** Summary changed: - Fix-compat_sys_recvmmsg-on-x32-archs + CVE-2014-0038
** Description changed: - The timeout pointer parameter is provided by userland (hence the __user - annotation) but for x32 syscalls it's simply cast to a kernel pointer - and is passed to __sys_recvmmsg which will eventually directly - dereference it for both reading and writing. Other callers to - __sys_recvmmsg properly copy from userland to the kernel first. The - impact is a sort of arbitrary kernel write-where-what primitive by - unprivileged users where the to-be-written area must contain valid - timespec data initially (the first 64 bit long field must be positive - and the second one must be < 1G). + The compat_sys_recvmmsg function in net/compat.c in the Linux kernel before + 3.13.2, when CONFIG_X86_X32 is enabled, allows local users to gain + privileges via a recvmmsg system call with a crafted timeout pointer + parameter. Break-Fix: ee4fa23c4bfcc635d077a9633d405610de45bc70 2def2ef2ae5f3990aabdbe8a755911902707d268 -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1274349 Title: CVE-2014-0038 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1274349/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
