Bug 1031796 (CVE-2017-7346)

Summary: VUL-0: CVE-2017-7346: kernel: drm/vmwgfx: Limit the number of mip levels in vmw_gb_surface_define_ioctl() to prevent local DOS
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bpetkov, meissner, mmarek, mstaudt, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/182500/
Whiteboard: CVSSv2:SUSE:CVE-2017-7346:4.4:(AV:L/AC:M/Au:S/C:N/I:N/A:C) CVSSv2:NVD:CVE-2017-7346:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C) CVSSv3:NVD:CVE-2017-7346:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-7346:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-03-31 06:41:09 UTC
rh#1437431

The vmw_gb_surface_define_ioctl function in
drivers/gpu/drm/vmwgfx/vmwgfx_surface.c in the Linux kernel through 4.10.7 does
not validate certain levels data, which allows local users to cause a denial of
service (system hang) via a crafted ioctl call for a /dev/dri/renderD* device.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1437431
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7346
http://www.cvedetails.com/cve/CVE-2017-7346/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7346
https://lists.freedesktop.org/archives/dri-devel/2017-March/137429.html
http://marc.info/?l=linux-kernel&m=149086968410117&w=2
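As an added illustration, not the kernel's code and not the patch tracked in this bug: a small C model of the check named in the summary, a user-supplied mip-level count being bounded before the driver walks the mip chain. The argument struct, the helper names, the texel-sum loop standing in for the driver's per-level work, and the value 32 for DRM_VMW_MAX_MIP_LEVELS are all assumptions made for this example; dimension overflow is not modelled.

```c
/* Added example, not the kernel's code: models the check the CVE-2017-7346
 * fix places in front of vmw_gb_surface_define_ioctl()'s use of the
 * user-supplied mip-level count. Struct layout and helper names are
 * illustrative; the only name taken from vmwgfx is DRM_VMW_MAX_MIP_LEVELS,
 * whose value (32) is assumed here rather than copied from the uapi header. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

#define DRM_VMW_MAX_MIP_LEVELS 32   /* assumed value of the vmwgfx uapi limit */

/* Constructed stand-in for the ioctl argument block a render-node user
 * passes in: every field is under the caller's control. */
struct gb_surface_req {
	uint32_t base_width;
	uint32_t base_height;
	uint32_t base_depth;
	uint32_t mip_levels;
};

/* Walk the mip chain and sum its texels. The loop runs req->mip_levels
 * times, so it must only be reached after that field has been bounded:
 * a value near UINT32_MAX would keep the kernel spinning here.
 * (Overflow of the per-level product for huge dimensions is not modelled.) */
static uint64_t mip_chain_texels(const struct gb_surface_req *req)
{
	uint64_t total = 0;
	uint32_t w = req->base_width, h = req->base_height, d = req->base_depth;

	for (uint32_t i = 0; i < req->mip_levels; ++i) {
		total += (uint64_t)w * h * d;
		/* each level halves every dimension, clamped at 1 */
		w = w > 1 ? w >> 1 : 1;
		h = h > 1 ? h >> 1 : 1;
		d = d > 1 ? d >> 1 : 1;
	}
	return total;
}

/* Fixed behaviour: reject an over-long chain with -EINVAL before any loop
 * depends on it. Returns 0 and stores the texel count on success. */
int gb_surface_define_checked(const struct gb_surface_req *req, uint64_t *texels)
{
	if (req->mip_levels > DRM_VMW_MAX_MIP_LEVELS)
		return -EINVAL;

	*texels = mip_chain_texels(req);
	return 0;
}

/* Plain-value wrappers so both paths can be exercised without building the
 * struct by hand. define_texels() returns 0 when the request is rejected. */
int define_status(uint32_t w, uint32_t h, uint32_t d, uint32_t levels)
{
	struct gb_surface_req req = { w, h, d, levels };
	uint64_t texels;
	return gb_surface_define_checked(&req, &texels);
}

uint64_t define_texels(uint32_t w, uint32_t h, uint32_t d, uint32_t levels)
{
	struct gb_surface_req req = { w, h, d, levels };
	uint64_t texels = 0;
	if (gb_surface_define_checked(&req, &texels) != 0)
		return 0;
	return texels;
}

int main(void)
{
	/* a legitimate 8x4x1 surface with a 4-level chain */
	printf("8x4x1, 4 levels: status %d, texels %llu\n",
	       define_status(8, 4, 1, 4),
	       (unsigned long long)define_texels(8, 4, 1, 4));
	/* the crafted request: an absurd level count is refused up front */
	printf("8x4x1, 0xffffffff levels: status %d (-EINVAL is %d)\n",
	       define_status(8, 4, 1, 0xffffffffu), -EINVAL);
	return 0;
}
```

The point to carry over to any ioctl review: a count copied from userspace that bounds a loop or an allocation needs a hard upper limit before first use, and the limit should be one the uapi header already publishes so userspace cannot legitimately exceed it.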
Comment 1 Takashi Iwai 2017-03-31 07:17:57 UTC
vmw_gb_surface_define_ioctl() was introduced in 3.14, so only SLE12-SP2/SP3, openSUSE-42.1, 42.2 and TW suffer.
Comment 6 Michal Marek 2017-06-02 16:17:52 UTC
Patrik, can you backport this one? It is needed in branches that have CONFIG_DRM_VMWGFX, which is SLE12-LTSS and later. See http://kerncvs.suse.de/ for the relation of the branches and where the fix needs to be applied.
Comment 7 Patrik Jakobsson 2017-06-02 19:54:08 UTC
Ok, pushed the fix for SLE12-SP2. I'm assuming (according to the graph) that it will automatically propagate to the rest.
Comment 8 Takashi Iwai 2017-06-02 20:42:08 UTC
(In reply to Patrik Jakobsson from comment #7)
> Ok, pushed the fix for SLE12-SP2. I'm assuming (according to the graph) that
> it will automatically propagate to the rest.

Could you create a patch from the freedesktop.org git tree as Max pointed out in comment 5? Usually the branch is merged to upstream as is, thus it can be easily identified when it's really merged to Linus' tree and the stable tree by the commit ID.

If you have time, you can apply the same fix for stable branch, too.
Comment 9 Michal Marek 2017-06-05 06:37:02 UTC
Right, in this case we use an annotation like this:

Git-commit: b3853a7a95888646e1246f85625477c50084e1f4
Patch-mainline: Queued in subsystem maintainer repository
Comment 10 Michal Marek 2017-06-05 07:00:58 UTC
Also, SLE12-LTSS and SLE12-SP1 need a fix (they both consume cve/linux-3.12).
Comment 11 Patrik Jakobsson 2017-06-05 20:31:58 UTC
Michal, I'm a bit confused. The fix only applies to >= 3.14 (as the ioctl was introduced in 3.14-rc1 with a97e21923b42), so CVE-3.12 and SLE12-LTSS do not need it IIUC.

I've now pushed an updated version (with new tags) to SLE12-SP2, SLE12-SP3 and stable. Is this correct?
Comment 12 Michal Marek 2017-06-06 17:18:24 UTC
I did not notice that this code is not present in SLE12-SP1 and earlier. BTW, the correct way is to check the base kernel version AND any backports we have in kernel-source.git -- in this case, we did not even backport the code. So SLE12-SP2 is all that's needed, handing over to the security team.
Comment 14 Swamp Workflow Management 2017-06-21 10:13:15 UTC
openSUSE-SU-2017:1633-1: An update that solves four vulnerabilities and has 35 fixes is now available.

Category: security (important)
Bug References: 1012060,1012382,1012422,1012829,1015452,1022595,1031796,1032339,1036638,1037840,1038085,1039348,1039900,1040855,1041242,1041431,1041810,1042286,1042356,1042421,1042517,1042535,1042536,1042886,1043014,1043231,1043236,1043371,1043467,1043598,1043935,1044015,1044125,1044532,863764,966321,966339,971975,995542
CVE References: CVE-2017-1000364,CVE-2017-1000380,CVE-2017-7346,CVE-2017-9242
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.72-18.12.2, kernel-default-4.4.72-18.12.2, kernel-docs-4.4.72-18.12.3, kernel-obs-build-4.4.72-18.12.2, kernel-obs-qa-4.4.72-18.12.1, kernel-source-4.4.72-18.12.1, kernel-syms-4.4.72-18.12.1, kernel-vanilla-4.4.72-18.12.2
Comment 15 Swamp Workflow Management 2017-07-13 13:16:57 UTC
SUSE-SU-2017:1853-1: An update that solves 15 vulnerabilities and has 162 fixes is now available.

Category: security (important)
Bug References: 1003581,1004003,1011044,1012060,1012382,1012422,1012452,1012829,1012910,1012985,1013561,1013887,1015342,1015452,1017461,1018885,1020412,1021424,1022266,1022595,1023287,1025461,1026570,1027101,1027512,1027974,1028217,1028310,1028340,1028883,1029607,1030057,1030070,1031040,1031142,1031147,1031470,1031500,1031512,1031555,1031717,1031796,1032141,1032339,1032345,1032400,1032581,1032803,1033117,1033281,1033336,1033340,1033885,1034048,1034419,1034635,1034670,1034671,1034762,1034902,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036638,1036752,1036763,1037177,1037186,1037384,1037483,1037669,1037840,1037871,1037969,1038033,1038043,1038085,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1038981,1038982,1039214,1039348,1039354,1039700,1039864,1039882,1039883,1039885,1039900,1040069,1040125,1040182,1040279,1040351,1040364,1040395,1040425,1040463,1040567,1040609,1040855,1040929,1040941,1041087,1041160,1041168,1041242,1041431,1041810,1042286,1042356,1042421,1042517,1042535,1042536,1042863,1042886,1043014,1043231,1043236,1043347,1043371,1043467,1043488,1043598,1043912,1043935,1043990,1044015,1044082,1044120,1044125,1044532,1044767,1044772,1044854,1044880,1044912,1045154,1045235,1045286,1045307,1045467,1045568,1046105,1046434,1046589,799133,863764,922871,939801,966170,966172,966191,966321,966339,971975,988065,989311,990058,990682,993832,995542
CVE References: CVE-2017-1000365,CVE-2017-1000380,CVE-2017-7346,CVE-2017-7487,CVE-2017-7616,CVE-2017-7618,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.74-92.29.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.74-92.29.3, kernel-obs-build-4.4.74-92.29.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.74-92.29.1, kernel-source-4.4.74-92.29.1, kernel-syms-4.4.74-92.29.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.74-92.29.1, kernel-source-4.4.74-92.29.1, kernel-syms-4.4.74-92.29.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_10-1-4.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.74-92.29.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.74-92.29.1, kernel-source-4.4.74-92.29.1, kernel-syms-4.4.74-92.29.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.74-92.29.1
Comment 16 Swamp Workflow Management 2017-07-28 13:39:05 UTC
SUSE-SU-2017:1990-1: An update that solves 43 vulnerabilities and has 282 fixes is now available.

Category: security (important)
Bug References: 1000092,1003077,1003581,1004003,1007729,1007959,1007962,1008842,1009674,1009718,1010032,1010612,1010690,1011044,1011176,1011913,1012060,1012382,1012422,1012452,1012829,1012910,1012985,1013001,1013561,1013792,1013887,1013994,1014120,1014136,1015342,1015367,1015452,1015609,1016403,1017164,1017170,1017410,1017461,1017641,1018100,1018263,1018358,1018385,1018419,1018446,1018813,1018885,1018913,1019061,1019148,1019163,1019168,1019260,1019351,1019594,1019614,1019618,1019630,1019631,1019784,1019851,1020048,1020214,1020412,1020488,1020602,1020685,1020817,1020945,1020975,1021082,1021248,1021251,1021258,1021260,1021294,1021424,1021455,1021474,1021762,1022181,1022266,1022304,1022340,1022429,1022476,1022547,1022559,1022595,1022785,1022971,1023101,1023175,1023287,1023762,1023866,1023884,1023888,1024015,1024081,1024234,1024508,1024938,1025039,1025235,1025461,1025683,1026024,1026405,1026462,1026505,1026509,1026570,1026692,1026722,1027054,1027066,1027101,1027153,1027179,1027189,1027190,1027195,1027273,1027512,1027565,1027616,1027974,1028017,1028027,1028041,1028158,1028217,1028310,1028325,1028340,1028372,1028415,1028819,1028883,1028895,1029220,1029514,1029607,1029634,1029986,1030057,1030070,1030118,1030213,1030573,1031003,1031040,1031052,1031142,1031147,1031200,1031206,1031208,1031440,1031470,1031500,1031512,1031555,1031579,1031662,1031717,1031796,1031831,1032006,1032141,1032339,1032345,1032400,1032581,1032673,1032681,1032803,1033117,1033281,1033287,1033336,1033340,1033885,1034048,1034419,1034635,1034670,1034671,1034762,1034902,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036638,1036752,1036763,1037177,1037186,1037384,1037483,1037669,1037840,1037871,1037969,1038033,1038043,1038085,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1038981,1038982,1039348,1039354,1039700,1039864,1039882,1039883,1039885,1039900,1040069,1040125,1040182,1040279,1040351,1040364,1040395,1040425,1040463,1040567,1040609,1040855,1040929,1040941,1041087,1041160,1041168,1041242,1041431,1041810,1042200,1042286,1042356,1042421,1042517,1042535,1042536,1042863,1042886,1043014,1043231,1043236,1043347,1043371,1043467,1043488,1043598,1043912,1043935,1043990,1044015,1044082,1044120,1044125,1044532,1044767,1044772,1044854,1044880,1044912,1045154,1045235,1045286,1045307,1045340,1045467,1045568,1046105,1046434,1046589,799133,863764,870618,922871,951844,966170,966172,966191,966321,966339,968697,969479,969755,970083,971975,982783,985561,986362,986365,987192,987576,988065,989056,989311,990058,990682,991273,993832,995542,995968,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-4997,CVE-2016-4998,CVE-2016-7117,CVE-2016-9191,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-2671,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7346,CVE-2017-7374,CVE-2017-7487,CVE-2017-7616,CVE-2017-7618,CVE-2017-8890,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.74-7.10.1, kernel-rt_debug-4.4.74-7.10.1, kernel-source-rt-4.4.74-7.10.1, kernel-syms-rt-4.4.74-7.10.1
Comment 17 Marcus Meissner 2017-10-24 09:35:05 UTC
released