Bug 1014746 - (CVE-2016-8399) VUL-0: CVE-2016-8399: kernel-source: stack out-of-bounds read in memcpy_fromiovec
(CVE-2016-8399)
VUL-0: CVE-2016-8399: kernel-source: stack out-of-bounds read in memcpy_fromi...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/177320/
CVSSv2:SUSE:CVE-2016-8399:3.2:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-12-09 08:33 UTC by Marcus Meissner
Modified: 2018-05-22 22:51 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-12-09 08:33:34 UTC
CVE-2016-8399

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0eab121ef8750a5c8637d51534d5e9143fb0633f

net: ping: check minimum size on ICMP header length
Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
was no check that the iovec contained enough bytes for an ICMP header,
and the read loop would walk across neighboring stack contents. Since the
iov_iter conversion, bad arguments are noticed, but the returned error is
EFAULT. Returning EINVAL is a clearer error and also solves the problem
prior to v3.19.

This was found using trinity with KASAN on v3.18:

BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[<ffffffc000209c98>] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[<ffffffc000209e54>] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[<     inline     >] __dump_stack lib/dump_stack.c:15
[<ffffffc000f18dc4>] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[<     inline     >] print_address_description mm/kasan/report.c:147
[<     inline     >] kasan_report_error mm/kasan/report.c:236
[<ffffffc000373dcc>] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[<     inline     >] check_memory_region mm/kasan/kasan.c:264
[<ffffffc00037352c>] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[<ffffffc0005b9624>] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[<     inline     >] memcpy_from_msg include/linux/skbuff.h:2667
[<ffffffc000ddeba0>] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[<ffffffc000dded30>] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[<ffffffc000dc91dc>] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[<     inline     >] __sock_sendmsg_nosec net/socket.c:624
[<     inline     >] __sock_sendmsg net/socket.c:632
[<ffffffc000cab61c>] sock_sendmsg+0x124/0x164 net/socket.c:643
[<     inline     >] SYSC_sendto net/socket.c:1797
[<ffffffc000cad270>] SyS_sendto+0x178/0x1d8 net/socket.c:1761

CVE-2016-8399

Reported-by: Qidan He <i@flanker017.me>
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Comment 2 Swamp Workflow Management 2016-12-09 23:00:48 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2016-12-12 14:22:22 UTC
c319b4d76b9e is in Linux Kernel 3.0
Comment 4 Jiri Bohac 2016-12-22 14:54:07 UTC
Pushed to
users/jbohac/cve/linux-3.12/for-next
users/jbohac/cve/linux-3.0/for-next
users/jbohac/openSUSE-13.2/for-next 

Note that SLE12-SP1 already got the fix in the 3.12.69 stable update, so pushed to the cve/linux-3.12 branch just in case we want that for SLE12-LTSS.

The problem is not present in older kernels.
SLE12-SP2 got the fix it in 4.4.38 stable.
openSUSE-42.1 does not need the fix, as it's newer than v3.19 with c0371da6047a.
Comment 6 Swamp Workflow Management 2017-01-30 19:13:39 UTC
SUSE-SU-2017:0333-1: An update that solves 46 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 1003077,1003925,1004517,1007944,1008645,1008831,1008833,1009443,1010150,1010467,1010501,1010507,1010711,1010716,1011482,1011685,1012422,1012832,1013038,1013531,1013542,1014746,1017710,1021258,835175,839104,863873,874145,896484,908069,914939,922947,927287,940966,950998,954984,956514,958000,960689,963053,967716,968500,969340,971360,971944,978401,978821,979213,979274,979548,979595,979879,979915,980363,980371,980725,981267,983143,983213,984755,986362,986365,986445,986572,989261,991608,991665,992566,993890,993891,994296,994436,994618,994759,995968,997059,999932
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2013-4312,CVE-2015-1350,CVE-2015-7513,CVE-2015-7833,CVE-2015-8956,CVE-2015-8962,CVE-2015-8964,CVE-2016-0823,CVE-2016-10088,CVE-2016-1583,CVE-2016-2187,CVE-2016-2189,CVE-2016-3841,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-4998,CVE-2016-5244,CVE-2016-5829,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.53.1, kernel-ec2-3.0.101-0.7.53.1, kernel-pae-3.0.101-0.7.53.1, kernel-source-3.0.101-0.7.53.1, kernel-syms-3.0.101-0.7.53.1, kernel-trace-3.0.101-0.7.53.1, kernel-xen-3.0.101-0.7.53.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.53.1, kernel-ec2-3.0.101-0.7.53.1, kernel-pae-3.0.101-0.7.53.1, kernel-trace-3.0.101-0.7.53.1, kernel-xen-3.0.101-0.7.53.1
Comment 7 Swamp Workflow Management 2017-02-06 20:14:17 UTC
SUSE-SU-2017:0407-1: An update that solves 24 vulnerabilities and has 56 fixes is now available.

