[Kernel-packages] [Bug 1316729] Re: CVE-2014-1737

Mon, 26 May 2014 08:14:31 -0700 

This bug was fixed in the package linux-lts-quantal -
3.5.0-51.76~precise1

---------------
linux-lts-quantal (3.5.0-51.76~precise1) precise; urgency=low

  [ Brad Figg ]

  * Revert "rtlwifi: Set the link state"

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - re-used previous tracking bug

linux (3.5.0-51.75) quantal; urgency=low

  [ Kamal Mostafa ]

  * Merged back Ubuntu-3.5.0-49.74 security release
  * Revert "n_tty: Fix n_tty_write crash when echoing in raw mode"
    - LP: #1314762
  * Release Tracking Bug
    - LP: #1317333

  [ Upstream Kernel Changes ]

  * ipv6: don't set DST_NOCOUNT for remotely added routes
    - LP: #1293726
    - CVE-2014-2309
  * vhost: fix total length when packets are too short
    - LP: #1312984
    - CVE-2014-0077
  * n_tty: Fix n_tty_write crash when echoing in raw mode
    - LP: #1314762
    - CVE-2014-0196
  * floppy: ignore kernel-only members in FDRAWCMD ioctl input
    - LP: #1316729
    - CVE-2014-1737
  * floppy: don't write kernel-only members to FDRAWCMD ioctl output
    - LP: #1316735
    - CVE-2014-1738

linux (3.5.0-50.74) quantal; urgency=low

  [ Joseph Salisbury ]

  * Release Tracking Bug
    - LP: #1313852

  [ Upstream Kernel Changes ]

  * rds: prevent dereference of a NULL device in rds_iw_laddr_check
    - LP: #1302222
    - CVE-2014-2678
  * vhost: validate vhost_get_vq_desc return value
    - LP: #1298117
    - CVE-2014-0055
  * netfilter: nf_conntrack_dccp: fix skb_header_pointer API usages
    - LP: #1295090
    - CVE-2014-2523
  * ALSA: oxygen: Xonar DG(X): capture from I2S channel 1, not 2
    - LP: #1310783
  * ALSA: oxygen: Xonar DG(X): modify DAC routing
    - LP: #1310783
  * mac80211: fix AP powersave TX vs. wakeup race
    - LP: #1310783
  * iwlwifi: dvm: clear IWL_STA_UCODE_INPROGRESS when assoc fails
    - LP: #1310783
  * ath9k: protect tid->sched check
    - LP: #1310783
  * ath9k: Fix ETSI compliance for AR9462 2.0
    - LP: #1310783
  * genirq: Remove racy waitqueue_active check
    - LP: #1310783
  * sched: Fix double normalization of vruntime
    - LP: #1310783
  * cpuset: fix a race condition in __cpuset_node_allowed_softwall()
    - LP: #1310783
  * firewire: net: fix use after free
    - LP: #1310783
  * mwifiex: do not advertise usb autosuspend support
    - LP: #1310783
  * NFS: Fix a delegation callback race
    - LP: #1310783
  * can: flexcan: fix shutdown: first disable chip, then all interrupts
    - LP: #1310783
  * can: flexcan: flexcan_open(): fix error path if flexcan_chip_start()
    fails
    - LP: #1310783
  * tracing: Do not add event files for modules that fail tracepoints
    - LP: #1310783
  * ocfs2: fix quota file corruption
    - LP: #1310783
  * rapidio/tsi721: fix tasklet termination in dma channel release
    - LP: #1310783
  * ALSA: usb-audio: Add quirk for Logitech Webcam C500
    - LP: #1310783
  * drm/radeon: TTM must be init with cpu-visible VRAM, v2
    - LP: #1310783
  * drm/radeon/atom: select the proper number of lanes in transmitter setup
    - LP: #1310783
  * powerpc: Align p_dyn, p_rela and p_st symbols
    - LP: #1310783
  * libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for Seagate Momentus
    SpinPoint M8 (2BA30001)
    - LP: #1310783
  * usb: Add device quirk for Logitech HD Pro Webcams C920 and C930e
    - LP: #1310783
  * usb: Make DELAY_INIT quirk wait 100ms between Get Configuration
    requests
    - LP: #1310783
  * ARM: 7991/1: sa1100: fix compile problem on Collie
