This has been assigned CVE-2016-3135 ( http://www.openwall.com/lists /oss-security/2016/03/14/1 ).
** CVE added: http://www.cve.mitre.org/cgi- bin/cvename.cgi?name=2016-3135 -- You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu. https://bugs.launchpad.net/bugs/1555353 Title: integer overflow in xt_alloc_table_info Status in linux package in Ubuntu: Fix Committed Status in linux source package in Wily: Fix Committed Status in linux source package in Xenial: Fix Committed Bug description: [Impact] [From https://code.google.com/p/google-security-research/issues/detail?id=758 ] A recent refactoring cof this codepath (https://github.com/torvalds/linux/commit/2e4e6a17af35be359cc8f1c924f8f198fbd478cc) introduced an integer overflow in xt_alloc_table_info, which on 32-bit systems can lead to small structure allocation and a copy_from_user based heap corruption. More specifically, the overflow may have been introduced in https://github.com/torvalds/linux/commit/711bdde6a884354ddae8da2fcb495b2a9364cc90 ; specifically the bit: + size_t sz = sizeof(*info) + size; (where size is an unsigned int passed from userspace). This issue should only affect 32bit platforms (xt_table_info.size is an unsigned int). [Fix] Upstream proposed fix: http://marc.info/?l=netfilter-devel&m=145757136822750&w=2 [Test Case] Download v4 code from: https://code.google.com/p/google-security-research/issues/detail?id=758 gcc *v4.c -o v4 ./v4 Your machine should _not_ crash. This only affects 32-bit kernels To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1555353/+subscriptions -- Mailing list: https://launchpad.net/~kernel-packages Post to : kernel-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~kernel-packages More help : https://help.launchpad.net/ListHelp