Category: security (important)
Bug References: 1003813,1005666,1007197,1008557,1008567,1008831,1008833,1008876,1008979,1009062,1009969,1010040,1010213,1010294,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011685,1012060,1012422,1012754,1012917,1012985,1013001,1013038,1013479,1013531,1013533,1013540,1013604,1014410,1014746,1016713,1016725,1016961,1017164,1017170,1017410,1017710,1018100,1019032,1019148,1019260,1019300,1019783,1019851,1020214,1020602,1021258,856380,857394,858727,921338,921778,922052,922056,923036,923037,924381,938963,972993,980560,981709,983087,983348,984194,984419,985850,987192,987576,990384,991273,993739,997807,999101
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8645,CVE-2016-8655,CVE-2016-9083,CVE-2016-9084,CVE-2016-9555,CVE-2016-9576,CVE-2016-9756,CVE-2016-9793,CVE-2016-9794,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.69-60.30.1, kernel-compute_debug-3.12.69-60.30.1, kernel-rt-3.12.69-60.30.1, kernel-rt_debug-3.12.69-60.30.1, kernel-source-rt-3.12.69-60.30.1, kernel-syms-rt-3.12.69-60.30.1
Comment 8 Swamp Workflow Management 2017-02-09 20:15:33 UTC
SUSE-SU-2017:0437-1: An update that solves 20 vulnerabilities and has 79 fixes is now available.

Category: security (important)
Bug References: 1003813,1005877,1007615,1008557,1008645,1008831,1008833,1008893,1009875,1010150,1010175,1010201,1010467,1010501,1010507,1010711,1010713,1010716,1011685,1011820,1012183,1012411,1012422,1012832,1012851,1012852,1012917,1013018,1013038,1013042,1013070,1013531,1013542,1014410,1014454,1014746,1015561,1015752,1015760,1015796,1015803,1015817,1015828,1015844,1015848,1015878,1015932,1016320,1016505,1016520,1016668,1016688,1016824,1016831,1017686,1017710,1019079,1019148,1019165,1019348,1019783,1020214,1021258,748806,786036,790588,795297,800999,821612,824171,851603,853052,871728,901809,909350,909491,913387,914939,919382,924708,925065,953233,961589,962846,969340,973691,987333,987576,989152,989680,989896,990245,992991,993739,993832,996541,996557,997401,999101
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2013-6368,CVE-2015-1350,CVE-2015-8962,CVE-2015-8964,CVE-2016-10088,CVE-2016-5696,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-94.2
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-94.1, kernel-default-3.0.101-94.1, kernel-ec2-3.0.101-94.1, kernel-pae-3.0.101-94.1, kernel-ppc64-3.0.101-94.1, kernel-source-3.0.101-94.1, kernel-syms-3.0.101-94.1, kernel-trace-3.0.101-94.1, kernel-xen-3.0.101-94.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-94.1, kernel-pae-3.0.101-94.1, kernel-ppc64-3.0.101-94.1, kernel-trace-3.0.101-94.1, kernel-xen-3.0.101-94.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-94.1, kernel-default-3.0.101-94.1, kernel-ec2-3.0.101-94.1, kernel-pae-3.0.101-94.1, kernel-ppc64-3.0.101-94.1, kernel-trace-3.0.101-94.1, kernel-xen-3.0.101-94.1
Comment 9 Swamp Workflow Management 2017-02-14 23:15:13 UTC
SUSE-SU-2017:0464-1: An update that solves 19 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1003813,1005666,1007197,1008557,1008567,1008833,1008876,1008979,1009062,1009969,1010040,1010213,1010294,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1012060,1012422,1012917,1012985,1013001,1013038,1013479,1013531,1013540,1013542,1014410,1014746,1016713,1016725,1016961,1017164,1017170,1017410,1017589,1017710,1018100,1019032,1019148,1019260,1019300,1019783,1019851,1020214,1020602,1021258,856380,857394,858727,921338,921778,922052,922056,923036,923037,924381,938963,972993,980560,981709,983087,983348,984194,984419,985850,987192,987576,990384,991273,993739,997807,999101
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.69-60.64.29.3, kernel-obs-build-3.12.69-60.64.29.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1, kernel-source-3.12.69-60.64.29.1, kernel-syms-3.12.69-60.64.29.1, kernel-xen-3.12.69-60.64.29.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.69-60.64.29.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_12-1-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1, kernel-source-3.12.69-60.64.29.1, kernel-syms-3.12.69-60.64.29.1, kernel-xen-3.12.69-60.64.29.1
Comment 10 Swamp Workflow Management 2017-02-15 20:12:03 UTC
SUSE-SU-2017:0471-1: An update that solves 34 vulnerabilities and has 48 fixes is now available.

