This bug was fixed in the package linux - 3.13.0-157.207
---------------
linux (3.13.0-157.207) trusty; urgency=medium
* linux: 3.13.0-157.207 -proposed tracker (LP: #1787982)
* CVE-2017-5715 (Spectre v2 retpoline)
- SAUCE: Fix "x86/retpoline/entry: Convert entry assembler indirect jumps"
* CVE-2017-2583
- KVM: x86: fix emulation of "MOV SS, null selector"
* CVE-2017-7518
- KVM: x86: fix singlestepping over syscall
* CVE-2017-18270
- KEYS: prevent creating a different user's keyrings
* Update to upstream's implementation of Spectre v1 mitigation (LP: #1774181)
- Documentation: Document array_index_nospec
- array_index_nospec: Sanitize speculative array de-references
- x86: Implement array_index_mask_nospec
- x86: Introduce barrier_nospec
- x86/get_user: Use pointer masking to limit speculation
- x86/syscall: Sanitize syscall table de-references under speculation
- vfs, fdtable: Prevent bounds-check bypass via speculative execution
- nl80211: Sanitize array index in parse_txq_params
- x86/spectre: Report get_user mitigation for spectre_v1
- x86/kvm: Update spectre-v1 mitigation
- nospec: Allow index argument to have const-qualified type
- nospec: Move array_index_nospec() parameter checking into separate macro
- nospec: Kill array_index_nospec_mask_check()
- SAUCE: Replace osb() calls with array_index_nospec()
- SAUCE: Rename osb() to barrier_nospec()
- SAUCE: x86: Use barrier_nospec in arch/x86/um/asm/barrier.h
* Prevent speculation on user controlled pointer (LP: #1775137)
- x86: reorganize SMAP handling in user space accesses
- x86: fix SMAP in 32-bit environments
- x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
- x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
- x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
* CVE-2016-10208
- ext4: validate s_first_meta_bg at mount time
- ext4: fix fencepost in s_first_meta_bg validation
* CVE-2018-10323
- xfs: set format back to extents if xfs_bmap_extents_to_btree
* CVE-2017-16911
- usbip: prevent vhci_hcd driver from leaking a socket pointer address
* CVE-2018-13406
- video: uvesafb: Fix integer overflow in allocation
* CVE-2018-10877
- ext4: verify the depth of extent tree in ext4_find_extent()
* CVE-2018-10881
- ext4: clear i_data in ext4_inode_info when removing inline data
* CVE-2018-1092
- ext4: fail ext4_iget for root directory if unallocated
* CVE-2018-1093
- ext4: fix block bitmap validation when bigalloc, ^flex_bg
- ext4: add validity checks for bitmap block numbers
* CVE-2018-12233
- jfs: Fix inconsistency between memory allocation and ea_buf->max_size
* CVE-2017-16912
- usbip: fix stub_rx: get_pipe() to validate endpoint number
* CVE-2018-10675
- mm/mempolicy: fix use after free when calling get_mempolicy
* CVE-2017-8831
- saa7164: fix sparse warnings
- saa7164: fix double fetch PCIe access condition
* CVE-2017-16533
- HID: usbhid: fix out-of-bounds bug
* CVE-2017-16538
- media: dvb-usb-v2: lmedm04: move ts2020 attach to dm04_lme2510_tuner
- media: dvb-usb-v2: lmedm04: Improve logic checking of warm start
* CVE-2017-16644
- hdpvr: Remove deprecated create_singlethread_workqueue
- media: hdpvr: Fix an error handling path in hdpvr_probe()
* CVE-2017-16645
- Input: ims-psu - check if CDC union descriptor is sane
* CVE-2017-5549
- USB: serial: kl5kusb105: fix line-state error handling
* CVE-2017-16532
- usb: usbtest: fix NULL pointer dereference
* CVE-2017-16537
- media: imon: Fix null-ptr-deref in imon_probe
* CVE-2017-11472
- ACPICA: Add additional debug info/statements
- ACPICA: Namespace: fix operand cache leak
* CVE-2017-16643
- Input: gtco - fix potential out-of-bound access
* CVE-2017-16531
- USB: fix out-of-bounds in usb_set_configuration
* CVE-2018-10124
- kernel/signal.c: avoid undefined behaviour in kill_something_info
* CVE-2017-6348
- irda: Fix lockdep annotations in hashbin_delete().
