Bug 1180812 (CVE-2021-0342)

Summary: VUL-0: CVE-2021-0342: kernel-source-azure,kernel-source,kernel-source-rt: memory corruption due to a use after free in tun_get_user() of tun.c
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P2 - High
CC: bpetkov, meissner, mkubecek, smash_bz, tbogendoerfer
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/275073/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-0342:7.0:(AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1180859

Description Robert Frohl 2021-01-12 09:51:17 UTC
CVE-2021-0342

In tun_get_user of tun.c, there is possible memory corruption due to a use after
free. This could lead to local escalation of privilege with System execution
privileges required. User interaction is not required for exploitation. Product:
Android; Versions: Android kernel; Android ID: A-146554327.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-0342
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-0342
https://source.android.com/security/bulletin/pixel/2021-01-01
Comment 1 Robert Frohl 2021-01-12 09:55:27 UTC
tracking the affected kernels as follows:

affected:
- SUSE:SLE-15-SP1:Update
- SUSE:SLE-12-SP5:Update

already fixed:
- SUSE:SLE-15-SP2:Update
- SUSE:SLE-15-SP3:Update

not affected:
- SUSE:SLE-15:Update
- SUSE:SLE-12-SP4:Update
- SUSE:SLE-12-SP3:Update and older

based on [0]:
> Fixes: 90e33d459407 ("tun: enable napi_gro_frags() for TUN/TAP driver")

[0] https://android.googlesource.com/kernel/common/+/96aa1b22bd6bb9fccf62f6261f390ed6f3e7967f%5E%21/#F0
Comment 2 Thomas Bogendoerfer 2021-01-26 14:42:55 UTC
the fix is now present in all maintained branches.

SLE15-SP1          0ae29aafc2a7
SLE12-SP5          0ae29aafc2a7

Updated CVE references:

SLE15-SP2          0059c1d32e6e
SLE15-SP3          0059c1d32e6e

assigning back to security team
Comment 11 OBSbugzilla Bot 2021-02-02 18:32:55 UTC
This is an autogenerated message for OBS integration:
This bug (1180812) was mentioned in
https://build.opensuse.org/request/show/868724 15.2 / kernel-source
Comment 16 Swamp Workflow Management 2021-02-05 22:03:14 UTC
openSUSE-SU-2021:0241-1: An update that solves 7 vulnerabilities and has 49 fixes is now available.

Category: security (important)
Bug References: 1065600,1149032,1152472,1152489,1153274,1154353,1155518,1163930,1165545,1167773,1172355,1176395,1176831,1178142,1178631,1179142,1179396,1179508,1179509,1179567,1179572,1180130,1180264,1180412,1180759,1180765,1180809,1180812,1180848,1180889,1180891,1180971,1181014,1181018,1181077,1181104,1181148,1181158,1181161,1181169,1181203,1181217,1181218,1181219,1181220,1181237,1181318,1181335,1181346,1181349,1181425,1181494,1181504,1181511,1181538,1181584
CVE References: CVE-2020-25211,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    kernel-debug-5.3.18-lp152.63.1, kernel-default-5.3.18-lp152.63.1, kernel-default-base-5.3.18-lp152.63.1.lp152.8.21.1, kernel-docs-5.3.18-lp152.63.1, kernel-kvmsmall-5.3.18-lp152.63.1, kernel-obs-build-5.3.18-lp152.63.1, kernel-obs-qa-5.3.18-lp152.63.1, kernel-preempt-5.3.18-lp152.63.1, kernel-source-5.3.18-lp152.63.1, kernel-syms-5.3.18-lp152.63.1
Comment 18 Swamp Workflow Management 2021-02-09 14:22:26 UTC
SUSE-SU-2021:0347-1: An update that solves 11 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 1065600,1149032,1152472,1152489,1153274,1154353,1155518,1163727,1163930,1165545,1167773,1172355,1175389,1176395,1176831,1176846,1178142,1178372,1178631,1178684,1179142,1179396,1179508,1179509,1179567,1179572,1179575,1179878,1180008,1180130,1180264,1180412,1180541,1180559,1180562,1180566,1180676,1180759,1180765,1180773,1180809,1180812,1180848,1180859,1180889,1180891,1180971,1181014,1181018,1181077,1181104,1181148,1181158,1181161,1181169,1181203,1181217,1181218,1181219,1181220,1181237,1181318,1181335,1181346,1181349,1181425,1181494,1181504,1181511,1181538,1181553,1181584,1181645
CVE References: CVE-2020-25211,CVE-2020-25639,CVE-2020-27835,CVE-2020-28374,CVE-2020-29568,CVE-2020-29569,CVE-2020-36158,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP2 (src):    kernel-azure-5.3.18-18.35.2, kernel-source-azure-5.3.18-18.35.2, kernel-syms-azure-5.3.18-18.35.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2021-02-09 14:38:36 UTC
SUSE-SU-2021:0348-1: An update that solves 9 vulnerabilities and has 75 fixes is now available.

