Bug 1192345 (CVE-2021-3736)

Summary: VUL-0: CVE-2021-3736: kernel-source-rt,kernel-source,kernel-source-azure: uninitialized kernel stack may lead to information disclosure
Product: [Novell Products] SUSE Security Incidents
Reporter: Gianluca Gabrielli <gianluca.gabrielli>
Component: Incidents
Assignee: Kernel Bugs <kernel-bugs>
Status: RESOLVED WONTFIX
QA Contact: Security Team bot <security-team>
Severity: Minor
Priority: P3 - Medium
CC: bpetkov, smash_bz, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/314138/
Whiteboard: CVSSv3.1:SUSE:CVE-2021-3736:3.3:(AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Gianluca Gabrielli 2021-11-04 13:14:28 UTC
A memory leak problem was found in mbochs_ioctl in samples/vfio-mdev/mbochs.c in Virtual Function I/O (VFIO) Mediated devices.  This flaw could allow a local attacker to leak internal kernel information.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1995570
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3736
Comment 1 Gianluca Gabrielli 2021-11-04 13:16:28 UTC
Technical details have not yet been made public; I will monitor it and post updates as soon as possible.
Comment 2 Gianluca Gabrielli 2021-11-09 10:57:41 UTC
I think the fixing commit should be de5494af4815a4c9328536c72741229b7de88e7f, which in turn addresses 681c1615f8914451cfd432ad30e2f307b6490542.

If my assumption is correct, the branches containing the offending commit are:
 - SLE15-SP4
 - stable

which also contain the fixing commit.

@kernel-team: can you also provide your feedback here?

Thanks
Comment 3 Takashi Iwai 2021-11-09 11:04:02 UTC
Too little information to judge, but that's the only change seen in the relevant code path, and the description matches it, so it's very likely the case.
Comment 4 Gianluca Gabrielli 2021-11-30 13:27:18 UTC
(In reply to Takashi Iwai from comment #3)
> Too little information to judge, but that's the only change seen in the
> relevant code path, and the description matches with it, so it's very likely
> the case.

RH [0] agrees on the fixing commit.

[0] https://bugzilla.redhat.com/show_bug.cgi?id=1995570#c7
Comment 5 Borislav Petkov 2021-12-03 08:51:38 UTC
Wait a minute - this is a fix for code in samples/ which is toy stuff and we have in the three latest branches I checked

# CONFIG_SAMPLES is not set

so why do we even bother with this?
Comment 6 Gianluca Gabrielli 2021-12-03 09:09:06 UTC
(In reply to Borislav Petkov from comment #5)
> Wait a minute - this is a fix for code in samples/ which is toy stuff and we
> have in the three latest branches I checked
> 
> # CONFIG_SAMPLES is not set
> 
> so why do we even bother with this?

You are right, CONFIG_SAMPLES is not set in both the SLES and openSUSE configs. I agree with you and we can close this issue as WONTFIX. Thanks for your feedback.
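The triage check made in comments 5 and 6, as an added example that is not part of the bug report or of any SUSE tooling: a POSIX shell function that reads a kernel .config and reports whether the affected sample code would be compiled at all. The config contents below are constructed; CONFIG_SAMPLE_VFIO_MDEV_MBOCHS is the tristate symbol in samples/Kconfig that gates mbochs.c, and CONFIG_SAMPLES must be enabled before anything under samples/ is built.

```shell
# Report the state of one CONFIG_ symbol in a kernel .config file:
# "y" or "m" when set, "n" for the "# CONFIG_X is not set" form,
# "absent" when the symbol does not appear at all.
kconfig_state() {
    sym=$1
    file=$2
    if grep -q "^# ${sym} is not set\$" "$file"; then
        echo n
    elif grep -q "^${sym}=" "$file"; then
        sed -n "s/^${sym}=//p" "$file" | head -n 1
    else
        echo absent
    fi
}

# samples/vfio-mdev/mbochs.c is only compiled when CONFIG_SAMPLES is on
# and CONFIG_SAMPLE_VFIO_MDEV_MBOCHS is y or m. Return 0 (true) when the
# affected file would be built from this config, 1 otherwise.
mbochs_built() {
    file=$1
    for sym in CONFIG_SAMPLES CONFIG_SAMPLE_VFIO_MDEV_MBOCHS; do
        case $(kconfig_state "$sym" "$file") in
            y|m) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Constructed sample config, mirroring the line quoted in comment 5.
# On a real host you would point this at /boot/config-$(uname -r).
tmpcfg=$(mktemp)
cat > "$tmpcfg" <<'EOF'
CONFIG_VFIO=m
CONFIG_VFIO_MDEV=m
# CONFIG_SAMPLES is not set
EOF

if mbochs_built "$tmpcfg"; then
    echo "mbochs sample is built: CVE-2021-3736 code path is present"
else
    echo "mbochs sample is not built: affected code is not compiled in"
fi
```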