    - LP: #1310783
  * firewire: don't use PREPARE_DELAYED_WORK
    - LP: #1310783
  * x86: Ignore NMIs that come in during early boot
    - LP: #1310783
  * x86: fix compile error due to X86_TRAP_NMI use in asm files
    - LP: #1310783
  * virtio-net: alloc big buffers also when guest can receive UFO
    - LP: #1310783
  * tg3: Don't check undefined error bits in RXBD
    - LP: #1310783
  * net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable
    - LP: #1310783
  * usb: dwc3: add support for Merrifield
    - LP: #1310783
  * mac80211: clear sequence/fragment number in QoS-null frames
    - LP: #1310783
  * mwifiex: copy AP's HT capability info correctly
    - LP: #1310783
  * net: unix socket code abuses csum_partial
    - LP: #1310783
  * ibmveth: Fix endian issues with MAC addresses
    - LP: #1310783
  * [SCSI] isci: fix reset timeout handling
    - LP: #1310783
  * [SCSI] isci: correct erroneous for_each_isci_host macro
    - LP: #1310783
  * [SCSI] qla2xxx: Poll during initialization for ISP25xx and ISP83xx
    - LP: #1310783
  * ocfs2 syncs the wrong range...
    - LP: #1310783
  * fs/proc/base.c: fix GPF in /proc/$PID/map_files
    - LP: #1310783
  * vmxnet3: fix netpoll race condition
    - LP: #1310783
  * [SCSI] storvsc: NULL pointer dereference fix
    - LP: #1310783
  * PCI: Enable INTx in pci_reenable_device() only when MSI/MSI-X not
    enabled
    - LP: #1310783
  * KVM: SVM: fix cr8 intercept window
    - LP: #1310783
  * drm/ttm: don't oops if no invalidate_caches()
    - LP: #1310783
  * vmxnet3: fix building without CONFIG_PCI_MSI
    - LP: #1310783
  * x86/amd/numa: Fix northbridge quirk to assign correct NUMA node
    - LP: #1310783
  * Btrfs: fix data corruption when reading/updating compressed extents
    - LP: #1310783
  * jiffies: Avoid undefined behavior from signed overflow
    - LP: #1310783
  * ALSA: compress: Pass through return value of open ops callback
    - LP: #1310783
  * acpi-cpufreq: set current frequency based on target P-State
    - LP: #1310783
  * hpfs: deadlock and race in directory lseek()
    - LP: #1310783
  * intel_idle: Check cpu_idle_get_driver() for NULL before dereferencing
    it.
    - LP: #1310783
  * ipc/msg: fix race around refcount
    - LP: #1310783
  * Input: synaptics - add manual min/max quirk
    - LP: #1310783
  * Input: synaptics - add manual min/max quirk for ThinkPad X240
    - LP: #1310783
  * x86: fix boot on uniprocessor systems
    - LP: #1310783
  * staging: speakup: Prefix externally-visible symbols
    - LP: #1310783
  * ext4: atomically set inode->i_flags in ext4_set_inode_flags()
    - LP: #1310783
  * deb-pkg: Fix cross-building linux-headers package
    - LP: #1310783
  * x86: bpf_jit: support negative offsets
    - LP: #1310783
  * p54: clamp properly instead of just truncating
    - LP: #1310783
  * ALSA: hda/realtek - Avoid invalid COEFs for ALC271X
    - LP: #1310783
  * of: Fix address decoding on Bimini and js2x machines
    - LP: #1310783
  * of: fix PCI bus match for PCIe slots
    - LP: #1310783
  * libata: disable LPM for some WD SATA-I devices
    - LP: #1310783
  * mmc: sdhci: fix lockdep error in tuning routine
    - LP: #1310783
  * usb: ehci: add freescale imx28 special write register method
    - LP: #1310783
  * USB: pl2303: fix data corruption on termios updates
    - LP: #1310783
  * Linux 3.5.7.33
    - LP: #1310783
  * net: ipv4: current group_info should be put after using.
    - CVE-2014-2851
 -- Kamal Mostafa <ka...@canonical.com>   Fri, 16 May 2014 09:12:33 -0700

