Bug 1074839 (CVE-2017-15129)

Summary: VUL-0: CVE-2017-15129: kernel-source: net: double-free and memory corruption in get_net_ns_by_id()
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P2 - High CC: mkubecek, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/197730/
Whiteboard: CVSSv3:RedHat:CVE-2017-15129:6.1:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) CVSSv3:SUSE:CVE-2017-15129:6.1:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H) CVSSv2:NVD:CVE-2017-15129:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Meissner 2018-01-05 15:07:01 UTC 
Heololo,

A use-after-free vulnerability was found in a network namespaces code affecting the Linux
kernel since  v4.0-rc1 through v4.15-rc5. The function get_net_ns_by_id() does not check
for the net::count value after it has found a peer network in netns_ids idr which could
lead to double free and memory corruption. This vulnerability could allow an unprivileged
local user to induce kernel memory corruption on the system, leading to a crash. Due to
the nature of the flaw, privilege escalation cannot be fully ruled out, although we believe
it is unlikely.

References:

https://marc.info/?l=linux-netdev&m=151370451121029&w=2

https://marc.info/?t=151370468900001&r=1&w=2 (a whole thread)

https://bugzilla.redhat.com/show_bug.cgi?id=1531174

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=21b5944350052d2583e82dd59b19a9ba94a007f0

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer
Comment 1 Michal Kubeček 2018-01-08 09:38:00 UTC 
Stable (Tumbleweed) already has the fix via 4.14.11 and our 4.4 based kernels
via 4.4.109. As the bug was introduced in v4.0-rc1 and the offending commit
wasn't backported into any of our pre-4.0 branches, the only branch needing
a backport is SLE15. I'm going to also add the CVE/bsc references to relevant
patches in SLE12-SP2 and stable.
Comment 2 Michal Kubeček 2018-01-08 09:39:43 UTC 
Correction: both SLE12-SP2 and SLE12-SP3 are still on 4.4.107 so that they need
a backport too (unless they receive 4.4.109 earlier).
Comment 3 Marcus Meissner 2018-01-08 09:46:36 UTC 
can you please add references where needed, so our update scripts / rpm changelog see this.
Comment 4 Marcus Meissner 2018-01-08 09:47:06 UTC 
I expect SLES 12 SP2 und SP3 to receive 4.4.latest anyway, so no need to seperately backport, just wait for 4.4.109
Comment 5 Michal Kubeček 2018-01-30 12:21:03 UTC 
The fix is now present in or submitted to (*) all affected branches.

  stable                  4.14.11
  SLE15                   249e5aceb36c *
  SLE12-SP3               4.4.109
  SLE12-SP2               4.4.109

Reassigning to security team.
Comment 6 Swamp Workflow Management 2018-02-07 17:17:27 UTC 
SUSE-SU-2018:0383-1: An update that solves 9 vulnerabilities and has 68 fixes is now available.

Category: security (important)
Bug References: 1005778,1005780,1005781,1012382,1012917,1015342,1015343,1019784,1022476,1022595,1022912,1024296,1024376,1031395,1031492,1031717,1037838,1038078,1038085,1040182,1043652,1048325,1048585,1053472,1060279,1062129,1066163,1066223,1068032,1068038,1068569,1068984,1069138,1069160,1070052,1070799,1072163,1072484,1073229,1073928,1074134,1074488,1074621,1074709,1074839,1074847,1075066,1075078,1075087,1075091,1075397,1075428,1075617,1075621,1075627,1075811,1075994,1076017,1076110,1076187,1076232,1076805,1076847,1076872,1076899,1077068,1077560,1077592,1077704,1077871,1078002,1078681,963844,966170,966172,973818,985025
CVE References: CVE-2017-15129,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-18017,CVE-2017-5715,CVE-2018-1000004,CVE-2018-5332,CVE-2018-5333
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.114-94.11.3
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.114-94.11.4, kernel-obs-build-4.4.114-94.11.3
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.114-94.11.3, kernel-source-4.4.114-94.11.2, kernel-syms-4.4.114-94.11.2
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_8-1-4.3.5
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.114-94.11.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.114-94.11.3, kernel-source-4.4.114-94.11.2, kernel-syms-4.4.114-94.11.2
SUSE CaaS Platform ALL (src):    kernel-default-4.4.114-94.11.3
Comment 7 Swamp Workflow Management 2018-02-09 14:17:30 UTC 
openSUSE-SU-2018:0408-1: An update that solves 9 vulnerabilities and has 70 fixes is now available.

