This bug was fixed in the package linux - 4.13.0-25.29

---------------
linux (4.13.0-25.29) artful; urgency=low
  * linux: 4.13.0-25.29 -proposed tracker (LP: #1741955)

  * CVE-2017-5754
    - Revert "UBUNTU: [Config] updateconfigs to enable PTI"
    - [Config] Enable PTI with UNWINDER_FRAME_POINTER

linux (4.13.0-24.28) artful; urgency=low

  * linux: 4.13.0-24.28 -proposed tracker (LP: #1741745)

  * CVE-2017-5754
    - x86/cpu, x86/pti: Do not enable PTI on AMD processors

linux (4.13.0-23.27) artful; urgency=low

  * linux: 4.13.0-23.27 -proposed tracker (LP: #1741556)

  [ Kleber Sacilotto de Souza ]
  * CVE-2017-5754
    - x86/mm: Add the 'nopcid' boot option to turn off PCID
    - x86/mm: Enable CR4.PCIDE on supported systems
    - x86/mm: Document how CR4.PCIDE restore works
    - x86/entry/64: Refactor IRQ stacks and make them NMI-safe
    - x86/entry/64: Initialize the top of the IRQ stack before switching stacks
    - x86/entry/64: Add unwind hint annotations
    - xen/x86: Remove SME feature in PV guests
    - x86/xen/64: Rearrange the SYSCALL entries
    - irq: Make the irqentry text section unconditional
    - x86/xen/64: Fix the reported SS and CS in SYSCALL
    - x86/paravirt/xen: Remove xen_patch()
    - x86/traps: Simplify pagefault tracing logic
    - x86/idt: Unify gate_struct handling for 32/64-bit kernels
    - x86/asm: Replace access to desc_struct:a/b fields
    - x86/xen: Get rid of paravirt op adjust_exception_frame
    - x86/paravirt: Remove no longer used paravirt functions
    - x86/entry: Fix idtentry unwind hint
    - x86/mm/64: Initialize CR4.PCIDE early
    - objtool: Add ORC unwind table generation
    - objtool, x86: Add facility for asm code to provide unwind hints
    - x86/unwind: Add the ORC unwinder
    - x86/kconfig: Consolidate unwinders into multiple choice selection
    - objtool: Upgrade libelf-devel warning to error for CONFIG_ORC_UNWINDER
    - x86/ldt/64: Refresh DS and ES when modify_ldt changes an entry
    - x86/mm: Give each mm TLB flush generation a unique ID
    - x86/mm: Track the TLB's tlb_gen and update the flushing algorithm
    - x86/mm: Rework lazy TLB mode and TLB freshness tracking
    - x86/mm: Implement PCID based optimization: try to preserve old TLB
      entries using PCID
    - x86/mm: Factor out CR3-building code
    - x86/mm/64: Stop using CR3.PCID == 0 in ASID-aware code
    - x86/mm: Flush more aggressively in lazy TLB mode
    - Revert "x86/mm: Stop calling leave_mm() in idle code"
    - kprobes/x86: Set up frame pointer in kprobe trampoline
    - x86/tracing: Introduce a static key for exception tracing
    - x86/boot: Add early cmdline parsing for options with arguments
    - mm, x86/mm: Fix performance regression in get_user_pages_fast()
    - x86/asm: Remove unnecessary \n\t in front of CC_SET() from asm templates
    - objtool: Don't report end of section error after an empty unwind hint
    - x86/head: Remove confusing comment
    - x86/head: Remove unused 'bad_address' code
    - x86/head: Fix head ELF function annotations
    - x86/boot: Annotate verify_cpu() as a callable function
    - x86/xen: Fix xen head ELF annotations
    - x86/xen: Add unwind hint annotations
    - x86/head: Add unwind hint annotations
    - ACPI / APEI: adjust a local variable type in ghes_ioremap_pfn_irq()
    - x86/unwinder: Make CONFIG_UNWINDER_ORC=y the default in the 64-bit defconfig
    - x86/fpu/debug: Remove unused 'x86_fpu_state' and 'x86_fpu_deactivate_state' tracepoints
    - x86/unwind: Rename unwinder config options to 'CONFIG_UNWINDER_*'
    - x86/unwind: Make CONFIG_UNWINDER_ORC=y the default in kconfig for 64-bit
    - bitops: Add clear/set_bit32() to linux/bitops.h
    - x86/cpuid: Add generic table for CPUID dependencies
    - x86/fpu: Parse clearcpuid= as early XSAVE argument
    - x86/fpu: Make XSAVE check the base CPUID features before enabling
    - x86/fpu: Remove the explicit clearing of XSAVE dependent features
    - x86/platform/UV: Convert timers to use timer_setup()
    - objtool: Print top level commands on incorrect usage
    - x86/cpuid: Prevent out of bound access in do_clear_cpu_cap()
    - x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
    - mm/sparsemem: Allocate mem_section at runtime for CONFIG_SPARSEMEM_EXTREME=y
    - x86/kasan: Use the same shadow offset for 4- and 5-level paging
    - x86/xen: Provide
      pre-built page tables only for CONFIG_XEN_PV=y and CONFIG_XEN_PVH=y
    - x86/xen: Drop 5-level paging support code from the XEN_PV code
    - ACPI / APEI: remove the unused dead-code for SEA/NMI notification type
