to use bulk read-write operations
    - LP: #1377564
  * drm/i915: Remove bogus __init annotation from DMI callbacks
    - LP: #1377564
  * hwmon: (ds1621) Update zbits after conversion rate change
    - LP: #1377564
  * arm64: ptrace: fix compat hardware watchpoint reporting
    - LP: #1377564
  * ARM/ARM64: KVM: Nuke Hyp-mode tlbs before enabling MMU
    - LP: #1377564
  * arm/arm64: KVM: Complete WFI/WFE instructions
    - LP: #1377564
  * get rid of propagate_umount() mistakenly treating slaves as busy.
    - LP: #1377564
  * fix EBUSY on umount() from MNT_SHRINKABLE
    - LP: #1377564
  * regmap: Don't attempt block writes when syncing cache on single_rw
    devices
    - LP: #1377564
  * drm/vmwgfx: Fix a potential infinite spin waiting for fifo idle
    - LP: #1377564
  * ALSA: hda - Fix digital mic on Acer Aspire 3830TG
    - LP: #1377564
  * xfs: don't dirty buffers beyond EOF
    - LP: #1377564
  * xfs: don't zero partial page cache pages during O_DIRECT writes
    - LP: #1377564
  * xfs: don't zero partial page cache pages during O_DIRECT writes
    - LP: #1377564
  * ALSA: hda - Fix COEF setups for ALC1150 codec
    - LP: #1377564
  * i2c: rcar: fix MNR interrupt handling
    - LP: #1377564
  * i2c: mv64xxx: continue probe when clock-frequency is missing
    - LP: #1377564
  * i2c: at91: Fix a race condition during signal handling in
    at91_do_twi_xfer.
    - LP: #1377564
  * i2c: at91: add bound checking on SMBus block length bytes
    - LP: #1377564
  * aio: add missing smp_rmb() in read_events_ring
    - LP: #1377564
  * KEYS: Fix use-after-free in assoc_array_gc()
    - LP: #1377564
  * ACPI / cpuidle: fix deadlock between cpuidle_lock and cpu_hotplug.lock
    - LP: #1377564
  * USB: fix build error with CONFIG_PM_RUNTIME disabled
    - LP: #1377564
  * Linux 3.13.11.8
    - LP: #1377564
  * powerpc: Fix kdump hang issue on p8 with relocation on exception
    enabled.
    - LP: #1352056
  * net-gre-gro: Fix a bug that breaks the forwarding path
    - LP: #1377851
 -- Luis Henriques <luis.henriques@xxxxxxxxxxxxx>   Tue, 28 Oct 2014 10:29:51 +0000

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3610

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3611

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3646

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-3647

https://bugs.launchpad.net/bugs/1371591

Title:
  file not initialized to 0s under some conditions

Status in “linux” package in Ubuntu:
  Fix Released
Status in “linux-lts-trusty” package in Ubuntu:
  Confirmed
Status in “linux” source package in Precise:
  Invalid
Status in “linux-lts-trusty” source package in Precise:
  Triaged
Status in “linux” source package in Trusty:
  Fix Released
Status in “linux-lts-trusty” source package in Trusty:
  Invalid

Bug description:
  SRU Justification:

  [Impact]

  Under some conditions, after fallocate() the file is observed not to
  be completely initialized to 0s: some 4KB pages have left-over data
  from previous files that occupied those pages. Note that in addition
  to causing functional problems for applications expecting files to be
  initialized to 0s, this is a security issue because it allows data to
  "leak" from one file to another, bypassing file access controls.

  The problem has been seen running under the following VMWare-based virtual environments:
  Fusion 6.0.2
  ESXi 5.1.0

  And under the following versions of Ubuntu:
  Ubuntu 12.04, 3.11.0-26-generic
  Ubuntu 14.04.1, 3.13.0-32-generic
  Ubuntu 14.04.1, 3.13.0-35-generic

  But did not reproduce under the following version:
  Ubuntu 10.04, 2.6.32-38-server

  The problem reproduced under LVM, but did not reproduce without LVM.

  [Test Case]

  I reproduced the problem as follows under VMWare Fusion:
  set up custom VM with default disk size (20 GB) and memory size (1 GB)
  attach Ubuntu 14.04.1 ISO to CDROM, set it as boot device, boot up
  select all defaults during installation _including_ LVM
  install gcc
  unpack the attached repro.tgz
  run repro.sh

  what it does:
  * fills the disk with a file containing bytes of 0xcc then deletes it
  * repeatedly runs the repro program which creates two files and accesses them in a certain pattern
  * checks the file f0 with hexdump; it should contain all 0s, but if pages 0x1000-0x7000 contain 0xcc you have reproduced the problem

  If the problem does not appear to reproduce, please try waiting a bit
  and checking the f0 files with hexdump again. This behavior was
  observed by a customer reproducing the problem under ESXi. I have since
  added a sync after running the repro binary, which I think will
  fix that.

  If you still can't reproduce the problem please let me know if there's
  anything I can do to help. For example can we trace the disk accesses
  at the SCSI level to verify whether the appropriate SCSI commands are
  being sent? This may help determine whether the problem is in Linux or
  in VMWare.

  [Fix]

  mptfusion: enable no_write_same in scsi_host_template
  commit 4089b71cc820a426d601283c92fcd4ffeb5139c2 upstream

  https://lkml.org/lkml/2014/9/25/482

  (Note this patch may be reverted in the future as there is active
  discussion upstream about a more generic fix)

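The final step of the [Test Case] above (f0 must read back as all zeros, page by page) as a small Python script added here; it is not the attached repro.tgz or any code from the reporter, it performs only the verification step and not the disk-fill and file-access pattern of repro.sh, and the 0xcc sample buffer it inspects is constructed, not real disk output.

```python
import os
import tempfile

PAGE_SIZE = 4096  # the report describes left-over data at 4KB page granularity


def nonzero_pages(data: bytes, page_size: int = PAGE_SIZE) -> list:
    """Return the byte offset of every page_size-sized page in `data` that
    holds at least one non-zero byte.  A freshly fallocate()d file should
    yield an empty list; anything else is stale content from earlier files."""
    return [off for off in range(0, len(data), page_size)
            if any(data[off:off + page_size])]


def check_fallocated_file(path: str, size: int) -> list:
    """Create `path`, preallocate `size` bytes with posix_fallocate(), flush
    it to disk, read it back and return the offsets of non-zero pages."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT | os.O_TRUNC, 0o600)
    try:
        os.posix_fallocate(fd, 0, size)
        os.fsync(fd)
    finally:
        os.close(fd)
    with open(path, "rb") as f:
        return nonzero_pages(f.read())


def check_in_tempdir(size: int = 8 * PAGE_SIZE) -> list:
    """Run check_fallocated_file() on a throwaway file named f0, as in repro.sh."""
    with tempfile.TemporaryDirectory() as d:
        return check_fallocated_file(os.path.join(d, "f0"), size)


def demo_leaked_pages() -> list:
    """Constructed sample, not real disk output: page 0 is zero, pages
    0x1000-0x7000 still carry the 0xcc fill pattern the reporter describes."""
    sample = bytes(PAGE_SIZE) + b"\xcc" * (7 * PAGE_SIZE)
    return nonzero_pages(sample)


if __name__ == "__main__":
    print("constructed sample, leaked pages:",
          [hex(o) for o in demo_leaked_pages()])
    print("fallocate on this host, leaked pages:", check_in_tempdir())
```

A non-empty result from check_in_tempdir() is the same symptom the reporter checks for with hexdump; an empty result only confirms the read-back path, since the original report needed the disk-fill and sync steps of repro.sh to surface the stale pages.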