* CVE-2017-17558
- USB: core: prevent malicious bNumInterfaces overflow
* CVE-2017-5897
- ip6_gre: fix ip6gre_err() invalid reads
* CVE-2017-6345
- SAUCE: import sock_efree()
- net/llc: avoid BUG_ON() in skb_orphan()
* CVE-2017-7645
- nfsd: check for oversized NFSv2/v3 arguments
* CVE-2017-9984
- ALSA: msnd: Optimize / harden DSP and MIDI loops
* CVE-2018-1000204
- scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
* CVE-2018-10021
- scsi: libsas: defer ata device eh commands to libata
* CVE-2017-16914
- usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
* CVE-2017-16913
- usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
* CVE-2017-16535
- USB: core: fix out-of-bounds access bug in usb_get_bos_descriptor()
* CVE-2017-16536
- cx231xx-cards: fix NULL-deref on missing association descriptor
* CVE-2017-16650
- net: qmi_wwan: fix divide by 0 on bad descriptors
* CVE-2017-18255
- perf/core: Fix the perf_cpu_time_max_percent check
* CVE-2018-10940
- cdrom: information leak in cdrom_ioctl_media_changed()
* CVE-2018-13094
- xfs: don't call xfs_da_shrink_inode with NULL bp
* other users' coredumps can be read via setgid directory and killpriv bypass
(LP: #1779923) // CVE-2018-13405
- Fix up non-directory creation in SGID directories
* CVE-2017-16529
- ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
* CVE-2017-2671
- ping: implement proper locking
* CVE-2017-15649
- packet: hold bind lock when rebinding to fanout hook
- packet: in packet_do_bind, test fanout with bind_lock held
* CVE-2017-16527
- ALSA: usb-audio: Kill stray URB at exiting
* CVE-2017-16526
- uwb: properly check kthread_run return value
* CVE-2017-11473
- x86/acpi: Prevent out of bound access caused by broken ACPI tables
* CVE-2017-14991
- scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
* CVE-2017-2584
- KVM: x86: Introduce segmented_write_std
* CVE-2018-10087
- kernel/exit.c: avoid undefined behaviour when calling wait4()
* fscache: Fix hanging wait on page discarded by writeback (LP: #1777029)
- fscache: Fix hanging wait on page discarded by writeback
-- Khalid Elmously <khalid.elmou...@canonical.com> Mon, 20 Aug 2018
12:07:46 -0400
** Changed in: linux (Ubuntu Trusty)
Status: Fix Committed => Fix Released
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2016-10208
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11472
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-11473
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-14991
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-15649
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16526
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16527
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16529
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16531
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16532
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16533
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16535
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16536
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16537
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16538
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16643
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16644
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16645
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16650
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16911
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16912
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16913
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-16914
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-17558
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18255
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-18270
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2583
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2584
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-2671
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5549
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5715
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-5897
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6345
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-6348
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7518
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-7645
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-8831
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-9984
** CVE added: https://cve.mitre.org/cgi-
bin/cvename.cgi?name=2018-1000204
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10021
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10087
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10124
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10323
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10675
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10877
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10881
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1092
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-1093
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-10940
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-12233
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13094
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13405
** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2018-13406
--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1775137
Title:
Prevent speculation on user controlled pointer
Status in linux package in Ubuntu:
Incomplete
Status in linux source package in Precise:
New
Status in linux source package in Trusty:
Fix Released
Status in linux source package in Xenial:
Fix Released
Bug description:
== SRU Justification ==
Upstream's Spectre v1 mitigation prevents speculation on a user controlled
pointer. This part of the Spectre v1 patchset was never backported to 4.4 (for
unknown reasons) so Xenial/Trusty/Precise are lacking it as well. All the other
stable upstream kernels include it, so add it to our older kernels.
== Fix ==
Backport the following patches:
x86/uaccess: Use __uaccess_begin_nospec() and uaccess_try_nospec
x86/usercopy: Replace open coded stac/clac with __uaccess_{begin, end}
x86: Introduce __uaccess_begin_nospec() and uaccess_try_nospec
== Regression Potential ==
Low. Patches have been in upstream (and other distro kernels) for quite a
while now and the changes only introduce a barrier on copy_from_user operations.
== Test Case ==
TBD.
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1775137/+subscriptions
--
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help : https://help.launchpad.net/ListHelp
