** Information type changed from Private Security to Public Security

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-0038
** Also affects: linux-lts-saucy (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-raring (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: linux (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-raring (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Also affects: linux-lts-saucy (Ubuntu Precise)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu Precise)
       Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Precise)
       Status: New => Fix Released

** Changed in: linux-lts-raring (Ubuntu Saucy)
       Status: New => Invalid

** Changed in: linux-lts-raring (Ubuntu Trusty)
       Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Precise)
       Status: New => Fix Released

** Changed in: linux-lts-saucy (Ubuntu Saucy)
       Status: New => Invalid

** Changed in: linux-lts-saucy (Ubuntu Trusty)
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1274349

Title:
  Fix-compat_sys_recvmsg-on-x32-archs

Status in “linux” package in Ubuntu: Incomplete
Status in “linux-lts-raring” package in Ubuntu: Invalid
Status in “linux-lts-saucy” package in Ubuntu: Invalid
Status in “linux” source package in Precise: Invalid
Status in “linux-lts-raring” source package in Precise: Fix Released
Status in “linux-lts-saucy” source package in Precise: Fix Released
Status in “linux” source package in Saucy: Fix Released
Status in “linux-lts-raring” source package in Saucy: Invalid
Status in “linux-lts-saucy” source package in Saucy: Invalid
Status in “linux” source package in Trusty: Incomplete
Status in “linux-lts-raring” source package in Trusty: Invalid
Status in “linux-lts-saucy” source package in Trusty: Invalid

Bug description:
  Reported by pageexec

    asmlinkage long compat_sys_recvmmsg(int fd, struct compat_mmsghdr __user *mmsg,
                                        unsigned int vlen, unsigned int flags,
                                        struct compat_timespec __user *timeout)
    {
        int datagrams;
        struct timespec ktspec;

        if (flags & MSG_CMSG_COMPAT)
            return -EINVAL;

        if (COMPAT_USE_64BIT_TIME)
            return __sys_recvmmsg(fd, (struct mmsghdr __user *)mmsg, vlen,
                                  flags | MSG_CMSG_COMPAT,
                                  (struct timespec *) timeout);
        /*...*/

  The timeout pointer parameter is provided by userland (hence the __user
  annotation) but for x32 syscalls it's simply cast to a kernel pointer and
  is passed to __sys_recvmmsg which will eventually directly dereference it
  for both reading and writing. Other callers to __sys_recvmmsg properly copy
  from userland to the kernel first.

  The impact is a sort of arbitrary kernel write-where-what primitive by
  unprivileged users where the to-be-written area must contain valid timespec
  data initially (the first 64 bit long field must be positive and the second
  one must be < 1G).
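A user-space model of the defect described above and of the copy-in/copy-out pattern the report says the other __sys_recvmmsg callers use. This is an added example, not kernel code and not taken from the bug report or from the upstream fix. The two static arenas standing in for the user and kernel address ranges, the model_access_ok/model_copy_from_user/model_copy_to_user helpers, and the constructed "one datagram after one second" behaviour are assumptions made for this example; core_recvmmsg stands in for __sys_recvmmsg, including the timespec validity rule the report mentions (seconds non-negative, nanoseconds below 1G).

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model, not kernel code: two static arenas stand in for the user
 * and kernel address ranges so the pointer checks can run in a normal process. */
#define NSEC_PER_SEC 1000000000L

struct ktimespec { long tv_sec; long tv_nsec; };

static struct ktimespec user_arena[8];    /* addresses a process may hand in */
static struct ktimespec kernel_arena[8];  /* addresses userland must never reach */

/* access_ok() stand-in: the whole object must lie inside the user arena. */
static int model_access_ok(const void *p, size_t n)
{
    uintptr_t a = (uintptr_t)p, lo = (uintptr_t)user_arena, hi = lo + sizeof user_arena;
    return a >= lo && a < hi && n <= hi - a;
}

/* copy_from_user()/copy_to_user() stand-ins: 0 on success, -EFAULT otherwise. */
static int model_copy_from_user(void *dst, const void *usrc, size_t n)
{
    if (!model_access_ok(usrc, n)) return -EFAULT;
    memcpy(dst, usrc, n);
    return 0;
}

static int model_copy_to_user(void *udst, const void *src, size_t n)
{
    if (!model_access_ok(udst, n)) return -EFAULT;
    memcpy(udst, src, n);
    return 0;
}

/* Validity rule the report mentions: seconds non-negative, nanoseconds below 1G. */
static int timespec_valid(const struct ktimespec *ts)
{
    return ts->tv_sec >= 0 && ts->tv_nsec >= 0 && ts->tv_nsec < NSEC_PER_SEC;
}

/* Stand-in for __sys_recvmmsg: expects a KERNEL pointer, validates the data and
 * writes the remaining time back through it. One datagram is modelled as
 * arriving after exactly one second (constructed). Returns the datagram count. */
static int core_recvmmsg(struct ktimespec *timeout)
{
    if (timeout) {
        if (!timespec_valid(timeout)) return -EINVAL;
        if (timeout->tv_sec > 0) timeout->tv_sec -= 1; else timeout->tv_nsec = 0;
    }
    return 1;
}

/* Defective pattern from the report: the user-supplied pointer is cast and
 * handed straight to the core, which dereferences it for read and write. */
static int compat_recvmmsg_unchecked(struct ktimespec *user_timeout)
{
    return core_recvmmsg((struct ktimespec *)user_timeout);
}

/* Hardened pattern: copy in, operate on a kernel-side copy, copy out. */
static int compat_recvmmsg_checked(struct ktimespec *user_timeout)
{
    struct ktimespec kts;
    int datagrams;

    if (!user_timeout) return core_recvmmsg(NULL);
    if (model_copy_from_user(&kts, user_timeout, sizeof kts)) return -EFAULT;
    datagrams = core_recvmmsg(&kts);
    if (datagrams > 0 && model_copy_to_user(user_timeout, &kts, sizeof kts))
        datagrams = -EFAULT;
    return datagrams;
}

/* Scenario: the "user" pointer targets kernel memory holding valid timespec data. */
int demo_kernel_pointer_unchecked(void)
{
    kernel_arena[0].tv_sec = 5; kernel_arena[0].tv_nsec = 0;
    compat_recvmmsg_unchecked(&kernel_arena[0]);
    return (int)kernel_arena[0].tv_sec;   /* 4: kernel memory was rewritten */
}

int demo_kernel_pointer_checked(void)
{
    kernel_arena[0].tv_sec = 5; kernel_arena[0].tv_nsec = 0;
    int rc = compat_recvmmsg_checked(&kernel_arena[0]);
    return rc == -EFAULT && kernel_arena[0].tv_sec == 5;   /* 1: rejected, untouched */
}

/* Scenario: a genuine user pointer; the remaining time is copied back to it. */
int demo_user_pointer_checked(void)
{
    user_arena[0].tv_sec = 5; user_arena[0].tv_nsec = 0;
    int n = compat_recvmmsg_checked(&user_arena[0]);
    return n == 1 && user_arena[0].tv_sec == 4;   /* 1 */
}

/* Scenario: user memory that is not a valid timespec is refused, not used. */
int demo_invalid_timespec_checked(void)
{
    user_arena[0].tv_sec = 5; user_arena[0].tv_nsec = NSEC_PER_SEC;
    return compat_recvmmsg_checked(&user_arena[0]);   /* -EINVAL */
}

int main(void)
{
    printf("unchecked/kernel ptr tv_sec=%d  checked/kernel ptr ok=%d  checked/user ptr ok=%d  invalid=%d\n",
           demo_kernel_pointer_unchecked(), demo_kernel_pointer_checked(),
           demo_user_pointer_checked(), demo_invalid_timespec_checked());
    return 0;
}
```

The point the scenarios make is the one the report makes: once a __user pointer is cast away, every later read and write in the core path happens at an address chosen by the caller, and the only thing standing between that and a kernel write is whether the bytes there happen to look like a valid timespec. Copying into a kernel-side struct first moves the address check to the boundary, so a pointer outside the user range fails with -EFAULT before anything is touched, and invalid data fails with -EINVAL on the copy rather than on live memory.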
  The bug was introduced by commit http://git.kernel.org/linus/ee4fa23c4b
  (other uses of COMPAT_USE_64BIT_TIME seem fine) and should affect all
  kernels since 3.4 (and perhaps vendor kernels if they backported x32
  support along with this code). Note that CONFIG_X86_X32_ABI gets enabled
  at build time and only if CONFIG_X86_X32 is enabled and ld can build x32
  executables.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1274349/+subscriptions