Bug 927257 (CVE-2015-3331)

Summary: VUL-0: CVE-2015-3331: kernel: Buffer overruns in Linux kernel RFC4106 implementation using AESNI
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P2 - High
CC: astieger, brent.griggs, jsegitz, meissner, smueller, thomas
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: maint:running:61844:important maint:released:sle11-sp3:61845 maint:released:sle11-sp3:61848 maint:released:sle11-sp3:61849 maint:released:sle11-sp3:61853 maint:released:sle11-sp3:61852 CVSSv2:NVD:CVE-2015-3331:9.3:(AV:N/AC:M/Au:N/C:C/I:C/A:C) maint:released:sle11-sp3:61909
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 939262

Description Marcus Meissner 2015-04-15 10:13:19 UTC
via oss-sec

From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 14 Apr 2015 21:46:32 +0100
Subject: [oss-security] Buffer overruns in Linux kernel RFC4106 implementation using AESNI

Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in
GCM decryption") fixes two bugs in pointer arithmetic that lead to
buffer overruns (even with valid parameters!):

https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a

These are described as resulting in DoS (local or remote), but are
presumably also exploitable for privilege escalation.

The bugs appear to have been introduced by commit 0bd82f5f6355 ("crypto:
aesni-intel - RFC4106 AES-GCM Driver Using Intel New Instructions") in
Linux 2.6.38.

The above fix is included in Linux 4.0 and the following stable updates:

v3.10.73: 31c06b946ce6 crypto: aesni - fix memory usage in GCM decryption
v3.12.40: 0585664d1732 crypto: aesni - fix memory usage in GCM decryption
v3.14.37: e9b15363c101 crypto: aesni - fix memory usage in GCM decryption
v3.18.11: 3b389956156c crypto: aesni - fix memory usage in GCM decryption
v3.19.3: b90935f1d9a0 crypto: aesni - fix memory usage in GCM decryption
v3.13.11-ckt19: 40e073009626 crypto: aesni - fix memory usage in GCM decryption

Please assign a CVE ID for this.

Ben.
Comment 1 Marcus Meissner 2015-04-15 10:16:21 UTC
Will come with 3.12.40 stable for SLE12.

needs backport to SLE11 I think (and openSUSE).
Comment 2 Stephan Müller 2015-04-15 14:52:14 UTC
Apologies for not having notified you about that one earlier. I found that bug and sent the patch upstream.

However, it is not critical IMHO. The following reasons apply:

1. the overrun is in a code path that works on non-aligned data -- the only user of GCM in the kernel is IPSEC atm. And esp_input uses aligned data requests.

2. the mentioned user space interface is the one I implemented and is just about to be added to 4.1-rc1 (Herbert Xu's git pull request to Linus just went out).

Hence, I personally do not see that as a big issue since I currently see no way that a user can trigger that faulty code path.
Comment 3 Swamp Workflow Management 2015-04-15 22:00:24 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2015-04-18 06:30:43 UTC
CVE-2015-3331
Comment 5 Andreas Stieger 2015-04-20 08:30:00 UTC
(In reply to Stephan Müller from comment #2)
> Apologies to not having you notified about that one earlier. I found that
> bug and sent the patch upstream.
> 
> However, it is not critical IMHO. The following reasons apply:
> 
> 1. the overrun is in a code path that works on non-aligned data -- the only
> user of GCM in the kernel is IPSEC atm. And esp_input uses aligned data
> requests.
> 
> 2. the mentioned user space interface is the one I implemented and is just
> about to be added to 4.1-rc1 (Herbert Xu's git pull request to Linus just
> went out).
> 
> Hence, I personally do not see that as a big issue since I currently see no
> way that a user can trigger that faulty code path.

Thank you for this information. Would you say that to take a safe stance w.r.t. further, possibly future, users of this code path or user space interface, the patch could be applied with the next regular kernel for SLE 12 and 11?
Comment 6 Marcus Meissner 2015-04-20 08:48:48 UTC
The patch should be applied to the next kernel update, the discussion above is just about impact.

It seems it does not risk FIPS certification of the previous kernel without the patch.
Comment 7 Stephan Müller 2015-04-20 15:18:13 UTC
I have just seen another report that the bug *is* triggerable in the wild: when the remote IPSEC end sends fragmented packets to the kernel IPSEC stack, the issue can be triggered, as in this case the non-aligned code path is chosen.
Comment 8 Marcus Meissner 2015-04-23 14:37:13 UTC
Remote denial of service according to Stephan.
Comment 9 Marcus Meissner 2015-05-15 14:39:28 UTC
Torsten?
Comment 10 Torsten Duwe 2015-05-15 17:00:04 UTC
(In reply to Marcus Meissner from comment #0)

> The above fix is included in Linux 4.0 and the following stable updates:
> 
> v3.10.73: 31c06b946ce6 crypto: aesni - fix memory usage in GCM decryption
> v3.12.40: 0585664d1732 crypto: aesni - fix memory usage in GCM decryption

Do not trust commit IDs, they may change e.g. with a rebase or merge.
Comment 11 Marcus Meissner 2015-05-18 09:15:17 UTC
in patches.kernel.org/patch-3.12.39-40
Comment 16 Torsten Duwe 2015-05-19 15:07:35 UTC
Patch also applied to SLE11-SP2-LTSS and -SP3 branches (should auto-merge to SP4).

Maintenance, please take over...
Comment 17 Swamp Workflow Management 2015-05-29 09:50:15 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844
Comment 18 Swamp Workflow Management 2015-06-08 12:13:59 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904
Comment 19 Swamp Workflow Management 2015-06-16 12:10:19 UTC
SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
Comment 20 Swamp Workflow Management 2015-07-02 15:22:30 UTC
SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
Comment 22 Swamp Workflow Management 2015-08-12 17:25:26 UTC
SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22
Comment 23 Swamp Workflow Management 2015-09-02 13:16:58 UTC
SUSE-SU-2015:1478-1: An update that solves 18 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 798406,821931,860593,879878,891087,897995,898693,900881,904671,908870,909477,912916,914742,915200,915517,915577,916010,917093,917830,918333,919007,919018,919463,921769,922583,923245,926240,927257,928801,929148,929283,929360,929525,930284,930934,931474,933429,935705,936831,937032,937986,940338,940398
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9683,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-1805,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3636,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-source-3.0.101-0.7.37.1, kernel-syms-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
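The four advisories above each name the first kernel package release that carries the fix for a given product. The Python below is an added example, not part of this bug report or of any SUSE tooling: it takes a kernel package string as printed by `rpm -q` and decides whether it is at or past the fixed release for the product, using a simplified rpm version ordering (tilde and caret handling omitted). The version-release values come from the advisories; the product labels, the architecture list and the sample package strings are assumptions made for the example.

```python
import re

# Simplified rpmvercmp: split into alternating numeric/alphabetic segments;
# numeric segments compare as integers, alphabetic ones lexically, numeric
# beats alphabetic, and the string with segments left over is newer.
_SEGMENT = re.compile(r"[0-9]+|[A-Za-z]+")


def rpmvercmp(a: str, b: str) -> int:
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a: str, b: str) -> int:
    """Compare two 'version-release' strings the way rpm orders them."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# Architecture suffixes we strip from `rpm -q` output (assumed list).
_ARCHES = ("x86_64", "i586", "i686", "ppc64", "s390x", "noarch")


def nvr_to_vr(nvr: str) -> str:
    """'kernel-default-3.0.101-0.47.55.1.x86_64' -> '3.0.101-0.47.55.1'."""
    for arch in _ARCHES:
        if nvr.endswith("." + arch):
            nvr = nvr[: -len(arch) - 1]
            break
    _name, version, release = nvr.rsplit("-", 2)
    return f"{version}-{release}"


# First fixed kernel version-release per product, taken from the advisories
# in this bug. The product keys are labels chosen for this example.
FIXED = {
    "SLE12": "3.12.43-52.6.1",                   # SUSE-SU-2015:1071-1
    "SLE11-SP3": "3.0.101-0.47.55.1",            # SUSE-SU-2015:1174-1
    "SLE11-SP3-RT": "3.0.101.rt130-0.33.38.1",   # SUSE-SU-2015:1376-1
    "SLE11-SP2-LTSS": "3.0.101-0.7.37.1",        # SUSE-SU-2015:1478-1
}


def is_fixed(product: str, installed_nvr: str) -> bool:
    """True if the installed kernel package is at or past the fixed release."""
    return compare_vr(nvr_to_vr(installed_nvr), FIXED[product]) >= 0


if __name__ == "__main__":
    # Constructed sample `rpm -q` outputs; not taken from a real system.
    samples = [
        ("SLE12", "kernel-default-3.12.43-52.6.1.x86_64"),
        ("SLE12", "kernel-default-3.12.39-47.1.x86_64"),
        ("SLE11-SP3", "kernel-default-3.0.101-0.47.55.1.x86_64"),
        ("SLE11-SP3", "kernel-xen-3.0.101-0.47.52.1.i586"),
    ]
    for product, nvr in samples:
        state = "fixed" if is_fixed(product, nvr) else "VULNERABLE"
        print(f"{product}: {nvr}: {state}")
```

Feed it the installed package name rather than `uname -r`: the package version-release is what the advisories list, while the kernel's own version string carries the flavour suffix and can omit the rebuild counter. Comment 10's warning applies here too: the package release, not a stable-tree commit ID, is the reliable indicator that a given SUSE kernel contains the fix.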
Comment 24 Marcus Meissner 2015-09-04 09:57:23 UTC
I think we are done.