** Changed in: linux (Ubuntu)
       Status: Incomplete => Confirmed

** Changed in: linux (Ubuntu Bionic)
       Status: Incomplete => Confirmed

https://bugs.launchpad.net/bugs/1831103

Title:
  bionic: netlink: potential shift overflow in netlink_bind()

Status in linux package in Ubuntu:
  Confirmed
Status in linux source package in Bionic:
  Confirmed

Bug description:
  [Impact]

  The check for correctness of the netlink_bind() userspace-supplied
  parameter is done by applying a bitmask made from an ngroups shift.
  However, if we have more than 64 groups, the shift results in an
  overflow, causing an incorrect validation of the netlink_bind()
  parameters.

  This has been fixed upstream:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91874ecf32e41b5d86a4cb9d60e0bee50d828058

  And this fix has been applied to xenial, cosmic and disco (apparently
  only bionic is missing it).

  [Test Case]

  I've been able to reproduce this problem using a script with acpid to
  handle ACPI hibernate events. The script is the following:

  $ cat /etc/acpi/actions/sleep.sh
  #!/bin/sh
  echo "1=$1 2=$2" >> /home/ubuntu/acpi-event.log

  Any kernel that has the fix (xenial and cosmic, for example) logs
  two events (input and netlink) when the sleep button is fired:

  $ cat /home/ubuntu/acpi-event.log
  1=button/sleep 2=SBTN
  1=button/sleep 2=LNXSLPBN:00

  The bionic kernel, instead, is logging only one event (input, netlink
  is lost):

  $ cat /home/ubuntu/acpi-event.log
  1=button/sleep 2=SBTN

  [Fix]

  Fix that solves this problem:

  https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91874ecf32e41b5d86a4cb9d60e0bee50d828058

  [Regression Potential]

  Upstream fix, tested on the affected platform, all other kernel
  releases have this fix applied already, so regression potential is
  minimal.
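
The masking problem described under [Impact], as an added userspace illustration (not part of the bug report and not kernel code). The function names, the constructed group bitmap and the explicit shift-count wrapping, which models a CPU that uses only the low 6 bits of a 64-bit shift count, are assumptions.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: model a CPU that masks a 64-bit shift count to its low
 * 6 bits, so a shift by 64 behaves like a shift by 0. In C a shift by
 * >= the type width is undefined, so the wrap is written out here to
 * keep this program well-defined. */
static uint64_t shl_wrapping(uint64_t v, unsigned int count)
{
    return v << (count & 63);
}

/* Unguarded check (hypothetical name): mask built as (1 << ngroups) - 1.
 * With ngroups == 64 the mask collapses to 0 and every requested
 * group is silently dropped. */
static uint64_t filter_groups_unguarded(uint64_t groups, unsigned int ngroups)
{
    return groups & (shl_wrapping(1, ngroups) - 1);
}

/* Guarded check (hypothetical name): build the mask only when the
 * shift count is narrower than the bitmap type. */
static uint64_t filter_groups_guarded(uint64_t groups, unsigned int ngroups)
{
    if (ngroups == 0)
        return 0;                        /* no groups exist at all */
    if (ngroups < 8 * sizeof(groups))
        groups &= (UINT64_C(1) << ngroups) - 1;
    return groups;                       /* >= 64 groups: every bit is valid */
}

int main(void)
{
    const uint64_t requested = 0x5;      /* constructed sample: groups 1 and 3 */
    const unsigned int counts[] = { 0, 2, 32, 64 };

    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++)
        printf("ngroups=%2u unguarded=0x%" PRIx64 " guarded=0x%" PRIx64 "\n",
               counts[i],
               filter_groups_unguarded(requested, counts[i]),
               filter_groups_guarded(requested, counts[i]));
    return 0;
}
```
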
