CVE-2014-0038

Bug #1274754 reported by John Johansen
This bug report is a duplicate of: Bug #1274349: CVE-2014-0038.
This bug affects 1 person
Affects                                 Status        Importance  Assigned to
linux (Ubuntu)                          New           Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Invalid       Critical    Unassigned
  Quantal                               New           Critical    Unassigned
  Saucy                                 Fix Released  Critical    Unassigned
  Trusty                                New           Critical    Unassigned
linux-armadaxp (Ubuntu)                 Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Invalid       Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned
linux-ec2 (Ubuntu)                      Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Invalid       Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned
linux-fsl-imx51 (Ubuntu)                Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Invalid       Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned
linux-lts-backport-maverick (Ubuntu)    New           Undecided   Unassigned
  Lucid                                 New           Undecided   Unassigned
  Precise                               New           Undecided   Unassigned
  Quantal                               New           Undecided   Unassigned
  Saucy                                 New           Undecided   Unassigned
  Trusty                                New           Undecided   Unassigned
linux-lts-backport-natty (Ubuntu)       New           Undecided   Unassigned
  Lucid                                 New           Undecided   Unassigned
  Precise                               New           Undecided   Unassigned
  Quantal                               New           Undecided   Unassigned
  Saucy                                 New           Undecided   Unassigned
  Trusty                                New           Undecided   Unassigned
linux-lts-quantal (Ubuntu)              Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               New           Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned
linux-lts-raring (Ubuntu)               Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Fix Released  Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned
linux-lts-saucy (Ubuntu)                Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Fix Released  Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned
linux-mvl-dove (Ubuntu)                 Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Invalid       Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned
linux-ti-omap4 (Ubuntu)                 Invalid       Critical    Unassigned
  Lucid                                 Invalid       Critical    Unassigned
  Precise                               Invalid       Critical    Unassigned
  Quantal                               Invalid       Critical    Unassigned
  Saucy                                 Invalid       Critical    Unassigned
  Trusty                                Invalid       Critical    Unassigned

Bug Description

The timeout pointer parameter is provided by userland (hence the __user annotation), but for x32 syscalls it is simply cast to a kernel pointer and passed to __sys_recvmmsg, which eventually dereferences it directly for both reading and writing. Other callers of __sys_recvmmsg properly copy from userland to the kernel first. The impact is a sort of arbitrary kernel write-where-what primitive available to unprivileged users, where the to-be-written area must initially contain valid timespec data (the first 64-bit field must be positive and the second one must be < 1G).

Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 lp1274754
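The copy-in/validate/copy-out pattern that the description contrasts with the x32 cast, as an added userspace model in C. This is not kernel code and not part of the bug report: the user and kernel regions are constructed buffers, model_access_ok, model_copy_from_user and model_copy_to_user stand in for the kernel's access_ok and copy_from_user/copy_to_user, core_recvmmsg stands in for __sys_recvmmsg's timeout handling, and timespec_valid is the condition the description paraphrases (non-negative seconds, nanoseconds below one second). The unchecked variant shows why a cast is not a copy: the same pointer that the checked variant refuses with -EFAULT is read and written by the core.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EFAULT 14
#define EINVAL 22
#define NSEC_PER_SEC 1000000000L

/* Kernel-side timespec as the x32 path sees it: two 64-bit fields. */
struct ktimespec {
    int64_t tv_sec;
    int64_t tv_nsec;
};

/* Simulated address space (constructed for this example): one array stands
 * for user memory, one object stands for kernel memory. */
static struct ktimespec user_mem[4];
static struct ktimespec kernel_object = { 7, 7 };

/* access_ok-style range check: a user-supplied pointer may only refer to
 * the simulated user region. */
static int model_access_ok(const void *p, size_t n)
{
    uintptr_t lo = (uintptr_t)user_mem, hi = lo + sizeof user_mem;
    uintptr_t a = (uintptr_t)p;
    return a >= lo && a <= hi && n <= hi - a;
}

/* Stand-ins for copy_from_user/copy_to_user: 0 on success, -EFAULT otherwise. */
static int model_copy_from_user(void *dst, const void *usrc, size_t n)
{
    if (!model_access_ok(usrc, n))
        return -EFAULT;
    memcpy(dst, usrc, n);
    return 0;
}

static int model_copy_to_user(void *udst, const void *src, size_t n)
{
    if (!model_access_ok(udst, n))
        return -EFAULT;
    memcpy(udst, src, n);
    return 0;
}

/* Validity condition the description paraphrases. */
static int timespec_valid(const struct ktimespec *ts)
{
    return ts->tv_sec >= 0 && ts->tv_nsec >= 0 && ts->tv_nsec < NSEC_PER_SEC;
}

/* Stand-in for the core: it trusts `timeout` to be a kernel pointer, validates
 * it, consumes the wait and writes the remaining time back through it. */
static int core_recvmmsg(struct ktimespec *timeout)
{
    if (timeout) {
        if (!timespec_valid(timeout))
            return -EINVAL;
        timeout->tv_sec = 0;   /* remaining time after the wait */
        timeout->tv_nsec = 0;
    }
    return 1;                  /* datagrams received */
}

/* Pattern the description reports: the __user pointer is cast and passed
 * straight through, so the core reads and writes through it unchecked. */
static int compat_recvmmsg_unchecked(void *user_timeout)
{
    return core_recvmmsg((struct ktimespec *)user_timeout);
}

/* Pattern the other callers use: copy in, let the core work on a kernel-side
 * copy, copy the result back out; a bad user pointer fails with -EFAULT. */
static int compat_recvmmsg_checked(void *user_timeout)
{
    struct ktimespec kts;
    int ret;

    if (!user_timeout)
        return core_recvmmsg(NULL);
    if (model_copy_from_user(&kts, user_timeout, sizeof kts))
        return -EFAULT;
    ret = core_recvmmsg(&kts);
    if (ret > 0 && model_copy_to_user(user_timeout, &kts, sizeof kts))
        return -EFAULT;
    return ret;
}

/* Scenarios; each resets the simulated memory so it runs in any order. */
static int scenario_valid_user_timeout(void)        /* accepted, remainder written back */
{
    user_mem[0].tv_sec = 2; user_mem[0].tv_nsec = 500;
    int ret = compat_recvmmsg_checked(&user_mem[0]);
    return ret == 1 && user_mem[0].tv_sec == 0 && user_mem[0].tv_nsec == 0;
}

static int scenario_invalid_user_timeout(void)      /* returns -EINVAL */
{
    user_mem[0].tv_sec = -1; user_mem[0].tv_nsec = 0;
    return compat_recvmmsg_checked(&user_mem[0]);
}

static int scenario_kernel_pointer_checked(void)    /* refused, object untouched */
{
    kernel_object.tv_sec = 7; kernel_object.tv_nsec = 7;
    int ret = compat_recvmmsg_checked(&kernel_object);
    return ret == -EFAULT && kernel_object.tv_sec == 7 && kernel_object.tv_nsec == 7;
}

static int scenario_kernel_pointer_unchecked(void)  /* cast path: object overwritten */
{
    kernel_object.tv_sec = 7; kernel_object.tv_nsec = 7;
    int ret = compat_recvmmsg_unchecked(&kernel_object);
    return ret == 1 && kernel_object.tv_sec == 0 && kernel_object.tv_nsec == 0;
}

int main(void)
{
    printf("checked, valid user timeout:   %s\n", scenario_valid_user_timeout() ? "ok" : "FAIL");
    printf("checked, invalid user timeout: %d (expect -22)\n", scenario_invalid_user_timeout());
    printf("checked, kernel pointer:       %s\n", scenario_kernel_pointer_checked() ? "rejected" : "FAIL");
    printf("unchecked, kernel pointer:     %s\n", scenario_kernel_pointer_unchecked() ? "overwritten" : "intact");
    return 0;
}
```

The point the model makes is that the validity check inside the core is not a substitute for the copy: it runs on whatever memory the pointer names, which is why the description says the target only has to look like a valid timespec. The copy-in step is what binds the pointer to the user address range before anything is read or written.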

Revision history for this message
John Johansen (jjohansen) wrote :

CVE-2014-0038

tags: added: kernel-cve-tracking-bug
information type: Public → Public Security
Changed in linux-armadaxp (Ubuntu Saucy):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Lucid):
status: New → Invalid
Changed in linux-armadaxp (Ubuntu Trusty):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Precise):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Saucy):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Trusty):
status: New → Invalid
Changed in linux-ec2 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Trusty):
status: New → Invalid
Changed in linux-lts-quantal (Ubuntu Quantal):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Precise):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Saucy):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Trusty):
status: New → Invalid
Changed in linux-mvl-dove (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Trusty):
status: New → Invalid
Changed in linux-lts-saucy (Ubuntu Quantal):
status: New → Invalid
Changed in linux-ti-omap4 (Ubuntu Lucid):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Precise):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Saucy):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Trusty):
status: New → Invalid
Changed in linux-fsl-imx51 (Ubuntu Quantal):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Saucy):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Lucid):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Trusty):
status: New → Invalid
Changed in linux-lts-raring (Ubuntu Quantal):
status: New → Invalid
description: updated
Changed in linux-armadaxp (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Lucid):
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-armadaxp (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-ec2 (Ubuntu Quantal):
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Lucid):
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-lts-quantal (Ubuntu Quantal):
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-mvl-dove (Ubuntu Quantal):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Lucid):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-lts-saucy (Ubuntu Quantal):
importance: Undecided → Critical
Changed in linux (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux (Ubuntu Quantal):
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Precise):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Saucy):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Lucid):
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Trusty):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-ti-omap4 (Ubuntu Quantal):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Lucid):
status: New → Invalid
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-fsl-imx51 (Ubuntu Quantal):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Precise):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Saucy):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Lucid):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Trusty):
importance: Undecided → Critical
Changed in linux-lts-raring (Ubuntu Quantal):
importance: Undecided → Critical
description: updated
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.11.0-17.31

---------------
linux (3.11.0-17.31) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1275899
  * Revert "UBUNTU: SAUCE: Fix compat_sys_recvmsg on x32 archs"

  [ John Johansen ]

  * [Upstream] x86, x32: Correct invalid use of user timespec in the kernel
    - LP: #1274754

linux (3.11.0-17.30) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1270292

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * Revert "ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs"

linux (3.11.0-17.29) saucy; urgency=low

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * GFS2: Fix ref count bug relating to atomic_open
    - LP: #1269863
  * aio: restore locking of ioctx list on removal
    - LP: #1269863
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1269863
  * net/mlx4_en: Fixed crash when port type is changed
    - LP: #1269863
  * net: Fix "ip rule delete table 256"
    - LP: #1269863
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1269863
  * ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh
    - LP: #1269863

linux (3.11.0-17.28) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1269875

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * igb: Update link modes display in ethtool
  * Revert "mac80211: allow disable power save in mesh"
    - LP: #1269863
  * Revert "of/address: Handle #address-cells > 2 specially"
    - LP: #1269863
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * random32: fix off-by-one in seeding requirement
    - LP: #1269863
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1269863
  * usbnet: fix status interrupt urb handling
    - LP: #1269863
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1269863
  * tuntap: limit head length of skb allocated
    - LP: #1269863
  * macvtap: limit head length of skb allocated
    - LP: #1269863
  * tcp: tsq: restore minimal amount of queueing
    - LP: #1269863
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1269863
  * net-tcp: fix panic in tcp_fastopen_cache_set()
    - LP: #1269863
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1269863
  * connector: improved unaligned access error fix
    - LP: #1269863
  * ipv4: fix possible seqlock deadlock
    - LP: #1269863
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1269863
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1269863
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1269863
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1269863
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1269863
  * ip6_output: fragment outgoing reassembled skb properly
    - LP: #1269863
  * netfilter: push reasm skb through instead of original frag skbs
    - LP: #1269863
  * xf...

Changed in linux (Ubuntu Saucy):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-raring - 3.8.0-36.52~precise1

---------------
linux-lts-raring (3.8.0-36.52~precise1) precise; urgency=low

  [ John Johansen]

  * UBUNTU: [Upstream] x86, x32: Correct invalid use of user timespec in the
    kernel
    - LP: #1274754

  [ Brad Figg ]

  * Revert "UBUNTU: SAUCE: Fix compat_sys_recvmsg on x32 archs"
  * Release Tracking Bug
    - LP: #1275862

linux-lts-raring (3.8.0-36.51~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1266582

  [ Brad Figg ]

  * debian.raring/etc/getabis: get the packages from linux-lts-raring in
    the archive
  * debian/scripts/misc/getabis: the abi directory should only be made up
    of the version-abi-bld

  [ Upstream Kernel Changes ]

  * Revert "ima: policy for RAMFS"
    - LP: #1265572
  * ipv6: ip6_dst_check needs to check for expired dst_entries
    - LP: #1265572
  * ipv6: reset dst.expires value when clearing expire flag
    - LP: #1265572
  * cxgb3: Fix length calculation in write_ofld_wr() on 32-bit
    architectures
    - LP: #1265572
  * xen-netback: use jiffies_64 value to calculate credit timeout
    - LP: #1265572
  * virtio-net: correctly handle cpu hotplug notifier during resuming
    - LP: #1265572
  * net: flow_dissector: fail on evil iph->ihl
    - LP: #1265572
  * X.509: Remove certificate date checks
    - LP: #1265572
  * selinux: correct locking in selinux_netlbl_socket_connect)
    - LP: #1265572
  * NFSv4: Fix a use-after-free situation in _nfs4_proc_getlk()
    - LP: #1265572
  * usb: musb: cancel work on removal
    - LP: #1265572
  * USB: mos7840: fix tiocmget error handling
    - LP: #1265572
  * pinctrl: dove: unset twsi option3 for gconfig as well
    - LP: #1265572
  * usb: Disable USB 2.0 Link PM before device reset.
    - LP: #1265572
  * usb: hub: Clear Port Reset Change during init/resume
    - LP: #1265572
  * rt2400pci: fix RSSI read
    - LP: #1265572
  * rt2x00: check if device is still available on rt2x00mac_flush()
    - LP: #1265572
  * rt2800usb: slow down TX status polling
    - LP: #1265572
  * cfg80211: fix scheduled scan pointer access
    - LP: #1265572
  * ARM: OMAP2+: irq, AM33XX add missing register check
    - LP: #1265572
  * ALSA: hda - Add support of new codec ALC233
    - LP: #1265572
  * ALSA: hda - Add support of ALC255 codecs
    - LP: #1265572
  * USB:add new zte 3g-dongle's pid to option.c
    - LP: #1265572
  * [SCSI] sd: Reduce buffer size for vpd request
    - LP: #1265572
  * libata: Fix display of sata speed
    - LP: #1265572
  * ahci: disabled FBS prior to issuing software reset
    - LP: #1265572
  * drivers/libata: Set max sector to 65535 for Slimtype DVD A DS8A9SH
    drive
    - LP: #1265572
  * NFSv4: fix NULL dereference in open recover
    - LP: #1265572
  * ALSA: 6fire: Fix probe of multiple cards
    - LP: #1265572
  * ARM: sa11x0/assabet: ensure CS2 is configured appropriately
    - LP: #1265572
  * usb: wusbcore: set the RPIPE wMaxPacketSize value correctly
    - LP: #1265572
  * usb: wusbcore: change WA_SEGS_MAX to a legal value
    - LP: #1265572
  * powerpc/vio: use strcpy in modalias_show
    - LP: #1265572
  * i2c: mux: gpio: use gpio_...

Changed in linux-lts-raring (Ubuntu Precise):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux-lts-saucy - 3.11.0-17.31~precise1

---------------
linux-lts-saucy (3.11.0-17.31~precise1) precise; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1270372
  * Revert "UBUNTU: SAUCE: Fix compat_sys_recvmsg on x32 archs"

  [ John Johansen ]

  * [Upstream] x86, x32: Correct invalid use of user timespec in the kernel
    - LP: #1274754

linux (3.11.0-17.30) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1270292

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * Revert "ACPI: Add BayTrail SoC GPIO and LPSS ACPI IDs"

linux (3.11.0-17.29) saucy; urgency=low

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * GFS2: Fix ref count bug relating to atomic_open
    - LP: #1269863
  * aio: restore locking of ioctx list on removal
    - LP: #1269863
  * mmc: block: fix a bug of error handling in MMC driver
    - LP: #1269863
  * net/mlx4_en: Fixed crash when port type is changed
    - LP: #1269863
  * net: Fix "ip rule delete table 256"
    - LP: #1269863
  * ipv6: use rt6_get_dflt_router to get default router in rt6_route_rcv
    - LP: #1269863
  * ipv6: protect for_each_sk_fl_rcu in mem_check with rcu_read_lock_bh
    - LP: #1269863

linux (3.11.0-17.28) saucy; urgency=low

  [ Brad Figg ]

  * Release Tracking Bug
    - LP: #1269875

  [ Brad Figg ]

  * Start new release

  [ Upstream Kernel Changes ]

  * igb: Update link modes display in ethtool
  * Revert "mac80211: allow disable power save in mesh"
    - LP: #1269863
  * Revert "of/address: Handle #address-cells > 2 specially"
    - LP: #1269863
  * net: clamp ->msg_namelen instead of returning an error
    - LP: #1269053
  * random32: fix off-by-one in seeding requirement
    - LP: #1269863
  * bonding: don't permit to use ARP monitoring in 802.3ad mode
    - LP: #1269863
  * usbnet: fix status interrupt urb handling
    - LP: #1269863
  * 6lowpan: Uncompression of traffic class field was incorrect
    - LP: #1269863
  * tuntap: limit head length of skb allocated
    - LP: #1269863
  * macvtap: limit head length of skb allocated
    - LP: #1269863
  * tcp: tsq: restore minimal amount of queueing
    - LP: #1269863
  * bonding: fix two race conditions in bond_store_updelay/downdelay
    - LP: #1269863
  * net-tcp: fix panic in tcp_fastopen_cache_set()
    - LP: #1269863
  * isdnloop: use strlcpy() instead of strcpy()
    - LP: #1269863
  * connector: improved unaligned access error fix
    - LP: #1269863
  * ipv4: fix possible seqlock deadlock
    - LP: #1269863
  * inet: prevent leakage of uninitialized memory to user in recv syscalls
    - LP: #1269863
  * net: rework recvmsg handler msg_name and msg_namelen logic
    - LP: #1269863
  * net: add BUG_ON if kernel advertises msg_namelen > sizeof(struct
    sockaddr_storage)
    - LP: #1269863
  * inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu
    functions
    - LP: #1269863
  * ipv6: fix leaking uninitialized port number of offender sockaddr
    - LP: #1269863
  * ip6_output: fragment outgoing reassembled skb properly
    - LP: #1269863
  * netfilter: push reasm skb through instead of orig...

Changed in linux-lts-saucy (Ubuntu Precise):
status: New → Fix Released