** Changed in: linux-lts-raring (Ubuntu Precise)
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Kernel
Packages, which is subscribed to linux-armadaxp in Ubuntu.
https://bugs.launchpad.net/bugs/1316729

Title:
  CVE-2014-1737

Status in “linux” package in Ubuntu:
  Fix Committed
Status in “linux-armadaxp” package in Ubuntu:
  Invalid
Status in “linux-ec2” package in Ubuntu:
  Invalid
Status in “linux-fsl-imx51” package in Ubuntu:
  Invalid
Status in “linux-lts-backport-maverick” package in Ubuntu:
  New
Status in “linux-lts-backport-natty” package in Ubuntu:
  New
Status in “linux-lts-quantal” package in Ubuntu:
  Invalid
Status in “linux-lts-raring” package in Ubuntu:
  Invalid
Status in “linux-lts-saucy” package in Ubuntu:
  Invalid
Status in “linux-mvl-dove” package in Ubuntu:
  Invalid
Status in “linux-ti-omap4” package in Ubuntu:
  Invalid
Status in “linux” source package in Lucid:
  Fix Released
Status in “linux-armadaxp” source package in Lucid:
  Invalid
Status in “linux-ec2” source package in Lucid:
  Fix Released
Status in “linux-fsl-imx51” source package in Lucid:
  Invalid
Status in “linux-lts-backport-maverick” source package in Lucid:
  New
Status in “linux-lts-backport-natty” source package in Lucid:
  New
Status in “linux-lts-quantal” source package in Lucid:
  Invalid
Status in “linux-lts-raring” source package in Lucid:
  Invalid
Status in “linux-lts-saucy” source package in Lucid:
  Invalid
Status in “linux-mvl-dove” source package in Lucid:
  Invalid
Status in “linux-ti-omap4” source package in Lucid:
  Invalid
Status in “linux” source package in Precise:
  Fix Released
Status in “linux-armadaxp” source package in Precise:
  Fix Released
Status in “linux-ec2” source package in Precise:
  Invalid
Status in “linux-fsl-imx51” source package in Precise:
  Invalid
Status in “linux-lts-backport-maverick” source package in Precise:
  New
Status in “linux-lts-backport-natty” source package in Precise:
  New
Status in “linux-lts-quantal” source package in Precise:
  Fix Released
Status in “linux-lts-raring” source package in Precise:
  Fix Released
Status in “linux-lts-saucy” source package in Precise:
  Fix Released
Status in “linux-mvl-dove” source package in Precise:
  Invalid
Status in “linux-ti-omap4” source package in Precise:
  Fix Committed
Status in “linux-lts-backport-maverick” source package in Quantal:
  New
Status in “linux-lts-backport-natty” source package in Quantal:
  New
Status in “linux” source package in Saucy:
  Fix Committed
Status in “linux-armadaxp” source package in Saucy:
  Invalid
Status in “linux-ec2” source package in Saucy:
  Invalid
Status in “linux-fsl-imx51” source package in Saucy:
  Invalid
Status in “linux-lts-backport-maverick” source package in Saucy:
  New
Status in “linux-lts-backport-natty” source package in Saucy:
  New
Status in “linux-lts-quantal” source package in Saucy:
  Invalid
Status in “linux-lts-raring” source package in Saucy:
  Invalid
Status in “linux-lts-saucy” source package in Saucy:
  Invalid
Status in “linux-mvl-dove” source package in Saucy:
  Invalid
Status in “linux-ti-omap4” source package in Saucy:
  Fix Committed
Status in “linux” source package in Trusty:
  Fix Committed
Status in “linux-armadaxp” source package in Trusty:
  Invalid
Status in “linux-ec2” source package in Trusty:
  Invalid
Status in “linux-fsl-imx51” source package in Trusty:
  Invalid
Status in “linux-lts-backport-maverick” source package in Trusty:
  New
Status in “linux-lts-backport-natty” source package in Trusty:
  New
Status in “linux-lts-quantal” source package in Trusty:
  Invalid
Status in “linux-lts-raring” source package in Trusty:
  Invalid
Status in “linux-lts-saucy” source package in Trusty:
  Invalid
Status in “linux-mvl-dove” source package in Trusty:
  Invalid
Status in “linux-ti-omap4” source package in Trusty:
  Invalid
Status in “linux” source package in Utopic:
  Fix Committed
Status in “linux-armadaxp” source package in Utopic:
  Invalid
Status in “linux-ec2” source package in Utopic:
  Invalid
Status in “linux-fsl-imx51” source package in Utopic:
  Invalid
Status in “linux-lts-backport-maverick” source package in Utopic:
  New
Status in “linux-lts-backport-natty” source package in Utopic:
  New
Status in “linux-lts-quantal” source package in Utopic:
  Invalid
Status in “linux-lts-raring” source package in Utopic:
  Invalid
Status in “linux-lts-saucy” source package in Utopic:
  Invalid
Status in “linux-mvl-dove” source package in Utopic:
  Invalid
Status in “linux-ti-omap4” source package in Utopic:
  Invalid

Bug description:
  The raw_cmd_copyin function in drivers/block/floppy.c in the Linux
  kernel through 3.14.3 does not properly handle error conditions during
  processing of an FDRAWCMD ioctl call, which allows local users to
  trigger kfree operations and gain privileges by leveraging write
  access to a /dev/fd device. First, raw_cmd_ioctl calls raw_cmd_copyin.
  This function kmallocs space for a floppy_raw_cmd structure and stores
  the resulting allocation in the "rcmd" pointer argument. It then
  attempts to copy_from_user the structure from userspace. If this
  fails, an early EFAULT return is taken. The problem is that even if
  the early return is taken, the pointer to the non-/partially-
  initialized floppy_raw_cmd structure has already been returned via the
  "rcmd" pointer. Back out in raw_cmd_ioctl, it attempts to raw_cmd_free
  this pointer. raw_cmd_free attempts to free any DMA pages allocated
  for the raw command, kfrees the raw command structure itself, and
  follows the linked list, if any, of further raw commands (a user can
  specify the FD_RAW_MORE flag to signal that there are more raw
  commands to follow in a single FDRAWCMD ioctl). So, a malicious user
  can send a FDRAWCMD ioctl with a raw command argument structure that
  has some bytes inaccessible (ie. off the end of an allocated page).
  The copy_from_user will fail but raw_cmd_free will attempt to process
  the floppy_raw_cmd as if it had been fully initialized by the rest of
  raw_cmd_copyin. The user can control the arguments passed to
  fd_dma_mem_free and kfree (by making use of the linked-list feature
  and specifying the target address as a next-in-list structure).

  Break-Fix: - ef87dbe7614341c2e7bfe8d32fcb7028cc97442c

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1316729/+subscriptions

-- 
Mailing list: https://launchpad.net/~kernel-packages
Post to     : kernel-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~kernel-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to