This bug was fixed in the package linux - 3.13.0-101.148

---------------
linux (3.13.0-101.148) trusty; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635430

  * [arm64] nova instances can't boot with 3.13.0-92 (LP: #1608854)
    - Revert "efi: Disable interrupts around EFI calls, not in the epilog/prolog calls"
    - Revert "x86/efi: Use all 64 bit of efi_memmap in setup_e820()"
    - Revert "x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr"
    - Revert "efivarfs: Ensure VariableName is NUL-terminated"
    - Revert "efi/libstub: Fix boundary checking in efi_high_alloc()"
    - Revert "arm64: efi: only attempt efi map setup if booting via EFI"
    - Revert "UBUNTU: arm64: Implement efi_enabled()"
    - Revert "efi/arm64: ignore dtb= when UEFI SecureBoot is enabled"
    - Revert "doc: arm64: add description of EFI stub support"
    - Revert "UBUNTU: Move get_dram_base to arm private file"
    - Revert "arm64: efi: add EFI stub"
    - Revert "arm64: add EFI runtime services"
    - Revert "efi: Add shared FDT related functions for ARM/ARM64"
    - Revert "efi: add helper function to get UEFI params from FDT"
    - Revert "doc: efi-stub.txt updates for ARM"
    - Revert "efi: Add get_dram_base() helper function"
    - Revert "efi: create memory map iteration helper"
    - Revert "x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup()"
    - Revert "firmware: Do not use WARN_ON(!spin_is_locked())"
    - Revert "efi-pstore: Fix an overflow on 32-bit builds"
    - Revert "x86/efi: Fix 32-bit fallout"
    - Revert "x86/efi: Check krealloc return value"
    - Revert "x86/efi: Runtime services virtual mapping"
    - Revert "x86/efi: Fix off-by-one bug in EFI Boot Services reservation"
    - x86/efi: Simplify EFI_DEBUG
    - x86/efi: Runtime services virtual mapping
    - x86/efi: Check krealloc return value
    - SAUCE: Merge tag 'efi-next' of git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/efi
    - doc: Fix trivial spelling mistake in efi-stub.txt
    - x86/efi: Remove unused variables in __map_region()
    - x86/efi: Add a wrapper function efi_map_region_fixed()
    - x86/efi: Fix off-by-one bug in EFI Boot Services reservation
    - x86/efi: Cleanup efi_enter_virtual_mode() function
    - efi: Export more EFI table variables to sysfs
    - [Config] CONFIG_EFI_RUNTIME_MAP=y
    - efi: Export EFI runtime memory mapping to sysfs
    - x86/efi: Pass necessary EFI data for kexec via setup_data
    - x86/efi: Delete superfluous global variables
    - x86/efi: parse_efi_setup() build fix
    - SAUCE: Merge tag 'v3.13-rc7' into x86/efi-kexec to resolve conflicts
    - x86/efi: Allow mapping BGRT on x86-32
    - x86/efi: Fix 32-bit fallout
    - x86/efi: Check status field to validate BGRT header
    - x86/efi: Quirk out SGI UV
    - v3.14 - Bacported EFI up to v3.14
    - efi: Move facility flags to struct efi
    - efi: Set feature flags inside feature init functions
    - efivarfs: 'efivarfs_file_write' function reorganization
    - x86/efi: Delete out-of-date comments of efi_query_variable_store
    - x86/efi: Style neatening
    - x86/efi: Dump the EFI page table
    - x86, pageattr: Export page unmapping interface
    - x86/efi: Make efi virtual runtime map passing more robust
    - x86/efi: Split efi_enter_virtual_mode
    - ia64/efi: Implement efi_enabled()
    - efi: Use NULL instead of 0 for pointer
    - x86, tools: Consolidate #ifdef code
    - x86/efi: Delete dead code when checking for non-native
    - efi: Add separate 32-bit/64-bit definitions
    - x86/efi: Build our own EFI services pointer table
    - x86/efi: Add early thunk code to go from 64-bit to 32-bit
    - x86/efi: Firmware agnostic handover entry points
    - [Config] CONFIG_EFI_MIXED=y
    - x86/efi: Wire up CONFIG_EFI_MIXED
    - x86/efi: Re-disable interrupts after calling firmware services
    - SAUCE: Merge remote-tracking branch 'tip/x86/efi-mixed' into efi-for-mingo
    - x86, tools: Fix up compiler warnings
    - x86/efi: Preserve segment registers in mixed mode
    - x86/efi: Rip out phys_efi_get_time()
    - x86/efi: Restore 'attr' argument to query_variable_info()
    - SAUCE: merge with v3.15
    - fs/efivarfs/super.c: use static const for dentry_operations
    - SAUCE: merge with v3.16
    - efi: efi-stub-helper cleanup
    - efi: create memory map iteration helper
    - efi: Add shared printk wrapper for consistent prefixing
    - efi: Add get_dram_base() helper function
    - efi: x86: Handle arbitrary Unicode characters
    - x86/efi: Delete most of the efi_call* macros
    - x86/efi: Implement a __efi_call_virt macro
    - x86/efi: Save and restore FPU context around efi_calls (x86_64)
    - x86/efi: Save and restore FPU context around efi_calls (i386)
    - efivars: Use local variables instead of a pointer dereference
    - efivars: Check size of user object
    - efivars: Stop passing a struct argument to efivar_validate()
    - efivars: Refactor sanity checking code into separate function
    - efivars: Add compatibility code for compat tasks
    - doc: efi-stub.txt updates for ARM
    - efi: add helper function to get UEFI params from FDT
    - efi: Add shared FDT related functions for ARM/ARM64
    - [Config] CONFIG_LIBFDT=y
    - arm64: add EFI runtime services
    - arm64: efi: add EFI stub
    - doc: arm64: add description of EFI stub support
    - efi/arm64: ignore dtb= when UEFI SecureBoot is enabled
    - arm64: efi: only attempt efi map setup if booting via EFI
    - efi-pstore: Fix an overflow on 32-bit builds
    - firmware: Do not use WARN_ON(!spin_is_locked())
    - x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup()
    - efivarfs: Ensure VariableName is NUL-terminated
    - x86/efi: Store upper bits of command line buffer address in ext_cmd_line_ptr
    - x86/efi: Use all 64 bit of efi_memmap in setup_e820()
    - efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
    - x86/efi: Fix boot failure with EFI stub
    - x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down
    - efi/libstub: Fix boundary checking in efi_high_alloc()
    - efi: Fix compiler warnings (unused, const, type)
    - efi: fdt: Do not report an error during boot if UEFI is not available
    - efi: Make our variable validation list include the guid
    - lib/ucs2_string: Add ucs2 -> utf8 helper functions
    - efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version
    - efi/reboot: Add generic wrapper around EfiResetSystem()
    - efi/arm64: efistub: remove local copy of linux_banner
    - x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag
    - efi/reboot: Allow powering off machines using EFI
    - efi: Fix error handling in add_sysfs_runtime_map_entry()
    - efi: Small leak on error in runtime map code
    - arm64/efi: map the entire UEFI vendor string before reading it
    - arm64/efi: add missing call to early_ioremap_reset()
    - efi/arm64: Store Runtime Services revision
    - SAUCE: UEFI: Add secure_modules() call
    - SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
    - SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
    - SAUCE: UEFI: ACPI: Limit access to custom_method
    - SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
    - SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
    - SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
    - SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
    - SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
    - [Config] CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y
    - SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode
    - SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
    - SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
    - SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
    - SAUCE: UEFI: Display MOKSBState when disabled
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
    - SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility
    - Revert "x86/efi: Save and restore FPU context around efi_calls (x86_64)"
    - [Config] CONFIG_RTC_DRV_EFI=y

  * proc_keys_show crash when reading /proc/keys (LP: #1634496)
    - KEYS: ensure xbuf is large enough to fix buffer overflow in proc_keys_show (LP: #1634496)

  * [Trusty->Yakkety] powerpc/64: Fix incorrect return value from __copy_tofrom_user (LP: #1632462)
    - SAUCE: (no-up) powerpc/64: Fix incorrect return value from __copy_tofrom_user

  * Ubuntu 16.10: Oops panic in move_page_tables/page_remove_rmap after running memory_stress_ng. (LP: #1628976)
    - SAUCE: (no-up) powerpc/pseries: Fix stack corruption in htpe code

  * sha1-powerpc returning wrong results (LP: #1629977)
    - crypto: sha1-powerpc - little-endian support

  * linux: Implement secure boot state variables (LP: #1593075)
    - SAUCE: UEFI: Add secure boot and MOK SB State disabled sysctl
    - SAUCE: UEFI: Set EFI_SECURE_BOOT bit in x86_efi_facility

  * linux: MokSBState is ignored (LP: #1571691)
    - SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
    - SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
    - SAUCE: UEFI: Display MOKSBState when disabled

  * linux: Enforce signed module loading when UEFI secure boot (LP: #1566221)
    - SAUCE: UEFI: Add secure_modules() call
    - SAUCE: UEFI: PCI: Lock down BAR access when module security is enabled
    - SAUCE: UEFI: x86: Lock down IO port access when module security is enabled
    - SAUCE: UEFI: ACPI: Limit access to custom_method
    - SAUCE: UEFI: asus-wmi: Restrict debugfs interface when module loading is restricted
    - SAUCE: UEFI: Restrict /dev/mem and /dev/kmem when module loading is restricted
    - SAUCE: UEFI: acpi: Ignore acpi_rsdp kernel parameter when module loading is restricted
    - SAUCE: UEFI: kexec: Disable at runtime if the kernel enforces module loading restrictions
    - SAUCE: UEFI: x86: Restrict MSR access when module loading is restricted
    - SAUCE: UEFI: Add option to automatically enforce module signatures when in Secure Boot mode
    - SAUCE: UEFI: efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI
    - SAUCE: UEFI MODSIGN: Import certificates from UEFI Secure Boot
    - SAUCE: UEFI: efi: Disable secure boot if shim is in insecure mode
    - SAUCE: UEFI: Display MOKSBState when disabled

  * Utopic update to 3.16.7-ckt5 stable release (LP: #1419125)
    - arm64/efi: add missing call to early_ioremap_reset()

  * Trusty update to 3.16.7-ckt17 stable release (LP: #1500484)
    - arm64/efi: map the entire UEFI vendor string before reading it

  * Utopic update to 3.16.7-ckt8 stable release (LP: #1434595)
    - efi: Small leak on error in runtime map code

  * Utopic update to 3.16.7-ckt12 stable release (LP: #1465613)
    - efi/reboot: Add generic wrapper around EfiResetSystem()
    - x86/reboot: Add EFI reboot quirk for ACPI Hardware Reduced flag
    - efi/reboot: Allow powering off machines using EFI
    - efi: Fix error handling in add_sysfs_runtime_map_entry()

  * Trusty update to 3.16.7-ckt26 stable release (LP: #1563345)
    - efi: Make our variable validation list include the guid
    - lib/ucs2_string: Add ucs2 -> utf8 helper functions
    - efi: Use ucs2_as_utf8 in efivarfs instead of open coding a bad version

  * Utopic update to 3.16.7-ckt9 stable release (LP: #1441317)
    - efi/libstub: Fix boundary checking in efi_high_alloc()

  * Trusty update to 3.16.7-ckt19 stable release (LP: #1514911)
    - x86/efi: Fix boot crash by mapping EFI memmap entries bottom-up at runtime, instead of top-down

  * Boot failure with EFI stub (LP: #1603476)
    - x86/efi: Fix boot failure with EFI stub

  * Trusty update to v3.13.11-ckt33 stable release (LP: #1538756)
    - efi: Disable interrupts around EFI calls, not in the epilog/prolog calls

  * Trusty update to 3.13.11-ckt26 stable release (LP: #1493305)
    - x86/efi: Use all 64 bit of efi_memmap in setup_e820()

  * Trusty update to v3.13.11.9 stable release (LP: #1381234)
    - x86, ia64: Move EFI_FB vga_default_device() initialization to pci_vga_fixup()

  * CVE-2015-7833
    - usbvision: revert commit 588afcc1

  * CVE-2014-9904
    - ALSA: compress: fix an integer overflow check

  * CVE-2015-3288
    - mm: avoid setting up anonymous pages into file mapping

  * CVE-2016-3961 (LP: #1571020)
    - mm: hugetlb: allow hugepages_supported to be architecture specific
    - s390/hugetlb: add hugepages_supported define
    - x86/mm/xen: Suppress hugetlbfs in PV guests

 -- Seth Forshee <seth.fors...@canonical.com>  Thu, 20 Oct 2016 16:50:48 -0500

** Changed in: linux (Ubuntu Trusty)
       Status: Fix Committed => Fix Released

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2014-9904

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2015-3288

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2016-3961

-- 
You received this bug notification because you are a member of Kernel Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1634496

Title:
  proc_keys_show crash when reading /proc/keys

Status in Linux:
  Unknown
Status in linux package in Ubuntu:
  In Progress
Status in linux source package in Precise:
  Fix Released
Status in linux source package in Trusty:
  Fix Released
Status in linux source package in Vivid:
  Fix Committed
Status in linux source package in Xenial:
  Fix Committed
Status in linux source package in Yakkety:
  Fix Committed

Bug description:
  Running stress-ng /proc test trips the following crash:

  [ 5315.044206] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff8956b1ae
  [ 5315.044206]
  [ 5315.044883] CPU: 0 PID: 4820 Comm: Tainted: P OE 4.8.0-25-generic #27-Ubuntu
  [ 5315.045361] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014
  [ 5315.045911] 0000000000000086 00000000b337622b ffff8fe574f37c78 ffffffff8962f5d2
  [ 5315.046371] 00000000b3405b00 ffffffff89e83530 ffff8fe574f37d00 ffffffff8939e71c
  [ 5315.046841] ffff8fe500000010 ffff8fe574f37d10 ffff8fe574f37ca8 00000000b337622b
  [ 5315.047305] Call Trace:
  [ 5315.047457] [<ffffffff8962f5d2>] dump_stack+0x63/0x81
  [ 5315.047763] [<ffffffff8939e71c>] panic+0xe4/0x226
  [ 5315.048049] [<ffffffff8956b1ae>] ? proc_keys_show+0x3ce/0x3d0
  [ 5315.048398] [<ffffffff89282b89>] __stack_chk_fail+0x19/0x30
  [ 5315.048735] [<ffffffff8956b1ae>] proc_keys_show+0x3ce/0x3d0
  [ 5315.049072] [<ffffffff895686b0>] ? key_validate+0x50/0x50
  [ 5315.049396] [<ffffffff89565d70>] ? key_default_cmp+0x20/0x20
  [ 5315.049737] [<ffffffff89459832>] seq_read+0x102/0x3c0
  [ 5315.050042] [<ffffffff894a6302>] proc_reg_read+0x42/0x70
  [ 5315.050363] [<ffffffff89432448>] __vfs_read+0x18/0x40
  [ 5315.050674] [<ffffffff89432ba6>] vfs_read+0x96/0x130
  [ 5315.050977] [<ffffffff89434085>] SyS_read+0x55/0xc0
  [ 5315.051275] [<ffffffff89a9f076>] entry_SYSCALL_64_fastpath+0x1e/0xa8
  [ 5315.051735] Kernel Offset: 0x8200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
  [ 5315.052563] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff8956b1ae
  [ 5315.052563]

  "The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file."

  Fix detailed in: https://bugzilla.redhat.com/show_bug.cgi?id=1373966

  see: https://bugzilla.redhat.com/attachment.cgi?id=1200212&action=diff
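
The sizing problem named in the CVE text above (a fixed buffer too small for "certain timeout data"), modelled in user space as an added example; it is not the kernel's code or the fix referenced in the report. The unit-suffix formatter, the function names and the 12-byte size are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

#define SMALL_BUF 12 /* illustrative size, an assumption of this example */

/* Hypothetical formatter (user-space model, not kernel code): renders a
 * timeout in seconds as a count plus a unit suffix. It uses snprintf, so
 * it never writes past cap. Returns the length the full string needs
 * (excluding NUL); a return value >= cap means the output was truncated. */
static int format_timeout(char *buf, size_t cap, uint64_t timo)
{
    static const struct { uint64_t limit, div; char unit; } steps[] = {
        { 60, 1, 's' }, { 3600, 60, 'm' }, { 86400, 3600, 'h' },
        { 604800, 86400, 'd' },
    };
    for (size_t i = 0; i < sizeof steps / sizeof steps[0]; i++)
        if (timo < steps[i].limit)
            return snprintf(buf, cap, "%llu%c",
                            (unsigned long long)(timo / steps[i].div),
                            steps[i].unit);
    return snprintf(buf, cap, "%lluw", (unsigned long long)(timo / 604800));
}

/* Bytes needed (including NUL) for the longest output any 64-bit input
 * can produce; size the destination from this, not from typical values. */
static size_t worst_case_size(void)
{
    return (size_t)format_timeout(NULL, 0, UINT64_MAX) + 1;
}

/* 1 if timo fits in cap bytes; 0 if an unbounded sprintf would overrun. */
static int fits(size_t cap, uint64_t timo)
{
    return (size_t)format_timeout(NULL, 0, timo) < cap;
}

int main(void)
{
    char out[32];
    /* Constructed sample timeouts, in seconds. */
    uint64_t samples[] = { 59, 3 * 86400, 52 * 604800ULL, UINT64_MAX };
    for (size_t i = 0; i < 4; i++) {
        format_timeout(out, sizeof out, samples[i]);
        printf("%-16s fits in %d bytes: %s\n", out, SMALL_BUF,
               fits(SMALL_BUF, samples[i]) ? "yes" : "NO");
    }
    printf("worst case needs %zu bytes\n", worst_case_size());
    return 0;
}
```

Everyday timeouts fit the small buffer, which is why a bug of this kind passes ordinary testing and only shows up under a stress test or a deliberately large value.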