This bug was fixed in the package linux - 4.4.0-13.29

---------------
linux (4.4.0-13.29) xenial; urgency=low

  [ Tim Gardner ]

  * Release Tracking Bug
    - LP: #1556247

  * s390/mm: four page table levels vs. fork (LP: #1556141)
    - s390/mm: four page table levels vs. fork

  * [Hyper-V] network performance patches for Xenial 16.04 (LP: #1556037)
    - hv_netvsc: use skb_get_hash() instead of a homegrown implementation
    - hv_netvsc: cleanup netdev feature flags for netvsc

  * fails to boot on megaraid (LP: #1552903)
    - SAUCE: (noup) megaraid_sas: Don't issue kill adapter for MFI controllers
      in case of PD list DCMD failure

  * ALSA: hda - add codec support for Kabylake display audio codec (LP: #1556002)
    - ALSA: hda - add codec support for Kabylake display audio codec

  * Backport upstream bugfixes to ubuntu-16.04 (LP: #1555765)
    - cpufreq: powernv: Free 'chips' on module exit
    - cpufreq: powernv: Hot-plug safe the kworker thread
    - cpufreq: powernv: Remove cpu_to_chip_id() from hot-path
    - cpufreq: powernv/tracing: Add powernv_throttle tracepoint
    - cpufreq: powernv: Replace pr_info with trace print for throttle event
    - SAUCE: (noup) cpufreq: powernv: Fix bugs in powernv_cpufreq_{init/exit}

  * Linux netfilter IPT_SO_SET_REPLACE memory corruption (LP: #1555338)
    - SAUCE: [nf,v2] netfilter: x_tables: don't rely on well-behaving userspace

  * integer overflow in xt_alloc_table_info (LP: #1555353)
    - SAUCE: (noup) netfilter: x_tables: check for size overflow

  * linux: auto-generate the reconstruct information from the git tag (LP: #1555543)
    - [Packaging] reconstruct -- automatically reconstruct against base tag
    - [Config] reconstruct -- update to autoreconstruct output
    - [Packaging] reconstruct -- update when inserting final changes

  * Xenial update to v4.4.5 stable release (LP: #1555640)
    - use ->d_seq to get coherency between ->d_inode and ->d_flags
    - drivers: sh: Restore legacy clock domain on SuperH platforms
    - Btrfs: fix deadlock running delayed iputs at transaction commit time
    - btrfs: Fix no_space in write and rm loop
    - btrfs: async-thread: Fix a use-after-free error for trace
    - block: Initialize max_dev_sectors to 0
    - PCI: keystone: Fix MSI code that retrieves struct pcie_port pointer
    - parisc: Fix ptrace syscall number and return value modification
    - mips/kvm: fix ioctl error handling
    - kvm: x86: Update tsc multiplier on change.
    - fbcon: set a default value to blink interval
    - cifs: fix out-of-bounds access in lease parsing
    - CIFS: Fix SMB2+ interim response processing for read requests
    - Fix cifs_uniqueid_to_ino_t() function for s390x
    - vfio: fix ioctl error handling
    - KVM: x86: fix root cause for missed hardware breakpoints
    - arm/arm64: KVM: Fix ioctl error handling
    - iommu/amd: Apply workaround for ATS write permission check
    - iommu/amd: Fix boot warning when device 00:00.0 is not iommu covered
    - iommu/vt-d: Use BUS_NOTIFY_REMOVED_DEVICE in hotplug path
    - target: Fix WRITE_SAME/DISCARD conversion to linux 512b sectors
    - drm/ast: Fix incorrect register check for DRAM width
    - drm/radeon/pm: update current crtc info after setting the powerstate
    - drm/amdgpu/pm: update current crtc info after setting the powerstate
    - drm/amdgpu: apply gfx_v8 fixes to gfx_v7 as well
    - drm/amdgpu/gfx8: specify which engine to wait before vm flush
    - drm/amdgpu: return from atombios_dp_get_dpcd only when error
    - libata: fix HDIO_GET_32BIT ioctl
    - libata: Align ata_device's id on a cacheline
    - block: bio: introduce helpers to get the 1st and last bvec
    - writeback: flush inode cgroup wb switches instead of pinning super_block
    - Adding Intel Lewisburg device IDs for SATA
    - arm64: vmemmap: use virtual projection of linear region
    - PM / sleep / x86: Fix crash on graph trace through x86 suspend
    - ata: ahci: don't mark HotPlugCapable Ports as external/removable
    - tracing: Do not have 'comm' filter override event 'comm' field
    - pata-rb532-cf: get rid of the irq_to_gpio() call
    - Btrfs: fix loading of orphan roots leading to BUG_ON
    - Revert "jffs2: Fix lock acquisition order bug in jffs2_write_begin"
    - jffs2: Fix page lock / f->sem deadlock
    - Fix directory hardlinks from deleted directories
    - dmaengine: pxa_dma: fix cyclic transfers
    - adv7604: fix tx 5v detect regression
    - ALSA: usb-audio: Add a quirk for Plantronics DA45
    - ALSA: ctl: Fix ioctls for X32 ABI
    - ALSA: hda - Fix mic issues on Acer Aspire E1-472
    - ALSA: rawmidi: Fix ioctls X32 ABI
    - ALSA: timer: Fix ioctls for X32 ABI
    - ALSA: pcm: Fix ioctls for X32 ABI
    - ALSA: seq: oss: Don't drain at closing a client
    - ALSA: hdspm: Fix wrong boolean ctl value accesses
    - ALSA: hdsp: Fix wrong boolean ctl value accesses
    - ALSA: hdspm: Fix zero-division
    - ALSA: timer: Fix broken compat timer user status ioctl
    - usb: chipidea: otg: change workqueue ci_otg as freezable
    - USB: cp210x: Add ID for Parrot NMEA GPS Flight Recorder
    - USB: qcserial: add Dell Wireless 5809e Gobi 4G HSPA+ (rev3)
    - USB: qcserial: add Sierra Wireless EM74xx device ID
    - USB: serial: option: add support for Telit LE922 PID 0x1045
    - USB: serial: option: add support for Quectel UC20
    - MIPS: scache: Fix scache init with invalid line size.
    - MIPS: traps: Fix SIGFPE information leak from `do_ov' and `do_trap_or_bp'
    - ubi: Fix out of bounds write in volume update code
    - i2c: brcmstb: allocate correct amount of memory for regmap
    - thermal: cpu_cooling: fix out of bounds access in time_in_idle
    - block: check virt boundary in bio_will_gap()
    - block: get the 1st and last bvec via helpers
    - drm/i915: more virtual south bridge detection
    - drm/i915: refine qemu south bridge detection
    - modules: fix longstanding /proc/kallsyms vs module insertion race.
    - drm/amdgpu: fix topaz/tonga gmc assignment in 4.4 stable
    - Linux 4.4.5

  * QEMU: causes vCPU steal time overflow on live migration (LP: #1494350)
    - x86/mm: Fix slow_virt_to_phys() for X86_PAE again

  * TPM2.0 trusted keys fixes (LP: #1398274)
    - tpm_tis: further simplify calculation of ordinal duration
    - tpm_tis: Use devm_free_irq not free_irq
    - tpm_tis: Ensure interrupts are disabled when the driver starts
    - tpm: rework tpm_get_timeouts()
    - tpm_tis: Get rid of the duplicate IRQ probing code
    - tpm_tis: Refactor the interrupt setup
    - tpm_tis: Tighten IRQ auto-probing
    - tpm_ibmvtpm: properly handle interrupted packet receptions

  * linux: review all versioned depends/conflicts/replaces/breaks for validity (LP: #1555033)
    - [Config] control.stub.in -- review versioned Build-Depends:
    - [Config] control.stub.in -- review versioned Depends/Breaks/Conflicts/Replaces
    - [Config] flavour-control.stub -- review versioned Breaks/Conflicts/Replaces
    - [Config] x86 vars.* -- review versioned Breaks/Conflicts/Replaces

 -- Tim Gardner <tim.gard...@canonical.com>  Wed, 09 Mar 2016 05:11:51 -0700

** Changed in: linux (Ubuntu Xenial)
       Status: Fix Committed => Fix Released
https://bugs.launchpad.net/bugs/1555353

Title:
  integer overflow in xt_alloc_table_info

Status by package and series (the "Ubuntu" column is the development series):

  Package             Ubuntu        Precise   Trusty        Wily          Xenial
  linux               Fix Released  Invalid   Invalid       Fix Released  Fix Released
  linux-armadaxp      Invalid       Invalid   Invalid       Invalid       Invalid
  linux-flo           New           Invalid   Invalid       New           New
  linux-goldfish      New           Invalid   Invalid       New           New
  linux-lts-quantal   Invalid       Invalid   Invalid       Invalid       Invalid
  linux-lts-raring    Invalid       Invalid   Invalid       Invalid       Invalid
  linux-lts-saucy     Invalid       Invalid   Invalid       Invalid       Invalid
  linux-lts-trusty    Invalid       Invalid   Invalid       Invalid       Invalid
  linux-lts-utopic    Invalid       Invalid   Invalid       Invalid       Invalid
  linux-lts-vivid     Invalid       Invalid   Invalid       Invalid       Invalid
  linux-lts-wily      Invalid       Invalid   Fix Released  Invalid       Invalid
  linux-lts-xenial    Invalid       Invalid   New           Invalid       Invalid
  linux-mako          New           Invalid   Invalid       New           New
  linux-manta         New           Invalid   Invalid       New           New
  linux-raspi2        New           Invalid   Invalid       New           New
  linux-ti-omap4      Invalid       Invalid   Invalid       Invalid       Invalid

Bug description:
  [Impact]

  [From https://code.google.com/p/google-security-research/issues/detail?id=758 ]

  A recent refactoring of this codepath
  (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc)
  introduced an integer overflow in xt_alloc_table_info, which on 32-bit
  systems can lead to small structure allocation and a copy_from_user based
  heap corruption.

  More specifically, the overflow may have been introduced in
  https://github.com/torvalds/linux/commit/711bdde6a884354ddae8da2fcb495b2a9364cc90 ;
  specifically the bit:

  + size_t sz = sizeof(*info) + size;

  (where size is an unsigned int passed from userspace).

  This issue should only affect 32-bit platforms (xt_table_info.size is an
  unsigned int).

  [Fix]

  Upstream proposed fix: http://marc.info/?l=netfilter-devel&m=145757136822750&w=2

  [Test Case]

  Download v4 code from:
  https://code.google.com/p/google-security-research/issues/detail?id=758

  gcc *v4.c -o v4
  ./v4

  Your machine should _not_ crash. This only affects 32-bit kernels
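The arithmetic behind the [Impact] section, as an added illustration that is not code from the bug report, the kernel, or the Ubuntu package: `sizeof(*info) + size` is computed in `size_t`, which is 32 bits wide on a 32-bit kernel, so a userspace-controlled `size` near `UINT_MAX` wraps the sum to a few bytes; the tiny object is then filled by a `copy_from_user` of the original `size` bytes. The block below emulates the 32-bit `size_t` with `uint32_t` so the wrap is visible on a 64-bit host, and places the pre-fix computation beside a check in the spirit of the "check for size overflow" fix (reject if the sum is smaller than the header, or above a sanity cap). `struct demo_table_info` is a simplified stand-in for `struct xt_table_info` (only the header length matters here), and `DEMO_MAX_TABLE_SIZE` is this example's own cap, modelled on the 512 MiB limit used upstream; both are assumptions of the example.

```c
/* Added example: models the size computation in xt_alloc_table_info() on a
 * 32-bit kernel before and after the overflow check. Simplified stand-in
 * types; not the kernel's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in header for struct xt_table_info. The real struct carries more
 * fields; only the header length matters for the arithmetic, so four 32-bit
 * fields (16 bytes) are used and the length is pinned at compile time. */
struct demo_table_info {
    unsigned int size;            /* entries area length, supplied by userspace */
    unsigned int number;
    unsigned int initial_entries;
    unsigned int hook_entry;
};
_Static_assert(sizeof(struct demo_table_info) == 16, "example assumes a 16-byte header");

/* Emulated 32-bit size_t: unsigned 32-bit arithmetic wraps modulo 2^32. */
typedef uint32_t size32_t;

/* Sanity cap modelled on the upstream XT_MAX_TABLE_SIZE (512 MiB); the exact
 * value is an assumption of this example. */
#define DEMO_MAX_TABLE_SIZE (512u * 1024u * 1024u)

/* Pre-fix computation: sizeof(*info) + size with a 32-bit size_t.
 * A 'size' close to UINT_MAX wraps the sum to a few bytes, so the allocation
 * is tiny while 'size' bytes are later copied into it from userspace. */
size32_t unchecked_table_size(uint32_t size)
{
    size32_t sz = (size32_t)sizeof(struct demo_table_info) + size;  /* may wrap */
    return sz;
}

/* Post-fix computation. Returns true and stores the total in *out when the
 * sum did not wrap (sz >= header) and stays under the cap; false otherwise. */
bool checked_table_size(uint32_t size, size32_t *out)
{
    size32_t sz = (size32_t)sizeof(struct demo_table_info) + size;

    if (sz < sizeof(struct demo_table_info) || sz >= DEMO_MAX_TABLE_SIZE)
        return false;
    *out = sz;
    return true;
}

/* Convenience wrapper: the accepted total, or 0 when the request is rejected
 * (0 is never a valid total because the header alone is 16 bytes). */
size32_t accepted_table_size(uint32_t size)
{
    size32_t sz = 0;
    return checked_table_size(size, &sz) ? sz : 0;
}

int main(void)
{
    /* Constructed inputs: a normal table, and two sizes that wrap on 32-bit. */
    const uint32_t inputs[] = { 1024u, 0xFFFFFFF8u, 0xFFFFFFFFu };

    for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        printf("size=0x%08x  pre-fix total=%u  post-fix: %s\n",
               inputs[i], unchecked_table_size(inputs[i]),
               accepted_table_size(inputs[i]) ? "accepted" : "rejected");
    }
    return 0;
}
```

The `sz < sizeof(*info)` comparison is sufficient to catch every wrapped sum here: with a 16-byte header, any wrap leaves a total between 0 and 15, which is always below the header length. The cap is the second line of defence and also applies on 64-bit kernels, where the sum cannot wrap but an absurd `size` would still drive a huge allocation.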