Bug 1009969 (CVE-2016-8645)

Summary: VUL-0: CVE-2016-8645: kernel: BUG() statement can be hit in net/ipv4/tcp_input.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P5 - None
CC: meissner, mikhail.kasimov, mkubecek, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/176287/
Whiteboard: CVSSv2:SUSE:CVE-2016-8645:4.4:(AV:L/AC:M/Au:S/C:N/I:N/A:C) CVSSv2:NVD:CVE-2016-8645:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C) CVSSv3:NVD:CVE-2016-8645:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) CVSSv2:RedHat:CVE-2016-8645:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C) CVSSv3:RedHat:CVE-2016-8645:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Michal Kubeček 2016-11-14 12:06:37 UTC
Fix submitted:

  http://patchwork.ozlabs.org/patch/693484/

accepted to net tree as commit

  ac6e780070e3  tcp: take care of truncations done by sk_filter()

and queued for stable (not in mainline yet).
Comment 2 Michal Kubeček 2016-11-14 12:15:35 UTC
Note: this is quite similar to earlier CVE-2016-6162 / bsc#988013, going to
check when this particular issue was introduced.
Comment 3 Mikhail Kasimov 2016-11-30 23:43:42 UTC
http://seclists.org/oss-sec/2016/q4/546
===============================================
Hello,

A further investigation was made to find out the Linux kernel commit which has
introduced the flaw. It appeared that previous Linux kernel versions are vulnerable,
down to v3.6-rc1. This fact was hidden by 'net.ipv4.tcp_fastopen' set to 0 by default,
and now it is easier to notice since kernel v3.12 due to commit 0d41cca490 where the
default was changed to 1. With 'net.ipv4.tcp_fastopen' set to 1, previous Linux
kernels including RHEL-7 ones are also vulnerable (see [0] below).

The bug is here since the tcp-fastopen feature was introduced in kernel v3.6-rc1; the first
commit at which the reproducer starts to panic the kernel with net.ipv4.tcp_fastopen=1 is
cf60af03ca, which is part of the commit series 2100c8d2d9..67da22d23f introducing the
net-tcp-fastopen feature:

$ git bisect bad cf60af03ca4e71134206809ea892e49b92a88896
cf60af03ca4e71134206809ea892e49b92a88896 is the first bad commit
commit cf60af03ca4e71134206809ea892e49b92a88896
Author: Yuchung Cheng <ycheng () google com>
Date:   Thu Jul 19 06:43:09 2012 +0000

So, formally, the Linux kernel upstream commit ac6e780070 fixing the bug should have
"Fixes: cf60af03ca" statement, unfortunately, this investigation was not completed at
the time the patch was accepted upstream.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer

=== [0] =====

$ uname -r
3.10.0-123.el7.x86_64

$ sysctl net.ipv4.tcp_fastopen
net.ipv4.tcp_fastopen = 1

$ ./poc
[   67.356749] ------------[ cut here ]------------
[   67.357016] kernel BUG at net/ipv4/tcp_input.c:4563!
[   67.357016] invalid opcode: 0000 [#1] SMP 
[   67.357016] CPU: 2 PID: 1317 Comm: poc Not tainted 3.10.0-123.el7.x86_64 #1
[   67.357016] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.8.2-20150714_191134- 04/01/2014
[   67.357016] task: ffff880135cc4440 ti: ffff8800b8552000 task.ti: ffff8800b8552000
[   67.357016] RIP: 0010:[<ffffffff8151f493>]  [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[   67.357016] RSP: 0018:ffff8800b8553a20  EFLAGS: 00010282
[   67.357016] RAX: 00000000fffffff2 RBX: ffff880135d550f8 RCX: 0000000000000db0
[   67.357016] RDX: ffff8800b84cb110 RSI: 0000000000000000 RDI: ffff880135d550f8
[   67.357016] RBP: ffff8800b8553a70 R08: 0000000000000ec0 R09: 0000000000000db0
[   67.357016] R10: ffff8800b140be00 R11: 0000000000000000 R12: 00000000606804a0
[   67.357016] R13: ffff8800b16e0090 R14: 0000000000000000 R15: 0000000000000db0
[   67.357016] FS:  00007fd1e51a6800(0000) GS:ffff88013fc80000(0000) knlGS:0000000000000000
[   67.357016] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   67.357016] CR2: 000000002002a000 CR3: 00000000b14fd000 CR4: 00000000001406e0
[   67.357016] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   67.357016] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[   67.357016] Stack:
[   67.357016]  606814a000000004 ffff8800b16e0000 ffff8800b140be00 ffffffff00000db0
[   67.357016]  ffff880000000000 ffff8800b16e0680 0000000000000900 ffff880135d55af8
[   67.357016]  ffff8800b16e0000 ffff8800b16e0680 ffff8800b8553aa8 ffffffff8151f66b
[   67.357016] Call Trace:
[   67.357016]  [<ffffffff8151f66b>] tcp_try_rmem_schedule+0x1cb/0x410
[   67.357016]  [<ffffffff8151fe41>] tcp_data_queue+0x291/0xcf0
[   67.357016]  [<ffffffff81523014>] tcp_rcv_established+0x1e4/0x8d0
[   67.357016]  [<ffffffff815a11a6>] tcp_v6_do_rcv+0x2e6/0x6b0
[   67.357016]  [<ffffffff81525f8a>] ? tcp_schedule_loss_probe+0x13a/0x1d0
[   67.357016]  [<ffffffff81526c95>] ? tcp_write_xmit+0x215/0xb80
[   67.357016]  [<ffffffff814c0b11>] ? __alloc_skb+0xa1/0x2d0
[   67.357016]  [<ffffffff814bbfd1>] release_sock+0xa1/0x170
[   67.357016]  [<ffffffff81518652>] tcp_sendmsg+0x132/0xdb0
[   67.357016]  [<ffffffff81542a24>] inet_sendmsg+0x64/0xb0
[   67.357016]  [<ffffffff814b79b0>] sock_sendmsg+0xb0/0xf0
[   67.357016]  [<ffffffff8114fd1e>] ? lru_cache_add+0xe/0x10
[   67.357016]  [<ffffffff81176ad1>] ? page_add_new_anon_rmap+0x91/0x130
[   67.357016]  [<ffffffff814b7f21>] SYSC_sendto+0x121/0x1c0
[   67.357016]  [<ffffffff815ed58a>] ? do_page_fault+0x1a/0x70
[   67.357016]  [<ffffffff814b89ae>] SyS_sendto+0xe/0x10
[   67.357016]  [<ffffffff815f2119>] system_call_fastpath+0x16/0x1b
[   67.357016] Code: 00 48 89 42 08 48 89 10 e8 cb 1c fa ff 48 8b 45 b8 48 8b 40 30
48 8b 80 30 01 00 00 65 48 ff 80 b0 01 00 00 e9 af fc ff ff 0f 0b <0f> 0b 66 66 2e
0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 
[   67.357016] RIP  [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[   67.357016]  RSP <ffff8800b8553a20>
[   67.390450] ---[ end trace c5a1da3f9a89016e ]---
[   67.390741] Kernel panic - not syncing: Fatal exception in interrupt
===============================================
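The oops quoted in the post above is the kind of record a SOC would want to pick out of dmesg or the journal automatically. The following parser is an added example written for this page, not code from the bug report or from the kernel project: it strips the printk timestamps, pulls out the `kernel BUG at file:line!` location, the faulting symbol from the `RIP:` line, the `Comm:` and kernel release from the `CPU:` line, the call trace (distinguishing frames the unwinder marked unreliable with `?`), and whether the oops ended in a panic. The `matches_tcp_collapse_bug` indicator is an assumption derived from this one trace (BUG in `net/ipv4/tcp_input.c` with the instruction pointer in `tcp_collapse`), not an official signature. The sample input is abridged from the trace in the post.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Oops lines abridged from the trace quoted in the post above
# (RHEL-7 kernel 3.10.0-123.el7, net.ipv4.tcp_fastopen = 1).
SAMPLE_OOPS = """\
[   67.356749] ------------[ cut here ]------------
[   67.357016] kernel BUG at net/ipv4/tcp_input.c:4563!
[   67.357016] invalid opcode: 0000 [#1] SMP
[   67.357016] CPU: 2 PID: 1317 Comm: poc Not tainted 3.10.0-123.el7.x86_64 #1
[   67.357016] RIP: 0010:[<ffffffff8151f493>]  [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[   67.357016] Stack:
[   67.357016]  606814a000000004 ffff8800b16e0000 ffff8800b140be00 ffffffff00000db0
[   67.357016] Call Trace:
[   67.357016]  [<ffffffff8151f66b>] tcp_try_rmem_schedule+0x1cb/0x410
[   67.357016]  [<ffffffff8151fe41>] tcp_data_queue+0x291/0xcf0
[   67.357016]  [<ffffffff81523014>] tcp_rcv_established+0x1e4/0x8d0
[   67.357016]  [<ffffffff815a11a6>] tcp_v6_do_rcv+0x2e6/0x6b0
[   67.357016]  [<ffffffff81525f8a>] ? tcp_schedule_loss_probe+0x13a/0x1d0
[   67.357016]  [<ffffffff814bbfd1>] release_sock+0xa1/0x170
[   67.357016]  [<ffffffff81518652>] tcp_sendmsg+0x132/0xdb0
[   67.357016]  [<ffffffff814b89ae>] SyS_sendto+0xe/0x10
[   67.357016]  [<ffffffff815f2119>] system_call_fastpath+0x16/0x1b
[   67.357016] Code: 00 48 89 42 08 48 89 10 e8 cb 1c fa ff 48 8b 45 b8 48 8b 40 30
[   67.357016] RIP  [<ffffffff8151f493>] tcp_collapse+0x433/0x440
[   67.390450] ---[ end trace c5a1da3f9a89016e ]---
[   67.390741] Kernel panic - not syncing: Fatal exception in interrupt
"""

TIMESTAMP_RE = re.compile(r"^\[\s*\d+\.\d+\]\s?")
BUG_RE = re.compile(r"kernel BUG at (?P<file>\S+):(?P<line>\d+)!")
COMM_RE = re.compile(r"\bComm: (?P<comm>\S+) .*?\b(?P<ver>\d+\.\d+\.\d+\S*)")
RIP_RE = re.compile(r"^RIP: [0-9a-f]+:\[<[0-9a-f]+>\]\s+\[<[0-9a-f]+>\]\s+(?P<sym>\w+)\+0x")
# A leading "? " marks a frame the unwinder could not verify.
FRAME_RE = re.compile(r"^\s*\[<[0-9a-f]+>\]\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")


@dataclass
class Oops:
    bug_file: Optional[str] = None
    bug_line: Optional[int] = None
    rip_symbol: Optional[str] = None
    comm: Optional[str] = None
    kernel: Optional[str] = None
    call_trace: List[Tuple[str, bool]] = field(default_factory=list)  # (symbol, reliable)
    panic: bool = False


def parse_oops(text: str) -> Oops:
    """Extract the triage-relevant fields from a printk-formatted oops."""
    oops = Oops()
    in_trace = False  # frames are only parsed between "Call Trace:" and "Code:"
    for raw in text.splitlines():
        line = TIMESTAMP_RE.sub("", raw)
        if (m := BUG_RE.search(line)):
            oops.bug_file, oops.bug_line = m["file"], int(m["line"])
        elif (m := COMM_RE.search(line)):
            oops.comm, oops.kernel = m["comm"], m["ver"]
        elif (m := RIP_RE.match(line)):
            oops.rip_symbol = m["sym"]
        elif line.startswith("Call Trace:"):
            in_trace = True
        elif line.startswith("Code:"):
            in_trace = False
        elif line.startswith("Kernel panic"):
            oops.panic = True
        elif in_trace and (m := FRAME_RE.match(line)):
            oops.call_trace.append((m["sym"], m["unreliable"] is None))
    return oops


def reliable_frames(oops: Oops) -> List[str]:
    """Call-trace symbols the unwinder did not flag as unreliable."""
    return [sym for sym, reliable in oops.call_trace if reliable]


def matches_tcp_collapse_bug(oops: Oops) -> bool:
    """Indicator assumed from the trace on this page: BUG() in net/ipv4/tcp_input.c
    with the faulting instruction inside tcp_collapse()."""
    return oops.bug_file == "net/ipv4/tcp_input.c" and oops.rip_symbol == "tcp_collapse"


if __name__ == "__main__":
    parsed = parse_oops(SAMPLE_OOPS)
    print(f"{parsed.comm} on {parsed.kernel}: BUG at {parsed.bug_file}:{parsed.bug_line} "
          f"in {parsed.rip_symbol}, panic={parsed.panic}")
    print("reliable frames:", " <- ".join(reliable_frames(parsed)))
    print("tcp_collapse BUG indicator:", matches_tcp_collapse_bug(parsed))
```

Feed it `journalctl -k` or a crash dump's dmesg; the frame list is kept in order so the receive path (`tcp_try_rmem_schedule` called from `tcp_data_queue`) is visible in the output, which is what distinguishes this BUG from other users of `tcp_collapse`.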
Comment 4 Michal Kubeček 2017-01-03 11:11:40 UTC
The fix is now present in or submitted to

    master              4.9.0
    stable              4.9.0
    SLE12-SP2           4.4.34
    openSUSE-42.1       b7938abcfe83
    openSUSE-13.2       2de80f7c7b6e (submitted)
    SLE12-SP1           3.12.68
    SLE12-LTSS          8199d98680f7

Reassigning back to the security team.
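The status table above gives version-numbered fix levels for three branches (4.9.0 for mainline/stable, 4.4.34 for the SLE12-SP2 branch, 3.12.68 for the SLE12-SP1 branch). The following check is an added example, not part of the bug report: it parses a `uname -r` string and the `sysctl net.ipv4.tcp_fastopen` output, looks the running kernel up against that table, and reports whether the host is patched, and if not, whether the fastopen sysctl that the oss-sec post identifies as the trigger condition is enabled. Branches identified in the table only by a git hash, and vendor kernels that carry backports under an old version number (such as the RHEL-7 3.10.0 kernel in the report), are deliberately reported as unknown rather than guessed; the function names and the "any mainline release at or after 4.9.0 is fixed" rule are this example's own assumptions.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Fix levels from the status table in comment 4. Branches that are only
# identified by a git hash there (openSUSE 42.1/13.2, SLE12-LTSS) cannot be
# checked by version number and are deliberately absent.
FIXED_IN: Dict[Tuple[int, int], Version] = {
    (4, 9): (4, 9, 0),     # master / stable
    (4, 4): (4, 4, 34),    # SLE12-SP2 branch
    (3, 12): (3, 12, 68),  # SLE12-SP1 branch
}
MAINLINE_FIX: Version = (4, 9, 0)  # every later mainline release carries the fix

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_kernel_version(uname_r: str) -> Version:
    """'3.12.68-60.64.29-default' -> (3, 12, 68)."""
    m = VERSION_RE.match(uname_r.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {uname_r!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def parse_sysctl_fastopen(output: str) -> int:
    """Accepts 'net.ipv4.tcp_fastopen = 1' as printed by sysctl, or a bare value."""
    return int(output.strip().rsplit("=", 1)[-1].strip())


def patched_for_cve_2016_8645(version: Version) -> Optional[bool]:
    """True/False when the branch is in the table, None when it is not."""
    if version >= MAINLINE_FIX:
        return True
    fixed = FIXED_IN.get((version[0], version[1]))
    if fixed is None:
        return None  # unknown branch: consult the package changelog instead
    return version >= fixed


def assess(uname_r: str, sysctl_output: str) -> str:
    version = parse_kernel_version(uname_r)
    fastopen = parse_sysctl_fastopen(sysctl_output)
    patched = patched_for_cve_2016_8645(version)
    if patched is None:
        return ("unknown: branch %d.%d is not in the fix table, "
                "check the package changelog" % (version[0], version[1]))
    if patched:
        return "patched"
    if fastopen != 0:
        return "unpatched, tcp_fastopen enabled: the reported reproducer panics the host"
    return ("unpatched, tcp_fastopen disabled: flaw present, reproducer masked "
            "by the sysctl per the report")


if __name__ == "__main__":
    # Constructed sample hosts, one per outcome.
    for release, sysctl in [("4.4.21-69-default", "net.ipv4.tcp_fastopen = 1"),
                            ("4.4.38-93-default", "net.ipv4.tcp_fastopen = 1"),
                            ("3.12.60-52-default", "net.ipv4.tcp_fastopen = 0"),
                            ("3.10.0-123.el7.x86_64", "net.ipv4.tcp_fastopen = 1")]:
        print(f"{release:24} {assess(release, sysctl)}")
```

Setting `net.ipv4.tcp_fastopen=0` only removes the trigger the post describes; the check therefore still reports the host as unpatched so that the kernel update is not skipped.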
Comment 5 Swamp Workflow Management 2017-01-17 18:24:03 UTC
SUSE-SU-2017:0181-1: An update that solves 13 vulnerabilities and has 127 fixes is now available.

Category: security (important)
Bug References: 1000118,1000189,1000287,1000304,1000433,1000776,1001169,1001171,1001310,1001462,1001486,1001888,1002322,1002770,1002786,1003068,1003566,1003581,1003606,1003813,1003866,1003964,1004048,1004052,1004252,1004365,1004517,1005169,1005327,1005545,1005666,1005745,1005895,1005917,1005921,1005923,1005925,1005929,1006103,1006175,1006267,1006528,1006576,1006804,1006809,1006827,1006915,1006918,1007197,1007615,1007653,1007955,1008557,1008979,1009062,1009969,1010040,1010158,1010444,1010478,1010507,1010665,1010690,1010970,1011176,1011250,1011913,1012060,1012094,1012452,1012767,1012829,1012992,1013001,1013479,1013531,1013700,1014120,1014392,1014701,1014710,1015212,1015359,1015367,1015416,799133,914939,922634,963609,963655,963904,964462,966170,966172,966186,966191,966316,966318,966325,966471,969474,969475,969476,969477,969756,971975,971989,972993,974313,974842,974843,978907,979378,979681,981825,983087,983152,983318,985850,986255,986987,987641,987703,987805,988524,988715,990384,992555,993739,993841,993891,994881,995278,997059,997639,997807,998054,998689,999907,999932
CVE References: CVE-2015-1350,CVE-2015-8964,CVE-2016-7039,CVE-2016-7042,CVE-2016-7425,CVE-2016-7913,CVE-2016-7917,CVE-2016-8645,CVE-2016-8666,CVE-2016-9083,CVE-2016-9084,CVE-2016-9793,CVE-2016-9919
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.38-93.3, kernel-obs-build-4.4.38-93.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_4-1-2.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.38-93.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.38-93.1, kernel-source-4.4.38-93.1, kernel-syms-4.4.38-93.1
Comment 6 Swamp Workflow Management 2017-02-06 20:09:35 UTC
SUSE-SU-2017:0407-1: An update that solves 24 vulnerabilities and has 56 fixes is now available.

Category: security (important)
Bug References: 1003813,1005666,1007197,1008557,1008567,1008831,1008833,1008876,1008979,1009062,1009969,1010040,1010213,1010294,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011685,1012060,1012422,1012754,1012917,1012985,1013001,1013038,1013479,1013531,1013533,1013540,1013604,1014410,1014746,1016713,1016725,1016961,1017164,1017170,1017410,1017710,1018100,1019032,1019148,1019260,1019300,1019783,1019851,1020214,1020602,1021258,856380,857394,858727,921338,921778,922052,922056,923036,923037,924381,938963,972993,980560,981709,983087,983348,984194,984419,985850,987192,987576,990384,991273,993739,997807,999101
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8645,CVE-2016-8655,CVE-2016-9083,CVE-2016-9084,CVE-2016-9555,CVE-2016-9576,CVE-2016-9756,CVE-2016-9793,CVE-2016-9794,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.69-60.30.1, kernel-compute_debug-3.12.69-60.30.1, kernel-rt-3.12.69-60.30.1, kernel-rt_debug-3.12.69-60.30.1, kernel-source-rt-3.12.69-60.30.1, kernel-syms-rt-3.12.69-60.30.1
Comment 7 Swamp Workflow Management 2017-02-13 20:13:05 UTC
openSUSE-SU-2017:0456-1: An update that solves 11 vulnerabilities and has 98 fixes is now available.

Category: security (important)
Bug References: 1000092,1000619,1003077,1003253,1005918,1006469,1006472,1007729,1008742,1009546,1009674,1009718,1009911,1009969,1010612,1010690,1011176,1011250,1011602,1011660,1011913,1012422,1012829,1012910,1013000,1013001,1013273,1013531,1013540,1013542,1013792,1013994,1014120,1014392,1014410,1014701,1014710,1015038,1015212,1015359,1015367,1015416,1015840,1016250,1016403,1016517,1016884,1016979,1017164,1017170,1017410,1017589,1018100,1018316,1018358,1018385,1018446,1018813,1018913,1019061,1019148,1019260,1019351,1019594,1019630,1019631,1019784,1019851,1020214,1020488,1020602,1020685,1020817,1020945,1020975,1021248,1021251,1021258,1021260,1021294,1021455,1021474,1022304,1022429,1022476,1022547,1022559,1022971,1023101,1023175,921494,959709,960561,964944,966170,966172,966186,966191,969474,969475,969756,971975,974215,979378,981709,985561,987192,987576,991273
CVE References: CVE-2015-8709,CVE-2016-7117,CVE-2016-8645,CVE-2016-9793,CVE-2016-9806,CVE-2016-9919,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.46-11.1, kernel-default-4.4.46-11.1, kernel-docs-4.4.46-11.3, kernel-obs-build-4.4.46-11.1, kernel-obs-qa-4.4.46-11.1, kernel-source-4.4.46-11.1, kernel-syms-4.4.46-11.1, kernel-vanilla-4.4.46-11.1
Comment 8 Swamp Workflow Management 2017-02-13 20:30:58 UTC
openSUSE-SU-2017:0458-1: An update that solves 8 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1003077,1007886,1009969,1010444,1011820,1013273,1013531,1013540,1013542,1017589,1017710,1019658,1019660,1019784,1020214,1020381,1021258,983348,987333,987576
CVE References: CVE-2016-10088,CVE-2016-10147,CVE-2016-7117,CVE-2016-7917,CVE-2016-8645,CVE-2016-9793,CVE-2016-9806,CVE-2017-5551
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.38-47.1, kernel-default-4.1.38-47.1, kernel-docs-4.1.38-47.2, kernel-ec2-4.1.38-47.1, kernel-obs-build-4.1.38-47.3, kernel-obs-qa-4.1.38-47.1, kernel-pae-4.1.38-47.1, kernel-pv-4.1.38-47.1, kernel-source-4.1.38-47.1, kernel-syms-4.1.38-47.1, kernel-vanilla-4.1.38-47.1, kernel-xen-4.1.38-47.1
Comment 9 Swamp Workflow Management 2017-02-14 23:11:01 UTC
SUSE-SU-2017:0464-1: An update that solves 19 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1003813,1005666,1007197,1008557,1008567,1008833,1008876,1008979,1009062,1009969,1010040,1010213,1010294,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1012060,1012422,1012917,1012985,1013001,1013038,1013479,1013531,1013540,1013542,1014410,1014746,1016713,1016725,1016961,1017164,1017170,1017410,1017589,1017710,1018100,1019032,1019148,1019260,1019300,1019783,1019851,1020214,1020602,1021258,856380,857394,858727,921338,921778,922052,922056,923036,923037,924381,938963,972993,980560,981709,983087,983348,984194,984419,985850,987192,987576,990384,991273,993739,997807,999101
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.69-60.64.29.3, kernel-obs-build-3.12.69-60.64.29.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1, kernel-source-3.12.69-60.64.29.1, kernel-syms-3.12.69-60.64.29.1, kernel-xen-3.12.69-60.64.29.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.69-60.64.29.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_12-1-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1, kernel-source-3.12.69-60.64.29.1, kernel-syms-3.12.69-60.64.29.1, kernel-xen-3.12.69-60.64.29.1
Comment 10 Swamp Workflow Management 2017-02-15 20:09:29 UTC
SUSE-SU-2017:0471-1: An update that solves 34 vulnerabilities and has 48 fixes is now available.

Category: security (important)
Bug References: 1003153,1003925,1004462,1004517,1005666,1007197,1008833,1008979,1009969,1010040,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011820,1012422,1013038,1013531,1013540,1013542,1014746,1016482,1017410,1017589,1017710,1019300,1019851,1020602,1021258,881008,915183,958606,961257,970083,971989,976195,978094,980371,980560,981038,981597,981709,982282,982544,983619,983721,983977,984148,984419,984755,985978,986362,986365,986445,986569,986572,986811,986941,987542,987565,987576,989152,990384,991608,991665,993392,993890,993891,994296,994748,994881,995968,997708,998795,999584,999600,999932,999943
CVE References: CVE-2014-9904,CVE-2015-8956,CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-4470,CVE-2016-4998,CVE-2016-5696,CVE-2016-5828,CVE-2016-5829,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-8658,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.66.1
Comment 11 Marcus Meissner 2017-03-02 13:12:18 UTC
released