Bug 1045922 (CVE-2017-7518)

Summary: VUL-0: CVE-2017-7518: kernel: KVM: debug exception via syscall emulation
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: bpetkov, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/187258/
Whiteboard: CVSSv2:SUSE:CVE-2017-7518:4.1:(AV:L/AC:M/Au:S/C:P/I:P/A:P) CVSSv3:SUSE:CVE-2017-7518:5.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-06-26 07:19:10 UTC
http://www.openwall.com/lists/oss-security/2017/06/23/5

From: P J P 

Linux kernel built with the Kernel-based Virtual Machine (CONFIG_KVM) support
is vulnerable to an incorrect debug exception (#DB) error. It could occur while
emulating a syscall instruction.

A user/process inside a guest could use this flaw to potentially escalate their
privileges inside the guest.

Note: Linux guests are not affected.

Upstream patch: https://www.spinics.net/lists/kvm/msg151817.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1464473
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-7518
http://seclists.org/oss-sec/2017/q2/574
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-7518.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7518
https://xenbits.xen.org/xsa/advisory-204.html

Comment 1 Joerg Roedel 2017-06-30 09:02:10 UTC
This is commit c8401dda2f0a00cd25c0af6a95ed50e478d25de4 upstream.

Comment 2 Bernhard Wiedemann 2017-06-30 22:01:18 UTC
This is an autogenerated message for OBS integration:
This bug (1045922) was mentioned in
https://build.opensuse.org/request/show/507453 42.3 / kernel-source
https://build.opensuse.org/request/show/507458 42.2 / kernel-source

Comment 4 Swamp Workflow Management 2017-07-08 13:12:10 UTC
openSUSE-SU-2017:1825-1: An update that solves two vulnerabilities and has 14 fixes is now available.

Category: security (important)
Bug References: 1025461,1026570,1031784,1039354,1040182,1040941,1043347,1043488,1043912,1044854,1044912,1045922,1046105,1046434,1046589,1046821
CVE References: CVE-2017-1000365,CVE-2017-7518
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.74-18.20.1, kernel-default-4.4.74-18.20.1, kernel-docs-4.4.74-18.20.3, kernel-obs-build-4.4.74-18.20.1, kernel-obs-qa-4.4.74-18.20.1, kernel-source-4.4.74-18.20.1, kernel-syms-4.4.74-18.20.1, kernel-vanilla-4.4.74-18.20.1

Comment 5 Joerg Roedel 2017-07-24 11:49:37 UTC
Fix is backported to 4.4 and 3.12 based kernels.

Kernels 3.0 and below do not emulate guest single-stepping for emulated instructions (the guest single-steps itself). So these are not affected.

Comment 6 Joerg Roedel 2017-07-25 12:20:33 UTC
Updated the KABI workaround for both backports to make them similar in 3.12 and 4.4 and fixed a bug found while updating.

Comment 7 Joerg Roedel 2017-07-25 13:26:38 UTC
Update has been merged into SLE12-SP2 branch. Assigning back to sec-team.

Comment 8 Swamp Workflow Management 2017-08-09 13:14:41 UTC
openSUSE-SU-2017:2110-1: An update that solves 5 vulnerabilities and has 61 fixes is now available.

Category: security (important)
Bug References: 1006180,1011913,1012829,1013887,1022476,1028173,1028286,1029693,1030552,1031515,1031717,1033587,1034075,1034762,1036303,1036632,1037344,1038078,1038616,1039915,1040307,1040351,1041958,1042286,1042314,1042422,1042778,1043652,1044112,1044636,1045154,1045563,1045922,1046682,1046985,1047048,1047096,1047118,1047121,1047152,1047277,1047343,1047354,1047651,1047653,1047670,1048155,1048221,1048317,1048891,1048914,1049483,1049486,1049603,1049645,1049882,1050061,1050188,1051022,1051059,1051239,1051478,1051479,1051663,964063,974215
CVE References: CVE-2017-10810,CVE-2017-11473,CVE-2017-7533,CVE-2017-7541,CVE-2017-7542
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.79-18.23.1, kernel-default-4.4.79-18.23.1, kernel-docs-4.4.79-18.23.2, kernel-obs-build-4.4.79-18.23.1, kernel-obs-qa-4.4.79-18.23.1, kernel-source-4.4.79-18.23.1, kernel-syms-4.4.79-18.23.1, kernel-vanilla-4.4.79-18.23.1

