Bug 1040279 (CVE-2017-9150)

Summary: VUL-0: CVE-2017-9150: kernel-source: The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value print_bpf_insn function
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: dchang, glin, smash_bz, tiwai
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/185718/
Whiteboard: CVSSv3:SUSE:CVE-2017-9150:4.0:(AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVSSv3:RedHat:CVE-2017-9150:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) CVSSv2:SUSE:CVE-2017-9150:1.9:(AV:L/AC:M/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2017-9150:2.1:(AV:L/AC:L/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2017-9150:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2017-05-23 06:33:06 UTC
CVE-2017-9150

The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1
does not make the allow_ptr_leaks value available for restricting the output of
the print_bpf_insn function, which allows local users to obtain sensitive
address information via crafted bpf system calls.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-9150
http://www.cvedetails.com/cve/CVE-2017-9150/
https://github.com/torvalds/linux/commit/0d0e57697f162da4aa218b5feafe614fb666db07
https://bugs.chromium.org/p/project-zero/issues/detail?id=1251
http://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.1
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0d0e57697f162da4aa218b5feafe614fb666db07
Comment 1 Marcus Meissner 2017-05-23 07:02:28 UTC
the allow_ptr_leaks are only supported since the 4.4 kernel.
Comment 2 david chang 2017-05-24 06:59:18 UTC
Introduced by
        cbd357008604 bpf: verifier (add ability to receive verification log) (v3.18-rc1)
and allow_ptr_leaks introduced by
        1be7f75d1668 bpf: enable non-root eBPF programs (v4.4-rc1)

The issue can be reproduced with bpf_pointer_leak_poc on SLE12-SP2 and SP3.
And we confirmed that the following patch resolves it.

Fixed in
0d0e57697f16 bpf: don't let ldimm64 leak map addresses on unprivileged (v4.12-rc1)
        adapted to SLE12-SP2, since it depends on absent commit
        58e2af8b3a6b bpf: expose internal verfier structures (v4.9-rc1)

SLE12-SP2 : 4.4.69
        pushed to 75c3110470c8
SLE12-SP3 : 4.4.69
        merged SP2 to SP3 4388ad2a7de9
Comment 3 Swamp Workflow Management 2017-06-08 16:22:34 UTC
openSUSE-SU-2017:1513-1: An update that solves 8 vulnerabilities and has 68 fixes is now available.

Category: security (important)
Bug References: 1003581,1004003,1011044,1012422,1012452,1012829,1012910,1012985,1013561,1018885,1020412,1022266,1026570,1028310,1028340,1029607,1030057,1031040,1031142,1031470,1031500,1031512,1031717,1034635,1034670,1034762,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036752,1036763,1037177,1037186,1037384,1037483,1037871,1037969,1038033,1038043,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1039700,1039864,1039882,1039883,1039885,1040069,1040125,1040279,1040395,1040425,1040463,1040929,1040941,1041087,1041160,1041168,1041242,799133,922871,966321,971975,989311
CVE References: CVE-2017-7487,CVE-2017-7645,CVE-2017-8890,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.70-18.9.1, kernel-default-4.4.70-18.9.1, kernel-docs-4.4.70-18.9.2, kernel-obs-build-4.4.70-18.9.1, kernel-obs-qa-4.4.70-18.9.1, kernel-source-4.4.70-18.9.1, kernel-syms-4.4.70-18.9.1, kernel-vanilla-4.4.70-18.9.1
Comment 4 Swamp Workflow Management 2017-07-13 13:25:24 UTC
SUSE-SU-2017:1853-1: An update that solves 15 vulnerabilities and has 162 fixes is now available.