Category: security (important)
Bug References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1144912,1149032,1163727,1172145,1174206,1176831,1176846,1178036,1178049,1178372,1178631,1178684,1178900,1179093,1179508,1179509,1179563,1179573,1179575,1179878,1180008,1180130,1180559,1180562,1180676,1180765,1180812,1180859,1180891,1180912,1181001,1181018,1181170,1181230,1181231,1181349,1181425,1181553,901327
CVE References: CVE-2020-25639,CVE-2020-27835,CVE-2020-28374,CVE-2020-29568,CVE-2020-29569,CVE-2020-36158,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.44.1, kernel-source-azure-4.12.14-16.44.1, kernel-syms-azure-4.12.14-16.44.1

Comment 20 Swamp Workflow Management 2021-02-09 20:24:04 UTC
SUSE-SU-2021:0353-1: An update that solves 8 vulnerabilities and has 68 fixes is now available.

Category: security (important)
Bug References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176395,1176831,1176846,1178036,1178049,1178631,1178900,1179093,1179508,1179509,1179563,1179573,1179575,1179878,1180008,1180130,1180765,1180812,1180859,1180891,1180912,1181001,1181018,1181170,1181230,1181231,1181349,1181425,1181553
CVE References: CVE-2020-25211,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.60.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.60.2, kernel-obs-build-4.12.14-122.60.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.60.1, kernel-source-4.12.14-122.60.1, kernel-syms-4.12.14-122.60.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.60.1, kgraft-patch-SLE12-SP5_Update_15-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.60.1

Comment 21 Swamp Workflow Management 2021-02-09 20:32:12 UTC
SUSE-SU-2021:0354-1: An update that solves 9 vulnerabilities and has 56 fixes is now available.

Category: security (important)
Bug References: 1065600,1149032,1152472,1152489,1153274,1154353,1155518,1163930,1165545,1167773,1172355,1175389,1176395,1176831,1176846,1178142,1178631,1179142,1179396,1179508,1179509,1179567,1179572,1179575,1179878,1180008,1180130,1180264,1180412,1180759,1180765,1180773,1180809,1180812,1180848,1180859,1180889,1180891,1180971,1181014,1181018,1181077,1181104,1181148,1181158,1181161,1181169,1181203,1181217,1181218,1181219,1181220,1181237,1181318,1181335,1181346,1181349,1181425,1181494,1181504,1181511,1181538,1181553,1181584,1181645
CVE References: CVE-2020-25211,CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP2 (src):    kernel-default-5.3.18-24.49.2
SUSE Linux Enterprise Module for Live Patching 15-SP2 (src):    kernel-default-5.3.18-24.49.2, kernel-livepatch-SLE15-SP2_Update_10-1-5.3.2
SUSE Linux Enterprise Module for Legacy Software 15-SP2 (src):    kernel-default-5.3.18-24.49.2
SUSE Linux Enterprise Module for Development Tools 15-SP2 (src):    kernel-docs-5.3.18-24.49.3, kernel-obs-build-5.3.18-24.49.2, kernel-preempt-5.3.18-24.49.2, kernel-source-5.3.18-24.49.2, kernel-syms-5.3.18-24.49.2
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    kernel-default-5.3.18-24.49.2, kernel-default-base-5.3.18-24.49.2.9.21.2, kernel-preempt-5.3.18-24.49.2, kernel-source-5.3.18-24.49.2
SUSE Linux Enterprise High Availability 15-SP2 (src):    kernel-default-5.3.18-24.49.2

Comment 22 Swamp Workflow Management 2021-02-10 20:27:16 UTC
SUSE-SU-2021:0427-1: An update that solves 10 vulnerabilities and has 61 fixes is now available.

Category: security (important)
Bug References: 1065600,1149032,1152472,1152489,1153274,1154353,1155518,1163930,1165545,1167773,1172355,1175389,1176395,1176831,1176846,1178142,1178372,1178631,1178684,1178995,1179142,1179396,1179508,1179509,1179567,1179572,1179575,1179878,1180008,1180130,1180264,1180412,1180676,1180759,1180765,1180773,1180809,1180812,1180848,1180859,1180889,1180891,1180964,1180971,1181014,1181018,1181077,1181104,1181148,1181158,1181161,1181169,1181203,1181217,1181218,1181219,1181220,1181237,1181318,1181335,1181346,1181349,1181425,1181494,1181504,1181511,1181538,1181544,1181553,1181584,1181645
CVE References: CVE-2020-25211,CVE-2020-25639,CVE-2020-27835,CVE-2020-28374,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP2 (src):    kernel-rt-5.3.18-25.1, kernel-rt_debug-5.3.18-25.1, kernel-source-rt-5.3.18-25.1, kernel-syms-rt-5.3.18-25.1

Comment 23 Swamp Workflow Management 2021-02-11 14:34:17 UTC
SUSE-SU-2021:0433-1: An update that solves 10 vulnerabilities and has 75 fixes is now available.

Category: security (important)
Bug References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1144912,1149032,1163727,1172145,1174206,1176831,1176846,1178036,1178049,1178372,1178631,1178684,1178900,1179093,1179508,1179509,1179563,1179573,1179575,1179878,1180008,1180130,1180559,1180562,1180676,1180765,1180812,1180859,1180891,1180912,1181001,1181018,1181170,1181230,1181231,1181349,1181425,1181504,1181553,1181645
CVE References: CVE-2020-25639,CVE-2020-27835,CVE-2020-28374,CVE-2020-29568,CVE-2020-29569,CVE-2020-36158,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
JIRA References: 
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP5 (src):    kernel-rt-4.12.14-10.31.1, kernel-rt_debug-4.12.14-10.31.1, kernel-source-rt-4.12.14-10.31.1, kernel-syms-rt-4.12.14-10.31.1

Comment 26 Swamp Workflow Management 2021-02-19 20:22:11 UTC
SUSE-SU-2021:0532-1: An update that solves 8 vulnerabilities and has 66 fixes is now available.

Category: security (important)
Bug References: 1046305,1046306,1046540,1046542,1046648,1050242,1050244,1050536,1050538,1050545,1056653,1056657,1056787,1064802,1066129,1073513,1074220,1075020,1086282,1086301,1086313,1086314,1098633,1103990,1103991,1103992,1104270,1104277,1104279,1104353,1104427,1104742,1104745,1109837,1111981,1112178,1112374,1113956,1119113,1126206,1126390,1127354,1127371,1129770,1136348,1149032,1174206,1176831,1176846,1178036,1178049,1178900,1179093,1179142,1179508,1179509,1179563,1179573,1179575,1179878,1180130,1180765,1180812,1180891,1180912,1181018,1181170,1181230,1181231,1181260,1181349,1181425,1181504,1181809
CVE References: CVE-2020-25639,CVE-2020-27835,CVE-2020-29568,CVE-2020-29569,CVE-2021-0342,CVE-2021-20177,CVE-2021-3347,CVE-2021-3348
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1, kernel-zfcpdump-4.12.14-197.83.1
SUSE Manager Retail Branch Server 4.0 (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1
SUSE Manager Proxy 4.0 (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    kernel-default-4.12.14-197.83.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1, kernel-zfcpdump-4.12.14-197.83.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-197.83.1, kernel-livepatch-SLE15-SP1_Update_22-1-3.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    kernel-default-4.12.14-197.83.1
SUSE Enterprise Storage 6 (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1
SUSE CaaS Platform 4.0 (src):    kernel-default-4.12.14-197.83.1, kernel-docs-4.12.14-197.83.1, kernel-obs-build-4.12.14-197.83.1, kernel-source-4.12.14-197.83.1, kernel-syms-4.12.14-197.83.1

Comment 29 Marcus Meissner 2021-09-08 19:23:01 UTC
done