bionic: netlink: potential shift overflow in netlink_bind()
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| linux (Ubuntu) | Confirmed | High | Andrea Righi | |
| Bionic | Fix Released | High | Andrea Righi | |
Bug Description
[Impact]
The check for correctness of the userspace-supplied netlink_bind() parameter is done by applying a bitmask made from an ngroups shift. However, if we have more than 64 groups the shift results in an overflow, causing an incorrect validation of the netlink_bind() parameters.
This has been fixed upstream: https:/
And this fix has been applied to xenial, cosmic and disco (apparently only bionic is missing it).
[Test Case]
I've been able to reproduce this problem using a script with acpid to handle ACPI hibernate events. The script is the following:
$ cat /etc/acpi/
#!/bin/sh
echo "1=$1 2=$2" >> /home/ubuntu/
Any kernel that has the fix (xenial and cosmic, for example) is logging two events (input and netlink) when the sleep button is fired:
$ cat /home/ubuntu/
1=button/sleep 2=SBTN
1=button/sleep 2=LNXSLPBN:00
The bionic kernel, instead, is logging only one event (input, netlink is lost):
$ cat /home/ubuntu/
1=button/sleep 2=SBTN
[Fix]
Fix that solves this problem:
https:/
[Regression Potential]
Upstream fix, tested on the affected platform; all other kernel releases have this fix applied already, so regression potential is minimal.
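The mechanism behind the [Impact] section, as an added illustration that is not part of the bug report or of the kernel source: a model of the group-mask validation in netlink_bind(), in its unguarded form and in the guarded shape of the upstream fix. The expression (1ULL << ngroups) - 1 is undefined behaviour in C once ngroups reaches the width of the mask (64 bits here); on x86-64 the hardware masks the shift count to 6 bits, so 1ULL << 64 behaves like 1ULL << 0 and the resulting mask is 0, which drops every requested group and matches the "netlink event is lost" symptom of the test case. The helper emulate_x86_shl, the type group_mask_t and the sample inputs are constructed for this example so that it shows the effect without itself executing undefined behaviour.

```c
/* Added example, not code from the bug report or the kernel.
 * Models netlink_bind()'s validation of the userspace nl_groups bitmap
 * against the family's ngroups, buggy and fixed side by side. */
#include <stdint.h>
#include <stdio.h>

typedef uint64_t group_mask_t;               /* width of the group bitmap we model */
#define MASK_BITS ((unsigned)(8 * sizeof(group_mask_t)))   /* 64 */

/* Hypothetical helper: emulates an x86-64 SHL, whose count is taken mod 64.
 * Stands in for the undefined 1ULL << 64 in the unfixed code. */
static group_mask_t emulate_x86_shl(group_mask_t v, unsigned count)
{
    return v << (count & (MASK_BITS - 1));
}

/* Unfixed logic: mask = (1 << ngroups) - 1 with no range check.
 * For ngroups == 64 the emulated shift yields 1, so the mask becomes 0. */
group_mask_t buggy_group_mask(unsigned ngroups)
{
    return emulate_x86_shl(1ULL, ngroups) - 1;
}

/* Guarded logic in the shape of the upstream fix: no shift when ngroups is 0,
 * and no shift when ngroups already covers the whole mask width. */
group_mask_t fixed_group_mask(unsigned ngroups)
{
    if (ngroups == 0)
        return 0;
    if (ngroups >= MASK_BITS)
        return ~(group_mask_t)0;             /* every bit is a valid group */
    return ((group_mask_t)1 << ngroups) - 1;
}

/* Apply the mask to a userspace-supplied group bitmap. */
group_mask_t buggy_bind_groups(group_mask_t requested, unsigned ngroups)
{
    return requested & buggy_group_mask(ngroups);
}

group_mask_t fixed_bind_groups(group_mask_t requested, unsigned ngroups)
{
    return requested & fixed_group_mask(ngroups);
}

int main(void)
{
    /* Constructed inputs: a subscriber asks for group 5 on a family that
     * registers 32 groups, then on one that registers exactly 64. */
    group_mask_t want = (group_mask_t)1 << 5;
    unsigned sizes[] = { 32, 64 };
    for (unsigned i = 0; i < 2; i++) {
        printf("ngroups=%u buggy=0x%016llx fixed=0x%016llx\n", sizes[i],
               (unsigned long long)buggy_bind_groups(want, sizes[i]),
               (unsigned long long)fixed_bind_groups(want, sizes[i]));
    }
    return 0;
}
```

With 32 groups both variants keep the subscription; with 64 groups the unfixed mask is 0 and the subscription is silently discarded, while the guarded version keeps it.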
Changed in linux (Ubuntu): importance: Undecided → High
Changed in linux (Ubuntu Bionic): importance: Undecided → High
Changed in linux (Ubuntu): assignee: nobody → Andrea Righi (arighi)
Changed in linux (Ubuntu Bionic): assignee: nobody → Andrea Righi (arighi)
Changed in linux (Ubuntu): status: Incomplete → Confirmed
Changed in linux (Ubuntu Bionic): status: Incomplete → Confirmed
Changed in linux (Ubuntu Bionic): status: Confirmed → Fix Committed
tags: added: verification-done-bionic removed: verification-needed-bionic
tags: added: cscc
This bug is missing log files that will aid in diagnosing the problem. While running an Ubuntu kernel (not a mainline or third-party kernel) please enter the following command in a terminal window:
apport-collect 1831103
and then change the status of the bug to 'Confirmed'.
If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.
This change has been made by an automated script, maintained by the Ubuntu Kernel Team.