Bug 904013 (CVE-2014-7826)

Summary: VUL-0: CVE-2014-7826: kernel: OOB read in ftrace
Product: [Novell Products] SUSE Security Incidents Reporter: Johannes Segitz <jsegitz>
Component: IncidentsAssignee: Borislav Petkov <bpetkov>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Major    
Priority: P3 - Medium CC: bpetkov, meissner, mhocko
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: maint:released:sle11-sp3:60050 maint:released:sle11-sp3:59882 maint:released:sle11-sp3:60051 maint:released:sle11-sp3:59877 maint:released:sle11-sp3:60054 maint:released:sle11-sp2:60466 maint:released:sle11-sp2:60465 maint:released:sle11-sp2:60467 maint:released:sle11-sp2:60469
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Johannes Segitz 2014-11-05 12:22:12 UTC
Created attachment 612478 [details]
PoC

Date: Mon, 3 Nov 2014 22:20:10 +0100
From: Robert Święcki <robert@swiecki.net>
To: linux-distros@vs.openwall.org

2. Possible ftrace subsystem priv escalation - well... it requires
help from root which should be running trace-cmd at the time we
exploit the system

It's a bit more interesting because it potentially leads to ring0 code
execution. It starts similarly with a incorrect syscall_nr check here

http://lxr.free-electrons.com/source/kernel/trace/trace_syscalls.c#L362

Then ftrace_file is dereferenced from an offsetted adress

(gdb) x/i $pc
=> 0xc11213a7 <ftrace_syscall_enter+23>:        mov    0x4(%eax,%ecx,4),%esi
(gdb) p/x $eax+($ecx*4)+0x4
$7 = 0x81bc4ab0  <--- ftrace_file is read from user-controlled address
(gdb) p/x *regs
$8 = {bx = 0x0, cx = 0x0, dx = 0x0, si = 0x0, di = 0x0, bp = 0x0, ax =
0xffffffda, ds = 0x7b, es = 0x7b, fs = 0x0,
  gs = 0x33, orig_ax = 0x30000007, ip = 0xb7766d7c, cs = 0x73, flags =
0x246, sp = 0xbffb46fc, ss = 0x7b}

Now, the user-provided ftrace_event_file *file is checked here
http://lxr.free-electrons.com/source/include/linux/ftrace_event.h#L432
and the (user-controlled) pointer is called here
http://lxr.free-electrons.com/source/kernel/trace/trace_events_trigger.c#L77

To reproduce (just a oob read in the file)
(from root console): trace-cmd record  -e syscalls:sys_enter_write
(from user): ./ftrace (code attached)

===================

Currently there is no decision on the CRD date, maybe it will be release quite quickly since the patch is public. Only the information about the possible exploitation is private. I checked in SLE 12 kernel and it looks like we're vulnerable.
Comment 2 Swamp Workflow Management 2014-11-05 23:01:06 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2014-11-10 09:43:58 UTC
 2. Ftrace subsystem supervisor mode code execution - CVE-2014-7826
=====================================================================

As a precondition this attack scenario requires system administrators
to enable ftrace-level system tracing (e.g. with 'trace-cmd record -e
syscalls:sys_enter_write' command) on the local system, at the time of
attack taking place. Likewise, the problem stems from an incorrect
upper boundary check of the syscall_nr variable inside
ftrace_syscall_enter()/ftrace_syscall_exit() functions. However,
unlike with CVE-2014-7825, here a user-controlled pointer inside the
'struct ftrace_event_file' structure can be called through the
ftrace_trigger_soft_disabled() -> event_triggers_call() function
call-chain (http://lxr.free-electrons.com/source/kernel/trace/trace_events_trigger.c#L77)
 leading to supervisor mode code execution of user-controlled code
(under systems w/o SMEP/SMAP-type protections enabled).

This issue has been fixed with the same patch:

 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/kernel/trace/trace_syscalls.c?id=086ba77a6db00ed858ff07451bedee197df868c9
 Author: Rabin Vincent <rabin@rab.in>
 Date:   Wed Oct 29 23:06:58 2014 +0100
Comment 6 Borislav Petkov 2014-11-10 09:50:27 UTC
Let me do it - I feel like doing this right now :-P
Comment 7 Borislav Petkov 2014-11-10 12:02:51 UTC
Fix pushed to all relevant trees, closing.
Comment 8 Swamp Workflow Management 2014-12-19 18:08:38 UTC
openSUSE-SU-2014:1669-1: An update that solves 22 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 768714,818561,835839,853040,865882,882639,883518,883724,883948,887082,889173,890624,892490,896382,896385,896390,896391,896392,896689,899785,904013,904700,905100,905764,907818,909077,910251
CVE References: CVE-2013-2889,CVE-2013-2891,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-8709,CVE-2014-8884,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 12.3 (src):    kernel-docs-3.7.10-1.45.2, kernel-source-3.7.10-1.45.1, kernel-syms-3.7.10-1.45.1
Comment 9 Swamp Workflow Management 2014-12-21 12:11:28 UTC
openSUSE-SU-2014:1677-1: An update that solves 31 vulnerabilities and has 12 fixes is now available.

