Bug 1084323 (CVE-2017-18221)

Summary: VUL-0: CVE-2017-18221: kernel: The __munlock_pagevec function allows local users to cause a denial of service (NR_MLOCK accounting corruption) via crafted use of mlockall and munlockall
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, mhocko, smash_bz, tiwai, vbabka
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/201395/
Whiteboard: CVSSv3:SUSE:CVE-2017-18221:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2017-18221:5.1:(AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2017-18221:4.9:(AV:L/AC:L/Au:N/C:N/I:N/A:C) CVSSv3:RedHat:CVE-2017-18221:5.5:(AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Bug Depends on: 1042696    
Bug Blocks:    

Description Johannes Segitz 2018-03-07 14:20:29 UTC 
CVE-2017-18221

The __munlock_pagevec function in mm/mlock.c in the Linux kernel before 4.11.4
allows local users to cause a denial of service (NR_MLOCK accounting corruption)
via crafted use of mlockall and munlockall system calls.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18221
https://www.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.11.4
https://github.com/torvalds/linux/commit/70feee0e1ef331b22cc51f383d532a0d043fbdcc
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=70feee0e1ef331b22cc51f383d532a0d043fbdcc
Comment 1 Takashi Iwai 2018-03-07 16:35:14 UTC 
It's in 4.12-rc4, so SLE15 already contains the fix.

4.4.71 stable contains the fix, so SLE12-SP2 and SLE12-SP3 already include the fix.

cve/linux-3.12 and earlier branches still miss the fix, as it seems.
Comment 2 Vlastimil Babka 2018-03-08 09:23:47 UTC 
(In reply to Takashi Iwai from comment #1)
> cve/linux-3.12 and earlier branches still miss the fix, as it seems.

I'll add it, but frankly I don't see how this is a DoS, because NR_MLOCK is used only for showing in /proc/vmstat, the mlocking rlimit uses a different variable (and it's per-process, anyway).
Comment 3 Vlastimil Babka 2018-03-08 10:10:19 UTC 
The patch is actually already in SLE12-SP1-LTSS (bsc#1042696), so it's just SLE12-LTSS missing it.
Comment 4 Vlastimil Babka 2018-03-08 13:22:01 UTC 
(In reply to Vlastimil Babka from comment #3)
> The patch is actually already in SLE12-SP1-LTSS (bsc#1042696), so it's just
> SLE12-LTSS missing it.

pushed to linux/cve-3.12 per maintainer's request
Comment 5 Vlastimil Babka 2018-03-12 08:36:47 UTC 
(In reply to Vlastimil Babka from comment #4)
> pushed to linux/cve-3.12 per maintainer's request

Kernels older than 3.12 don't have the bug in the first place (which the CVE filling also missed), so that's all and reassigning to security.
Comment 6 Swamp Workflow Management 2018-03-28 19:11:33 UTC 
SUSE-SU-2018:0834-1: An update that solves 19 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1010470,1012382,1045330,1062568,1063416,1066001,1067118,1068032,1072689,1072865,1074488,1075617,1075621,1077560,1078669,1078672,1078673,1078674,1080255,1080464,1080757,1082299,1083244,1083483,1083494,1083640,1084323,1085107,1085114,1085279,1085447
CVE References: CVE-2016-7915,CVE-2017-12190,CVE-2017-13166,CVE-2017-15299,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18017,CVE-2017-18204,CVE-2017-18208,CVE-2017-18221,CVE-2018-1066,CVE-2018-1068,CVE-2018-5332,CVE-2018-5333,CVE-2018-6927,CVE-2018-7566
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.125.1, kernel-source-3.12.61-52.125.1, kernel-syms-3.12.61-52.125.1, kernel-xen-3.12.61-52.125.1, kgraft-patch-SLE12_Update_33-1-1.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.125.1
Comment 7 Swamp Workflow Management 2018-03-29 16:16:12 UTC 
SUSE-SU-2018:0848-1: An update that solves 19 vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 1010470,1012382,1045330,1055755,1062568,1063416,1066001,1067118,1068032,1072689,1072865,1074488,1075617,1075621,1077182,1077560,1077779,1078669,1078672,1078673,1078674,1080255,1080287,1080464,1080757,1081512,1082299,1083244,1083483,1083494,1083640,1084323,1085107,1085114,1085447
CVE References: CVE-2016-7915,CVE-2017-12190,CVE-2017-13166,CVE-2017-15299,CVE-2017-16644,CVE-2017-16911,CVE-2017-16912,CVE-2017-16913,CVE-2017-16914,CVE-2017-18017,CVE-2017-18204,CVE-2017-18208,CVE-2017-18221,CVE-2018-1066,CVE-2018-1068,CVE-2018-5332,CVE-2018-5333,CVE-2018-6927,CVE-2018-7566
Sources used:
SUSE OpenStack Cloud 6 (src):    kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.85.1, kernel-source-3.12.74-60.64.85.1, kernel-syms-3.12.74-60.64.85.1, kernel-xen-3.12.74-60.64.85.1, kgraft-patch-SLE12-SP1_Update_26-1-2.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.85.1
Comment 8 Marcus Meissner 2018-08-29 10:00:37 UTC 
released