Public bug reported:

[Impact]

The check for correctness of the netlink_bind() userspace-supplied
parameter is done by applying a bitmask made from an ngroups shift.
However, if we have more than 64 groups, the shift results in an
overflow, causing incorrect validation of the netlink_bind() parameters.

This has been fixed upstream:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91874ecf32e41b5d86a4cb9d60e0bee50d828058

And this fix has been applied to xenial, cosmic and disco (apparently
only bionic is missing it).

[Test Case]

I've been able to reproduce this problem using a script with acpid to
handle ACPI hibernate events. The script is the following:

$ cat /etc/acpi/actions/sleep.sh
#!/bin/sh
echo "1=$1 2=$2" >> /home/ubuntu/acpi-event.log

Any kernel that has the fix (xenial and cosmic, for example) logs two
events (input and netlink) when the sleep button is fired:

$ cat /home/ubuntu/acpi-event.log
1=button/sleep 2=SBTN
1=button/sleep 2=LNXSLPBN:00

The bionic kernel, instead, logs only one event (input; the netlink one
is lost):

$ cat /home/ubuntu/acpi-event.log
1=button/sleep 2=SBTN

[Fix]

Fix that solves this problem:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=91874ecf32e41b5d86a4cb9d60e0bee50d828058

[Regression Potential]

Upstream fix, tested on the affected platform; all other kernel releases
already have this fix applied, so regression potential is minimal.

** Affects: linux (Ubuntu)
     Importance: High
     Assignee: Andrea Righi (arighi)
         Status: New

** Affects: linux (Ubuntu Bionic)
     Importance: High
     Assignee: Andrea Righi (arighi)
         Status: New

** Also affects: linux (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Changed in: linux (Ubuntu)
   Importance: Undecided => High

** Changed in: linux (Ubuntu Bionic)
   Importance: Undecided => High

** Changed in: linux (Ubuntu)
     Assignee: (unassigned) => Andrea Righi (arighi)

** Changed in: linux (Ubuntu Bionic)
     Assignee: (unassigned) => Andrea Righi (arighi)
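
The mask clipping described under [Impact], as an added userspace C
example: it is not the kernel's netlink_bind() and not the linked patch,
and clip_groups_unfixed(), clip_groups_fixed(), group_subscribed() and
the local BITS_PER_LONG macro are hypothetical names chosen here. It
shows why a mask built as (1UL << ngroups) - 1 stops working once
ngroups reaches the width of unsigned long: the shift count then equals
the type width, which C leaves undefined, and on x86-64 the hardware
reduces the count modulo 64, so the mask collapses to 0 and a listener's
requested multicast group is silently dropped (which is what a netlink
listener such as acpid would observe as a lost event). The hardened
variant only shifts when the count is in range; the authoritative kernel
change is the upstream commit linked above.

```c
#include <limits.h>
#include <stdio.h>

/*
 * Added example modelling the group-mask clipping described in the
 * bug report.  This is not the kernel's netlink_bind() and not the
 * linked patch; the names below are hypothetical.
 *
 * A netlink socket can be a member of up to ngroups multicast groups,
 * tracked as bits of an unsigned long.  bind() must clip the bitmask the
 * caller supplies to the groups that actually exist on that family.
 */
#define BITS_PER_LONG ((unsigned)(sizeof(unsigned long) * CHAR_BIT))

/* True when (1UL << ngroups) would shift by the full type width or more,
 * which C leaves undefined. */
int mask_shift_is_undefined(unsigned ngroups)
{
    return ngroups >= BITS_PER_LONG;
}

/*
 * Unfixed clipping, as the bug describes: no range check on the shift.
 * For ngroups == BITS_PER_LONG this is undefined behaviour; x86-64 reduces
 * the shift count modulo 64, so 1UL << 64 evaluates to 1 and the mask
 * becomes 0, silently dropping every group the caller asked for.  Kept
 * only for comparison; never call it with an out-of-range ngroups.
 */
unsigned long clip_groups_unfixed(unsigned long requested, unsigned ngroups)
{
    volatile unsigned n = ngroups;  /* defeat constant folding of the shift */
    return requested & ((1UL << n) - 1);
}

/*
 * Hardened clipping: shift only when the count is inside the type width.
 * With ngroups == BITS_PER_LONG every bit of the mask is a valid group and
 * there is nothing to clip, so the request is returned unchanged.
 */
unsigned long clip_groups_fixed(unsigned long requested, unsigned ngroups)
{
    if (ngroups == 0)
        return 0;
    if (ngroups < BITS_PER_LONG)
        return requested & ((1UL << ngroups) - 1);
    return requested;
}

/* Does the clipped mask still carry multicast group `group` (1-based, as
 * netlink numbers groups)?  This is what a listener such as acpid relies on. */
int group_subscribed(unsigned long clipped, unsigned group)
{
    if (group == 0 || group > BITS_PER_LONG)
        return 0;
    return (int)((clipped >> (group - 1)) & 1UL);
}

int main(void)
{
    /* Constructed input: a listener asks for multicast group 1 (bit 0),
     * first on a family with 32 groups, then on one with 64. */
    const unsigned long requested = 1UL << 0;
    const unsigned cases[] = { 32, 64 };

    for (unsigned i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned ngroups = cases[i];
        unsigned long fixed = clip_groups_fixed(requested, ngroups);

        printf("ngroups=%u fixed mask=%#lx group 1 subscribed=%d\n",
               ngroups, fixed, group_subscribed(fixed, 1));
        if (mask_shift_is_undefined(ngroups))
            printf("  unfixed mask: shift by %u on a %u-bit long is undefined\n",
                   ngroups, BITS_PER_LONG);
        else
            printf("  unfixed mask=%#lx\n",
                   clip_groups_unfixed(requested, ngroups));
    }
    return 0;
}
```

The program deliberately never evaluates the unfixed mask when ngroups
equals the word width, because that result is undefined and the value a
given compiler happens to produce is not something to build a check on;
the point is that the range test has to come before the shift, not after.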

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1831103

Title:
  bionic: netlink: potential shift overflow in netlink_bind()

Status in linux package in Ubuntu:
  New
Status in linux source package in Bionic:
  New


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1831103/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp
