Bug 1102851 - (CVE-2017-18344) VUL-0: CVE-2017-18344: kernel: The timer_create syscall implementation doesn't properly validate the sigevent->sigev_notify field, which leads to out-of-bounds access
Status: RESOLVED FIXED
Duplicates: 1103580
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
https://smash.suse.de/issue/211759/
CVSSv3:SUSE:CVE-2017-18344:7.1:(AV:L/...
Reported: 2018-07-27 09:45 UTC by Johannes Segitz
Modified: 2020-06-12 20:52 UTC
Found By: Security Response Team
Description Johannes Segitz 2018-07-27 09:45:41 UTC
CVE-2017-18344

The timer_create syscall implementation in kernel/time/posix-timers.c in the
Linux kernel before 4.14.8 doesn't properly validate the sigevent->sigev_notify
field, which leads to out-of-bounds access in the show_timer function (called
when /proc/$PID/timers is read). This allows userspace applications to read
arbitrary kernel memory (on a kernel built with CONFIG_POSIX_TIMERS and
CONFIG_CHECKPOINT_RESTORE).

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18344
https://github.com/torvalds/linux/commit/cef31d9af908243421258f1df35a4a644604efbe
Comment 3 Takashi Iwai 2018-07-27 13:35:09 UTC
SLE12-SP2-LTSS and SLE12-SP3 already contain the fix via stable 4.4.116.
SLE15 misses the fix.
Comment 4 Takashi Iwai 2018-07-30 15:58:22 UTC
Backported to SLE15 branch now, and the patch tags in SLE12-SP2-LTSS/SP3 updated.

SLE12-SP1 and earlier had no CONFIG_CHECKPOINT_RESTORE.

Reassigned back to security team.
Comment 5 Marcus Meissner 2018-08-02 13:38:47 UTC
*** Bug 1103580 has been marked as a duplicate of this bug. ***
Comment 8 Swamp Workflow Management 2018-08-06 20:25:51 UTC
This is an autogenerated message for OBS integration:
This bug (1102851) was mentioned in
https://build.opensuse.org/request/show/627749 15.0 / kernel-source
Comment 9 Swamp Workflow Management 2018-08-06 22:30:40 UTC
SUSE-SU-2018:2222-1: An update that solves 8 vulnerabilities and has 132 fixes is now available.

Category: security (important)
Bug References: 1012382,1037697,1046299,1046300,1046302,1046303,1046305,1046306,1046307,1046533,1046543,1048129,1050242,1050529,1050536,1050538,1050540,1050549,1051510,1054245,1056651,1056787,1058115,1058169,1058659,1060463,1066110,1068032,1075087,1075360,1075876,1077338,1077761,1077989,1078248,1085042,1085536,1085539,1086282,1086283,1086286,1086301,1086313,1086314,1086319,1086323,1086324,1086457,1086652,1087092,1087202,1087217,1087233,1087978,1088821,1088866,1090098,1090888,1091041,1091171,1091424,1091860,1092472,1093035,1093118,1093148,1093290,1093666,1094119,1094244,1094978,1095155,1095337,1096330,1096529,1096790,1096793,1097034,1097583,1097584,1097585,1097586,1097587,1097588,1097941,1097961,1098050,1098236,1098401,1098599,1098626,1098633,1098706,1098983,1098995,1099029,1099041,1099109,1099142,1099183,1099193,1099715,1099792,1099918,1099924,1099966,1100132,1100209,1100340,1100362,1100382,1100416,1100418,1100491,1100602,1100633,1100843,1100884,1101143,1101296,1101315,1101324,1101337,1101352,1101564,1101669,1101674,1101789,1101813,1101816,1102088,1102097,1102147,1102340,1102512,1102851,1103216,1103220,1103230,1103421
CVE References: CVE-2017-18344,CVE-2017-5753,CVE-2018-1118,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-5390,CVE-2018-9385
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15 (src):    kernel-azure-4.12.14-5.8.1, kernel-source-azure-4.12.14-5.8.1, kernel-syms-azure-4.12.14-5.8.1
Comment 10 Swamp Workflow Management 2018-08-06 22:42:37 UTC
SUSE-SU-2018:2223-1: An update that solves two vulnerabilities and has 75 fixes is now available.

