CVE-2016-4557
Published: 5 May 2016
The replace_map_fd_with_map_ptr function in kernel/bpf/verifier.c in the Linux kernel before 4.5.5 does not properly maintain an fd data structure, which allows local users to gain privileges or cause a denial of service (use-after-free) via crafted BPF instructions that reference an incorrect file descriptor.
From the Ubuntu Security Team
Jann Horn discovered that the extended Berkeley Packet Filter (eBPF) implementation in the Linux kernel did not properly reference count file descriptors, leading to a use-after-free. A local unprivileged attacker could use this to gain administrative privileges.
Notes
| Author | Note |
|---|---|
| jdstrand | android kernels (flo, goldfish, grouper, maguro, mako and manta) are not supported on the Ubuntu Touch 14.10 and earlier preview kernels linux-lts-saucy no longer receives official support linux-lts-quantal no longer receives official support |
| sbeattie | affects 4.4 kernels only introduced in 0246e64d9a5f, but made exploitable by 1be7f75d1668 |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
linux-aws Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Not vulnerable
(4.4.0-1002.2)
|
|
| xenial |
Not vulnerable
(4.4.0-1001.10)
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-flo Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| wily |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-gke Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Not vulnerable
(4.4.0-1003.3)
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-goldfish Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| wily |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-grouper Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-hwe Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Not vulnerable
(4.8.0-36.36~16.04.1)
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-hwe-edge Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| xenial |
Not vulnerable
(4.8.0-36.36~16.04.1)
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-linaro-vexpress Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-lts-quantal Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-lts-raring Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-lts-saucy Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-lts-trusty Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-lts-utopic Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-lts-vivid Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-lts-wily Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was not-affected)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-lts-xenial Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Released
(4.4.0-22.39~14.04.1)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-maguro Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-mako Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| wily |
Not vulnerable
|
|
| xenial |
Not vulnerable
|
|
| yakkety |
Not vulnerable
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-manta Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
(trusty was ignored)
|
|
| wily |
Not vulnerable
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-qcm-msm Launchpad, Ubuntu, Debian |
precise |
Ignored
(end of life)
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-raspi2 Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| wily |
Not vulnerable
|
|
| xenial |
Released
(4.4.0-1010.12)
|
|
| yakkety |
Not vulnerable
(4.4.0-1010.12)
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-snapdragon Launchpad, Ubuntu, Debian |
precise |
Does not exist
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Released
(4.4.0-1013.14)
|
|
| yakkety |
Not vulnerable
(4.4.0-1013.14)
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux-ti-omap4 Launchpad, Ubuntu, Debian |
precise |
Not vulnerable
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| upstream |
Released
(4.6~rc6)
|
|
|
linux Launchpad, Ubuntu, Debian |
upstream |
Released
(4.6~rc6)
|
| precise |
Not vulnerable
|
|
| trusty |
Not vulnerable
|
|
| wily |
Not vulnerable
|
|
| xenial |
Released
(4.4.0-22.39)
|
|
| yakkety |
Not vulnerable
(4.4.0-22.39)
|
|
|
Patches: Introduced by 1be7f75d1668d6296b80bf35dcf6762393530afc |
||
|
linux-armadaxp Launchpad, Ubuntu, Debian |
upstream |
Released
(4.6~rc6)
|
| precise |
Not vulnerable
|
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
| This package is not directly supported by the Ubuntu Security Team | ||
|
linux-linaro-omap Launchpad, Ubuntu, Debian |
upstream |
Released
(4.6~rc6)
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
|
linux-linaro-shared Launchpad, Ubuntu, Debian |
upstream |
Released
(4.6~rc6)
|
| precise |
Ignored
(end of life)
|
|
| trusty |
Does not exist
|
|
| wily |
Does not exist
|
|
| xenial |
Does not exist
|
|
| yakkety |
Does not exist
|
|
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 7.8 |
| Attack vector | Local |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
References
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4557
- https://bugs.chromium.org/p/project-zero/issues/detail?id=808
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8358b02bf67d3a5d8a825070e1aa73f25fb2e4c7
- http://www.openwall.com/lists/oss-security/2016/05/06/7
- https://ubuntu.com/security/notices/USN-2965-1
- https://ubuntu.com/security/notices/USN-2965-4
- https://ubuntu.com/security/notices/USN-2965-3
- https://ubuntu.com/security/notices/USN-2965-2
- NVD
- Launchpad
- Debian