Category: security (important)
Bug References: 818966,835839,853040,856659,864375,865882,873790,875051,881008,882639,882804,883518,883724,883948,883949,884324,887046,887082,889173,890114,891689,892490,893429,896382,896385,896390,896391,896392,896689,897736,899785,900392,902346,902349,902351,904013,904700,905100,905744,907818,908163,909077,910251
CVE References: CVE-2013-2891,CVE-2013-2898,CVE-2014-0181,CVE-2014-0206,CVE-2014-1739,CVE-2014-3181,CVE-2014-3182,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-4171,CVE-2014-4508,CVE-2014-4608,CVE-2014-4611,CVE-2014-4943,CVE-2014-5077,CVE-2014-5206,CVE-2014-5207,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410,CVE-2014-7826,CVE-2014-7841,CVE-2014-7975,CVE-2014-8133,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.16.1, crash-7.0.2-2.16.1, hdjmod-1.28-16.16.1, ipset-6.21.1-2.20.1, iscsitarget-1.4.20.3-13.16.1, kernel-docs-3.11.10-25.2, kernel-source-3.11.10-25.1, kernel-syms-3.11.10-25.1, ndiswrapper-1.58-16.1, pcfclock-0.44-258.16.1, vhba-kmp-20130607-2.17.1, virtualbox-4.2.18-2.21.1, xen-4.3.2_02-30.1, xtables-addons-2.3-2.16.1
Comment 10 Swamp Workflow Management 2014-12-21 12:15:16 UTC
openSUSE-SU-2014:1678-1: An update that solves 8 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 665315,856659,897112,897736,900786,902346,902349,902351,902632,902633,902728,903748,903986,904013,904097,904289,904417,904539,904717,904932,905068,905100,905329,905739,906914,907818,908163,908253,909077,910251
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-9090,CVE-2014-9322
Sources used:
openSUSE 13.2 (src):    kernel-docs-3.16.7-7.2, kernel-obs-build-3.16.7-7.3, kernel-obs-qa-3.16.7-7.2, kernel-obs-qa-xen-3.16.7-7.2, kernel-source-3.16.7-7.1, kernel-syms-3.16.7-7.1
Comment 11 Swamp Workflow Management 2014-12-23 18:15:10 UTC
SUSE-SU-2014:1693-1: An update that solves 21 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8709,CVE-2014-8884
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-default-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-default-3.0.101-0.42.1, kernel-ec2-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1, xen-4.2.5_02-0.7.2
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.27.115, gfs2-2-0.16.121, ocfs2-1.6-0.20.115
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-default-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1, xen-4.2.5_02-0.7.2
SLE 11 SERVER Unsupported Extras (src):    kernel-default-3.0.101-0.42.1, kernel-pae-3.0.101-0.42.1, kernel-ppc64-3.0.101-0.42.1, kernel-xen-3.0.101-0.42.1
Comment 12 Swamp Workflow Management 2014-12-23 19:13:12 UTC
SUSE-SU-2014:1695-1: An update that solves 24 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522,907818,909077,910251
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-8709,CVE-2014-8884,CVE-2014-9090,CVE-2014-9322
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-source-3.0.101-0.46.1, kernel-syms-3.0.101-0.46.1, kernel-trace-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-ec2-3.0.101-0.46.1, kernel-source-3.0.101-0.46.1, kernel-syms-3.0.101-0.46.1, kernel-trace-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1, xen-4.2.5_02-0.7.9
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.27.120, gfs2-2-0.16.126, ocfs2-1.6-0.20.120
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-source-3.0.101-0.46.1, kernel-syms-3.0.101-0.46.1, kernel-trace-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1, xen-4.2.5_02-0.7.9
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.46.1, kernel-default-3.0.101-0.46.1, kernel-xen-3.0.101-0.46.1
Comment 13 Swamp Workflow Management 2014-12-24 07:17:40 UTC
SUSE-SU-2014:1693-2: An update that solves 21 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8709,CVE-2014-8884
Sources used:
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-default-3.0.101-0.42.1, kernel-ppc64-3.0.101-0.42.1, kernel-source-3.0.101-0.42.1, kernel-syms-3.0.101-0.42.1, kernel-trace-3.0.101-0.42.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.27.115, gfs2-2-0.16.121, ocfs2-1.6-0.20.115
Comment 14 Swamp Workflow Management 2015-01-14 18:17:30 UTC
SUSE-SU-2014:1695-2: An update that solves 24 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 755743,779488,800255,835839,851603,853040,857643,860441,868049,873228,876633,883724,883948,885077,887418,888607,891211,891368,891790,892782,893758,894058,894895,895387,895468,896382,896390,896391,896392,896415,897502,897694,897708,898295,898375,898554,899192,899574,899843,901638,902346,902349,903331,903653,904013,904358,904700,905100,905522,907818,909077,910251
CVE References: CVE-2012-4398,CVE-2013-2889,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-7263,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-4508,CVE-2014-4608,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-8709,CVE-2014-8884,CVE-2014-9090,CVE-2014-9322
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.27.121, drbd-kmp-8.4.4-0.22.87, iscsitarget-1.4.20-0.38.106, kernel-rt-3.0.101.rt130-0.32.1, kernel-rt_trace-3.0.101.rt130-0.32.1, kernel-source-rt-3.0.101.rt130-0.32.1, kernel-syms-rt-3.0.101.rt130-0.32.1, lttng-modules-2.1.1-0.11.96, ocfs2-1.6-0.20.121, ofed-1.5.4.1-0.13.112
Comment 15 Swamp Workflow Management 2015-01-16 13:15:55 UTC
SUSE-SU-2015:0068-1: An update that solves 11 vulnerabilities and has 62 fixes is now available.

