CVE-2014-3153
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| linux (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Unassigned | ||
| Trusty |
Fix Released
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-armadaxp (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-ec2 (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-flo (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-fsl-imx51 (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-goldfish (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-quantal (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-raring (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-saucy (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-trusty (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-utopic (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-vivid (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Fix Committed
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-wily (Ubuntu) |
Expired
|
Undecided
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-lts-xenial (Ubuntu) |
Expired
|
Undecided
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Fix Committed
|
High
|
Unassigned | ||
| Vivid |
Won't Fix
|
Undecided
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-mako (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-manta (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-mvl-dove (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-raspi2 (Ubuntu) |
Expired
|
Undecided
|
Unassigned | ||
| Precise |
Invalid
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
| linux-ti-omap4 (Ubuntu) |
Invalid
|
High
|
Unassigned | ||
| Precise |
Fix Released
|
High
|
Unassigned | ||
| Trusty |
Invalid
|
High
|
Unassigned | ||
| Vivid |
Invalid
|
High
|
Unassigned | ||
| Wily |
Invalid
|
High
|
Unassigned | ||
Bug Description
The futex_requeue function in kernel/futex.c in the Linux kernel through 3.14.5 does not ensure that calls have two different futex addresses, which allows local users to gain privileges via a crafted FUTEX_REQUEUE command that facilitates unsafe waiter modification.
Break-Fix: 52400ba946759af
Break-Fix: 52400ba946759af
Break-Fix: 52400ba946759af
Break-Fix: 52400ba946759af
Related branches
This bug was fixed in the package linux - 2.6.32-61.124
---------------
linux (2.6.32-61.124) lucid; urgency=low
[ Luis Henriques ]
* Revert "sysctl net: Keep tcp_syn_retries inside the boundary"
- LP: #1326473
* Revert "net: check net.core.somaxconn sysctl values"
- LP: #1326473
[ Upstream Kernel Changes ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Brad Figg <email address hidden> 2014年6月04日 07:21:55 -0700
The verification of the Stable Release Update for linux has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regresssions.
This bug was fixed in the package linux - 3.13.0-29.53
---------------
linux (3.13.0-29.53) trusty; urgency=low
[ Upstream Kernel Changes ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Brad Figg <email address hidden> 2014年6月04日 08:25:41 -0700
This bug was fixed in the package linux - 3.11.0-23.40
---------------
linux (3.11.0-23.40) saucy; urgency=low
[ Upstream Kernel Changes ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Brad Figg <email address hidden> 2014年6月04日 09:12:14 -0700
This bug was fixed in the package linux-lts-quantal - 3.5.0-51.
---------------
linux-lts-quantal (3.5.0-
[ Upstream Kernel Changes ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Brad Figg <email address hidden> 2014年6月04日 16:49:16 -0700
This bug was fixed in the package linux-lts-raring - 3.8.0-42.
---------------
linux-lts-raring (3.8.0-
[ Upstream Kernel Changes ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Brad Figg <email address hidden> 2014年6月04日 12:01:23 -0700
This bug was fixed in the package linux-lts-saucy - 3.11.0-
---------------
linux-lts-saucy (3.11.0-
[ Upstream Kernel Changes ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Brad Figg <email address hidden> 2014年6月04日 09:12:14 -0700
This bug was fixed in the package linux - 3.2.0-64.97
---------------
linux (3.2.0-64.97) precise; urgency=low
[ Upstream Kernel Changes ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Brad Figg <email address hidden> 2014年6月04日 10:48:57 -0700
This bug was fixed in the package linux-armadaxp - 3.2.0-1634.49
---------------
linux-armadaxp (3.2.0-1634.49) precise-proposed; urgency=low
[ Ike Panhc ]
* Release Tracking Bug
- LP: #1326748
* Rebase to Ubuntu-3.2.0-64.97
[ Ubuntu: 3.2.0-64.97 ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
-- Ike Panhc <email address hidden> 2014年6月05日 19:41:05 +0800
This bug was fixed in the package linux-ti-omap4 - 3.2.0-1449.68
---------------
linux-ti-omap4 (3.2.0-1449.68) precise; urgency=low
* Release Tracking Bug
- LP: #1326747
[ Paolo Pisati ]
* rebased on Ubuntu-3.2.0-64.97
[ Ubuntu: 3.2.0-64.97 ]
* futex-prevent-
uaddr2 in futex_requeue(..., requeue_pi=1)
- LP: #1326367