Category: security (important)
Bug References: 1012382,1015342,1015343,1019784,1022595,1022912,1024296,1024376,1031492,1031717,1037838,1038078,1038085,1040182,1043652,1048325,1048585,1053472,1060279,1062129,1066163,1066223,1068032,1068038,1068569,1068984,1069138,1069160,1070052,1070799,1072163,1072484,1073229,1073230,1073928,1074134,1074488,1074621,1074709,1074839,1074847,1075066,1075078,1075087,1075091,1075397,1075428,1075617,1075621,1075627,1075811,1075994,1076017,1076110,1076187,1076232,1076805,1076847,1076872,1076899,1077068,1077513,1077560,1077592,1077704,1077779,1077871,1078002,1078681,1078787,1079038,1079195,963844,966170,966172,969476,969477,973818,985025
CVE References: CVE-2017-15129,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-18017,CVE-2017-5715,CVE-2018-1000004,CVE-2018-5332,CVE-2018-5333
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.114-42.1, kernel-default-4.4.114-42.1, kernel-docs-4.4.114-42.1, kernel-obs-build-4.4.114-42.1, kernel-obs-qa-4.4.114-42.1, kernel-source-4.4.114-42.1, kernel-syms-4.4.114-42.1, kernel-vanilla-4.4.114-42.1
Comment 8 Swamp Workflow Management 2018-02-09 20:20:54 UTC 
SUSE-SU-2018:0416-1: An update that solves 9 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1012382,1012917,1019784,1022476,1031717,1038078,1038085,1043652,1048585,1052360,1060279,1066223,1066842,1068032,1068038,1068569,1068984,1069160,1070799,1072163,1072484,1072589,1073229,1073928,1074134,1074392,1074488,1074621,1074709,1074839,1074847,1075066,1075078,1075087,1075091,1075428,1075617,1075621,1075627,1075994,1076017,1076110,1076806,1076809,1076872,1076899,1077068,1077560,1077592,1078526,1078681,963844,988524
CVE References: CVE-2017-15129,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-18017,CVE-2017-5715,CVE-2018-1000004,CVE-2018-5332,CVE-2018-5333
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.114-92.64.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.114-92.64.2, kernel-obs-build-4.4.114-92.64.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.114-92.64.1, kernel-source-4.4.114-92.64.1, kernel-syms-4.4.114-92.64.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.114-92.64.1, kernel-source-4.4.114-92.64.1, kernel-syms-4.4.114-92.64.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_18-1-3.3.2
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.114-92.64.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.114-92.64.1, kernel-source-4.4.114-92.64.1, kernel-syms-4.4.114-92.64.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.114-92.64.1
Comment 9 Marcus Meissner 2018-02-10 11:14:30 UTC 
released
Comment 10 Swamp Workflow Management 2018-02-19 23:14:58 UTC 
SUSE-SU-2018:0482-1: An update that solves 9 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1012382,1019784,1031717,1036737,1038078,1038085,1043652,1048585,1052360,1060279,1066223,1066842,1068032,1068038,1068569,1068984,1069160,1070799,1072163,1072484,1072589,1073229,1073230,1073928,1074134,1074488,1074621,1074709,1074839,1074847,1075066,1075078,1075087,1075091,1075428,1075617,1075621,1075627,1075994,1076017,1076110,1076806,1076809,1076872,1076899,1077068,1077560,1077592,1077871,1078526,1078681,963844,988524
CVE References: CVE-2017-15129,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-18017,CVE-2017-5715,CVE-2018-1000004,CVE-2018-5332,CVE-2018-5333
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.114-27.1, kernel-rt_debug-4.4.114-27.1, kernel-source-rt-4.4.114-27.1, kernel-syms-rt-4.4.114-27.1
Comment 11 Swamp Workflow Management 2018-04-19 13:22:27 UTC 
SUSE-SU-2018:0986-1: An update that solves 19 vulnerabilities and has 166 fixes is now available.

Category: security (important)
Bug References: 1006867,1012382,1015342,1015343,1019784,1020645,1022595,1022607,1022912,1024296,1024376,1027054,1031492,1031717,1033587,1034503,1037838,1038078,1038085,1040182,1042286,1043441,1043652,1043725,1043726,1048325,1048585,1053472,1060279,1062129,1065600,1065615,1066163,1066223,1067118,1068032,1068038,1068569,1068984,1069135,1069138,1069160,1070052,1070404,1070799,1071306,1071892,1072163,1072363,1072484,1072689,1072739,1072865,1073229,1073401,1073407,1073928,1074134,1074198,1074426,1074488,1074621,1074839,1074847,1075066,1075078,1075087,1075091,1075397,1075428,1075617,1075621,1075627,1075811,1075994,1076017,1076110,1076187,1076232,1076282,1076693,1076760,1076805,1076847,1076872,1076899,1076982,1077068,1077241,1077285,1077513,1077560,1077592,1077704,1077779,1077871,1078002,1078583,1078672,1078673,1078681,1078787,1079029,1079038,1079195,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083056,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,963844,966170,966172,966328,969476,969477,973818,975772,983145,985025
CVE References: CVE-2017-13166,CVE-2017-15129,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-17975,CVE-2017-18017,CVE-2017-18174,CVE-2017-18208,CVE-2017-5715,CVE-2018-1000004,CVE-2018-1000026,CVE-2018-5332,CVE-2018-5333,CVE-2018-8087
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.120-3.8.1, kernel-rt_debug-4.4.120-3.8.1, kernel-source-rt-4.4.120-3.8.1, kernel-syms-rt-4.4.120-3.8.1