Comment 9 Swamp Workflow Management 2017-08-09 13:26:24 UTC
openSUSE-SU-2017:2112-1: An update that solves four vulnerabilities and has 61 fixes is now available.

Category: security (important)
Bug References: 1005778,1011913,1012829,1013887,1016119,1019695,1022476,1022600,1022604,1028286,1030552,1031717,1033587,1036215,1036632,1037838,1039153,1040347,1042257,1042286,1042422,1043598,1044443,1044623,1045404,1045563,1045922,1046651,1046682,1047121,1048146,1048155,1048348,1048421,1048451,1048501,1048891,1048912,1048914,1048916,1048919,1049231,1049289,1049361,1049483,1049486,1049603,1049619,1049645,1049706,1049882,1050061,1050188,1050320,1050322,1051022,1051048,1051059,1051239,1051471,1051478,1051479,1051663,964063,974215
CVE References: CVE-2017-11473,CVE-2017-7533,CVE-2017-7541,CVE-2017-7542
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.79-4.2, kernel-default-4.4.79-4.2, kernel-docs-4.4.79-4.2, kernel-obs-build-4.4.79-4.2, kernel-obs-qa-4.4.79-4.2, kernel-source-4.4.79-4.2, kernel-syms-4.4.79-4.2, kernel-vanilla-4.4.79-4.2

Comment 10 Swamp Workflow Management 2017-08-29 16:24:55 UTC
SUSE-SU-2017:2286-1: An update that solves 8 vulnerabilities and has 150 fixes is now available.

Category: security (important)
Bug References: 1005778,1006180,1011913,1012829,1013887,1015337,1015342,1016119,1019151,1019695,1020645,1022476,1022600,1022604,1023175,1024346,1024373,1025461,1026570,1028173,1028286,1029693,1030552,1031515,1031717,1031784,1033587,1034075,1034113,1034762,1036215,1036632,1037344,1037404,1037838,1037994,1038078,1038616,1038792,1039153,1039348,1039915,1040307,1040347,1040351,1041958,1042257,1042286,1042314,1042422,1042778,1043261,1043347,1043520,1043598,1043652,1043805,1043912,1044112,1044443,1044623,1044636,1045154,1045293,1045330,1045404,1045563,1045596,1045709,1045715,1045866,1045922,1045937,1046105,1046170,1046434,1046651,1046655,1046682,1046821,1046985,1047027,1047048,1047096,1047118,1047121,1047152,1047174,1047277,1047343,1047354,1047418,1047506,1047595,1047651,1047653,1047670,1047802,1048146,1048155,1048221,1048317,1048348,1048356,1048421,1048451,1048501,1048891,1048912,1048914,1048916,1048919,1049231,1049289,1049298,1049361,1049483,1049486,1049603,1049619,1049645,1049706,1049882,1050061,1050188,1050211,1050320,1050322,1050677,1051022,1051048,1051059,1051239,1051399,1051471,1051478,1051479,1051556,1051663,1051689,1051979,1052049,1052223,1052311,1052325,1052365,1052442,1052533,1052709,1052773,1052794,1052899,1052925,1053043,1053117,964063,974215,998664
CVE References: CVE-2017-1000111,CVE-2017-1000112,CVE-2017-10810,CVE-2017-11473,CVE-2017-7533,CVE-2017-7541,CVE-2017-7542,CVE-2017-8831
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.82-6.3.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.82-6.3.5, kernel-obs-build-4.4.82-6.3.3
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.82-6.3.1, kernel-source-4.4.82-6.3.1, kernel-syms-4.4.82-6.3.1
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_1-1-2.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.82-6.3.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.82-6.3.1, kernel-source-4.4.82-6.3.1, kernel-syms-4.4.82-6.3.1

Comment 11 Swamp Workflow Management 2017-10-27 16:40:10 UTC
SUSE-SU-2017:2869-1: An update that solves 16 vulnerabilities and has 120 fixes is now available.