    - x86/asm: Don't use the confusing '.ifeq' directive
    - x86/build: Beautify build log of syscall headers
    - x86/mm/64: Rename the register_page_bootmem_memmap() 'size' parameter to 'nr_pages'
    - x86/cpufeatures: Enable new SSE/AVX/AVX512 CPU features
    - x86/mm: Relocate page fault error codes to traps.h
    - x86/boot: Relocate definition of the initial state of CR0
    - ptrace,x86: Make user_64bit_mode() available to 32-bit builds
    - x86/entry/64: Remove the restore_c_regs_and_iret label
    - x86/entry/64: Split the IRET-to-user and IRET-to-kernel paths
    - x86/entry/64: Move SWAPGS into the common IRET-to-usermode path
    - x86/entry/64: Simplify reg restore code in the standard IRET paths
    - x86/entry/64: Shrink paranoid_exit_restore and make labels local
    - x86/entry/64: Use pop instead of movq in syscall_return_via_sysret
    - x86/entry/64: Merge the fast and slow SYSRET paths
    - x86/entry/64: Use POP instead of MOV to restore regs on NMI return
    - x86/entry/64: Remove the RESTORE_..._REGS infrastructure
    - xen, x86/entry/64: Add xen NMI trap entry
    - x86/entry/64: De-Xen-ify our NMI code
    - x86/entry/32: Pull the MSR_IA32_SYSENTER_CS update code out of native_load_sp0()
    - x86/entry/64: Pass SP0 directly to load_sp0()
    - x86/entry: Add task_top_of_stack() to find the top of a task's stack
    - x86/xen/64, x86/entry/64: Clean up SP code in cpu_initialize_context()
    - x86/entry/64: Stop initializing TSS.sp0 at boot
    - x86/entry/64: Remove all remaining direct thread_struct::sp0 reads
    - x86/entry/32: Fix cpu_current_top_of_stack initialization at boot
    - x86/entry/64: Remove thread_struct::sp0
    - x86/traps: Use a new on_thread_stack() helper to clean up an assertion
    - x86/entry/64: Shorten TEST instructions
    - x86/cpuid: Replace set/clear_bit32()
    - bitops: Revert cbe96375025e ("bitops: Add
      clear/set_bit32() to linux/bitops.h")
    - x86/mm: Define _PAGE_TABLE using _KERNPG_TABLE
    - x86/cpufeatures: Re-tabulate the X86_FEATURE definitions
    - x86/cpufeatures: Fix various details in the feature definitions
    - selftests/x86/protection_keys: Fix syscall NR redefinition warnings
    - selftests/x86/ldt_gdt: Robustify against set_thread_area() and LAR oddities
    - selftests/x86/ldt_gdt: Add infrastructure to test set_thread_area()
    - selftests/x86/ldt_gdt: Run most existing LDT test cases against the GDT as well
    - selftests/x86/ldt_get: Add a few additional tests for limits
    - ACPI / APEI: Replace ioremap_page_range() with fixmap
    - x86/virt, x86/platform: Merge 'struct x86_hyper' into 'struct x86_platform' and 'struct x86_init'
    - x86/virt: Add enum for hypervisors to replace x86_hyper
    - drivers/misc/intel/pti: Rename the header file to free up the namespace
    - x86/cpufeature: Add User-Mode Instruction Prevention definitions
    - x86: Make X86_BUG_FXSAVE_LEAK detectable in CPUID on AMD
    - perf/x86: Enable free running PEBS for REGS_USER/INTR
    - bpf: fix build issues on um due to mising bpf_perf_event.h
    - locking/barriers: Add implicit smp_read_barrier_depends() to READ_ONCE()
    - locking/barriers: Convert users of lockless_dereference() to READ_ONCE()
    - x86/mm/kasan: Don't use vmemmap_populate() to initialize shadow
    - mm/sparsemem: Fix ARM64 boot crash when CONFIG_SPARSEMEM_EXTREME=y
    - objtool: Move synced files to their original relative locations
    - objtool: Move kernel headers/code sync check to a script
    - objtool: Fix cross-build
    - tools/headers: Sync objtool UAPI header
    - objtool: Fix 64-bit build on 32-bit host
    - x86/decoder: Fix and update the opcodes map
    - x86/decoder: Add new TEST instruction pattern
    - x86/insn-eval: Add utility functions to get segment selector
    - x86/entry/64/paravirt: Use paravirt-safe macro to access eflags
    - x86/unwinder/orc: Dont bail on stack overflow
    - x86/unwinder: Handle stack overflows more gracefully
    - x86/irq: Remove an old outdated comment
      about context tracking races
    - x86/irq/64: Print the offending IP in the stack overflow warning
    - x86/entry/64: Allocate and enable the SYSENTER stack
    - x86/dumpstack: Add get_stack_info() support for the SYSENTER stack
    - x86/entry/gdt: Put per-CPU GDT remaps in ascending order
    - x86/mm/fixmap: Generalize the GDT fixmap mechanism, introduce struct cpu_entry_area
    - x86/kasan/64: Teach KASAN about the cpu_entry_area
    - x86/entry: Fix assumptions that the HW TSS is at the beginning of cpu_tss
    - x86/dumpstack: Handle stack overflow on all stacks