Category: security (important)
Bug References: 1012382,1037697,1046299,1046300,1046302,1046303,1046305,1046306,1046307,1046533,1046543,1050242,1050536,1050538,1050540,1051510,1054245,1056651,1056787,1058169,1058659,1060463,1068032,1075087,1075360,1077338,1077761,1077989,1085042,1085536,1085539,1086301,1086313,1086314,1086324,1086457,1087092,1087202,1087217,1087233,1090098,1090888,1091041,1091171,1093148,1093666,1094119,1096330,1097583,1097584,1097585,1097586,1097587,1097588,1098633,1099193,1100132,1100884,1101143,1101337,1101352,1101564,1101669,1101674,1101789,1101813,1101816,1102088,1102097,1102147,1102340,1102512,1102851,1103216,1103220,1103230,1103421
CVE References: CVE-2017-18344,CVE-2018-5390
Sources used:
SUSE Linux Enterprise Workstation Extension 15 (src):    kernel-default-4.12.14-25.6.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-25.6.1, kernel-livepatch-SLE15_Update_2-1-1.3.1
SUSE Linux Enterprise Module for Legacy Software 15 (src):    kernel-default-4.12.14-25.6.1
SUSE Linux Enterprise Module for Development Tools 15 (src):    kernel-docs-4.12.14-25.6.1, kernel-obs-build-4.12.14-25.6.1, kernel-source-4.12.14-25.6.1, kernel-syms-4.12.14-25.6.1, kernel-vanilla-4.12.14-25.6.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    kernel-default-4.12.14-25.6.1, kernel-source-4.12.14-25.6.1, kernel-zfcpdump-4.12.14-25.6.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-25.6.1
Comment 11 Swamp Workflow Management 2018-08-07 19:23:38 UTC
openSUSE-SU-2018:2242-1: An update that solves two vulnerabilities and has 87 fixes is now available.

Category: security (important)
Bug References: 1012382,1037697,1046299,1046300,1046302,1046303,1046305,1046306,1046307,1046533,1046543,1050242,1050536,1050538,1050540,1051510,1054245,1056651,1056787,1058169,1058659,1060463,1066110,1068032,1075087,1075360,1077338,1077761,1077989,1085042,1085536,1085539,1086301,1086313,1086314,1086324,1086457,1087092,1087202,1087217,1087233,1090098,1090888,1091041,1091171,1093148,1093666,1094119,1096330,1097583,1097584,1097585,1097586,1097587,1097588,1098633,1099193,1100132,1100884,1101143,1101337,1101352,1101465,1101564,1101669,1101674,1101789,1101813,1101816,1102088,1102097,1102147,1102340,1102512,1102851,1103216,1103220,1103230,1103356,1103421,1103517,1103723,1103724,1103725,1103726,1103727,1103728,1103729,1103730
CVE References: CVE-2017-18344,CVE-2018-5390
Sources used:
openSUSE Leap 15.0 (src):    kernel-debug-4.12.14-lp150.12.10.1, kernel-default-4.12.14-lp150.12.10.1, kernel-docs-4.12.14-lp150.12.10.1, kernel-kvmsmall-4.12.14-lp150.12.10.1, kernel-obs-build-4.12.14-lp150.12.10.1, kernel-obs-qa-4.12.14-lp150.12.10.1, kernel-source-4.12.14-lp150.12.10.1, kernel-syms-4.12.14-lp150.12.10.1, kernel-vanilla-4.12.14-lp150.12.10.1
Comment 16 Marcus Meissner 2018-08-09 14:23:20 UTC
exploit posted on oss-sec

From: Andrey Konovalov <andreyknvl@gmail.com>
Date: Thu, 9 Aug 2018 16:21:03 +0200

I've uploaded the exploit:
https://github.com/xairy/kernel-exploits/blob/master/CVE-2017-18344/poc.c

The exploit allows reading arbitrary virtual or physical (within the
physmap) memory, dumping virtual memory that belongs to a particular
process by its pid and searching the physical memory for a pattern
(only the start of each page though, but that's enough to locate at
least /etc/shadow). See the comment in the exploit source code for a
usage example that shows how to read /etc/shadow on Ubuntu xenial
4.13.0-38-generic. The exploit bypasses KASLR and SMEP, but doesn't
bypass SMAP.

