[Kernel-packages] [Bug 1274349] Re: Fix-compat_sys_recvmsg-on-x32-archs

2014-02-02 Thread Sebastian Unger
We got the update relating to this in kernel 3.11.0-15.25 (saucy) this
morning and it broke remmina connectivity! Downgrading the kernel back
to 3.11.0-15.23 fixed the remmina issues.

We are running standard saucy Ubuntu amd64.

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1274349

Title:
  Fix-compat_sys_recvmsg-on-x32-archs

Status in “linux” package in Ubuntu:
  Confirmed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Invalid
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Invalid
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-armadaxp” source package in Precise:
  Invalid
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-quantal” source package in Precise:
  Invalid
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Invalid
Status in “linux” source package in Quantal:
  Invalid
Status in “linux-armadaxp” source package in Quantal:
  Invalid
Status in “linux-ec2” source package in Quantal:
  Invalid
Status in “linux-fsl-imx51” source package in Quantal:
  Invalid
Status in “linux-lts-quantal” source package in Quantal:
  Invalid
Status in “linux-lts-raring” source package in Quantal:
  Invalid
Status in “linux-lts-saucy” source package in Quantal:
  Invalid
Status in “linux-mvl-dove” source package in Quantal:
  Invalid
Status in “linux-ti-omap4” source package in Quantal:
  Invalid
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Confirmed
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid

Bug description:
  The timeout pointer parameter is provided by userland (hence the
  __user annotation) but for x32 syscalls it's simply cast to a kernel
  pointer and is passed to __sys_recvmmsg which will eventually directly
  dereference it for both reading and writing. Other callers to
  __sys_recvmmsg properly copy from userland to the kernel first. The
  impact is a sort of arbitrary kernel write-where-what primitive by
  unprivileged users where the to-be-written area must contain valid
  timespec data initially (the first 64 bit long field must be positive
  and the second one must be < 1G).

  Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70
  2def2ef2ae5f3990aabdbe8a755911902707d268

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1274349/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
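
The difference between the direct cast and the copy-from-userland pattern described in the bug description above, as an added userspace model (not kernel code and not part of the original report). The slot array and the names `copy_in`, `copy_out`, `inner_recvmmsg`, `recvmmsg_cast` and `recvmmsg_copy` are constructed stand-ins for user/kernel memory, copy_from_user/copy_to_user and __sys_recvmmsg.

```c
/* Added example: userspace model, not kernel code; all names are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define SLOTS      16
#define USER_SLOTS 8   /* slots 0..7 model userland, 8..15 model kernel memory */

struct ts { int64_t tv_sec; int64_t tv_nsec; };
static struct ts mem[SLOTS];

/* Models of copy_from_user()/copy_to_user(): refuse non-user addresses. */
static int copy_in(struct ts *dst, unsigned slot)
{
    if (slot >= USER_SLOTS) return -EFAULT;
    *dst = mem[slot];
    return 0;
}
static int copy_out(unsigned slot, const struct ts *src)
{
    if (slot >= USER_SLOTS) return -EFAULT;
    mem[slot] = *src;
    return 0;
}

/* Stand-in for __sys_recvmmsg(): trusts `t` as a kernel pointer, validates
 * the timespec it reads there, then writes the remaining time back. */
static int inner_recvmmsg(struct ts *t)
{
    if (t->tv_sec < 0 || t->tv_nsec < 0 || t->tv_nsec >= 1000000000L)
        return -EINVAL;
    *t = (struct ts){ 0, 0 };   /* model: timeout fully consumed */
    return 0;
}

/* Pattern from the report: the caller-supplied address is used directly. */
static int recvmmsg_cast(unsigned slot)
{
    if (slot >= SLOTS) return -EFAULT;   /* keeps the model itself in bounds */
    return inner_recvmmsg(&mem[slot]);
}

/* Copy-in / copy-out: only a kernel-local copy is ever dereferenced. */
static int recvmmsg_copy(unsigned slot)
{
    struct ts ktspec;
    int ret = copy_in(&ktspec, slot);
    if (ret == 0) ret = inner_recvmmsg(&ktspec);
    if (ret == 0) ret = copy_out(slot, &ktspec);
    return ret;
}

int main(void)
{
    mem[10] = (struct ts){ 5, 0 };   /* constructed "kernel" data */
    printf("cast ret=%d\n", recvmmsg_cast(10));
    printf("kernel tv_sec now %lld\n", (long long)mem[10].tv_sec);
    return 0;
}
```

In the model, `recvmmsg_cast` succeeds on a kernel slot and overwrites it, while `recvmmsg_copy` rejects the same slot with -EFAULT before anything is read or written.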


[Kernel-packages] [Bug 1274349] Re: Fix-compat_sys_recvmsg-on-x32-archs

2014-02-01 Thread John Johansen
** Also affects: linux (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: linux-ec2 (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: linux-armadaxp (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-raring (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-saucy (Ubuntu Lucid)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Quantal)
   Importance: Undecided
   Status: New

** Also affects: linux-ec2 (Ubuntu Quantal)
   Importance: Undecided
   Status: New

** Also affects: linux-armadaxp (Ubuntu Quantal)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-raring (Ubuntu Quantal)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-saucy (Ubuntu Quantal)
   Importance: Undecided
   Status: New

** Changed in: linux-armadaxp (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: linux-armadaxp (Ubuntu Saucy)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: linux-armadaxp (Ubuntu Lucid)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Lucid)
   Importance: Undecided => Critical

** Changed in: linux-armadaxp (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux-armadaxp (Ubuntu Quantal)
   Status: New => Invalid

** Changed in: linux-armadaxp (Ubuntu Quantal)
   Importance: Undecided => Critical

** Changed in: linux-ec2 (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-ec2 (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: linux-ec2 (Ubuntu Saucy)
   Status: New => Invalid

** Changed in: linux-ec2 (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: linux-ec2 (Ubuntu Lucid)
   Status: New => Invalid

** Changed in: linux-ec2 (Ubuntu Lucid)
   Importance: Undecided => Critical

** Changed in: linux-ec2 (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-ec2 (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux-ec2 (Ubuntu Quantal)
   Status: New => Invalid

** Changed in: linux-ec2 (Ubuntu Quantal)
   Importance: Undecided => Critical

** Changed in: linux-lts-quantal (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: linux-lts-quantal (Ubuntu Saucy)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: linux-lts-quantal (Ubuntu Lucid)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Lucid)
   Importance: Undecided => Critical

** Changed in: linux-lts-quantal (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux-lts-quantal (Ubuntu Quantal)
   Status: New => Invalid

** Changed in: linux-lts-quantal (Ubuntu Quantal)
   Importance: Undecided => Critical

** Changed in: linux-mvl-dove (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-mvl-dove (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: linux-mvl-dove (Ubuntu Saucy)
   Status: New => Invalid

** Changed in: linux-mvl-dove (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: linux-mvl-dove (Ubuntu Lucid)
   Status: New => Invalid

** Changed in: linux-mvl-dove (Ubuntu Lucid)
   Importance: Undecided => Critical

** Changed in: linux-mvl-dove (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-mvl-dove (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux-mvl-dove (Ubuntu Quantal)
   Status: New => Invalid

** Changed in: linux-mvl-dove (Ubuntu Quantal)
   Importance: Undecided => Critical

** Changed in: linux-lts-saucy (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: linux-lts-saucy (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: linux-lts-saucy (Ubuntu Lucid)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Lucid)
   Importance: Undecided => Critical

** Changed in: linux-lts-saucy (Ubuntu Trusty)
   Importance: Undecided => Critical

** Changed in: linux-lts-saucy (Ubuntu Quantal)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Quantal)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Precise)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Saucy)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Lucid)
   Status: New => Invalid

** Changed in: linux (Ubuntu Lucid)
   Importance: Undecided => Critical

** Changed in: linux (Ubuntu Trusty)
   Importance: Undecided =>

[Kernel-packages] [Bug 1274349] Re: Fix-compat_sys_recvmsg-on-x32-archs

2014-01-31 Thread Stephan Springer
** Changed in: linux (Ubuntu Trusty)
   Status: Incomplete => New

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1274349

Title:
  Fix-compat_sys_recvmsg-on-x32-archs

Status in “linux” package in Ubuntu:
  Incomplete
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Incomplete
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid

Bug description:
  Reported by pageexec

  asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                      unsigned int vlen, unsigned int flags,
                                      struct compat_timespec __user *timeout)
  {
          int datagrams;
          struct timespec ktspec;

          if (flags & MSG_CMSG_COMPAT)
                  return -EINVAL;

          if (COMPAT_USE_64BIT_TIME)
                  return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                        flags | MSG_CMSG_COMPAT,
                                        (struct timespec *) timeout);
          /*...*/

  The timeout pointer parameter is provided by userland (hence the
  __user annotation) but for x32 syscalls it's simply cast to a kernel
  pointer and is passed to __sys_recvmmsg which will eventually directly
  dereference it for both reading and writing. Other callers to
  __sys_recvmmsg properly copy from userland to the kernel first.

  The impact is a sort of arbitrary kernel write-where-what primitive by
  unprivileged users where the to-be-written area must contain valid
  timespec data initially (the first 64 bit long field must be positive
  and the second one must be < 1G).

  The bug was introduced by commit
  http://git.kernel.org/linus/ee4fa23c4b (other uses of
  COMPAT_USE_64BIT_TIME seem fine) and should affect all kernels since
  3.4 (and perhaps vendor kernels if they backported x32 support along
  with this code). Note that CONFIG_X86_X32_ABI gets enabled at build
  time and only if CONFIG_X86_X32 is enabled and ld can build x32
  executables.



[Kernel-packages] [Bug 1274349] Re: Fix-compat_sys_recvmsg-on-x32-archs

2014-01-31 Thread Ken Sharp
** Tags added: bot-stop-nagging

** Changed in: linux (Ubuntu Trusty)
   Status: Incomplete => Confirmed


Status in “linux” package in Ubuntu:
  Confirmed
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Confirmed
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid



[Kernel-packages] [Bug 1274349] Re: Fix-compat_sys_recvmsg-on-x32-archs

2014-01-30 Thread Adam Conrad
** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0038

** Also affects: linux-lts-saucy (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-raring (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: linux (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-raring (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Also affects: linux-lts-saucy (Ubuntu Precise)
   Importance: Undecided
   Status: New

** Changed in: linux (Ubuntu Precise)
   Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Precise)
   Status: New => Fix Released

** Changed in: linux-lts-raring (Ubuntu Saucy)
   Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Trusty)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Precise)
   Status: New => Fix Released

** Changed in: linux-lts-saucy (Ubuntu Saucy)
   Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Trusty)
   Status: New => Invalid


Status in “linux” package in Ubuntu:
  Incomplete
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux” source package in Precise:
  Invalid
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux” source package in Saucy:
  Fix Released
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux” source package in Trusty:
  Incomplete
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