    - x86/entry: Move SYSENTER_stack to the beginning of struct tss_struct
    - x86/entry: Remap the TSS into the CPU entry area
    - x86/entry/64: Separate cpu_current_top_of_stack from TSS.sp0
    - x86/espfix/64: Stop assuming that pt_regs is on the entry stack
    - x86/entry/64: Use a per-CPU trampoline stack for IDT entries
    - x86/entry/64: Return to userspace from the trampoline stack
    - x86/entry/64: Create a per-CPU SYSCALL entry trampoline
    - x86/entry/64: Move the IST stacks into struct cpu_entry_area
    - x86/entry/64: Remove the SYSENTER stack canary
    - x86/entry: Clean up the SYSENTER_stack code
    - x86/entry/64: Make cpu_entry_area.tss read-only
    - x86/paravirt: Dont patch flush_tlb_single
    - x86/paravirt: Provide a way to check for hypervisors
    - x86/cpufeatures: Make CPU bugs sticky
    - x86/Kconfig: Limit NR_CPUS on 32-bit to a sane amount
    - x86/mm/dump_pagetables: Check PAGE_PRESENT for real
    - x86/mm/dump_pagetables: Make the address hints correct and readable
    - x86/vsyscall/64: Explicitly set _PAGE_USER in the pagetable hierarchy
    - x86/vsyscall/64: Warn and fail vsyscall emulation in NATIVE mode
    - arch, mm: Allow arch_dup_mmap() to fail
    - x86/ldt: Rework locking
    - x86/ldt: Prevent LDT inheritance on exec
    - x86/mm/64: Improve the memory map documentation
    - x86/doc: Remove obvious weirdnesses from the x86 MM layout documentation
    - x86/entry: Rename SYSENTER_stack to CPU_ENTRY_AREA_entry_stack
    - x86/uv: Use the right TLB-flush API
    - x86/microcode: Dont abuse the TLB-flush interface
    - x86/mm: Use __flush_tlb_one() for kernel memory
    - x86/mm: Remove superfluous barriers
    - x86/mm: Add comments to clarify which TLB-flush functions are supposed to flush what
    - x86/mm: Move the CR3 construction functions to tlbflush.h
    - x86/mm: Remove hard-coded ASID limit checks
    - x86/mm: Put MMU to hardware ASID translation in one place
    - x86/mm: Create asm/invpcid.h
    - x86/cpu_entry_area: Move it to a separate unit
    - x86/cpu_entry_area: Move it out of the fixmap
    - init: Invoke init_espfix_bsp() from mm_init()
    - x86/cpu_entry_area: Prevent wraparound in setup_cpu_entry_area_ptes() on 32bit
    - x86/cpufeatures: Add X86_BUG_CPU_INSECURE
    - x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y
    - x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching
    - x86/mm/pti: Add infrastructure for page table isolation
    - x86/pti: Add the pti= cmdline option and documentation
    - x86/mm/pti: Add mapping helper functions
    - x86/mm/pti: Allow NX poison to be set in p4d/pgd
    - x86/mm/pti: Allocate a separate user PGD
    - x86/mm/pti: Populate user PGD
    - x86/mm/pti: Add functions to clone kernel PMDs
    - x86/mm/pti: Force entry through trampoline when PTI active
    - x86/mm/pti: Share cpu_entry_area with user space page tables
    - x86/entry: Align entry text section to PMD boundary
    - x86/mm/pti: Share entry text PMD
    - x86/mm/pti: Map ESPFIX into user space
    - x86/cpu_entry_area: Add debugstore entries to cpu_entry_area
    - x86/events/intel/ds: Map debug buffers in cpu_entry_area
    - x86/mm/64: Make a full PGD-entry size hole in the memory map
    - x86/pti: Put the LDT in its own PGD if PTI is on
    - x86/pti: Map the vsyscall page if needed
    - x86/mm: Allow flushing for future ASID switches
    - x86/mm: Abstract switching CR3
    - x86/mm: Use/Fix PCID to optimize user/kernel switches
    - x86/mm: Optimize RESTORE_CR3
    - x86/mm: Use INVPCID for __native_flush_tlb_single()
    - x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming
    - x86/dumpstack: Indicate in Oops whether PTI is configured and enabled
    - x86/mm/pti: Add Kconfig
    - x86/mm/dump_pagetables: Add page table directory to the debugfs VFS hierarchy
    - x86/mm/dump_pagetables: Check user space page table for WX pages
    - x86/mm/dump_pagetables: Allow dumping current pagetables
    - x86/ldt: Make the LDT mapping RO
    - x86/smpboot: Remove stale TLB flush invocations
    - x86/mm: Remove preempt_disable/enable() from __native_flush_tlb()
    - x86/ldt: Plug memory leak in error path
    - x86/ldt: Make LDT pgtable free conditional
    - [Config] updateconfigs to enable PTI
    - kvm: x86: fix RSM when PCID is non-zero
    - x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
    - SAUCE: only attempt to use PCID in 64 bit builds
    - SAUCE: BODGE: temporarily disable some kprobe trace points which are cratering
    - s390/mm: use generic mm_hooks
    - objtool: use sh to invoke sync-check.sh in the Makefile

