
validate the range we feed to iov_iter_init() in sys_sendto/sys_recvfrom in kernel-net CVE-2015-2686 critical [released]

Tracked by Jolla (In release)

asked 2017-05-09 12:58:29 +0300


updated 2017-05-23 19:16:57 +0300


net/socket.c in the Linux kernel - not just 3.19 - before 3.19.3 does not validate certain range data for (1) sendto and (2) recvfrom system calls, which allows local users to gain privileges by leveraging a subsystem that uses the copy_from_iter function in the iov_iter interface, as demonstrated by the Bluetooth subsystem. CVSSv3 7.8 high (attack range: local)

Upstream commit is available.

File affected: kernel-adaptation-sbj- lines: 1707-1712; 1766-1771

edit 2017-05-23: seems to be rejected, why?


The question has been closed for the following reason "released in a software update" by lpr
close date 2017-07-24 21:09:51.698006
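The range check the question refers to, turned into a triage helper (an added example, not code from the thread or from Jolla): it classifies a kernel's net/socket.c by whether the sendto/recvfrom syscall body hands the user buffer to iov_iter_init() and whether an access_ok() check precedes that call. It assumes the 3.19 source layout with SYSCALL_DEFINE6(sendto ...) / SYSCALL_DEFINE6(recvfrom ...) and the upstream fix's access_ok() placement; the three sample files are constructed, abbreviated stand-ins for real kernel sources.

```shell
# Added example, not from the thread or from Jolla. Assumes 3.19-style
# net/socket.c and an upstream fix that adds access_ok() before iov_iter_init().
# Usage: classify_syscall path/to/net/socket.c sendto|recvfrom
# Prints: vulnerable | fixed | not-applicable (pre-3.19 msg_iov path) | not-found
classify_syscall() {
    awk -v name="$2" '
        BEGIN { result = "not-found" }
        $0 ~ ("SYSCALL_DEFINE6\\(" name ",") { inside = 1; ok = 0; result = "not-applicable" }
        inside && /access_ok\(/     { ok = 1 }
        inside && /iov_iter_init\(/ { result = (ok ? "fixed" : "vulnerable"); inside = 0 }
        inside && /^}/              { inside = 0 }
        END { print result }
    ' "$1"
}
# Constructed, abbreviated sendto bodies standing in for three kernel generations:
# unpatched 3.19, patched 3.19.3, and an older msg_iov-based kernel.
write_samples() {
    cat > "$1/vuln.c" <<'EOF'
SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, unsigned int, flags, struct sockaddr __user *, addr, int, addr_len)
{
    if (len > INT_MAX) len = INT_MAX;
    iov_iter_init(&msg.msg_iter, WRITE, &iov, 1, len);
}
EOF
    cat > "$1/fixed.c" <<'EOF'
SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, unsigned int, flags, struct sockaddr __user *, addr, int, addr_len)
{
    if (len > INT_MAX) len = INT_MAX;
    if (unlikely(!access_ok(VERIFY_READ, buff, len)))
        return -EFAULT;
    iov_iter_init(&msg.msg_iter, WRITE, &iov, 1, len);
}
EOF
    cat > "$1/legacy.c" <<'EOF'
SYSCALL_DEFINE6(sendto, int, fd, void __user *, buff, size_t, len, unsigned int, flags, struct sockaddr __user *, addr, int, addr_len)
{
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
}
EOF
}
SAMPLES=$(mktemp -d)
write_samples "$SAMPLES"
for f in vuln fixed legacy; do
    printf '%s.c: %s\n' "$f" "$(classify_syscall "$SAMPLES/$f.c" sendto)"
done
```

Run it against the real net/socket.c of the kernel in question for both sendto and recvfrom; "not-applicable" for both is what the "no copy_from_iter()" answer below amounts to.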



@jovirkku why is this "Rejected"?

lpr ( 2017-05-23 12:29:26 +0300 )

@veskuh seems not to be too hard to fix this (4-liner), CVSSv3 base score 7.8 high, so why is it rejected?

lpr ( 2017-05-23 12:39:10 +0300 )

because in the Linux kernel 3.19 before 3.19.3

coderus ( 2017-05-23 14:14:51 +0300 )

@coderus as you may know: Linux kernel 3.19 before 3.19.3 means Linux kernel 3.19 vanilla before 3.19.3 vanilla

lpr ( 2017-05-23 15:08:14 +0300 )

we have no devices running 3.19 kernels :D

coderus ( 2017-05-23 18:17:25 +0300 )

1 Answer


answered 2017-05-23 14:14:20 +0300


This CVE affects only kernels 3.19 to 3.19.3; none of our kernels have the copy_from_iter() function.



this should be verified: according to Google all Nexus devices are affected AND not all Nexus use 3.19. The fix is just a check whether the range is ok, so you should check it independently of what routine this is fed to

lpr ( 2017-05-23 15:12:18 +0300 )

you are wrong:

lpr ( 2017-05-23 17:23:03 +0300 )

you got an official Jolla reject, engineers checked the kernels, and our kernels are not affected by this problem, so please calm down.

coderus ( 2017-05-23 18:18:29 +0300 )

how many sockets per second do you open that you cannot afford this range check in any way????

lpr ( 2017-05-23 19:05:46 +0300 )

regarding this list, none of the community ports have these kernels. BUT lpr's intervention leaves me with a question. What will Jolla do to remind themselves, for the day when someone uses this kernel generation?
Is that not a problem (because by then the kernel will be fixed)?
Or will it indeed be a problem because it was forgotten?
It is just a neutral question....
Anyway, to calm down is a good suggestion ;-)

cemoi71 ( 2017-05-23 19:31:30 +0300 )
