Bug 1087095 (CVE-2018-1093)

Summary: VUL-1: CVE-2018-1093: kernel-source: Out of bounds read in ext4/balloc.c:ext4_valid_block_bitmap() causes crash with crafted ext4 image
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: bpetkov, jack, smash_bz, tiwai
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/202737/
Whiteboard: CVSSv3:SUSE:CVE-2018-1093:4.4:(AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2018-1093:7.1:(AV:N/AC:M/Au:N/C:N/I:N/A:C) CVSSv3:NVD:CVE-2018-1093:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H) CVSSv3:RedHat:CVE-2018-1093:4.6:(AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVSSv2:NVD:CVE-2018-1000204:6.3:(AV:N/AC:M/Au:S/C:C/I:N/A:N) CVSSv3:NVD:CVE-2018-1000204:5.3:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N) CVSSv3:RedHat:CVE-2018-1000204:4.1:(AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N) CVSSv3:SUSE:CVE-2018-1000204:6.2:(AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: 230.img
poc.c

Description Marcus Meissner 2018-03-27 13:36:39 UTC
rh#1560782

The Linux kernel through version 4.15 is vulnerable to an out-of-bounds read in ext4/balloc.c:ext4_valid_block_bitmap() function. An privileged attacker could exploit this by mounting a crafted ext4 image to cause a crash.


Upstream Bug:

https://bugzilla.kernel.org/show_bug.cgi?id=199181

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1560782
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1093
Comment 1 Marcus Meissner 2018-03-27 13:40:45 UTC
Created attachment 765105 [details]
230.img

QA REPRODUCER img:

230.img
Comment 2 Marcus Meissner 2018-03-27 13:41:17 UTC
Created attachment 765108 [details]
poc.c

QA REPRODUCER:

# mkdir mnt
# mount -t ext4 230.img mnt
# gcc -o poc poc.c
# ./poc mnt
Comment 4 Jan Kara 2018-05-17 13:07:05 UTC
OK, respective upstream commits are 7dac4a1726a9 and a followup fixup 22be37acce25. Backporting...
Comment 5 Jan Kara 2018-05-23 14:30:14 UTC
Pushed out fixes to SLE15-UPDATE, SLE12-SP3 has it from stable - just updated tags, SLE12-SP2-LTSS, cve/linux-3.12. I didn't backport the fix to 3.0-based kernels as we support ext4 there in read-only mode for migration purposes only and this bug doesn't look serious enough to warrant a backport there.

All is done from my side, reassigning to security team.
Comment 6 Swamp Workflow Management 2018-06-20 13:12:01 UTC
SUSE-SU-2018:1761-1: An update that solves 10 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 1038553,1046610,1079152,1082962,1083382,1083900,1087007,1087012,1087082,1087086,1087095,1092813,1092904,1094033,1094353,1094823,1096140,1096242,1096281,1096480,1096728,1097356
CVE References: CVE-2017-13305,CVE-2018-1000204,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1130,CVE-2018-3665,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.96.1, kernel-source-3.12.74-60.64.96.1, kernel-syms-3.12.74-60.64.96.1, kernel-xen-3.12.74-60.64.96.1, kgraft-patch-SLE12-SP1_Update_29-1-2.3.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.96.1, kernel-source-3.12.74-60.64.96.1, kernel-syms-3.12.74-60.64.96.1, kernel-xen-3.12.74-60.64.96.1, kgraft-patch-SLE12-SP1_Update_29-1-2.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.96.1
Comment 7 Swamp Workflow Management 2018-06-20 13:16:34 UTC
SUSE-SU-2018:1762-1: An update that solves 10 vulnerabilities and has 11 fixes is now available.

Category: security (important)
Bug References: 1046610,1079152,1082962,1083900,1087007,1087012,1087082,1087086,1087095,1092552,1092813,1092904,1094033,1094353,1094823,1096140,1096242,1096281,1096480,1096728,1097356
CVE References: CVE-2017-13305,CVE-2018-1000204,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1130,CVE-2018-3665,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.136.1, kernel-source-3.12.61-52.136.1, kernel-syms-3.12.61-52.136.1, kernel-xen-3.12.61-52.136.1, kgraft-patch-SLE12_Update_36-1-1.3.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.136.1
Comment 8 Swamp Workflow Management 2018-06-21 16:25:47 UTC
openSUSE-SU-2018:1773-1: An update that solves 11 vulnerabilities and has 66 fixes is now available.

Category: security (important)
Bug References: 1012382,1019695,1019699,1022604,1022607,1022743,1024718,1031492,1031717,1035432,1036215,1041740,1045330,1056415,1066223,1068032,1068054,1068951,1070404,1073311,1075428,1076049,1078583,1079152,1080542,1080656,1081500,1081514,1082153,1082504,1082979,1085308,1086400,1086716,1087007,1087012,1087036,1087082,1087086,1087095,1088871,1090435,1090534,1090734,1090955,1091594,1091815,1092552,1092813,1092903,1093533,1093904,1094177,1094268,1094353,1094356,1094405,1094466,1094532,1094823,1094840,1095042,1095147,1096037,1096140,1096214,1096242,1096281,1096751,1096982,1097234,1097356,1098009,1098012,971975,973378,978907
CVE References: CVE-2017-13305,CVE-2017-17741,CVE-2017-18241,CVE-2017-18249,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-12233,CVE-2018-3639,CVE-2018-3665,CVE-2018-5848
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.138-59.1, kernel-default-4.4.138-59.1, kernel-docs-4.4.138-59.1, kernel-obs-build-4.4.138-59.1, kernel-obs-qa-4.4.138-59.1, kernel-source-4.4.138-59.1, kernel-syms-4.4.138-59.1, kernel-vanilla-4.4.138-59.1
Comment 11 Swamp Workflow Management 2018-06-26 16:19:58 UTC
SUSE-SU-2018:1816-1: An update that solves 17 vulnerabilities and has 109 fixes is now available.

