Bug 962075 (CVE-2016-0728)

Summary: VUL-0: CVE-2016-0728: kernel: Use-after-free vulnerability in keyring facility
Product: [Novell Products] SUSE Security Incidents
Reporter: Johannes Segitz <jsegitz>
Component: Incidents
Assignee: Joey Lee <jlee>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: andreas.taschner, aromond, astieger, bpetkov, brent.griggs, fbonin, jason, jeffm, jsegitz, jslaby, mbenes, meissner, mge, mhocko, mjr19, mkubecek, mmarek, mpluskal, msvec, rjschwei, roger.whittaker, thomas, tiwai
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/160755/
Whiteboard: CVSSv2:RedHat:CVE-2016-0728:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: poc

Description Johannes Segitz 2016-01-15 12:50:51 UTC
Created attachment 661901: Patch for CVE-2016-0728

Perception Point research team reported to RH:

Use-after-free vulnerability in keyring facility, possibly leading to
local privilege escalation, was found. Function join_session_keyring in
security/keys/process_keys.c holds a reference to the requested keyring,
but if that keyring is the same as the one being currently used by the
process, the kernel wouldn't decrease keyring->usage before returning to
userspace. The usage field can be possibly overflowed causing
use-after-free on the keyring object.

Introduced by:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a50597de8635cd05133bd12c95681c82fe7b878

RH suspects that Perception Point research team is preparing a blog
post to be published on the embargo lift date, possibly with a (fully?)
working exploit disclosure.

CRD: 2016-01-19
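The leak described in the report above, as a constructed userspace model added here for illustration; this is not code from the kernel, from the reporter or from this bug. struct keyring, struct process, keyring_get/keyring_put, gc_release_unreferenced and the two join_session_keyring_* variants are stand-ins for the kernel objects and functions the description names, and the collector model (an object whose count reads zero is released) is a simplification assumed for the example. The buggy variant takes a reference on lookup and returns without dropping it when the requested keyring is already the session keyring, so every such call leaks one reference; the fixed variant drops the extra reference on that early return. The wrap check pre-sets the 32-bit counter near its maximum instead of looping 2^32 times.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed userspace model of the reference handling described in the
 * report. Not kernel code: every type and function here is a stand-in.
 */
struct keyring {
    uint32_t usage;   /* models keyring->usage; 32-bit, so it can wrap */
    bool     freed;   /* set once the model releases the object */
};

struct process {
    struct keyring *session;   /* the process's current session keyring */
};

static struct keyring *keyring_get(struct keyring *k)
{
    k->usage++;                /* take a reference; wraps silently at 2^32 */
    return k;
}

static void keyring_put(struct keyring *k)
{
    k->usage--;                /* drop a reference */
}

/* Model of the collector (assumption for this example): an object whose
 * count reads zero is treated as unreferenced and released, even if a
 * process still points at it. */
static void gc_release_unreferenced(struct keyring *k)
{
    if (k->usage == 0)
        k->freed = true;
}

/* Buggy variant, modelled on the report: the lookup takes a reference and,
 * when the requested keyring is already the session keyring, the function
 * returns without dropping it, leaking one reference per call. */
static int join_session_keyring_buggy(struct process *p, struct keyring *requested)
{
    struct keyring *k = keyring_get(requested);

    if (p->session == k)
        return 0;              /* bug: reference from keyring_get() is leaked */

    if (p->session)
        keyring_put(p->session);
    p->session = k;
    return 0;
}

/* Fixed variant: same early return, but the extra reference is dropped
 * first, so a no-op join leaves usage unchanged. */
static int join_session_keyring_fixed(struct process *p, struct keyring *requested)
{
    struct keyring *k = keyring_get(requested);

    if (p->session == k) {
        keyring_put(k);        /* balance the keyring_get() above */
        return 0;
    }

    if (p->session)
        keyring_put(p->session);
    p->session = k;
    return 0;
}

/* Number of references leaked by n joins of the current session keyring. */
static uint32_t leaked_refs(int (*join)(struct process *, struct keyring *), unsigned n)
{
    struct keyring kr = { .usage = 1, .freed = false };   /* creator's reference */
    struct process p  = { .session = keyring_get(&kr) };  /* usage is now 2 */
    uint32_t before = kr.usage;

    for (unsigned i = 0; i < n; i++)
        join(&p, &kr);
    return kr.usage - before;
}

/* Drive the join path across the 32-bit wrap. The counter is pre-set near
 * UINT32_MAX to stand in for the ~2^32 earlier leaked joins. Returns true if
 * the session keyring was released while the process still references it,
 * i.e. the use-after-free condition the report describes. */
static bool session_freed_after_wrap(int (*join)(struct process *, struct keyring *))
{
    struct keyring kr = { .usage = UINT32_MAX - 1, .freed = false };
    struct process p  = { .session = &kr };

    join(&p, &kr);             /* buggy: usage -> UINT32_MAX; fixed: unchanged */
    join(&p, &kr);             /* buggy: usage wraps to 0;    fixed: unchanged */
    gc_release_unreferenced(&kr);
    return kr.freed && p.session == &kr;
}

int main(void)
{
    printf("buggy: %u refs leaked by 1000 joins, freed after wrap: %d\n",
           leaked_refs(join_session_keyring_buggy, 1000),
           session_freed_after_wrap(join_session_keyring_buggy));
    printf("fixed: %u refs leaked by 1000 joins, freed after wrap: %d\n",
           leaked_refs(join_session_keyring_fixed, 1000),
           session_freed_after_wrap(join_session_keyring_fixed));
    return 0;
}
```

The point of the model is the shape of the bug rather than the kernel's exact code paths: a reference taken on every call and dropped on every path but one is a leak that an unprivileged caller can repeat at will, and with a 32-bit counter a repeated leak is a wrap, which is why the report rates a "missing put" as a potential local privilege escalation rather than a resource leak.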
Comment 5 Swamp Workflow Management 2016-01-15 23:00:33 UTC
bugbot adjusting priority
Comment 26 Johannes Segitz 2016-01-19 12:36:39 UTC
Created attachment 662323: poc
Comment 30 Jeff Mahoney 2016-01-20 01:49:12 UTC
Ok, it's public now and I'm getting pinged from community folks.  To which branches has it been pushed so I can pull it into our repo and get maintenance updates started?
Comment 31 Joey Lee 2016-01-20 03:17:45 UTC
(In reply to Jeff Mahoney from comment #30)
> Ok, it's public now and I'm getting pinged from community folks.  To which
> branches has it been pushed so I can pull it into our repo and get
> maintenance updates started?

I pushed the patch to users/jlee/openSUSE-42.1/for-next.

And I am working on the stable branch.
Comment 32 Joey Lee 2016-01-20 04:13:05 UTC
(In reply to Joey Lee from comment #31)
> (In reply to Jeff Mahoney from comment #30)
> > Ok, it's public now and I'm getting pinged from community folks.  To which
> > branches has it been pushed so I can pull it into our repo and get
> > maintenance updates started?
> 
> I pushed the patch to users/jlee/openSUSE-42.1/for-next.
> 
> And I am working on the stable branch.

Also pushed to users/jlee/stable/for-next and users/jlee/master/for-next.
Comment 33 Michal Marek 2016-01-20 07:53:20 UTC
I updated all three SLE12 branches.
Comment 34 Marcus Meissner 2016-01-20 08:30:24 UTC
we also need it in 13.1 and 13.2 branches.

(13.1 is migrating to evergreen support, but we should do one last update for the kernel there I guess.)
Comment 35 Michal Kubeček 2016-01-20 08:40:04 UTC
(In reply to Marcus Meissner from comment #34)
> we also need it in 13.1 and 13.2 branches.
> 
> (13.1 is migrating to evergreen support, but we should do one last update
> for the kernel there I guess.)

Yes, that's the agreement between Jeff and me. For the record, a 3.12 kernel
(based on SLE12-SP1) for 13.1 with the fix is available in OBS project home:mkubecek:evergreen-13.1
Comment 36 Jiri Slaby 2016-01-20 10:38:47 UTC
I merged master to stable, now you can drop stable/for-next. Thanks.
Comment 37 Joey Lee 2016-01-20 10:51:46 UTC
I pushed the patch to my branches:
  users/jlee/openSUSE-13.1/for-next
  users/jlee/openSUSE-13.2/for-next
Comment 38 Johannes Segitz 2016-01-20 15:49:42 UTC
Affected are SLE 12 and SLE 12 SP1. SLE 11 and older are not affected.
A kernel update for SLE 12 SP1 is expected today, the update for SLE 12 should be available tomorrow
Comment 39 Bernhard Wiedemann 2016-01-20 17:00:55 UTC
This is an autogenerated message for OBS integration:
This bug (962075) was mentioned in
https://build.opensuse.org/request/show/355040 13.1 / kernel-source
Comment 40 Swamp Workflow Management 2016-01-20 20:11:41 UTC
SUSE-SU-2016:0186-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 962075
CVE References: CVE-2016-0728
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.51-60.25.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.51-60.25.2, kernel-obs-build-3.12.51-60.25.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.51-60.25.1, kernel-source-3.12.51-60.25.1, kernel-syms-3.12.51-60.25.1, kernel-xen-3.12.51-60.25.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.51-60.25.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_2-1-2.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.51-60.25.1, kernel-source-3.12.51-60.25.1, kernel-syms-3.12.51-60.25.1, kernel-xen-3.12.51-60.25.1
Comment 41 Bernhard Wiedemann 2016-01-20 22:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (962075) was mentioned in
https://build.opensuse.org/request/show/355080 42.1 / kernel-source
Comment 42 Florian BONIN 2016-01-21 12:25:38 UTC
(In reply to Johannes Segitz from comment #38)
> Affected are SLE 12 and SLE 12 SP1. SLE 11 and older are not affected.
> A kernel update for SLE 12 SP1 is expected today, the update for SLE 12
> should be available tomorrow

Hi Johannes,

Do you have an idea where the patch will be available for the SLES ES and RES products?

Thanks,
Regards,
Comment 43 Swamp Workflow Management 2016-01-22 17:12:43 UTC
SUSE-SU-2016:0205-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 962075
CVE References: CVE-2016-0728
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    kernel-default-3.12.51-52.39.1
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.51-52.39.3, kernel-obs-build-3.12.51-52.39.1
SUSE Linux Enterprise Server 12 (src):    kernel-default-3.12.51-52.39.1, kernel-source-3.12.51-52.39.1, kernel-syms-3.12.51-52.39.1, kernel-xen-3.12.51-52.39.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.51-52.39.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_11-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-default-3.12.51-52.39.1, kernel-source-3.12.51-52.39.1, kernel-syms-3.12.51-52.39.1, kernel-xen-3.12.51-52.39.1
Comment 44 Andrew Romond 2016-01-26 15:18:42 UTC
Is there any update on when this should be available for OpenSUSE 13.2 systems?
Comment 45 Marcus Meissner 2016-01-26 15:21:09 UTC
Our QA team is testing the openSUSE updates.

They can already be accessed via

http://download.opensuse.org/update/13.2-test/

(replace 13.2 with 13.1 or leap/42.1 for 13.1 and Leap).
Comment 46 Swamp Workflow Management 2016-01-29 13:17:50 UTC
openSUSE-SU-2016:0280-1: An update that solves 10 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 865096,865259,913996,950178,950998,952621,954324,954532,954647,955422,956708,957152,957988,957990,958439,958463,958504,958510,958886,958951,959190,959399,960021,960710,961263,961509,962075,962597
CVE References: CVE-2015-7550,CVE-2015-8539,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.15-8.1, kernel-default-4.1.15-8.1, kernel-docs-4.1.15-8.3, kernel-ec2-4.1.15-8.1, kernel-obs-build-4.1.15-8.2, kernel-obs-qa-4.1.15-8.1, kernel-obs-qa-xen-4.1.15-8.1, kernel-pae-4.1.15-8.1, kernel-pv-4.1.15-8.1, kernel-source-4.1.15-8.1, kernel-syms-4.1.15-8.1, kernel-vanilla-4.1.15-8.1, kernel-xen-4.1.15-8.1
Comment 47 Swamp Workflow Management 2016-02-01 15:29:54 UTC
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
Comment 51 Michael Rutter 2016-02-03 14:07:08 UTC
The RPM's changelog on these seems not to have been updated. E.g. for 13.1:

rpm -q --changelog -p kernel-default-3.11.10-32.1.x86_64.rpm | head -2
* Thu Mar 05 2015 oneukum@suse.de
- HID: usbhid: enable always-poll quirk for Elan Touchscreen 0103

rpm -q --changelog -p kernel-default-3.11.10-29.1.x86_64.rpm | head -2
* Thu Mar 05 2015 oneukum@suse.de
- HID: usbhid: enable always-poll quirk for Elan Touchscreen 0103

I'd expect something more recent on the -32 version.
Comment 52 Michal Marek 2016-02-03 14:09:46 UTC
This is a known issue, see the thread at http://lists.opensuse.org/opensuse-kernel/2016-02/msg00000.html
Comment 53 Swamp Workflow Management 2016-02-03 14:20:01 UTC
openSUSE-SU-2016:0318-1: An update that solves 19 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 814440,906545,912202,921949,937969,937970,938706,944296,945825,949936,950998,951627,951638,952384,952579,952976,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-8989,CVE-2014-9529,CVE-2015-5157,CVE-2015-5307,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.15.1, cloop-2.639-14.15.1, crash-7.0.8-15.1, hdjmod-1.28-18.16.1, ipset-6.23-15.1, kernel-debug-3.16.7-32.1, kernel-default-3.16.7-32.1, kernel-desktop-3.16.7-32.1, kernel-docs-3.16.7-32.2, kernel-ec2-3.16.7-32.1, kernel-obs-build-3.16.7-32.2, kernel-obs-qa-3.16.7-32.1, kernel-obs-qa-xen-3.16.7-32.1, kernel-pae-3.16.7-32.1, kernel-source-3.16.7-32.1, kernel-syms-3.16.7-32.1, kernel-vanilla-3.16.7-32.1, kernel-xen-3.16.7-32.1, pcfclock-0.44-260.15.1, vhba-kmp-20140629-2.15.1, virtualbox-4.3.34-37.1, xen-4.4.3_08-38.1, xtables-addons-2.6-15.1
Comment 54 Marcus Meissner 2016-06-01 12:27:46 UTC
All released.