- CVE-2014-3153
* futex: Validate atomic acquisition in futex_lock_
- LP: #1326367
- CVE-2014-3153
* futex: Always cleanup owner tid in unlock_pi
- LP: #1326367
- CVE-2014-3153
* futex: Make lookup_pi_state more robust
- LP: #1326367
- CVE-2014-3153
linux-ti-omap4 (3.2.0-1448.67) precise; urgency=low
* Release Tracking Bug
- LP: #1322135
[ Paolo Pisati ]
* rebased on Ubuntu-3.2.0-64.96
* [Config] BLK_DEV_
[ Ubuntu: 3.2.0-64.96 ]
* Release Tracking Bug
- LP: #1321792
* [Config] updateconfigs after Linux v3.2.58 and v3.2.59 updates
* Revert "sparc64: Fix __copy_
- LP: #1319885
* Revert "alpha: fix broken network checksum"
- LP: #1319885
* Revert "isci: fix reset timeout handling"
- LP: #1319885
* Revert "USB: serial: add usbid for dell wwan card to sierra.c"
- LP: #1319885
* mm: try_to_
- LP: #1316268
- CVE-2014-3122
* net: sctp: fix skb leakage in COOKIE ECHO path of chunk->auth_chunk
- LP: #1319885
* bridge: multicast: add sanity check for query source addresses
- LP: #1319885
* net: unix: non blocking recvmsg() should not return -EINTR
- LP: #1319885
* vlan: Set correct source MAC address with TX VLAN offload enabled
- LP: #1319885
* net: socket: error on a negative msg_namelen
- LP: #1319885
* ipv6: Avoid unnecessary temporary addresses being generated
- LP: #1319885
* ipv6: ip6_append_data_mtu do not handle the mtu of the second fragment
properly
- LP: #1319885
* vhost: validate vhost_get_vq_desc return value
- LP: #1319885
- CVE-2014-0055
* xen-netback: remove pointless clause from if statement
- LP: #1319885
* ipv6: some ipv6 statistic counters failed to disable bh
- LP: #1319885
* netlink: don't compare the nul-termination in nla_strcmp
- LP: #1319885
* isdnloop: Validate NUL-terminated strings from user.
- LP: #1319885
* isdnloop: several buffer overflows
- LP: #1319885
* sparc: PCI: Fix incorrect address calculation of PCI Bridge windows on
Simba-bridges
- LP: #1319885
* sparc32: fix build failure for arch_jump_
- LP: #1319885
* sparc64: don't treat 64-bit syscall return codes as 32-bit
- LP: #1319885
* drm/i915: inverted brightness quirk for Acer Aspire 4736Z
- LP: #1319885
* drm/i915: quirk invert brightness for Acer Aspire 5336
- LP: #1319885
* w1: fix w1_send_slave dropping a slave id
- LP: #1319885
* ARM: mm: introduce present, faulting entries for PAGE_NONE
- LP: #1319885
* ARM: 7954/1: mm: remove remaining domain support from ARMv6
- LP: #1319885
* matroxfb: restore the registers M_ACC...
This fix seems to trigger problems with virtualization LP #1307473.
saucy has seen the end of its life and is no longer receiving any updates. Marking the saucy task for this ticket as "Won't Fix".
+ CVE-2014-3153
removed: kernel-release-tracking-bug
utopic and vivid are not affected according to http://
The task "linux-lts-wily (Ubuntu)" has expired because it has had no new comments or updates for more than three years.
If this issue is still present in an Ubuntu LTS kernel still under active support, please reopen the bug and provide updated details. If this issue was reported against an Ubuntu kernel no longer under active support but the issue still exists in a currently supported Ubuntu kernel, please open a new bug against that kernel version and provide the updated details, with a reference link to the original bug.
This action was performed by an automated process maintained by the Ubuntu Kernel Team.
The task "linux-lts-xenial (Ubuntu)" has expired because it has had no new comments or updates for more than three years.
If this issue is still present in an Ubuntu LTS kernel still under active support, please reopen the bug and provide updated details. If this issue was reported against an Ubuntu kernel no longer under active support but the issue still exists in a currently supported Ubuntu kernel, please open a new bug against that kernel version and provide the updated details, with a reference link to the original bug.
This action was performed by an automated process maintained by the Ubuntu Kernel Team.
The task "linux-raspi2 (Ubuntu)" has expired because it has had no new comments or updates for more than three years.
If this issue is still present in an Ubuntu LTS kernel still under active support, please reopen the bug and provide updated details. If this issue was reported against an Ubuntu kernel no longer under active support but the issue still exists in a currently supported Ubuntu kernel, please open a new bug against that kernel version and provide the updated details, with a reference link to the original bug.
This action was performed by an automated process maintained by the Ubuntu Kernel Team.
The task "linux-lts-xenial (Ubuntu Vivid)" has been closed automatically because it was filed against an Ubuntu release that is now end-of-life.
If this issue is still present in a supported Ubuntu kernel, please open a new bug and provide updated details.
This action was performed by an automated process maintained by the Ubuntu Kernel Team.