Category: security (important)
Bug References: 1009062,1012382,1019695,1019699,1022604,1022607,1022743,1024718,1031717,1035432,1036215,1041740,1043598,1044596,1045330,1056415,1056427,1060799,1066223,1068032,1068054,1068951,1070404,1073059,1073311,1075087,1075428,1076049,1076263,1076805,1078583,1079152,1080157,1080542,1080656,1081500,1081514,1081599,1082153,1082299,1082485,1082504,1082962,1082979,1083635,1083650,1083900,1084721,1085185,1085308,1086400,1086716,1087007,1087012,1087036,1087082,1087086,1087095,1088810,1088871,1089023,1089115,1089393,1089895,1090225,1090435,1090534,1090643,1090658,1090663,1090708,1090718,1090734,1090953,1090955,1091041,1091325,1091594,1091728,1091960,1092289,1092497,1092552,1092566,1092772,1092813,1092888,1092904,1092975,1093008,1093035,1093144,1093215,1093533,1093904,1093990,1094019,1094033,1094059,1094177,1094268,1094353,1094356,1094405,1094466,1094532,1094823,1094840,1095042,1095147,1096037,1096140,1096214,1096242,1096281,1096751,1096982,1097234,1097356,1098009,1098012,919144,971975,973378,978907,993388
CVE References: CVE-2017-13305,CVE-2017-17741,CVE-2017-18241,CVE-2017-18249,CVE-2018-1000199,CVE-2018-1065,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1130,CVE-2018-12233,CVE-2018-3639,CVE-2018-3665,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492,CVE-2018-8781
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.138-3.14.1, kernel-rt_debug-4.4.138-3.14.1, kernel-source-rt-4.4.138-3.14.1, kernel-syms-rt-4.4.138-3.14.1
Comment 12 Swamp Workflow Management 2018-06-29 19:18:08 UTC
SUSE-SU-2018:1855-1: An update that solves 14 vulnerabilities and has 15 fixes is now available.

Category: security (important)
Bug References: 1068032,1079152,1082962,1083650,1083900,1085185,1086400,1087007,1087012,1087036,1087086,1087095,1089895,1090534,1090955,1092497,1092552,1092813,1092904,1094033,1094353,1094823,1095042,1096140,1096242,1096281,1096728,1097356,973378
CVE References: CVE-2017-13305,CVE-2017-18241,CVE-2017-18249,CVE-2018-1000199,CVE-2018-1000204,CVE-2018-1065,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1130,CVE-2018-3665,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.85.1, kernel-source-4.4.121-92.85.1, kernel-syms-4.4.121-92.85.1, kgraft-patch-SLE12-SP2_Update_23-1-3.5.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.85.1, kernel-source-4.4.121-92.85.1, kernel-syms-4.4.121-92.85.1, kgraft-patch-SLE12-SP2_Update_23-1-3.5.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.85.1, kernel-source-4.4.121-92.85.1, kernel-syms-4.4.121-92.85.1, kgraft-patch-SLE12-SP2_Update_23-1-3.5.1
SUSE Enterprise Storage 4 (src):    kernel-default-4.4.121-92.85.1, kernel-source-4.4.121-92.85.1, kernel-syms-4.4.121-92.85.1, kgraft-patch-SLE12-SP2_Update_23-1-3.5.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.121-92.85.1
Comment 18 Swamp Workflow Management 2018-07-18 06:10:35 UTC
This is an autogenerated message for OBS integration:
This bug (1087095) was mentioned in
https://build.opensuse.org/request/show/623532 15.0 / kernel-source
Comment 19 Swamp Workflow Management 2018-10-18 16:46:37 UTC
SUSE-SU-2018:1855-2: An update that solves 14 vulnerabilities and has 15 fixes is now available.

Category: security (important)
Bug References: 1068032,1079152,1082962,1083650,1083900,1085185,1086400,1087007,1087012,1087036,1087086,1087095,1089895,1090534,1090955,1092497,1092552,1092813,1092904,1094033,1094353,1094823,1095042,1096140,1096242,1096281,1096728,1097356,973378
CVE References: CVE-2017-13305,CVE-2017-18241,CVE-2017-18249,CVE-2018-1000199,CVE-2018-1000204,CVE-2018-1065,CVE-2018-1092,CVE-2018-1093,CVE-2018-1094,CVE-2018-1130,CVE-2018-3665,CVE-2018-5803,CVE-2018-5848,CVE-2018-7492
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.85.1, kernel-source-4.4.121-92.85.1, kernel-syms-4.4.121-92.85.1, kgraft-patch-SLE12-SP2_Update_23-1-3.5.1
Comment 20 Marcus Meissner 2019-07-11 05:44:05 UTC
all done