Category: security (important)
Bug References: 851603,853040,860441,862957,863526,870498,873228,874025,877622,879255,880767,880892,881085,883139,887046,887382,887418,889295,889297,891259,891619,892254,892612,892650,892860,893454,894057,894863,895221,895387,895468,895680,895983,896391,897101,897736,897770,897912,898234,898297,899192,899489,899551,899785,899787,899908,900126,901090,901774,901809,901925,902010,902016,902346,902893,902898,903279,903307,904013,904077,904115,904354,904871,905087,905100,905296,905758,905772,907818,908184,909077,910251,910697
CVE References: CVE-2013-6405,CVE-2014-3185,CVE-2014-3610,CVE-2014-3611,CVE-2014-3647,CVE-2014-3673,CVE-2014-7826,CVE-2014-7841,CVE-2014-8133,CVE-2014-9090,CVE-2014-9322
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.32-33.3, kernel-obs-build-3.12.32-33.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.32-33.1, kernel-syms-3.12.32-33.1
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.32-33.1, kernel-syms-3.12.32-33.1
Comment 16 Swamp Workflow Management 2015-03-11 19:12:28 UTC
SUSE-SU-2015:0481-1: An update that solves 34 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 771619,779488,833588,835839,847652,857643,864049,865442,867531,867723,870161,875051,876633,880892,883096,883948,887082,892490,892782,895680,896382,896390,896391,896392,897995,898693,899192,901885,902232,902346,902349,902351,902675,903640,904013,904700,905100,905312,905799,906586,907189,907338,907396,909078,912654,912705,915335
CVE References: CVE-2012-4398,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-2929,CVE-2013-7263,CVE-2014-0131,CVE-2014-0181,CVE-2014-2309,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-4943,CVE-2014-5471,CVE-2014-5472,CVE-2014-7826,CVE-2014-7841,CVE-2014-7842,CVE-2014-8134,CVE-2014-8369,CVE-2014-8559,CVE-2014-8709,CVE-2014-9584,CVE-2014-9585
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    kernel-default-3.0.101-0.7.29.1, kernel-ec2-3.0.101-0.7.29.1, kernel-pae-3.0.101-0.7.29.1, kernel-source-3.0.101-0.7.29.1, kernel-syms-3.0.101-0.7.29.1, kernel-trace-3.0.101-0.7.29.1, kernel-xen-3.0.101-0.7.29.1, xen-4.1.6_08-0.5.19
SLE 11 SERVER Unsupported Extras (src):    ext4-writeable-0-0.14.142, kernel-default-3.0.101-0.7.29.1, kernel-pae-3.0.101-0.7.29.1, kernel-xen-3.0.101-0.7.29.1
Comment 17 Swamp Workflow Management 2015-03-21 14:12:42 UTC
openSUSE-SU-2015:0566-1: An update that solves 38 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 771619,778463,833588,835839,847652,853040,864049,865442,867531,867723,870161,875051,876633,880892,883096,883724,883948,887082,892490,892782,895680,896382,896390,896391,896392,897995,898693,899192,901885,902232,902346,902349,902351,902675,903640,904013,904700,905100,905312,905799,906586,907189,907338,907396,907818,909077,909078,910251,912654,912705,915335
CVE References: CVE-2012-4398,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-2929,CVE-2013-7263,CVE-2014-0131,CVE-2014-0181,CVE-2014-2309,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4508,CVE-2014-4608,CVE-2014-4943,CVE-2014-5471,CVE-2014-5472,CVE-2014-7826,CVE-2014-7841,CVE-2014-7842,CVE-2014-8133,CVE-2014-8134,CVE-2014-8369,CVE-2014-8559,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322,CVE-2014-9584,CVE-2014-9585
Sources used:
openSUSE Evergreen 11.4 (src):    kernel-docs-3.0.101-99.2, kernel-source-3.0.101-99.1, kernel-syms-3.0.101-99.1, preload-1.2-6.77.1