  * CVE-2017-17862
    - bpf: fix branch pruning logic

  * CVE-2017-17864
    - SAUCE: bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN

  * CVE-2017-16995
    - bpf: fix incorrect sign extension in check_alu_op()

  * CVE-2017-17863
    - SAUCE: bpf: reject out-of-bounds stack pointer calculation

 -- Marcelo Henrique Cerri <marcelo.ce...@canonical.com>  Mon, 08 Jan 2018 17:13:57 -0200

** Changed in: linux (Ubuntu)
       Status: Invalid => Fix Released

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16995

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17862

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17863

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17864

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5754

--
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1731951

Title:
  Artful update to 4.13.10 stable release

Status in linux package in Ubuntu:
  Fix Released
Status in linux source package in Artful:
  Fix Released

Bug description:
  SRU Justification

  Impact:
  The upstream process for stable tree updates is quite similar in scope to the Ubuntu SRU process, e.g., each patch has to demonstrably fix a bug, and each patch is vetted by upstream by originating either directly from a mainline/stable Linux tree or a minimally backported form of that patch. The 4.13.10 upstream stable patch set is now available. It should be included in the Ubuntu kernel as well.

  git://git.kernel.org/

  TEST CASE: TBD

  The following patches from the 4.13.10 stable release shall be applied:
  * staging: bcm2835-audio: Fix memory corruption
  * USB: devio: Revert "USB: devio: Don't corrupt user memory"
  * USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
  * USB: serial: metro-usb: add MS7820 device id
  * usb: cdc_acm: Add quirk for Elatec TWN3
  * usb: quirks: add quirk for WORLDE MINI MIDI keyboard
  * usb: hub: Allow reset retry for USB2 devices on connect bounce
  * ALSA: usb-audio: Add native DSD support for Pro-Ject Pre Box S2 Digital
  * can: gs_usb: fix busy loop if no more TX context is available
  * scsi: qla2xxx: Fix uninitialized work element
  * nbd: don't set the device size until we're connected
  * s390/cputime: fix guest/irq/softirq times after CPU hotplug
  * parisc: Fix double-word compare and exchange in LWS code on 32-bit kernels
  * parisc: Fix detection of nonsynchronous cr16 cycle counters
  * iio: dummy: events: Add missing break
  * usb: musb: sunxi: Explicitly release USB PHY on exit
  * USB: musb: fix session-bit runtime-PM quirk
  * USB: musb: fix late external abort on suspend
  * usb: musb: musb_cppi41: Fix the address of teardown and autoreq registers
  * usb: musb: musb_cppi41: Fix cppi41_set_dma_mode() for DA8xx
  * usb: musb: musb_cppi41: Configure the number of channels for DA8xx
  * usb: musb: Check for
    host-mode using is_host_active() on reset interrupt
  * xhci: Identify USB 3.1 capable hosts by their port protocol capability
  * xhci: Cleanup current_cmd in xhci_cleanup_command_queue()
  * usb: xhci: Reset halted endpoint if trb is noop
  * usb: xhci: Handle error condition in xhci_stop_device()
  * can: esd_usb2: Fix can_dlc value for received RTR, frames
  * can: af_can: can_pernet_init(): add missing error handling for kzalloc returning NULL
  * can: flexcan: fix state transition regression
  * can: flexcan: rename legacy error state quirk
