Bug 1080533 (CVE-2017-18174)

Summary: VUL-0: CVE-2017-18174: kernel-source: In the Linux kernel before 4.7, the amd_gpio_remove function indrivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function, leading to a double free
Product: [Novell Products] SUSE Security Incidents Reporter: Karol Babioch <karol>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: bpetkov, mbrugger, meissner, msuchanek, smash_bz, tiwai, yousaf.kaukab
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/199838/
Whiteboard: CVSSv3:SUSE:CVE-2017-18174:5.3:(AV:L/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:L) CVSSv3:RedHat:CVE-2017-18174:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2017-18174:7.5:(AV:N/AC:L/Au:N/C:P/I:P/A:P) CVSSv3:NVD:CVE-2017-18174:9.8:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Karol Babioch 2018-02-12 08:14:45 UTC
CVE-2017-18174

In the Linux kernel before 4.7, the amd_gpio_remove function in
drivers/pinctrl/pinctrl-amd.c calls the pinctrl_unregister function,
leading to a double free.

Upstream commits:
https://github.com/torvalds/linux/commit/251e22abde21833b3d29577e4d8c7aaccd650eee
https://github.com/torvalds/linux/commit/8dca4a41f1ad65043a78c2338d9725f859c8d2c3

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18174
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18174
Comment 1 Karol Babioch 2018-02-12 08:40:18 UTC
This module first appeared with commit dbad75dd1f25e0107c643d42774a7f9a8ba85e9b, which first appeared in 4.1

Affected codestreams:

- SUSE:SLE-12-SP3:Update
- SUSE:SLE-12-SP2:Update

However, they are unsupported:

-               drivers/pinctrl/*
Comment 2 Michal Suchanek 2018-02-12 13:10:01 UTC
Seems the second patch is already part of the first patch.
Comment 3 Michal Suchanek 2018-02-12 13:23:38 UTC
Queued the first patch for SLE12 inclusion.

This being hardware-specific issue I suppose there is not much that can be done to verify the fix?
Comment 4 Michal Suchanek 2018-02-12 13:31:29 UTC
We do not have devm_pinctrl_register which is used in the patch to make kernel care for freeing the memory automagically so we will need a different fix.
Comment 5 Michal Suchanek 2018-02-12 16:15:40 UTC
So this should be fixed in SLE12-SP3 and would require an alternative fix for SLE12-SP2.

Maybe the ARM folks would be more familiar with pinctrl.
Comment 7 Michal Suchanek 2018-03-07 13:11:48 UTC
I suppose setting pinctrl to null after unregister should resolve the issue.
Comment 8 Matthias Brugger 2018-03-07 16:52:43 UTC
I wasn't able to find where the double free takes place.

After looking deeper into this, I found that this was introduced with upstream commit:
3bfd44306c65 ("pinctrl: amd: Add support for additional GPIO")

which is not in SLE12-SP2 nor SLE12-SP3.

So no need to add the following fix:
8dca4a41f1ad ("pinctrl/amd: Drop pinctrl_unregister for devm_ registered device")

I think Takashi has access to the HW.
Comment 11 Swamp Workflow Management 2018-03-23 02:18:21 UTC
openSUSE-SU-2018:0781-1: An update that solves 11 vulnerabilities and has 110 fixes is now available.

Category: security (important)
Bug References: 1006867,1012382,1015342,1015343,1020645,1022607,1027054,1031717,1033587,1034503,103998_FIXME,1042286,1043441,1043725,1043726,1062840,1065600,1065615,1066223,1067118,1068032,1068569,1069135,1070404,1071306,1071892,1072363,1072689,1072739,1072865,1073401,1073407,1074198,1074426,1075087,1076282,1076693,1076760,1076982,1077241,1077285,1077560,1078583,1078672,1078673,1079029,1079038,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,966170,966172,966328,975772,983145
CVE References: CVE-2017-13166,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17975,CVE-2017-18174,CVE-2017-18208,CVE-2018-1000026,CVE-2018-1068,CVE-2018-8087
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.120-45.1, kernel-default-4.4.120-45.1, kernel-docs-4.4.120-45.2, kernel-obs-build-4.4.120-45.2, kernel-obs-qa-4.4.120-45.1, kernel-source-4.4.120-45.1, kernel-syms-4.4.120-45.1, kernel-vanilla-4.4.120-45.1
Comment 12 Swamp Workflow Management 2018-03-23 17:32:44 UTC
SUSE-SU-2018:0786-1: An update that solves 11 vulnerabilities and has 116 fixes is now available.

