Bug 1004418 (CVE-2016-5195) - VUL-0: CVE-2016-5195: kernel: local privilege escalation using MAP_PRIVATE "Dirty COW"
Status: RESOLVED FIXED
Alias: CVE-2016-5195
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Deadline: 2016-12-05
Assignee: Michal Hocko
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2016-5195:6.6:(AV:L/A...
Keywords:
Depends on:
Blocks: 1004419
Reported: 2016-10-13 05:47 UTC by Marcus Meissner
Modified: 2021-08-25 09:49 UTC (History)
CC List: 40 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
PageAnon based patch (5.25 KB, patch)
2016-10-17 08:11 UTC, Michal Hocko
Linus fix (3.30 KB, patch)
2016-10-18 07:21 UTC, Michal Hocko
dirtyc0w.c (2.63 KB, text/plain)
2016-10-21 09:18 UTC, Marcus Meissner

Description Marcus Meissner 2016-10-13 05:47:43 UTC
via distros

From: Andy Lutomirski <luto@amacapital.net>
Hi all-

CVE-2016-5195 is a Linux privilege escalation bug.  It probably
affects all architectures and many versions.  It is being actively
exploited in the wild.

The attached test case is something I wrote in 15 minutes this
evening.  It's bed time and I haven't tried to weaponize it, so I'm
not 100% sure it works.

There's a patch in testing.  I don't know yet whether there will be an
embargo.  In the mean time, please don't share the test case.

Credit for this exploit should not go to me.  If anyone wants to step
forward and claim credit, they're welcome to do so.

--Andy
Comment 3 Michal Hocko 2016-10-13 06:58:14 UTC
Is there any additional information on the sec mailing list?
Comment 4 Marcus Meissner 2016-10-13 07:05:21 UTC
no, that was all so far.
Comment 5 Michal Marek 2016-10-13 11:55:58 UTC
So the patch has not been shared yet?
Comment 6 Marcus Meissner 2016-10-13 12:16:39 UTC
no, not yet.
Comment 7 Michal Hocko 2016-10-13 12:18:10 UTC
I am trying to wrap my head around this but have to admit a failure so far. 

get_user_pages_remote triggered when we are writing to /proc/<pid>/mem will imply FOLL_FORCE which means that check_vma_flags will not fail with EFAULT as one would expect because the VMA backing the private mapping is not opened for write.

So we continue to follow_page_mask which does the page table walk. We will get two possible results
	- page is mapped and pte read only pointing to the pagecache page
	  if the main thread hasn't done madvise MADV_DONTNEED yet and
	  still continues the read fault
	- page is not present - aka madvise was faster

In both cases follow_page_pte should return with NULL
	- no present case is trivial
	- CoW case will rely on follow_page_pte doing
	if ((flags & FOLL_WRITE) && !pte_write(pte)) {
		pte_unmap_unlock(ptep, ptl);
		return NULL;
	}

and we should go to the page fault path - faultin_page(). handle_pte_fault
would handle CoW in the first case and do_fault() should make sure to do the
CoW on a write access in the latter case. In any case we should get a private
page.

Something went south apparently as we in fact manage to write to the
pagecache page somehow. Maybe the read fault hasn't marked the pte properly.
I will continue staring at the code...
Comment 8 Swamp Workflow Management 2016-10-13 22:00:20 UTC
bugbot adjusting priority
Comment 11 Marcus Meissner 2016-10-14 06:02:35 UTC
CRD: 2016-10-20 23:59
Comment 12 Marcus Meissner 2016-10-14 06:03:04 UTC
was also received via distros
Comment 13 Michal Marek 2016-10-14 08:58:19 UTC
Boris or Michal, please commit it to cve/linux-3.12 on top of tag rpm-3.12.60-52.54. That way, we can merge it easily for SLE12-LTSS and SLE12-SP1 fast-path.

For SLE12-SP2, just use the tip of the branch.
Comment 14 Michal Hocko 2016-10-14 08:59:01 UTC
OK, I finally understand what is going on here. I was just too focused on the page fault path which is apparently OK. It is g-u-p which gets confused

faultin_page
  handle_mm_fault
    __handle_mm_fault
      handle_pte_fault
        do_fault <- pte is not present
	  do_cow_fault <- FAULT_FLAG_WRITE
	    alloc_set_pte
	      maybe_mkwrite(pte_mkdirty(entry), vma) <- mark the page dirty
	      						but keep it RO 
# Returns with 0 and retry
follow_page_mask
  follow_page_pte
    (flags & FOLL_WRITE) && !pte_write(pte) <- retry fault

faultin_page
  handle_mm_fault
    __handle_mm_fault
      handle_pte_fault
        FAULT_FLAG_WRITE && !pte_write
	  do_wp_page
	    PageAnon() <- this is CoWed page already
	    reuse_swap_page <- page is exclusively ours
	    wp_page_reuse
	      maybe_mkwrite <- dirty but RO again
	      ret = VM_FAULT_WRITE
((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) <- we drop FOLL_WRITE

# Returns with 0 and retry as a read fault
cond_resched -> different thread will now unmap via madvise
follow_page_mask
  !pte_present && pte_none
faultin_page
  handle_mm_fault
    __handle_mm_fault
      handle_pte_fault
        do_fault <- pte is not present
	  do_read_fault <- this is a read fault and we will get pagecache
	  		   page!

The patch works because the pte will be always dirty for CoWed page while it is clean for the shared page pte (aka not write fault).
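The retry loop traced above is easier to reason about when it can be stepped through. The following is an added example, not code from this bug, from SUSE or from the kernel tree: a user-space model of the __get_user_pages() loop from comment 14, with the vulnerable "drop FOLL_WRITE after VM_FAULT_WRITE" behaviour beside the two fixes discussed later in the thread (the pte_dirty check of the upstream commit and the PageAnon check from comments 18 to 21), plus a deliberately incomplete variant that only checks the FOLL_COW flag, to show why the dirty/anon test is needed. The pte is a toy struct, the flag values are only used as bits, the competing thread is a function call at the cond_resched() point, and the interleaving that triggers the bug is injected explicitly rather than raced.

```c
/* Added example (not from the bug or the kernel): a model of the
 * __get_user_pages() retry loop on a MAP_PRIVATE, PROT_READ file mapping
 * that is written through a forced (FOLL_FORCE) lookup such as
 * /proc/<pid>/mem.  The pte and the page kinds are toy values. */
#include <stdio.h>
#include <stdbool.h>

#define FOLL_WRITE     0x01
#define FOLL_FORCE     0x10
#define FOLL_COW       0x4000   /* flag the fixes add: "CoW already broken" */
#define VM_FAULT_WRITE 0x08

enum page_kind { PAGE_NONE = 0, PAGE_CACHE = 1, PAGE_ANON = 2 };
/* FIX_COW_ONLY is a hypothetical, incomplete fix used for contrast */
enum fix_kind  { VULNERABLE = 0, FIX_PTE_DIRTY = 1, FIX_PAGE_ANON = 2, FIX_COW_ONLY = 3 };
enum race_kind { RACE_NONE = 0, RACE_MADVISE = 1, RACE_MADVISE_THEN_READ = 2 };

struct pte {                     /* one pte; the VMA itself lacks VM_WRITE */
    enum page_kind page;
    bool present, write, dirty;
};

/* follow_page_pte()'s decision for a FOLL_WRITE lookup */
static bool can_follow_write_pte(const struct pte *p, unsigned flags, enum fix_kind fix)
{
    if (p->write)
        return true;
    if (!(flags & FOLL_FORCE) || !(flags & FOLL_COW))
        return false;                 /* the vulnerable code never sets FOLL_COW */
    if (fix == FIX_PTE_DIRTY)
        return p->dirty;              /* CoWed pte is dirty, pagecache pte is clean */
    if (fix == FIX_PAGE_ANON)
        return p->page == PAGE_ANON;  /* pagecache pages are never PageAnon */
    return fix == FIX_COW_ONLY;       /* trusts the flag alone (insufficient) */
}

/* follow_page_pte(): the page, or PAGE_NONE when faultin_page() must run */
static enum page_kind follow_page_pte(const struct pte *p, unsigned flags, enum fix_kind fix)
{
    if (!p->present)
        return PAGE_NONE;
    if ((flags & FOLL_WRITE) && !can_follow_write_pte(p, flags, fix))
        return PAGE_NONE;
    return p->page;
}

/* faultin_page() on a VMA without VM_WRITE */
static void faultin_page(struct pte *p, unsigned *flags, enum fix_kind fix)
{
    int ret = 0;
    if (!p->present) {
        /* do_fault(): write fault -> do_cow_fault(), read fault -> do_read_fault() */
        p->present = true;
        p->write = false;                        /* maybe_mkwrite() keeps it RO */
        p->page  = (*flags & FOLL_WRITE) ? PAGE_ANON : PAGE_CACHE;
        p->dirty = (*flags & FOLL_WRITE) != 0;   /* pte_mkdirty() only on the CoW copy */
    } else if ((*flags & FOLL_WRITE) && !p->write) {
        /* do_wp_page(): reuse the exclusive anon page or CoW the file page */
        p->page = PAGE_ANON;
        p->dirty = true;
        ret = VM_FAULT_WRITE;
    }
    if (ret & VM_FAULT_WRITE) {                  /* !(vma->vm_flags & VM_WRITE) */
        if (fix == VULNERABLE)
            *flags &= ~FOLL_WRITE;   /* the bug: later lookups become read faults */
        else
            *flags |= FOLL_COW;      /* the fix: remember CoW, keep FOLL_WRITE */
    }
}

/* what the competing thread does at the cond_resched() point */
static void other_thread(struct pte *p, enum race_kind race)
{
    if (race == RACE_NONE)
        return;
    /* madvise(MADV_DONTNEED) drops the pte */
    p->present = false; p->write = false; p->dirty = false; p->page = PAGE_NONE;
    if (race == RACE_MADVISE_THEN_READ) {
        /* a plain read of the mapping re-faults the clean pagecache page */
        p->present = true; p->page = PAGE_CACHE;
    }
}

/* Runs the forced write lookup and returns the page the writer would be
 * handed.  race_after_fault = n runs the other thread right after the
 * n-th fault returns (0 = never). */
enum page_kind gup_write_result(enum fix_kind fix, enum race_kind race, int race_after_fault)
{
    struct pte p = { PAGE_NONE, false, false, false };
    unsigned flags = FOLL_WRITE | FOLL_FORCE;
    for (int faults = 0; faults < 16; ) {
        enum page_kind got = follow_page_pte(&p, flags, fix);
        if (got != PAGE_NONE)
            return got;
        faultin_page(&p, &flags, fix);
        if (++faults == race_after_fault)
            other_thread(&p, race);
    }
    return PAGE_NONE;
}

int main(void)
{
    static const char *name[] = { "none", "pagecache (shared file page!)", "anon (private copy)" };
    printf("vulnerable, madvise after 2nd fault: %s\n", name[gup_write_result(VULNERABLE, RACE_MADVISE, 2)]);
    printf("pte_dirty fix, same race:           %s\n", name[gup_write_result(FIX_PTE_DIRTY, RACE_MADVISE, 2)]);
    printf("PageAnon fix, same race:            %s\n", name[gup_write_result(FIX_PAGE_ANON, RACE_MADVISE, 2)]);
    printf("FOLL_COW only, madvise+read race:   %s\n", name[gup_write_result(FIX_COW_ONLY, RACE_MADVISE_THEN_READ, 2)]);
    return 0;
}
```

The model reproduces the ordering in the trace: the shared pagecache page is only reached when the competing madvise lands after FOLL_WRITE has been dropped (second fault), not after the first CoW fault. Both real fixes keep FOLL_WRITE, so the refault after madvise is a write fault again; the FOLL_COW-only variant shows that the flag by itself is not enough once another read has mapped the clean pagecache page in between, which is exactly why the pte_dirty (or PageAnon) test is part of the check.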
Comment 15 Michal Hocko 2016-10-14 09:00:32 UTC
(In reply to Michal Marek from comment #13)
> Boris or Michal, please commit it to cve/linux-3.12 on top of tag
> rpm-3.12.60-52.54. That way, we can merge it easily for SLE12-LTSS and
> SLE12-SP1 fast-path.
> 
> For SLE12-SP2, just use the tip of the branch.

I will take care of this I just have to double check the s390 and dirty bit part. I am also thinking whether there is a simpler solution.
Comment 17 Michal Marek 2016-10-14 09:08:31 UTC
For cve/linux-3.0, use commit

574c4a7ce1d3 ("aacraid: Check size values after double-fetch from user   (CVE-2016-6480 bsc#991608).")

(git log origin/cve/linux-3.0 --not origin/scripts $(git describe --abbrev=0 origin/SLE11-SP4 origin/SLE11-SP3-LTSS origin/SLE11-SP2-LTSS) | tail; find the parent of the last commit shown).
Comment 18 Michal Hocko 2016-10-14 12:02:05 UTC
And just for reference. I believe it is abf09bed3cce ("s390/mm: implement software dirty bits") which is necessary for s390 to handle pte_dirty properly and unfortunately this is 3.9. So we cannot rely on pte_dirty on anything older AFAIU.

I have an alternative fix which I have posted to Linus privately. If I got it right we should be OK without pte_dirty as well, but I am currently not sure that I made all the details right. The fix looks as follows. The primary idea is that if we want FOLL_WRITE && FOLL_FORCE on read only mapping then we must see anonymous (aka post CoW page). So checking for PageAnon should be OK AFAICS. This passes the test but as I've said, I might have missed some subtle details.
---
diff --git a/mm/gup.c b/mm/gup.c
index 96b2b2fd0fbd..ff198c5424c1 100644
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -95,10 +95,6 @@ static struct page *follow_page_pte(struct vm_area_struct *vma,
 	}
 	if ((flags & FOLL_NUMA) && pte_protnone(pte))
 		goto no_page;
-	if ((flags & FOLL_WRITE) && !pte_write(pte)) {
-		pte_unmap_unlock(ptep, ptl);
-		return NULL;
-	}
 
 	page = vm_normal_page(vma, address, pte);
 	if (!page && pte_devmap(pte) && (flags & FOLL_GET)) {
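Review bot: dropping the `(flags & FOLL_WRITE) && !pte_write(pte)` early return removes the writability check for every caller, not only for the FOLL_FORCE-on-read-only-VMA case that the second hunk guards; a plain FOLL_WRITE lookup that hits a not-yet-writable pte in a VM_WRITE mapping would now fall through and return the page instead of returning NULL to force the write fault. Keep the pte_write() test and relax it only for the forced-CoW case, e.g. `if ((flags & FOLL_WRITE) && !pte_write(pte) && !<forced CoW condition>)`.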
@@ -129,6 +125,14 @@ static struct page *follow_page_pte(struct vm_area_struct *vma,
 		}
 	}
 
+	/*
+	 * Make sure we will never return a shared page and we
+	 * must have passed through CoW
+	 */
+	if ((flags & FOLL_FORCE) && (flags & FOLL_WRITE) && !(vma->vm_flags & VM_WRITE))
+		if (!PageAnon(page))
+			goto no_page;
+
 	if (flags & FOLL_SPLIT && PageTransCompound(page)) {
 		int ret;
 		get_page(page);
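Review bot: `!PageAnon(page)` accepts any anonymous page, including one still shared copy-on-write with a parent or child after fork(), so the "must have passed through CoW" comment promises more than the test checks; the `page_mapcount(page) == 1` condition from the comment 19 variant is the stricter test and belongs here too. Minor: the two nested `if`s can be a single condition, and the comment should state why PageAnon implies a private page (pages mapped from the pagecache are never PageAnon).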
@@ -402,17 +406,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma,
 		return -EBUSY;
 	}
 
-	/*
-	 * The VM_FAULT_WRITE bit tells us that do_wp_page has broken COW when
-	 * necessary, even if maybe_mkwrite decided not to set pte_write. We
-	 * can thus safely do subsequent page lookups as if they were reads.
-	 * But only do so when looping for pte_write is futile: in some cases
-	 * userspace may also be wanting to write to the gotten user page,
-	 * which a read fault here might prevent (a readonly page might get
-	 * reCOWed by userspace write).
-	 */
-	if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE))
-		*flags &= ~FOLL_WRITE;
 	return 0;
 }
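Review bot: the removed block is what stopped __get_user_pages() from looping when maybe_mkwrite() leaves a CoWed pte read-only on a !VM_WRITE VMA; with it gone, termination now depends entirely on the new PageAnon acceptance in follow_page_pte(), and nothing in this hunk records that. Replace the deleted comment with one that says do_wp_page() has broken CoW to an anonymous page and follow_page_pte() will accept that page under FOLL_FORCE|FOLL_WRITE, so a reader of faultin_page() can see why returning 0 with FOLL_WRITE still set does not spin.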
Comment 19 Michal Hocko 2016-10-14 18:54:25 UTC
(In reply to Michal Hocko from comment #18)
[...]
> diff --git a/mm/gup.c b/mm/gup.c
> index 96b2b2fd0fbd..ff198c5424c1 100644
> --- a/mm/gup.c
> +++ b/mm/gup.c
> @@ -95,10 +95,6 @@ static struct page *follow_page_pte(struct vm_area_struct
> *vma,
>  	}
>  	if ((flags & FOLL_NUMA) && pte_protnone(pte))
>  		goto no_page;
> -	if ((flags & FOLL_WRITE) && !pte_write(pte)) {
> -		pte_unmap_unlock(ptep, ptl);
> -		return NULL;
> -	}

This is not correct. I really have to preserve the pte_write check. So it seems like we will end up with the Linus patch and only do the following for pre 3.9 kernels differently. But let me think about that some more.

@@ -60,6 +60,24 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address,
 	return -EEXIST;
 }
 
+static inline bool exclusive_anon_page(struct page *page)
+{
+	return PageAnon(page) && page_mapcount(page) == 1;
+}
+
+static inline bool can_follow_write_pte(pte_t pte, struct page *page,
+					unsigned int flags)
+{
+	if (pte_write(pte))
+		return true;
+
+	/* Make sure that we are really following CoWed page */
+	if ((flags & FOLL_FORCE) && (flags & FOLL_COW))
+		return page && exclusive_anon_page(page);
+
+	return false;
+}
+
 static struct page *follow_page_pte(struct vm_area_struct *vma,
 		unsigned long address, pmd_t *pmd, unsigned int flags)
 {
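Review bot: `can_follow_write_pte()` tests `FOLL_COW`, but nothing in this patch defines that flag or sets it; the previous version cleared FOLL_WRITE in faultin_page() after VM_FAULT_WRITE, and that is where FOLL_COW would have to be set (`*flags |= FOLL_COW`), with its definition next to the other FOLL_* bits, otherwise the new branch is dead code and a forced write on a read-only VMA never returns a page. Also expand the "really following CoWed page" comment to say that exclusive means mapcount 1, i.e. not shared with a forked child.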
@@ -95,12 +113,11 @@ static struct page *follow_page_pte(struct vm_area_struct *vma,
 	}
 	if ((flags & FOLL_NUMA) && pte_protnone(pte))
 		goto no_page;
-	if ((flags & FOLL_WRITE) && !pte_write(pte)) {
-		pte_unmap_unlock(ptep, ptl);
-		return NULL;
-	}
 
 	page = vm_normal_page(vma, address, pte);
+	if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags))
+		goto no_page;
+
 	if (!page && pte_devmap(pte) && (flags & FOLL_GET)) {
 		/*
 		 * Only return device mapping pages in the FOLL_GET case since
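Review bot: the new check uses `goto no_page` where the removed code did `pte_unmap_unlock(ptep, ptl); return NULL;`, and it now runs before the `!page` handling that follows (`if (!page && pte_devmap(pte) && (flags & FOLL_GET))`), so a non-writable special or devmap pte takes the no_page path instead of returning NULL directly. Confirm that the no_page label unlocks the pte and returns NULL for a present pte so behaviour is unchanged, and note in the commit message that `page` may be NULL at this point (the helper's `page &&` guard is what makes the call safe).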
Comment 20 Michal Hocko 2016-10-17 08:08:45 UTC
While we were discussing over the weekend it turned out (thanks to Hugh) that we are not affected prior to 2.6.22 because madvise used the exclusive mmap_sem before 0a27a14a6292 ("mm: madvise avoid exclusive mmap_sem"). So cve/linux-2.6.16 is not affected. Newer kernels are, sadly.

We are still not settled whether to go with Linus' pte_dirty fix or mine based on PageAnon. Anyway both should be OK and if the upstream decides to go with Linus' one I will use PageAnon for our pre 3.9 kernels because pte_dirty wouldn't work for s390.
Comment 21 Michal Hocko 2016-10-17 08:11:23 UTC
Created attachment 697591 [details]
PageAnon based patch

This patch should be easier to backport to older kernels as it doesn't depend on the pte_dirty check which was a problem on pre 3.9 s390 kernels.
Comment 22 Michal Hocko 2016-10-18 07:21:00 UTC
Created attachment 697810 [details]
Linus fix

This will most probably end up in the Linus tree and I will push it for everything 3.9+ we have
Comment 23 Johannes Segitz 2016-10-18 07:22:56 UTC
Do you have an ETA for the submits?
Comment 24 Michal Hocko 2016-10-18 08:09:07 UTC
(In reply to Johannes Segitz from comment #23)
> Do you have an ETA for the submits?

I will have patches ready by this noon.
Comment 25 Michal Hocko 2016-10-18 08:20:04 UTC
Fixes are in
users/mhocko/SLE12-SP2/bnc1004418_EMBARGO
users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO - SLE12-LTSS and SLE12-SP1 can pull

All of them should be mergeable to the last released kernel, therefore appropriate for a fast track update with a single fix.

Others will follow
Comment 26 Michal Hocko 2016-10-18 09:14:37 UTC
users/mhocko/cve/linux-3.0/bnc1004418_EMBARGO - SLE11-SP3-TD, SLE11-SP[23]-LTSS and SLE11-SP4 can pull
users/mhocko/cve/linux-2.6.32/bnc1004418_EMBARGO - SLE11-SP1-TD can pull
Comment 28 Michal Marek 2016-10-18 09:26:27 UTC
Yes. And 42.2 will get it via SLE12-SP2. The question is whether to do a fast path or regular update for openSUSE.
Comment 29 Marcus Meissner 2016-10-18 09:27:56 UTC
for opensuse we can do a regular update as the QA turnaround is quicker.
Comment 30 Michal Marek 2016-10-18 09:30:49 UTC
Are we able to submit an embargoed fix for openSUSE? Via IBS perhaps?
Comment 31 Marcus Meissner 2016-10-18 09:41:19 UTC
No. There is the potential of having read-protected OBS projects, but then you can not do requests from them.

For openSUSE I would suggest submitting directly after embargo end. (sadly, aarch64 will waste a lot of time during building the update again, delaying it ... but well.)
Comment 32 Michal Hocko 2016-10-18 09:42:20 UTC
(In reply to Marcus Meissner from comment #29)
> for opensuse we can do a regular update as the QA turnaround is quicker.

OK, I have pushed the fix to 
users/mhocko/openSUSE-42.1/bnc1004418_EMBARGO and users/mhocko/openSUSE-13.2/bnc1004418_EMBARGO

they are both based on the last maint. update just in case. 42.2 can pull from SLE12-SP2 embargo branch.

So we should be done here.
Comment 33 Takashi Iwai 2016-10-18 10:23:12 UTC
(In reply to Michal Hocko from comment #25)
> Fixes are in
> users/mhocko/SLE12-SP2/bnc1004418_EMBARGO
> users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO

The patches in these branches seem to have the wrong subject line (without colon).  Could you fix them?  Nowadays scripts/log catches and complains it :)
Comment 34 Michal Marek 2016-10-18 10:31:53 UTC
(In reply to Michal Hocko from comment #25)
> users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO - SLE12-LTSS and SLE12-SP1
> can pull

Please commit on top of rpm-3.12.60-52.54.
Comment 35 Michal Hocko 2016-10-18 11:26:11 UTC
(In reply to Takashi Iwai from comment #33)
> (In reply to Michal Hocko from comment #25)
> > Fixes are in
> > users/mhocko/SLE12-SP2/bnc1004418_EMBARGO
> > users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO
> 
> The patches in these branches seem to have the wrong subject line (without
> colon).  Could you fix them?  Nowadays scripts/log catches and complains it
> :)

Fixed

(In reply to Michal Marek from comment #34)
> (In reply to Michal Hocko from comment #25)
> > users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO - SLE12-LTSS and SLE12-SP1
> > can pull
> 
> Please commit on top of rpm-3.12.60-52.54.

Oops, I've screwed up the base for the commit. Rebased on top of this tag. Sorry about that.
Comment 46 Michal Hocko 2016-10-19 21:15:28 UTC
the patch is public

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Oct 13 13:07:36 2016 -0700

    mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
Comment 47 Johannes Segitz 2016-10-20 07:46:33 UTC
No OSS posting, but public via other distros and git.
Comment 54 Jiri Slaby 2016-10-20 08:43:59 UTC
FWIW landed in 3.12.66, 4.8.3, 4.7.9 and 4.4.26.
Comment 55 Bernhard Wiedemann 2016-10-20 10:02:33 UTC
This is an autogenerated message for OBS integration:
This bug (1004418) was mentioned in
https://build.opensuse.org/request/show/436495 42.1 / kernel-source
https://build.opensuse.org/request/show/436499 42.2 / kernel-source
https://build.opensuse.org/request/show/436500 42.2 / kernel-source
Comment 56 Bernhard Wiedemann 2016-10-20 12:01:12 UTC
This is an autogenerated message for OBS integration:
This bug (1004418) was mentioned in
https://build.opensuse.org/request/show/436513 13.1 / kernel-source
Comment 57 Marcus Meissner 2016-10-21 05:35:04 UTC
From Solar Designer on oss-sec

Hi,

This was brought to the linux-distros list (and briefly inadvertently to
the distros list, although discussion continued on linux-distros only)
on October 13 and it was made public yesterday, so it must be in here as
well.  Unfortunately, no one posted about it in here so far (the person
who brought this to [linux-]distros must have done so!), and I don't
have time to make a proper posting (with full detail in the message
itself, as per oss-security list content guidelines), but I figured it's
better for me to post something than nothing at all.

Red Hat's description:

"A race condition was found in the way the Linux kernel's memory
subsystem handled the copy-on-write (COW) breakage of private read-only
memory mappings.  An unprivileged local user could use this flaw to gain
write access to otherwise read-only memory mappings and thus increase
their privileges on the system."

https://access.redhat.com/security/cve/cve-2016-5195
https://bugzilla.redhat.com/show_bug.cgi?id=1384344
https://security-tracker.debian.org/tracker/CVE-2016-5195
http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirty-cow-security-flaw
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
https://lkml.org/lkml/2016/10/19/860
https://dirtycow.ninja
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
https://twitter.com/DirtyCOWVuln

Alexander
Comment 58 Johannes Segitz 2016-10-21 06:28:34 UTC
Codename, website, reproducer and logo ...
http://dirtycow.ninja/
Comment 64 Marcus Meissner 2016-10-21 09:18:05 UTC
Created attachment 698546 [details]
dirtyc0w.c

QA REPRODUCER:

gcc -pthread -o dirtyc0w dirtyc0w.c -O2 -Wall

as root:
create a file /etc/foo  with content "test"

as user:
cat /etc/foo
./dirtyc0w /etc/foo "exploited"
cat /etc/foo

if /etc/foo is "exploited" afterwards, the reproducer worked.
Comment 68 Bernhard Wiedemann 2016-10-21 10:01:32 UTC
This is an autogenerated message for OBS integration:
This bug (1004418) was mentioned in
https://build.opensuse.org/request/show/436657 Evergreen:11.4 / kernel-debug+kernel-default+kernel-desktop+kernel-docs+kernel-ec2+kernel-pae+kernel-source+kernel-syms+kernel-trace+kernel-vanilla+kernel-vmi+kernel-xen+preload
Comment 79 Swamp Workflow Management 2016-10-21 15:10:00 UTC
openSUSE-SU-2016:2583-1: An update that solves four vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1000287,1000304,1000907,1001462,1001486,1004418,1004462,1005101,799133,881008,909994,911687,922634,963655,972460,978094,979681,987703,991247,991665,993890,993891,996664,999600,999932
CVE References: CVE-2016-5195,CVE-2016-7039,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE Leap 42.1 (src):    drbd-8.4.6-10.1, hdjmod-1.28-26.1, ipset-6.25.1-7.1, kernel-debug-4.1.34-33.1, kernel-default-4.1.34-33.1, kernel-docs-4.1.34-33.3, kernel-ec2-4.1.34-33.1, kernel-obs-build-4.1.34-33.1, kernel-obs-qa-4.1.34-33.1, kernel-obs-qa-xen-4.1.34-33.1, kernel-pae-4.1.34-33.1, kernel-pv-4.1.34-33.1, kernel-source-4.1.34-33.1, kernel-syms-4.1.34-33.1, kernel-vanilla-4.1.34-33.1, kernel-xen-4.1.34-33.1, lttng-modules-2.7.0-4.1, pcfclock-0.44-268.1, vhba-kmp-20140928-7.1
Comment 80 Swamp Workflow Management 2016-10-21 15:16:43 UTC
openSUSE-SU-2016:2584-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001419,1001486,1002165,1004418
CVE References: CVE-2016-5195,CVE-2016-8666
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.34.1, crash-7.0.2-2.34.1, hdjmod-1.28-16.34.1, ipset-6.21.1-2.38.1, iscsitarget-1.4.20.3-13.34.1, kernel-debug-3.12.62-55.1, kernel-default-3.12.62-55.1, kernel-desktop-3.12.62-55.1, kernel-docs-3.12.62-55.2, kernel-ec2-3.12.62-55.1, kernel-pae-3.12.62-55.1, kernel-source-3.12.62-55.1, kernel-syms-3.12.62-55.1, kernel-trace-3.12.62-55.1, kernel-vanilla-3.12.62-55.1, kernel-xen-3.12.62-55.1, ndiswrapper-1.58-35.1, openvswitch-1.11.0-0.41.1, pcfclock-0.44-258.35.1, vhba-kmp-20130607-2.34.1, virtualbox-4.2.36-2.66.1, xen-4.3.4_10-67.1, xtables-addons-2.3-2.33.1
Comment 81 Swamp Workflow Management 2016-10-21 15:17:21 UTC
SUSE-SU-2016:2585-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1004418
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-84.2
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-default-3.0.101-84.1, kernel-ec2-3.0.101-84.1, kernel-pae-3.0.101-84.1, kernel-ppc64-3.0.101-84.1, kernel-source-3.0.101-84.1, kernel-syms-3.0.101-84.1, kernel-trace-3.0.101-84.1, kernel-xen-3.0.101-84.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-84.1, kernel-pae-3.0.101-84.1, kernel-ppc64-3.0.101-84.1, kernel-trace-3.0.101-84.1, kernel-xen-3.0.101-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-default-3.0.101-84.1, kernel-ec2-3.0.101-84.1, kernel-pae-3.0.101-84.1, kernel-ppc64-3.0.101-84.1, kernel-trace-3.0.101-84.1, kernel-xen-3.0.101-84.1
Comment 82 Swamp Workflow Management 2016-10-21 17:15:02 UTC
SUSE-SU-2016:2592-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (important)
Bug References: 1001419,1002165,1004418,904970,907150,920615,920633,930408
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.62-60.64.8.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.62-60.64.8.5, kernel-obs-build-3.12.62-60.64.8.3
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.62-60.64.8.2, kernel-source-3.12.62-60.64.8.2, kernel-syms-3.12.62-60.64.8.2, kernel-xen-3.12.62-60.64.8.2
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.62-60.64.8.2
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_8-1-2.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.62-60.64.8.2, kernel-source-3.12.62-60.64.8.2, kernel-syms-3.12.62-60.64.8.2, kernel-xen-3.12.62-60.64.8.2
Comment 84 Swamp Workflow Management 2016-10-21 19:08:53 UTC
SUSE-SU-2016:2593-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (important)
Bug References: 1001419,1002165,1004418,904970,907150,920615,920633,930408
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.60-52.57.1, kernel-source-3.12.60-52.57.1, kernel-syms-3.12.60-52.57.1, kernel-xen-3.12.60-52.57.1, kgraft-patch-SLE12_Update_16-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.60-52.57.1, kernel-source-3.12.60-52.57.1, kernel-syms-3.12.60-52.57.1, kernel-xen-3.12.60-52.57.1, kgraft-patch-SLE12_Update_16-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.60-52.57.1
Comment 86 Robert Snow 2016-10-21 21:26:50 UTC
Is there any possibility for this to be exploited remotely?
Comment 87 Swamp Workflow Management 2016-10-21 22:10:32 UTC
SUSE-SU-2016:2596-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1004418
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.44.1, kernel-ec2-3.0.101-0.7.44.1, kernel-pae-3.0.101-0.7.44.1, kernel-source-3.0.101-0.7.44.1, kernel-syms-3.0.101-0.7.44.1, kernel-trace-3.0.101-0.7.44.1, kernel-xen-3.0.101-0.7.44.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.44.1, kernel-ec2-3.0.101-0.7.44.1, kernel-pae-3.0.101-0.7.44.1, kernel-trace-3.0.101-0.7.44.1, kernel-xen-3.0.101-0.7.44.1
Comment 90 Michal Hocko 2016-10-22 09:39:09 UTC
(In reply to Robert Snow from comment #86)
> Is ther any possibility for this to be exploited remotely?

It really depends on what you mean by that. If you are able to run code as a local user by exploiting a vulnerability in a remotely accessible service then yes, unless you are in such a restricted environment which prohibits access to all the parts of the exploit (in other words, whoever can call madvise and is allowed to open sensitive files and /proc/self/maps will be affected).
Comment 93 Forgotten User btYsGb9LeL 2016-10-23 02:07:31 UTC
Just wondering if there's a timeline for SLES11 SP1 and SP3 LTSS packages? I've built my own in both cases using the patch that was used in the SP4 fix. The patch needed a little massaging for SP1 but in both cases the patched kernel appears resistant to the exploits online. My SP1 LTSS patch is here: https://www.dropbox.com/sh/jwlacynxok8ywoc/AAD1B2R4Wmdd1IR85NswIGERa/sles11_sp1_ltss.patch. If someone could take a look at the SP1 patch, that would be great!

-Aaron
Comment 96 Marcus Meissner 2016-10-24 04:44:48 UTC
(In reply to Aaron Knister from comment #93)
> Just wondering if there's a timeline for SLES11 SP1 and SP3 LTSS packages?
> I've built my own in both cases using the patch that was used in the SP4
> fix. The patch needed a little massaging for SP1 but in both cases the
> patched kernel appears resistant to the exploits online. My SP1 LTSS patch
> is here:

SLES 11 SP1 LTSS does not get proactive updates anymore, its EOL was August 31 2015 (over 1 year ago). If you have an extended contract for it, contact your support agent.

SLES 11 SP3 LTSS update will be released Monday (today).
Comment 97 Simon Lees 2016-10-24 07:10:52 UTC
Someone just pointed out on IRC it seems we have patches for openSUSE Evergreen but not 13.2 which is still under active support.
Comment 98 Marcus Meissner 2016-10-24 07:26:38 UTC
The kernel team had not submitted 13.2. I fetched current git yesterday and it is currently building... hopefully it can be released later today.
Comment 100 Sascha Weber 2016-10-24 12:36:38 UTC
As per comment#71, can we get a clear statement here? Is SLES 10 affected?

If not, I would like to add a note to the TID to deflect questions in that area.
Comment 104 Swamp Workflow Management 2016-10-24 15:08:34 UTC
SUSE-SU-2016:2614-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1004418
CVE References: CVE-2016-5195
Sources used:
SUSE OpenStack Cloud 5 (src):    kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Manager Proxy 2.1 (src):    kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Manager 2.1 (src):    kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
Comment 105 Marcus Meissner 2016-10-24 16:24:06 UTC
I tested both the /proc/self/mem and the PTRACE_POKEDATA based exploits from https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs on a SLES 10 machine and both did not result in exploitation. (Of course this is no explicit proof.)
Comment 113 Swamp Workflow Management 2016-10-25 17:07:32 UTC
openSUSE-SU-2016:2625-1: An update that solves 12 vulnerabilities and has 19 fixes is now available.

Category: security (important)
Bug References: 1000287,1001486,1003077,1003925,1003931,1004045,1004418,1004462,881008,909994,911687,922634,951155,960689,978094,980371,986570,989152,991247,991608,991665,993890,993891,994296,994520,994748,994752,994759,996664,999600,999932
CVE References: CVE-2015-7513,CVE-2015-8956,CVE-2016-0823,CVE-2016-1237,CVE-2016-5195,CVE-2016-5696,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7117,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.22.1, cloop-2.639-14.22.1, crash-7.0.8-22.1, hdjmod-1.28-18.23.1, ipset-6.23-22.1, kernel-debug-3.16.7-45.1, kernel-default-3.16.7-45.1, kernel-desktop-3.16.7-45.1, kernel-docs-3.16.7-45.2, kernel-ec2-3.16.7-45.1, kernel-obs-build-3.16.7-45.1, kernel-obs-qa-3.16.7-45.1, kernel-obs-qa-xen-3.16.7-45.1, kernel-pae-3.16.7-45.1, kernel-source-3.16.7-45.1, kernel-syms-3.16.7-45.1, kernel-vanilla-3.16.7-45.1, kernel-xen-3.16.7-45.1, pcfclock-0.44-260.22.1, vhba-kmp-20140629-2.22.1, virtualbox-5.0.28-54.2, xen-4.4.4_05-51.2, xtables-addons-2.6-24.1
Comment 117 Swamp Workflow Management 2016-10-26 01:06:38 UTC
SUSE-SU-2016:2632-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1004418,986362
CVE References: CVE-2016-4997,CVE-2016-5195
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kgraft-patch-SLE12_Update_10-6-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kgraft-patch-SLE12_Update_10-6-2.1
Comment 125 Swamp Workflow Management 2016-10-26 16:07:23 UTC
openSUSE-SU-2016:2649-1: An update that solves 49 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 1004418,758540,816446,861093,917648,928130,935757,939826,942367,944296,945825,946117,946309,948562,949744,949936,951440,952384,953527,954404,955354,955654,956708,956709,958463,958886,958951,959190,959399,961500,961509,961512,963765,963767,964201,966437,966460,966662,966693,967972,967973,967974,967975,968010,968011,968012,968013,968670,969356,970504,970892,970909,970911,970948,970956,970958,970970,971124,971125,971126,971360,972510,973570,975945,977847,978822
CVE References: CVE-2013-7446,CVE-2015-0272,CVE-2015-1339,CVE-2015-3339,CVE-2015-5307,CVE-2015-6252,CVE-2015-6937,CVE-2015-7509,CVE-2015-7515,CVE-2015-7550,CVE-2015-7566,CVE-2015-7799,CVE-2015-7872,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8539,CVE-2015-8543,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2016-0723,CVE-2016-2069,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-4486,CVE-2016-5195
Sources used:
openSUSE Evergreen 11.4 (src):    kernel-debug-3.0.101-105.1, kernel-default-3.0.101-105.1, kernel-desktop-3.0.101-105.1, kernel-docs-3.0.101-105.2, kernel-ec2-3.0.101-105.1, kernel-pae-3.0.101-105.1, kernel-source-3.0.101-105.1, kernel-syms-3.0.101-105.1, kernel-trace-3.0.101-105.1, kernel-vanilla-3.0.101-105.1, kernel-vmi-3.0.101-105.1, kernel-xen-3.0.101-105.1, preload-1.2-6.83.1
Comment 130 Marcus Meissner 2016-10-27 17:37:22 UTC
The SLE(S/D) 12 SP2 Goldmaster candidates have this issue fixed, so SLE 12 SP2 is being delivered fixed to customers.
Comment 133 Deleted Name 2016-11-01 08:51:16 UTC
I am using openSUSE Leap 42.1 with kernel:

uname -r
4.1.34-33-default

Has it been fixed for my kernel version?
Comment 135 Marcus Meissner 2016-11-01 10:56:44 UTC
(In reply to Name Deleted from comment #133)
> I am using openSUSE Leap 42.1 with kernel:
> 
> uname -r
> 4.1.34-33-default
> 
> Has it been fixed for my kernel version?

Yes, comment #c97 is the release announcement for the Leap 42.1 kernel with version 4.1.34-33.1 (the .1 is not shown in uname -r).
Comment 136 Deleted Name 2016-11-01 11:28:11 UTC
(In reply to Marcus Meissner from comment #135)

Great. Thank you!
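The exchange above (comments #133 to #136) turns on a detail that trips people up when checking for this fix: `uname -r` prints the kernel version and flavor (`4.1.34-33-default`) but drops the trailing rebuild counter of the RPM release (`4.1.34-33.1`), so a naive string comparison against the advisory's package version fails. The script below is an added example, not code from the bug report or from SUSE; it takes the two strings as arguments so it runs offline, and assumes only that `uname -r` and `rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default` print in the formats shown on this page. The sample inputs are the values from comment #133 and the fixed version from comment #135.

```sh
#!/bin/sh
# Added example (not from the bug report): decide whether the RUNNING kernel
# is at least the FIXED package version.
#   RUNNING is in `uname -r` form,           e.g. 4.1.34-33-default
#   FIXED   is in rpm VERSION-RELEASE form,  e.g. 4.1.34-33.1
# Live system:  kernel_is_fixed "$(uname -r)" \
#     "$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' kernel-default | tail -1)"

# uname_to_vr: strip the flavor suffix.  4.1.34-33-default -> 4.1.34-33
uname_to_vr() {
    printf '%s\n' "$1" | sed 's/-[a-z_]*$//'
}

# rpm_to_vr: drop the rebuild counter that uname -r does not show.
#            4.1.34-33.1 -> 4.1.34-33   (a release without a dot is left alone)
rpm_to_vr() {
    printf '%s\n' "$1" | sed 's/\.[0-9]*$//'
}

# vercmp A B: compare dot/dash separated NUMERIC fields left to right.
# Prints -1, 0 or 1.  Missing trailing fields count as 0.
# (Non-numeric fields such as SUSE's "rt130" are out of scope here.)
vercmp() {
    a=$(printf '%s' "$1" | sed 's/[.-]/ /g')
    b=$(printf '%s' "$2" | sed 's/[.-]/ /g')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%% *}
        if [ "$x" = "$a" ]; then a=""; else a=${a#* }; fi
        y=${b%% *}
        if [ "$y" = "$b" ]; then b=""; else b=${b#* }; fi
        x=${x:-0}; y=${y:-0}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1;  return 0; fi
    done
    printf '%s\n' 0
}

# kernel_is_fixed RUNNING FIXED: exit status 0 when RUNNING >= FIXED.
kernel_is_fixed() {
    r=$(uname_to_vr "$1")
    f=$(rpm_to_vr "$2")
    [ "$(vercmp "$r" "$f")" -ge 0 ]
}

# Demo with constructed inputs taken from comments #133 and #135.
main() {
    running=${1:-4.1.34-33-default}
    fixed=${2:-4.1.34-33.1}
    if kernel_is_fixed "$running" "$fixed"; then
        echo "running kernel $running is at or above fixed package $fixed"
    else
        echo "running kernel $running is OLDER than fixed package $fixed: update and reboot"
    fi
}

main "$@"
```

Two caveats when using this on a real host. Compare against `uname -r`, not only against `rpm -q kernel-default`: an installed fixed package does nothing until the machine is rebooted into it (hence `tail -1`, since several kernel packages may be installed). Conversely, a kGraft live patch such as the kgraft-patch packages listed in the advisories on this page fixes the running kernel without changing `uname -r`, so this check reports such a host as unpatched; treat a negative result as a prompt to look at the live-patch state, not as a verdict.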
Comment 139 Marcus Meissner 2016-11-07 15:35:37 UTC
All kernel updates and live patches were released; PTFs are available for inactive older distributions.
Comment 143 Swamp Workflow Management 2016-11-21 15:29:40 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-11-28.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63212
Comment 145 Swamp Workflow Management 2016-11-28 14:57:08 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-12-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63229
Comment 146 Swamp Workflow Management 2016-12-06 12:11:41 UTC
openSUSE-SU-2016:3021-1: An update that solves 12 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003866,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,772786,789311,799133,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,931454,934067,937086,937888,940545,941420,946309,954986,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,982783,983619,984194,984419,984779,984992,985562,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990245,991247,991608,991665,992244,992555,992591,992593,992712,993392,993841,993890,993891,994296,994438,994520,994748,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2013-5634,CVE-2015-8956,CVE-2016-2069,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.36.1, crash-7.0.2-2.36.1, hdjmod-1.28-16.36.1, ipset-6.21.1-2.40.1, iscsitarget-1.4.20.3-13.36.1, kernel-debug-3.12.67-58.1, kernel-default-3.12.67-58.1, kernel-desktop-3.12.67-58.1, kernel-docs-3.12.67-58.2, kernel-ec2-3.12.67-58.1, kernel-pae-3.12.67-58.1, kernel-source-3.12.67-58.1, kernel-syms-3.12.67-58.1, kernel-trace-3.12.67-58.1, kernel-vanilla-3.12.67-58.1, kernel-xen-3.12.67-58.1, ndiswrapper-1.58-37.1, openvswitch-1.11.0-0.43.1, pcfclock-0.44-258.37.1, vhba-kmp-20130607-2.36.1, virtualbox-4.2.36-2.68.1, xen-4.3.4_10-69.1, xtables-addons-2.3-2.35.1
Comment 147 Swamp Workflow Management 2016-12-09 17:12:14 UTC
SUSE-SU-2016:3069-1: An update that solves 11 vulnerabilities and has 49 fixes is now available.

Category: security (important)
Bug References: 1000189,1001419,1002165,1004418,732582,839104,843236,909994,911687,915183,920016,934760,951392,956514,960689,963655,971975,971989,974620,976867,977687,979514,979595,979681,980371,982218,982783,983535,983619,984102,984194,984992,985206,986362,986365,986445,987565,988440,989152,989261,989779,991608,991665,991923,992566,993127,993890,993891,994296,994436,994618,994759,994926,996329,996664,997708,998399,999584,999600,999932
CVE References: CVE-2013-4312,CVE-2015-7513,CVE-2016-0823,CVE-2016-3841,CVE-2016-4997,CVE-2016-4998,CVE-2016-5195,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828,CVE-2016-7425
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-65.1, kernel-rt_trace-3.0.101.rt130-65.1, kernel-source-rt-3.0.101.rt130-65.1, kernel-syms-rt-3.0.101.rt130-65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-65.1, kernel-rt_debug-3.0.101.rt130-65.1, kernel-rt_trace-3.0.101.rt130-65.1
Comment 148 Swamp Workflow Management 2016-12-30 17:12:42 UTC
SUSE-SU-2016:3304-1: An update that solves 13 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,789311,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,934067,937086,937888,941420,946309,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,980371,981597,982783,983619,984194,984419,984779,984992,985562,986362,986365,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990058,990245,991247,991608,991665,991667,992244,992555,992568,992591,992593,992712,993392,993841,993890,993891,994167,994296,994438,994520,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2015-8956,CVE-2016-2069,CVE-2016-4998,CVE-2016-5195,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.67-60.27.1, kernel-compute_debug-3.12.67-60.27.1, kernel-rt-3.12.67-60.27.1, kernel-rt_debug-3.12.67-60.27.1, kernel-source-rt-3.12.67-60.27.1, kernel-syms-rt-3.12.67-60.27.1