Category: security (important)
Bug References: 1003153,1003925,1004462,1004517,1005666,1007197,1008833,1008979,1009969,1010040,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011820,1012422,1013038,1013531,1013540,1013542,1014746,1016482,1017410,1017589,1017710,1019300,1019851,1020602,1021258,881008,915183,958606,961257,970083,971989,976195,978094,980371,980560,981038,981597,981709,982282,982544,983619,983721,983977,984148,984419,984755,985978,986362,986365,986445,986569,986572,986811,986941,987542,987565,987576,989152,990384,991608,991665,993392,993890,993891,994296,994748,994881,995968,997708,998795,999584,999600,999932,999943
CVE References: CVE-2014-9904,CVE-2015-8956,CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-4470,CVE-2016-4998,CVE-2016-5696,CVE-2016-5828,CVE-2016-5829,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-8658,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.66.1
Comment 11 Swamp Workflow Management 2017-02-17 17:14:45 UTC
SUSE-SU-2017:0494-1: An update that solves 27 vulnerabilities and has 48 fixes is now available.

Category: security (important)
Bug References: 1001419,1002165,1003077,1003253,1003925,1004517,1007944,1008374,1008645,1008831,1008833,1008850,1009875,1010150,1010467,1010501,1010507,1010711,1010713,1010716,1011685,1011820,1012183,1012422,1012832,1012851,1012852,1012895,1013038,1013042,1013531,1013542,1014454,1014746,1015878,1017710,1018446,1019079,1019783,1021258,821612,824171,914939,929141,935436,956514,961923,966826,967716,969340,973691,979595,987576,989152,989261,991665,992566,992569,992906,992991,993890,993891,994296,994618,994759,995968,996329,996541,996557,997059,997401,997708,998689,999932,999943
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2015-1350,CVE-2015-8956,CVE-2015-8962,CVE-2015-8964,CVE-2015-8970,CVE-2016-0823,CVE-2016-10088,CVE-2016-3841,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2017-5551
Sources used:
SUSE OpenStack Cloud 5 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Manager Proxy 2.1 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Manager 2.1 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-ppc64-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-source-3.0.101-0.47.96.1, kernel-syms-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.96.1, kernel-default-3.0.101-0.47.96.1, kernel-ec2-3.0.101-0.47.96.1, kernel-pae-3.0.101-0.47.96.1, kernel-trace-3.0.101-0.47.96.1, kernel-xen-3.0.101-0.47.96.1
Comment 12 Marcus Meissner 2017-03-02 14:17:58 UTC
released
Comment 13 Swamp Workflow Management 2017-04-25 19:18:37 UTC
SUSE-SU-2017:1102-1: An update that solves 27 vulnerabilities and has 114 fixes is now available.

Category: security (important)
Bug References: 1003077,1003344,1003568,1003677,1003813,1003866,1003925,1004517,1004520,1005857,1005877,1005896,1005903,1006917,1006919,1007615,1007944,1008557,1008645,1008831,1008833,1008893,1009875,1010150,1010175,1010201,1010467,1010501,1010507,1010711,1010716,1011685,1011820,1012411,1012422,1012832,1012851,1012917,1013018,1013038,1013042,1013070,1013531,1013533,1013542,1013604,1014410,1014454,1014746,1015561,1015752,1015760,1015796,1015803,1015817,1015828,1015844,1015848,1015878,1015932,1016320,1016505,1016520,1016668,1016688,1016824,1016831,1017686,1017710,1019148,1019165,1019348,1019783,1020214,1021258,748806,763198,771065,786036,790588,795297,799133,800999,803320,821612,824171,851603,853052,860441,863873,865783,871728,901809,907611,908458,908684,909077,909350,909484,909491,909618,913387,914939,919382,922634,924708,925065,928138,929141,953233,956514,960689,961589,962846,963655,967716,968010,969340,973203,973691,979681,984194,986337,987333,987576,989152,989680,989764,989896,990245,992566,992991,993739,993832,995968,996541,996557,997401,998689,999101,999907
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2013-6368,CVE-2015-1350,CVE-2015-8956,CVE-2015-8962,CVE-2015-8964,CVE-2016-10088,CVE-2016-3841,CVE-2016-5696,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9576,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2016-9794,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-68.1, kernel-rt_trace-3.0.101.rt130-68.1, kernel-source-rt-3.0.101.rt130-68.1, kernel-syms-rt-3.0.101.rt130-68.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-68.1, kernel-rt_debug-3.0.101.rt130-68.1, kernel-rt_trace-3.0.101.rt130-68.1