Bug 1046202 (CVE-2017-8797)

Summary: VUL-0: CVE-2017-8797: kernel: remote DoS in nfsd
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: meissner, nfbrown, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/187345/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Johannes Segitz 2017-06-27 15:29:36 UTC
CVE-2017-8797

From: Ari Kauppi

Linux kernel NFSv4 server is vulnerable to a remote DoS attack.

The NFSv4 server in the Linux kernel does not properly validate the layout type
when processing the NFSv4 pNFS LAYOUTGET operand. The provided input
value is not properly validated and is used for array dereferencing. An OOPS
is triggered, which leads to DoS of knfsd and eventually to a soft-lockup of the
whole system.

In addition, on the normal processing path there is a C undefined-behavior
weakness that can lead to out-of-bounds array dereferencing.

The attack vector requires that the attacking host is within the host mask of an exported
NFSv4 mount, or that source address spoofing is not properly mitigated in the network.
The attack payload fits in a single one-way UDP packet. The kernel must be
compiled with CONFIG_NFSD_PNFS enabled, which seems to be the case
with many vendor kernels.

The issue has been verified to be reproducible at least with unpatched v4.4, v4.8 and v4.11 baselines.

Upstream patches in mainline: (available in stable releases, too)
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/nfsd?h=v4.12-rc7&id=b550a32e60a4941994b437a8d662432a486235a5
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/nfsd?h=v4.12-rc7&id=f961e3f2acae94b727380c0b74e2d3954d0edf79

The issue was found by Jani Tuovila from Synopsys Ltd with Synopsys Defensics fuzzer.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8797
http://seclists.org/oss-sec/2017/q2/615
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8797
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/nfsd?h=v4.12-rc7&id=f961e3f2acae94b727380c0b74e2d3954d0edf79
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/fs/nfsd?h=v4.12-rc7&id=b550a32e60a4941994b437a8d662432a486235a5
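The advisory above describes two distinct defects in how the server handles the client-supplied layout type: an unbounded value used as an array index (the OOPS), and a C undefined-behavior weakness on the normal path. The block below is an added illustration of the defensive pattern that closes both, written for this bug entry; it is not kernel code and not the upstream patches. The table, the export structure, the `demo_` names and the table size are all assumed stand-ins for the real nfsd layout-type table, and the sample inputs are constructed. The point it demonstrates is that the range check must come before both the array dereference and the bit-shift that tests the per-export mask, because a shift by 32 or more is itself undefined behavior in C.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration, not kernel code.  The layout type arrives in the
 * LAYOUTGET arguments straight from the client, so it is untrusted input.
 * All identifiers below are assumed names; the real kernel tables differ.
 */
#define DEMO_LAYOUT_TYPE_MAX 6U   /* size of the operations table (assumed) */

struct demo_layout_ops {
    const char *name;
};

/* Operations table indexed by layout type; entries left NULL are unsupported. */
static const struct demo_layout_ops demo_block_ops = { "block" };
static const struct demo_layout_ops demo_scsi_ops  = { "scsi" };
static const struct demo_layout_ops *const demo_layout_ops_table[DEMO_LAYOUT_TYPE_MAX] = {
    [3] = &demo_block_ops,
    [5] = &demo_scsi_ops,
};

/* Per-export bitmask of layout types the administrator enabled (assumed field). */
struct demo_export {
    uint32_t layout_types;
};

/* A constructed export that offers layout types 3 and 5 only. */
static const struct demo_export demo_exp = { .layout_types = (1U << 3) | (1U << 5) };

/* A constructed export with pNFS disabled entirely. */
static const struct demo_export demo_exp_no_pnfs = { .layout_types = 0 };

/*
 * Hardened lookup: both the array index and the shift amount are bounded by
 * the table size before either is used.  Returns NULL (which a caller would
 * map to an NFS4ERR_UNKNOWN_LAYOUTTYPE reply) for anything outside the table
 * or not enabled on this export.
 */
const struct demo_layout_ops *
demo_layout_verify(const struct demo_export *exp, uint32_t layout_type)
{
    if (exp->layout_types == 0)
        return NULL;                      /* export does not offer pNFS at all */

    /*
     * Order matters: the range check must come first.  Evaluating
     * (1U << layout_type) for layout_type >= 32 is undefined behaviour in C,
     * so testing the mask before bounding the value would already be a bug,
     * independent of the array access that follows.
     */
    if (layout_type >= DEMO_LAYOUT_TYPE_MAX)
        return NULL;                      /* out of range: never touch the table */
    if (!(exp->layout_types & (1U << layout_type)))
        return NULL;                      /* in range but disabled for this export */

    return demo_layout_ops_table[layout_type];   /* index is now proven in bounds */
}

/* Small driver showing the outcomes for a few constructed inputs. */
int main(void)
{
    const uint32_t samples[] = { 3, 5, 4, 6, 31, 32, 0xffffffffU };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct demo_layout_ops *ops = demo_layout_verify(&demo_exp, samples[i]);
        printf("layout_type %u -> %s\n", samples[i], ops ? ops->name : "rejected");
    }
    return 0;
}
```

Values 6, 32 and 0xffffffff are rejected by the range check alone and never reach the mask test or the table; 4 is in range but rejected because the export did not enable it. A fuzzer such as the one credited in the advisory is effectively enumerating exactly these boundary values, which is why the check has to sit at the point where the untrusted value first enters the server rather than deeper in the layout code.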
Comment 1 Neil Brown 2017-06-30 05:32:52 UTC
The first commit, b550a32e60a4, fixes a bug introduced by
Commit: 8a4c3926889e ("nfsd: allow nfsd to advertise multiple layout types")
in v4.8
So this is only needed in 'master' and 'stable'.
It arrived in 'stable' via 4.11.3
It arrived in 'master' via 4.12-rc1

The second commit, f961e3f2acae, fixes a bug introduced by
Commit: 9cf514ccfacb ("nfsd: implement pNFS operations")
in v4.0
So this is needed in 'master' and 'stable' and SLE12-SP2.

It arrived in SLE12-SP2 via 4.4.70
It arrived in 'stable' via 4.11.3
It arrived in 'master' via 4.12-rc1

So there is nothing we need to add to any of our kernels to fix this.
Comment 2 Johannes Segitz 2017-06-30 09:20:52 UTC
thanks
Comment 3 Swamp Workflow Management 2017-08-04 19:08:02 UTC
SUSE-SU-2017:2043-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027575,1038564,1042364,1042892,1046191,1046202,1046206,1050751
CVE References: CVE-2017-2636,CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_3-7-2.1
Comment 4 Swamp Workflow Management 2017-08-04 19:10:07 UTC
SUSE-SU-2017:2046-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1038564,1042364,1042892,1046191,1046202,1046206,1047518,1050751
CVE References: CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_8-3-2.1
Comment 5 Swamp Workflow Management 2017-08-07 13:11:59 UTC
SUSE-SU-2017:2062-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027575,1038564,1042364,1042892,1046191,1046202,1046206,1050751
CVE References: CVE-2017-2636,CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_0-8-18.7.1
Comment 6 Swamp Workflow Management 2017-08-07 13:13:12 UTC
SUSE-SU-2017:2063-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027575,1038564,1042364,1042892,1046191,1046202,1046206,1050751
CVE References: CVE-2017-2636,CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_5-5-2.1
Comment 7 Swamp Workflow Management 2017-08-07 13:14:20 UTC
SUSE-SU-2017:2064-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1038564,1042364,1042892,1046191,1046202,1046206,1047518,1050751
CVE References: CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_7-3-2.1
Comment 8 Swamp Workflow Management 2017-08-07 13:15:52 UTC
SUSE-SU-2017:2065-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027575,1038564,1042364,1042892,1046191,1046202,1046206,1050751
CVE References: CVE-2017-2636,CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_4-7-2.1
Comment 9 Swamp Workflow Management 2017-08-07 13:17:04 UTC
SUSE-SU-2017:2066-1: An update that solves 6 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1038564,1042364,1042892,1046191,1046202,1046206,1047518,1050751
CVE References: CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_9-2-2.1
Comment 10 Swamp Workflow Management 2017-08-07 13:18:29 UTC
SUSE-SU-2017:2067-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027575,1038564,1042364,1042892,1046191,1046202,1046206,1050751
CVE References: CVE-2017-2636,CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_1-8-2.1
Comment 11 Swamp Workflow Management 2017-08-07 13:19:45 UTC
SUSE-SU-2017:2068-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027575,1038564,1042364,1042892,1046191,1046202,1046206,1050751
CVE References: CVE-2017-2636,CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_2-7-2.1
Comment 12 Swamp Workflow Management 2017-08-07 13:21:17 UTC
SUSE-SU-2017:2070-1: An update that solves 6 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1038564,1042364,1042892,1046191,1046202,1046206,1050751
CVE References: CVE-2017-7533,CVE-2017-7645,CVE-2017-8797,CVE-2017-8890,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_6-4-2.1