The bug is that the timer_create syscall doesn't validate the
sigevent->sigev_notify value and then uses it to address a global
array of strings in show_timer() when /proc/PID/timers is read. By
providing a large sigev_notify value we can cause a
global-out-of-bounds access that results in nstr[notify &
~SIGEV_THREAD_ID] overflowing 8 bytes and ending up in the userspace.
We can then mmap the accessed userspace page and put an arbitrary
address there, which allows us to read arbitrary kernel memory. Since
the kernel accesses the userspace here, the exploit attempt would be
caught by SMAP.

Since kernel image location is randomized due to KASLR we can't know
in advance which page exactly we should mmap. However since the kernel
usually lies in a known address range [0xffffffff81000000, ...), we
can mmap a huge chunk of userspace memory that would catch the access
wherever the kernel image is placed. We can then bisect the exact
location by filling half of the mapped memory with one pointer and the
other half with another and reading /proc/PID/timers to see which one
got accessed. At this point we know the exact address in the userspace
where we can place a pointer to read kernel data.

We could now calculate the kernel location based on this userspace
address, but instead for whatever reason I leak the first IDT entry
(which is divide_error) and calculate kernel image address based on
that. The location of physmap is also randomized due to KASLR on some
kernels (where CONFIG_RANDOMIZE_MEMORY=y), so we read the
page_offset_base global variable value to find out the physmap
location. It should be possible to find the location of all required
kernel symbols heuristically instead of hard coding offsets, but I
haven't really explored this.

Now we can read arbitrary physical memory through physmap. The
/etc/shadow content always seems to be page aligned, so we can search
the beginning of each page for something like 'root:!:' and locate it
in the physical memory. We can also walk the list of running tasks
starting with init_task and dump memory that belongs to a particular
task by walking the page tables that belong to it. Dumping and
inspecting memory for gnome-keyring-daemon for example allows us to
find out the user's password.

Thanks!
Comment 21 Swamp Workflow Management 2018-08-14 19:13:32 UTC
This is an autogenerated message for OBS integration:
This bug (1102851) was mentioned in
https://build.opensuse.org/request/show/629279 42.3 / kernel-source
Comment 22 Swamp Workflow Management 2018-08-14 22:11:51 UTC
SUSE-SU-2018:2328-1: An update that solves 5 vulnerabilities and has 29 fixes is now available.

Category: security (important)
Bug References: 1012382,1082653,1085042,1085536,1087081,1089343,1090123,1090435,1092001,1094244,1095643,1096978,1097771,1099858,1100132,1100930,1101658,1101789,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102851,1103119,1103580,1103745,1103884
CVE References: CVE-2017-18344,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.143-94.47.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    dpdk-16.11.6-8.7.2, dpdk-thunderx-16.11.6-8.7.2, kernel-docs-4.4.143-94.47.1, kernel-obs-build-4.4.143-94.47.1
SUSE Linux Enterprise Server 12-SP3 (src):    dpdk-16.11.6-8.7.2, dpdk-thunderx-16.11.6-8.7.2, kernel-default-4.4.143-94.47.1, kernel-source-4.4.143-94.47.1, kernel-syms-4.4.143-94.47.1, lttng-modules-2.7.1-8.4.2
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_16-1-4.5.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.143-94.47.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.143-94.47.1, kernel-source-4.4.143-94.47.1, kernel-syms-4.4.143-94.47.1
SUSE CaaS Platform ALL (src):    kernel-default-4.4.143-94.47.1
SUSE CaaS Platform 3.0 (src):    kernel-default-4.4.143-94.47.1
Comment 23 Swamp Workflow Management 2018-08-16 10:18:41 UTC
SUSE-SU-2018:2344-1: An update that solves 11 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1064232,1076110,1083635,1085042,1086652,1087081,1089343,1090123,1091171,1094248,1096130,1096480,1096978,1097140,1097551,1098016,1098425,1098435,1099924,1100089,1100416,1100418,1100491,1101557,1102340,1102851,1103097,1103119,1103580
CVE References: CVE-2017-18344,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391,CVE-2018-5814,CVE-2018-9385
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.92.1
SUSE Enterprise Storage 4 (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.121-92.92.1
Comment 24 Swamp Workflow Management 2018-08-16 13:20:17 UTC
SUSE-SU-2018:2374-1: An update that solves 6 vulnerabilities and has 63 fixes is now available.