Category: security (important)
Bug References: 1006180,1011913,1012382,1012829,1013887,1019151,1020645,1020657,1021424,1022476,1022743,1022967,1023175,1024405,1028173,1028286,1029693,1030552,1030850,1031515,1031717,1031784,1033587,1034048,1034075,1034762,1036303,1036632,1037344,1037404,1037994,1038078,1038583,1038616,1038792,1039915,1040307,1040351,1041958,1042286,1042314,1042422,1042778,1043652,1044112,1044636,1045154,1045563,1045922,1046682,1046821,1046985,1047027,1047048,1047096,1047118,1047121,1047152,1047277,1047343,1047354,1047487,1047651,1047653,1047670,1048155,1048221,1048317,1048891,1048893,1048914,1048934,1049226,1049483,1049486,1049580,1049603,1049645,1049882,1050061,1050188,1051022,1051059,1051239,1051399,1051478,1051479,1051556,1051663,1051790,1052049,1052223,1052533,1052580,1052593,1052709,1052773,1052794,1052888,1053117,1053802,1053915,1053919,1054084,1055013,1055096,1055359,1055493,1055755,1055896,1056261,1056588,1056827,1056982,1057015,1058038,1058116,1058410,1058507,1059051,1059465,1060197,1061017,1061046,1061064,1061067,1061172,1061831,1061872,1063667,1064206,1064388,964063,971975,974215,981309
CVE References: CVE-2017-1000252,CVE-2017-10810,CVE-2017-11472,CVE-2017-11473,CVE-2017-12134,CVE-2017-12153,CVE-2017-12154,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14489,CVE-2017-15649,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-8831
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.90-92.45.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.90-92.45.3, kernel-obs-build-4.4.90-92.45.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.90-92.45.1, kernel-source-4.4.90-92.45.1, kernel-syms-4.4.90-92.45.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.90-92.45.1, kernel-source-4.4.90-92.45.1, kernel-syms-4.4.90-92.45.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_14-1-2.4
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.90-92.45.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.90-92.45.1, kernel-source-4.4.90-92.45.1, kernel-syms-4.4.90-92.45.1
SUSE Container as a Service Platform ALL (src):    kernel-default-4.4.90-92.45.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.90-92.45.1

Comment 12 Swamp Workflow Management 2017-10-30 18:30:11 UTC
SUSE-SU-2017:2908-1: An update that solves 30 vulnerabilities and has 38 fixes is now available.

Category: security (important)
Bug References: 1001459,1012985,1023287,1027149,1028217,1030531,1030552,1031515,1033960,1034405,1035531,1035738,1037182,1037183,1037994,1038544,1038564,1038879,1038883,1038981,1038982,1039348,1039354,1039456,1039721,1039864,1039882,1039883,1039885,1040069,1041160,1041429,1041431,1042696,1042832,1042863,1044125,1045327,1045487,1045922,1046107,1048275,1048788,1049645,1049882,1053148,1053152,1053317,1056588,1056982,1057179,1058410,1058507,1058524,1059863,1062471,1062520,1063667,1064388,856774,860250,863764,878240,922855,922871,986924,993099,994364
CVE References: CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-12153,CVE-2017-12154,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14140,CVE-2017-15265,CVE-2017-15274,CVE-2017-15649,CVE-2017-7482,CVE-2017-7487,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-7889,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE OpenStack Cloud 6 (src):    kernel-default-3.12.74-60.64.63.1, kernel-source-3.12.74-60.64.63.1, kernel-syms-3.12.74-60.64.63.1, kernel-xen-3.12.74-60.64.63.1, kgraft-patch-SLE12-SP1_Update_22-1-2.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.63.1, kernel-source-3.12.74-60.64.63.1, kernel-syms-3.12.74-60.64.63.1, kernel-xen-3.12.74-60.64.63.1, kgraft-patch-SLE12-SP1_Update_22-1-2.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.63.1, kernel-source-3.12.74-60.64.63.1, kernel-syms-3.12.74-60.64.63.1, kernel-xen-3.12.74-60.64.63.1, kgraft-patch-SLE12-SP1_Update_22-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.63.1

