Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2016-4557: kernel: double-free/use-after-free in eBPF | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | meissner, mkubecek, security-team, smash_bz |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | Other | | |
| OS: | Other | | |
| URL: | https://smash.suse.de/issue/168690/ | | |
| Whiteboard: | CVSSv2:SUSE:CVE-2016-4557:6.2:(AV:L/AC:H/Au:N/C:C/I:C/A:C) CVSSv2:RedHat:CVE-2016-4557:6.9:(AV:L/AC:M/Au:N/C:C/I:C/A:C) CVSSv2:NVD:CVE-2016-4557:7.2:(AV:L/AC:L/Au:N/C:C/I:C/A:C) | | |
| Found By: | Security Response Team | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | | | |
| Bug Blocks: | 979077 | | |
Description
Sebastian Krahmer
2016-05-09 08:50:32 UTC
More detailed description: https://cxsecurity.com/issue/WLB-2016050014

Fixed by 8358b02bf67d bpf: fix double-fdput in replace_map_fd_with_map_ptr() (v4.6-rc6)

The buggy code was introduced by 0246e64d9a5f bpf: handle pseudo BPF_LD_IMM64 insn (v3.18-rc1), but until 1be7f75d1668 bpf: enable non-root eBPF programs (v4.4-rc1) it required CAP_SYS_ADMIN to be exploited.

Affected:
- stable (until it moves to 4.6)
- SLE12-SP2
- openSUSE-42.1 (requires root/CAP_SYS_ADMIN to exploit)

Note: I successfully reproduced the exploit on Tumbleweed with a 4.6-rc5 kernel after changing /etc/crontab permissions to 644 (but another sensitive file with read access for anyone could be used instead, e.g. /etc/passwd).

Fix submitted to stable, SLE12-SP2, openSUSE-42.1. Closing and reassigning back to security team.

openSUSE-SU-2016:1641-1: An update that solves 19 vulnerabilities and has 17 fixes is now available.

Category: security (important)

Bug References: 945345,955654,963762,966245,966849,970506,971126,971799,973570,974308,975945,977198,978073,978401,978821,978822,979018,979213,979278,979548,979728,979867,979879,979913,980348,980371,980657,981058,981267,981344,982238,982239,982712,983143,983213,984460

CVE References: CVE-2013-7446,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-3134,CVE-2016-3672,CVE-2016-3955,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4557,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4581,CVE-2016-4805,CVE-2016-4951,CVE-2016-5244

Sources used: openSUSE Leap 42.1 (src): kernel-debug-4.1.26-21.1, kernel-default-4.1.26-21.1, kernel-docs-4.1.26-21.2, kernel-ec2-4.1.26-21.1, kernel-obs-build-4.1.26-21.1, kernel-obs-qa-4.1.26-21.1, kernel-obs-qa-xen-4.1.26-21.1, kernel-pae-4.1.26-21.1, kernel-pv-4.1.26-21.1, kernel-source-4.1.26-21.1, kernel-syms-4.1.26-21.1, kernel-vanilla-4.1.26-21.1, kernel-xen-4.1.26-21.1

openSUSE-SU-2016:2290-1: An update that solves 17 vulnerabilities and has 9 fixes is now available.

Category: security (important)

Bug References: 963931,970948,971126,971360,974266,978821,978822,979018,979213,979879,980371,981058,981267,986362,986365,986570,987886,989084,989152,989176,990058,991110,991608,991665,994296,994520

CVE References: CVE-2015-8787,CVE-2016-1237,CVE-2016-2847,CVE-2016-3134,CVE-2016-3156,CVE-2016-4485,CVE-2016-4486,CVE-2016-4557,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4805,CVE-2016-4951,CVE-2016-4998,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828

Sources used: openSUSE Leap 42.1 (src): drbd-8.4.6-8.1, hdjmod-1.28-24.1, ipset-6.25.1-5.1, kernel-debug-4.1.31-30.2, kernel-default-4.1.31-30.2, kernel-docs-4.1.31-30.3, kernel-ec2-4.1.31-30.2, kernel-obs-build-4.1.31-30.3, kernel-obs-qa-4.1.31-30.1, kernel-obs-qa-xen-4.1.31-30.1, kernel-pae-4.1.31-30.2, kernel-pv-4.1.31-30.2, kernel-source-4.1.31-30.1, kernel-syms-4.1.31-30.1, kernel-vanilla-4.1.31-30.2, kernel-xen-4.1.31-30.2, lttng-modules-2.7.0-2.1, pcfclock-0.44-266.1, vhba-kmp-20140928-5.1
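The report above turns on one exposure question: whether unprivileged users can load eBPF programs at all, which 1be7f75d1668 (v4.4-rc1) made possible and which is what raised this bug from a root-only issue to a local privilege escalation. The following check is an added example, not part of the bug report or of any SUSE tooling; it assumes the `kernel.unprivileged_bpf_disabled` sysctl that the same commit introduced, read from /proc/sys, and takes an optional file path so it can be exercised against a constructed file.

```shell
#!/bin/sh
# Added example (not from the bug report): report whether unprivileged eBPF
# program loading is reachable on this host. Assumption: the
# kernel.unprivileged_bpf_disabled sysctl introduced together with non-root
# eBPF in v4.4-rc1. A kernel without the file either predates that change
# (eBPF then needs CAP_SYS_ADMIN) or has no BPF support.
#
# Prints one word: enabled, disabled, absent or unknown.

bpf_unpriv_status() {
    f="${1:-/proc/sys/kernel/unprivileged_bpf_disabled}"
    if [ ! -r "$f" ]; then
        echo "absent"
        return 0
    fi
    v=$(cat "$f")
    case "$v" in
        0)   echo "enabled"  ;;   # unprivileged bpf(2) allowed: CVE-2016-4557 reachable by local users on affected kernels
        1|2) echo "disabled" ;;   # 1 = disabled permanently, 2 (newer kernels) = disabled until reboot
        *)   echo "unknown"  ;;
    esac
}

# Usage: ./bpf_unpriv_check.sh [path-to-sysctl-file]
bpf_unpriv_status "$@"
```

A status of `enabled` on a kernel in the affected range above means the double-fdput is exposed to every local user, not just root; `disabled` or `absent` restores the CAP_SYS_ADMIN requirement but does not replace the fix commit, so the package update is still needed.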