Category: security (important)
Bug References: 1012382,1023711,1064232,1076110,1078216,1082653,1082979,1085042,1085536,1085657,1087081,1087659,1089343,1089525,1090123,1090340,1090435,1090888,1091107,1092001,1092207,1093777,1094120,1094244,1095453,1095643,1096790,1096978,1097034,1097501,1097771,1098599,1099306,1099713,1099792,1099810,1099858,1099918,1099966,1099993,1100089,1100132,1100340,1100843,1100930,1101296,1101331,1101658,1101789,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102851,1103097,1103119,1103580,1103717,1103745,1103884,1104174,997935
CVE References: CVE-2017-18344,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-azure-4.4.143-4.13.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-azure-4.4.143-4.13.1, kernel-source-azure-4.4.143-4.13.1
Comment 25 Swamp Workflow Management 2018-08-17 10:28:26 UTC
openSUSE-SU-2018:2404-1: An update that solves 14 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1012382,1082653,1082979,1085042,1085536,1086457,1087081,1089343,1090123,1090435,1092001,1094244,1095643,1096978,1097771,1099811,1099813,1099844,1099845,1099846,1099849,1099858,1099863,1099864,1100132,1100930,1101331,1101658,1101789,1101841,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102851,1103097,1103119,1103269,1103445,1103580,1103717,1103745,1103884,1104174,1104319,1104365,1104494,1104495
CVE References: CVE-2017-18344,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.143-65.1, kernel-default-4.4.143-65.1, kernel-docs-4.4.143-65.1, kernel-obs-build-4.4.143-65.1, kernel-obs-qa-4.4.143-65.1, kernel-source-4.4.143-65.1, kernel-syms-4.4.143-65.1, kernel-vanilla-4.4.143-65.1
Comment 27 Swamp Workflow Management 2018-09-03 19:20:37 UTC
SUSE-SU-2018:2596-1: An update that solves 15 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1012382,1064232,1065364,1068032,1076110,1082653,1082979,1085042,1085536,1086457,1087081,1089343,1090123,1090435,1091171,1091860,1092001,1094244,1095643,1096254,1096978,1097771,1098253,1098599,1099792,1099811,1099813,1099844,1099845,1099846,1099849,1099858,1099863,1099864,1100132,1100843,1100930,1101296,1101331,1101658,1101789,1101822,1101841,1102188,1102197,1102203,1102205,1102207,1102211,1102214,1102215,1102340,1102394,1102683,1102715,1102797,1102851,1103097,1103119,1103269,1103445,1103580,1103717,1103745,1103884,1104174,1104319,1104365,1104494,1104495,1104897,1105292,970506
CVE References: CVE-2017-18344,CVE-2018-10876,CVE-2018-10877,CVE-2018-10878,CVE-2018-10879,CVE-2018-10880,CVE-2018-10881,CVE-2018-10882,CVE-2018-10883,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391,CVE-2018-9363
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP3 (src):    kernel-rt-4.4.147-3.20.1, kernel-rt_debug-4.4.147-3.20.1, kernel-source-rt-4.4.147-3.20.1, kernel-syms-rt-4.4.147-3.20.1
Comment 28 Swamp Workflow Management 2018-10-18 18:13:46 UTC
SUSE-SU-2018:2344-2: An update that solves 11 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1064232,1076110,1083635,1085042,1086652,1087081,1089343,1090123,1091171,1094248,1096130,1096480,1096978,1097140,1097551,1098016,1098425,1098435,1099924,1100089,1100416,1100418,1100491,1101557,1102340,1102851,1103097,1103119,1103580
CVE References: CVE-2017-18344,CVE-2018-13053,CVE-2018-13405,CVE-2018-13406,CVE-2018-14734,CVE-2018-3620,CVE-2018-3646,CVE-2018-5390,CVE-2018-5391,CVE-2018-5814,CVE-2018-9385
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.92.1, kernel-source-4.4.121-92.92.1, kernel-syms-4.4.121-92.92.1, kgraft-patch-SLE12-SP2_Update_24-1-3.7.1, lttng-modules-2.7.1-9.4.1
Comment 29 Marcus Meissner 2018-11-14 06:10:03 UTC
released
Comment 34 Marcus Meissner 2019-10-14 15:19:09 UTC
ltp is showing a "timer_Create03" error on 12-sp1-ltss which refers to this bug report.

We are not exploitable, as the /proc/*/timers is not exposed to the outside to our knowledge, which is the leak vector.