Comment 13 Swamp Workflow Management 2017-11-02 17:18:16 UTC
SUSE-SU-2017:2920-1: An update that solves 36 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1008353,1012422,1017941,1029850,1030593,1032268,1034405,1034670,1035576,1035877,1036752,1037182,1037183,1037306,1037994,1038544,1038879,1038981,1038982,1039348,1039349,1039354,1039456,1039721,1039882,1039883,1039885,1040069,1041431,1041958,1044125,1045327,1045487,1045922,1046107,1047408,1048275,1049645,1049882,1052593,1053148,1053152,1056588,1056982,1057179,1058038,1058410,1058507,1058524,1062520,1063667,1064388,938162,975596,977417,984779,985562,990682
CVE References: CVE-2015-9004,CVE-2016-10229,CVE-2016-9604,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-12153,CVE-2017-12154,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14140,CVE-2017-15265,CVE-2017-15274,CVE-2017-15649,CVE-2017-2647,CVE-2017-6951,CVE-2017-7482,CVE-2017-7487,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-7889,CVE-2017-8106,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.101.1, kernel-source-3.12.61-52.101.1, kernel-syms-3.12.61-52.101.1, kernel-xen-3.12.61-52.101.1, kgraft-patch-SLE12_Update_28-1-8.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.101.1

Comment 14 Swamp Workflow Management 2017-11-08 20:18:09 UTC
SUSE-SU-2017:2956-1: An update that solves 17 vulnerabilities and has 113 fixes is now available.

Category: security (important)
Bug References: 1005917,1006180,1011913,1012382,1012829,1013887,1018419,1019151,1020645,1020657,1020685,1021424,1022476,1022743,1023175,1024405,1028173,1028286,1028819,1029693,1030552,1030850,1031515,1031717,1031784,1033587,1034048,1034075,1034762,1036303,1036632,1037344,1037404,1037994,1038078,1038583,1038616,1038792,1038846,1038847,1039354,1039915,1040307,1040351,1041958,1042286,1042314,1042422,1042778,1043652,1044112,1044636,1045154,1045563,1045922,1046682,1046821,1046985,1047027,1047048,1047096,1047118,1047121,1047152,1047277,1047343,1047354,1047487,1047651,1047653,1047670,1048155,1048221,1048317,1048891,1048893,1048914,1048934,1049226,1049483,1049486,1049580,1049603,1049645,1049882,1050061,1050188,1051022,1051059,1051239,1051399,1051478,1051479,1051556,1051663,1051790,1052049,1052223,1052311,1052365,1052533,1052580,1052709,1052773,1052794,1052888,1053117,1053802,1053915,1054084,1055013,1055096,1055359,1056261,1056588,1056827,1056982,1057015,1057389,1058038,1058116,1058507,963619,964063,964944,971975,974215,981309,988784,993890
CVE References: CVE-2017-1000111,CVE-2017-1000112,CVE-2017-1000251,CVE-2017-1000252,CVE-2017-1000365,CVE-2017-10810,CVE-2017-11472,CVE-2017-11473,CVE-2017-12134,CVE-2017-12154,CVE-2017-14051,CVE-2017-14106,CVE-2017-7518,CVE-2017-7533,CVE-2017-7541,CVE-2017-7542,CVE-2017-8831
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.88-18.1, kernel-rt_debug-4.4.88-18.1, kernel-source-rt-4.4.88-18.1, kernel-syms-rt-4.4.88-18.1

Comment 15 Marcus Meissner 2018-02-09 06:39:36 UTC
released