Category: security (important)
Bug References: 1003581,1004003,1011044,1012060,1012382,1012422,1012452,1012829,1012910,1012985,1013561,1013887,1015342,1015452,1017461,1018885,1020412,1021424,1022266,1022595,1023287,1025461,1026570,1027101,1027512,1027974,1028217,1028310,1028340,1028883,1029607,1030057,1030070,1031040,1031142,1031147,1031470,1031500,1031512,1031555,1031717,1031796,1032141,1032339,1032345,1032400,1032581,1032803,1033117,1033281,1033336,1033340,1033885,1034048,1034419,1034635,1034670,1034671,1034762,1034902,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036638,1036752,1036763,1037177,1037186,1037384,1037483,1037669,1037840,1037871,1037969,1038033,1038043,1038085,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1038981,1038982,1039214,1039348,1039354,1039700,1039864,1039882,1039883,1039885,1039900,1040069,1040125,1040182,1040279,1040351,1040364,1040395,1040425,1040463,1040567,1040609,1040855,1040929,1040941,1041087,1041160,1041168,1041242,1041431,1041810,1042286,1042356,1042421,1042517,1042535,1042536,1042863,1042886,1043014,1043231,1043236,1043347,1043371,1043467,1043488,1043598,1043912,1043935,1043990,1044015,1044082,1044120,1044125,1044532,1044767,1044772,1044854,1044880,1044912,1045154,1045235,1045286,1045307,1045467,1045568,1046105,1046434,1046589,799133,863764,922871,939801,966170,966172,966191,966321,966339,971975,988065,989311,990058,990682,993832,995542
CVE References: CVE-2017-1000365,CVE-2017-1000380,CVE-2017-7346,CVE-2017-7487,CVE-2017-7616,CVE-2017-7618,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.74-92.29.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.74-92.29.3, kernel-obs-build-4.4.74-92.29.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.74-92.29.1, kernel-source-4.4.74-92.29.1, kernel-syms-4.4.74-92.29.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.74-92.29.1, kernel-source-4.4.74-92.29.1, kernel-syms-4.4.74-92.29.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_10-1-4.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.74-92.29.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.74-92.29.1, kernel-source-4.4.74-92.29.1, kernel-syms-4.4.74-92.29.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.74-92.29.1
Comment 5 Swamp Workflow Management 2017-07-28 13:48:38 UTC
SUSE-SU-2017:1990-1: An update that solves 43 vulnerabilities and has 282 fixes is now available.

Category: security (important)
Bug References: 1000092,1003077,1003581,1004003,1007729,1007959,1007962,1008842,1009674,1009718,1010032,1010612,1010690,1011044,1011176,1011913,1012060,1012382,1012422,1012452,1012829,1012910,1012985,1013001,1013561,1013792,1013887,1013994,1014120,1014136,1015342,1015367,1015452,1015609,1016403,1017164,1017170,1017410,1017461,1017641,1018100,1018263,1018358,1018385,1018419,1018446,1018813,1018885,1018913,1019061,1019148,1019163,1019168,1019260,1019351,1019594,1019614,1019618,1019630,1019631,1019784,1019851,1020048,1020214,1020412,1020488,1020602,1020685,1020817,1020945,1020975,1021082,1021248,1021251,1021258,1021260,1021294,1021424,1021455,1021474,1021762,1022181,1022266,1022304,1022340,1022429,1022476,1022547,1022559,1022595,1022785,1022971,1023101,1023175,1023287,1023762,1023866,1023884,1023888,1024015,1024081,1024234,1024508,1024938,1025039,1025235,1025461,1025683,1026024,1026405,1026462,1026505,1026509,1026570,1026692,1026722,1027054,1027066,1027101,1027153,1027179,1027189,1027190,1027195,1027273,1027512,1027565,1027616,1027974,1028017,1028027,1028041,1028158,1028217,1028310,1028325,1028340,1028372,1028415,1028819,1028883,1028895,1029220,1029514,1029607,1029634,1029986,1030057,1030070,1030118,1030213,1030573,1031003,1031040,1031052,1031142,1031147,1031200,1031206,1031208,1031440,1031470,1031500,1031512,1031555,1031579,1031662,1031717,1031796,1031831,1032006,1032141,1032339,1032345,1032400,1032581,1032673,1032681,1032803,1033117,1033281,1033287,1033336,1033340,1033885,1034048,1034419,1034635,1034670,1034671,1034762,1034902,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036638,1036752,1036763,1037177,1037186,1037384,1037483,1037669,1037840,1037871,1037969,1038033,1038043,1038085,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1038981,1038982,1039348,1039354,1039700,1039864,1039882,1039883,1039885,1039900,1040069,1040125,1040182,1040279,1040351,1040364,1040395,1040425,1040463,1040567,1040609,1040855,1040929,1040941,1041087,1041160,1041168,1041242,1041431,1041810,1042200,1042286,1042356,1042421,1042517,1042535,1042536,1042863,1042886,1043014,1043231,1043236,1043347,1043371,1043467,1043488,1043598,1043912,1043935,1043990,1044015,1044082,1044120,1044125,1044532,1044767,1044772,1044854,1044880,1044912,1045154,1045235,1045286,1045307,1045340,1045467,1045568,1046105,1046434,1046589,799133,863764,870618,922871,951844,966170,966172,966191,966321,966339,968697,969479,969755,970083,971975,982783,985561,986362,986365,987192,987576,988065,989056,989311,990058,990682,991273,993832,995542,995968,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-4997,CVE-2016-4998,CVE-2016-7117,CVE-2016-9191,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-2671,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7346,CVE-2017-7374,CVE-2017-7487,CVE-2017-7616,CVE-2017-7618,CVE-2017-8890,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.74-7.10.1, kernel-rt_debug-4.4.74-7.10.1, kernel-source-rt-4.4.74-7.10.1, kernel-syms-rt-4.4.74-7.10.1
Comment 6 Marcus Meissner 2017-12-27 20:44:06 UTC
released