*** This bug is a security vulnerability *** Public security bug reported:
[Impact]

Vitaly Nikolenko pointed out that syscall(__NR_clock_gettime, 10, 0) can
be used to perform a denial of service (system crash) or possibly
execute arbitrary code in the Ubuntu Xenial kernel:

  https://twitter.com/vnik5287/status/1180666151216435200

[Test Case]

Execute the following test program and verify that it prints out
"clock_gettime: Invalid argument" rather than triggering a NULL pointer
dereference and stack trace in the kernel logs.

==========
#include <stdio.h>
#include <time.h>

int main(void)
{
	int rc = clock_gettime(10, 0);

	if (rc < 0)
		perror("clock_gettime");

	return rc;
}
==========

[Regression Potential]

Low. The fix is easy to review and fixes a denial of service issue
that's trivial to trigger.

** Affects: linux (Ubuntu)
     Importance: Undecided
         Status: Invalid

** Affects: linux (Ubuntu Xenial)
     Importance: Medium
       Assignee: Tyler Hicks (tyhicks)
         Status: In Progress

** Also affects: linux (Ubuntu Xenial)
     Importance: Undecided
         Status: New

** Changed in: linux (Ubuntu Xenial)
         Status: New => In Progress

** Changed in: linux (Ubuntu Xenial)
       Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Changed in: linux (Ubuntu Xenial)
     Importance: Undecided => Medium

** Changed in: linux (Ubuntu)
         Status: In Progress => Invalid

** Changed in: linux (Ubuntu)
       Assignee: Tyler Hicks (tyhicks) => (unassigned)

--
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux in Ubuntu.
https://bugs.launchpad.net/bugs/1847189

Title:
  Bad posix clock speculation mitigation backport

Status in linux package in Ubuntu:
  Invalid
Status in linux source package in Xenial:
  In Progress