  * can: flexcan: implement error passive state quirk
  * can: flexcan: fix i.MX6 state transition issue
  * can: flexcan: fix i.MX28 state transition issue
  * can: flexcan: fix p1010 state transition issue
  * KEYS: encrypted: fix dereference of NULL user_key_payload
  * mmc: sdhci-pci: Fix default d3_retune for Intel host controllers
  * drm/i915: Use bdw_ddi_translations_fdi for Broadwell
  * drm/nouveau/kms/nv50: fix oops during DP IRQ handling on non-MST boards
  * drm/nouveau/bsp/g92: disable by default
  * drm/nouveau/mmu: flush tlbs before deleting page tables
  * media: s5p-cec: add NACK detection support
  * media: cec: Respond to unregistered initiators, when applicable
  * media: dvb: i2c transfers over usb cannot be done from stack
  * tracing/samples: Fix creation and deletion of simple_thread_fn creation
  * ALSA: seq: Enable 'use' locking in all configurations
  * ALSA: hda: Remove superfluous '-' added by printk conversion
  * ALSA: hda: Abort capability probe at invalid register read
  * i2c: ismt: Separate I2C block read from SMBus block read
  * i2c: piix4: Fix SMBus port selection for AMD Family 17h chips
  * Revert "tools/power turbostat: stop migrating, unless '-m'"
  * Input: stmfts - fix setting ABS_MT_POSITION_* maximum size
  * brcmfmac: Add check for short event packets
  * brcmsmac: make some local variables 'static const' to reduce stack size
  * ARM: dts: sun6i: Fix endpoint IDs in second display pipeline
  * bus: mbus: fix window size calculation for 4GB
    windows
  * clockevents/drivers/cs5535: Improve resilience to spurious interrupts
  * rtlwifi: rtl8821ae: Fix connection lost problem
  * x86/microcode/intel: Disable late loading on model 79
  * lib/digsig: fix dereference of NULL user_key_payload
  * fscrypt: fix dereference of NULL user_key_payload
  * ecryptfs: fix dereference of NULL user_key_payload
  * KEYS: Fix race between updating and finding a negative key
  * FS-Cache: fix dereference of NULL user_key_payload
  * KEYS: don't let add_key() update an uninstantiated key
  * pkcs7: Prevent NULL pointer dereference, since sinfo is not always set.
  * arm64: dts: rockchip: correct vqmmc voltage for rk3399 platforms
  * ALSA: hda - Fix incorrect TLV callback check introduced during set_fs() removal
  * iomap_dio_rw: Allocate AIO completion queue before submitting dio
  * xfs: don't unconditionally clear the reflink flag on zero-block files
  * xfs: evict CoW fork extents when performing finsert/fcollapse
  * fs/xfs: Use %pS printk format for direct addresses
  * xfs: report zeroed or not correctly in xfs_zero_range()
  * xfs: update i_size after unwritten conversion in dio completion
  * xfs: perag initialization should only touch m_ag_max_usable for AG 0
  * xfs: Capture state of the right inode in xfs_iflush_done
  * xfs: always swap the cow forks when swapping extents
  * xfs: handle racy AIO in xfs_reflink_end_cow
  * xfs: Don't log uninitialised fields in inode structures
  * xfs: move more RT specific code under CONFIG_XFS_RT
  * xfs: don't change inode mode if ACL update fails
  * xfs: reinit btree pointer on attr tree inactivation walk
  * xfs: handle error if xfs_btree_get_bufs fails
  * xfs: cancel dirty pages on invalidation
  * xfs: trim writepage mapping to within eof
  * xfs: move two more RT specific functions into CONFIG_XFS_RT
  * Linux 4.13.10