Category: security (important)
Bug References: 1006867,1012382,1015342,1015343,1020645,1022607,1024376,1027054,1031717,1033587,1034503,1042286,1043441,1043725,1043726,1062840,1065600,1065615,1066223,1067118,1068032,1068569,1069135,1070404,1071306,1071892,1072363,1072689,1072739,1072865,1073401,1073407,1074198,1074426,1075087,1076282,1076693,1076760,1076982,1077241,1077285,1077513,1077560,1077779,1078583,1078672,1078673,1078787,1079029,1079038,1079195,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,966170,966172,966328,969476,969477,975772,983145
CVE References: CVE-2017-13166,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17975,CVE-2017-18174,CVE-2017-18208,CVE-2018-1000026,CVE-2018-1068,CVE-2018-8087
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.120-94.17.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.120-94.17.1, kernel-obs-build-4.4.120-94.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.120-94.17.1, kernel-source-4.4.120-94.17.1, kernel-syms-4.4.120-94.17.1
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_10-1-4.3.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.120-94.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.120-94.17.1, kernel-source-4.4.120-94.17.1, kernel-syms-4.4.120-94.17.1
SUSE CaaS Platform ALL (src):    kernel-default-4.4.120-94.17.1
Comment 13 Swamp Workflow Management 2018-04-19 13:32:02 UTC
SUSE-SU-2018:0986-1: An update that solves 19 vulnerabilities and has 166 fixes is now available.

Category: security (important)
Bug References: 1006867,1012382,1015342,1015343,1019784,1020645,1022595,1022607,1022912,1024296,1024376,1027054,1031492,1031717,1033587,1034503,1037838,1038078,1038085,1040182,1042286,1043441,1043652,1043725,1043726,1048325,1048585,1053472,1060279,1062129,1065600,1065615,1066163,1066223,1067118,1068032,1068038,1068569,1068984,1069135,1069138,1069160,1070052,1070404,1070799,1071306,1071892,1072163,1072363,1072484,1072689,1072739,1072865,1073229,1073401,1073407,1073928,1074134,1074198,1074426,1074488,1074621,1074839,1074847,1075066,1075078,1075087,1075091,1075397,1075428,1075617,1075621,1075627,1075811,1075994,1076017,1076110,1076187,1076232,1076282,1076693,1076760,1076805,1076847,1076872,1076899,1076982,1077068,1077241,1077285,1077513,1077560,1077592,1077704,1077779,1077871,1078002,1078583,1078672,1078673,1078681,1078787,1079029,1079038,1079195,1079313,1079384,1079609,1079886,1079989,1080014,1080263,1080321,1080344,1080364,1080384,1080464,1080533,1080656,1080774,1080813,1080851,1081134,1081431,1081436,1081437,1081491,1081498,1081500,1081512,1081514,1081681,1081735,1082089,1082223,1082299,1082373,1082478,1082632,1082795,1082864,1082897,1082979,1082993,1083048,1083056,1083086,1083223,1083387,1083409,1083494,1083548,1083750,1083770,1084041,1084397,1084427,1084610,1084772,1084888,1084926,1084928,1084967,1085011,1085015,1085045,1085047,1085050,1085053,1085054,1085056,1085107,1085224,1085239,863764,963844,966170,966172,966328,969476,969477,973818,975772,983145,985025
CVE References: CVE-2017-13166,CVE-2017-15129,CVE-2017-15951,CVE-2017-16644,CVE-2017-16912,CVE-2017-16913,CVE-2017-17712,CVE-2017-17862,CVE-2017-17864,CVE-2017-17975,CVE-2017-18017,CVE-2017-18174,CVE-2017-18208,CVE-2017-5715,CVE-2018-1000004,CVE-2018-1000026,CVE-2018-5332,CVE-2018-5333,CVE-2018-8087
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.120-3.8.1, kernel-rt_debug-4.4.120-3.8.1, kernel-source-rt-4.4.120-3.8.1, kernel-syms-rt-4.4.120-3.8.1
Comment 18 Swamp Workflow Management 2019-05-17 19:11:00 UTC
SUSE-SU-2019:1287-1: An update that solves 16 vulnerabilities and has 19 fixes is now available.

Category: security (important)
Bug References: 1012382,1024908,1034113,1043485,1068032,1073311,1080157,1080533,1082632,1087231,1087659,1087906,1093158,1094268,1096748,1100152,1103186,1106913,1109772,1111331,1112178,1113399,1116841,1118338,1119019,1122822,1124832,1125580,1129279,1131416,1131427,1131587,1132673,1132828,1133188
CVE References: CVE-2016-8636,CVE-2017-17741,CVE-2017-18174,CVE-2018-1091,CVE-2018-1120,CVE-2018-1128,CVE-2018-1129,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-19407,CVE-2019-11091,CVE-2019-11486,CVE-2019-3882,CVE-2019-8564,CVE-2019-9503
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.109.2, kernel-source-4.4.121-92.109.2, kernel-syms-4.4.121-92.109.2, kgraft-patch-SLE12-SP2_Update_29-1-3.5.2
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.109.2, kernel-source-4.4.121-92.109.2, kernel-syms-4.4.121-92.109.2, kgraft-patch-SLE12-SP2_Update_29-1-3.5.2
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.109.2, kernel-source-4.4.121-92.109.2, kernel-syms-4.4.121-92.109.2, kgraft-patch-SLE12-SP2_Update_29-1-3.5.2
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.109.2, kernel-source-4.4.121-92.109.2, kernel-syms-4.4.121-92.109.2
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.109.2
SUSE Enterprise Storage 4 (src):    kernel-default-4.4.121-92.109.2, kernel-source-4.4.121-92.109.2, kernel-syms-4.4.121-92.109.2, kgraft-patch-SLE12-SP2_Update_29-1-3.5.2
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.121-92.109.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Marcus Meissner 2019-07-11 05:36:17 UTC
all released