Bugzilla – Bug 871797
VUL-0: CVE-2014-2706: kernel: net: mac80211: crash due to AP powersave TX vs. wakeup race
Last modified: 2014-10-22 23:45:06 UTC
Via rh#1083512: A Linux kernel built with a Generic IEEE 802.11 Networking Stack (CONFIG_MAC80211) is vulnerable to a crash caused by a race condition between the frame transmission path and the station wakeup event while the station is sleeping. The crash occurs because the mac80211 stack buffers frames while the station (STA) is sleeping, and the same frames are transmitted upon the STA's wakeup. At this point a buffered TX frame list is being emptied while a new frame is being added to the RX list. A remote unprivileged user/program could use this flaw to crash the system kernel, resulting in DoS.

Upstream fix: https://git.kernel.org/linus/1d147bfa64293b2723c4fec50922168658e613ba

CVE-2014-2706 was assigned to this issue.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1083512
http://seclists.org/oss-sec/2014/q2/7
bugbot adjusting priority
The patch breaks kABI, I guess, and it doesn't apply cleanly. I am not familiar with this area so I would rather wait with backports to older products (if applicable) until we have the backport in other more up-to-date SLES branches.
Created attachment 593026 [details]
Backport of 1d147bfa64 upstream for SLE11

This is a backport of commit 1d147bfa64 upstream to v3.0 for SLE11. It has only been build tested so far.
(In reply to comment #6)
> Created an attachment (id=593026) [details]
> Backport of 1d147bfa64 upstream for SLE11
>
> This is a backport of commit 1d147bfa64 upstream to v3.0 for SLE11. It only
> goes build tested so far.

This seems to break kABI. And I can see in-tree drivers using the sta_info structure, so it seems we will need a kABI workaround.
Code added through af81858172cc was part of the code that is affected, and that was introduced as of v2.6.33. Since SLE11-SP1-TD is on v2.6.32 it would have seemed this issue would affect SLE11-SP1-TD, but this requires a bit more careful evaluation. af81858172cc adds a feature to help with some hardware issues and also synchronization to help avoid frames getting out of order, and the commit actually shifted the affected code in that process. Let's then evaluate commit 1d147bfa64 a bit more in terms of impact, reproducibility and severity. Technically one should *also* consider whether or not af81858172cc itself should have had a port for older kernels too. Some notes about that change:

0) af81858172cc only affects AP mode of operation.
1) af81858172cc was introduced for Intel, but also helps with avoiding getting frames out of order when a STA goes to sleep and out of it; it adds an API to let drivers inform mac80211 when it can allow buffered frames to be sent to a STA waking up (ap_sta_ps_end()).
2) Intel 802.11 drivers on 2.6.32 did not support AP mode.

Because of this only out-of-order issues would seem important to address for non-Intel drivers, and the API added is actually only used by a few drivers anyway even today. Addressing af81858172cc is non-critical then.

As for 1d147bfa64, that addresses a synchronization issue between TX'ing of buffered frames and a STA going to sleep for which we would have otherwise buffered frames. Without af81858172cc in place we simply wouldn't let drivers flush the buffered frames prior to letting the STA go to sleep, but more importantly the interfaces added for drivers to *trigger* sending pending frames were added via af81858172cc, and that *is* where this race does occur. In theory it may be possible that an implicit race can still happen between non-driver-induced sending of buffered frames, that is between the mac80211 RX handler ieee80211_rx_h_sta_process() and ieee80211_tx_h_unicast_ps_buf(), but that is not something confirmed; I will check.

The 1d147bfa64 fix also only affects device drivers capable of AP mode of operation. It technically also provides a fix for Wifi Direct P2P GO, but that is not supported on older kernels. Only these drivers supported AP mode on 2.6.32:

* ath5k
* ath9k
* b43
* b43legacy
* mac80211_hwsim (simulator)
* p54
* rt2x00 through rt2x00lib

There is no atomic test I was able to gather yet to reproduce easily, but this could happen for example if the AP were to pump frames to the STA and the STA would go in and out of PS mode very quickly. If we support AP mode of operation on SLE11-SP1-TD we can then evaluate a fix that does not break ABI and, if possible, should try to reproduce to ensure and verify we have a fix in place.
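As an added illustration (not code from this bug, the kernel, or the attached backports), a single-threaded C model of the race described above: the unlocked TX path is split into its check and its enqueue so the losing interleaving can be replayed step by step, and a locked variant shows why check-and-enqueue must be one critical section with the wakeup flush. Names such as sta_model, tx_fixed and ps_lock are this example's own, and ps_lock merely stands in for the per-station lock the upstream fix relies on.

```c
/* Added example, not mac80211 code: a deterministic model of the AP power-save
 * race discussed above. While a STA sleeps the TX path buffers frames for it;
 * the wakeup path clears the sleep flag and flushes the buffer to the driver.
 * Names are this example's own; ps_lock models the upstream fix's spinlock. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

struct sta_model {
    bool ps_sta;        /* STA is in power save (sleeping) */
    int ps_buf[8];      /* frames buffered while it sleeps */
    size_t ps_buf_len;
    int delivered;      /* frames handed to the driver */
    atomic_int ps_lock; /* 0 = free, 1 = held: a minimal spinlock */
};
static void ps_lock(struct sta_model *s) { while (atomic_exchange(&s->ps_lock, 1)) ; }
static void ps_unlock(struct sta_model *s) { atomic_store(&s->ps_lock, 0); }
static void sta_init(struct sta_model *s) {
    s->ps_sta = true; s->ps_buf_len = 0; s->delivered = 0;
    atomic_store(&s->ps_lock, 0);
}
/* Vulnerable TX path, split in two so the bad interleaving can be replayed in
 * one thread: the sleep check and the enqueue are not atomic. */
static bool tx_unsafe_check(struct sta_model *s) { return s->ps_sta; }
static void tx_unsafe_enqueue(struct sta_model *s, int frame) {
    if (s->ps_buf_len < 8) s->ps_buf[s->ps_buf_len++] = frame;
}

/* Wakeup path: clear the sleep flag and flush buffered frames to the driver;
 * 'locked' selects the fixed variant that holds ps_lock while doing so. */
static void sta_wakeup(struct sta_model *s, bool locked) {
    if (locked) ps_lock(s);
    s->ps_sta = false;
    s->delivered += (int)s->ps_buf_len;
    s->ps_buf_len = 0;
    if (locked) ps_unlock(s);
}

/* Fixed TX path: check and enqueue form one critical section, so a wakeup runs
 * either entirely before it (frame sent directly) or entirely after (flushed). */
static void tx_fixed(struct sta_model *s, int frame) {
    ps_lock(s);
    if (s->ps_sta && s->ps_buf_len < 8) s->ps_buf[s->ps_buf_len++] = frame;
    else s->delivered++; /* awake (or buffer full): transmit directly */
    ps_unlock(s);
}

/* Frames still buffered for an awake STA are stranded: nothing will flush them. */
static size_t stranded_frames(const struct sta_model *s) {
    return s->ps_sta ? 0 : s->ps_buf_len;
}
```

The stranded frame is the model's stand-in for the stale list the kernel's wakeup flush raced with; in the real stack the consequence is the crash the bug reports rather than a lost frame.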
Johannes, the mac80211 maintainer, has confirmed that sta_ps_end() and ieee80211_tx_h_unicast_ps_buf() can in theory race; however, the results that would be produced from that race are expected and valid, so this other potential corner case I raised is a non-issue, and if it were we'd run into it upstream as well. We can therefore disregard the port of 1d147bfa64 to SLE11-SP1-TD and older.
Created attachment 593748 [details]
Backport of 1d147bfa64 upstream for SLE11-SP1-TD

Attached is a patch for SLE11-SP1-TD. Even though upstream confirmed the race still likely provides valid results for older kernels, it is best to provide a port taking into consideration some code shuffling that was done through commit af81858172cc, added as of v2.6.33. The chances of this occurring are really low and this is only for AP mode of operation. The status of this CVE / bug then is:

* latest code - patch already merged
* SLE11-SP3 - patch attached on comment #6
* SLE11-SP1-TD - patch attached
* SLES10-SP3-TD - not applicable as mac80211 was not merged then

kABI has been verified to not affect integrated drivers upstream on Linux or external ones.
pushed to SLE11-SP1-TD branch. Thanks a lot Luis!
I forgot to provide documentation about the SLE12 branch. Jiri Slaby's commit ef1bbc74 on SLE12 includes a cherry pick for the commit: patches.kernel.org/patch-3.12.14-15:Git-commit: 1d147bfa64293b2723c4fec50922168658e613ba. SLE12 then has this fix already in place.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-07-08. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58141
Update released for: kernel-debug, kernel-debug-base, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-debug-extra, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-docs, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
Applied to SLE11-SP2-LTSS now.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-09-03. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58726
SUSE-SU-2014:1105-1: An update that solves 18 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 846404,864464,866911,870173,870576,871676,871797,871854,872634,873374,876590,877257,877775,878115,878509,879921,880484,881051,882804,883724,883795,885422,885725,886474,889173,889324 CVE References: CVE-2013-4299,CVE-2014-0055,CVE-2014-0077,CVE-2014-1739,CVE-2014-2706,CVE-2014-2851,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699,CVE-2014-5077 Sources used: SUSE Linux Enterprise Server 11 SP2 LTSS (src): kernel-default-3.0.101-0.7.23.1, kernel-ec2-3.0.101-0.7.23.1, kernel-pae-3.0.101-0.7.23.1, kernel-source-3.0.101-0.7.23.1, kernel-syms-3.0.101-0.7.23.1, kernel-trace-3.0.101-0.7.23.1, kernel-xen-3.0.101-0.7.23.1, xen-4.1.6_06-0.5.30 SLE 11 SERVER Unsupported Extras (src): kernel-default-3.0.101-0.7.23.1, kernel-pae-3.0.101-0.7.23.1, kernel-xen-3.0.101-0.7.23.1
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2014-09-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/58957
SUSE-SU-2014:1138-1: An update that fixes 22 vulnerabilities is now available. Category: security (important) Bug References: 794824,806431,831058,854722,856756,871797,877257,879921,880484,881051,882809,883526,883724,883795,884530,885422,885725,887082,889173,892490 CVE References: CVE-2013-1860,CVE-2013-4162,CVE-2013-7266,CVE-2013-7267,CVE-2013-7268,CVE-2013-7269,CVE-2013-7270,CVE-2013-7271,CVE-2014-0203,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699,CVE-2014-4943,CVE-2014-5077 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): kernel-default-2.6.32.59-0.15.2, kernel-ec2-2.6.32.59-0.15.2, kernel-pae-2.6.32.59-0.15.2, kernel-source-2.6.32.59-0.15.2, kernel-syms-2.6.32.59-0.15.2, kernel-trace-2.6.32.59-0.15.2, kernel-xen-2.6.32.59-0.15.2, xen-4.0.3_21548_16-0.5.26 SLE 11 SERVER Unsupported Extras (src): kernel-default-2.6.32.59-0.15.2, kernel-pae-2.6.32.59-0.15.2, kernel-xen-2.6.32.59-0.15.2
openSUSE-SU-2014:1246-1: An update that solves 18 vulnerabilities and has 8 fixes is now available. Category: security (moderate) Bug References: 846404,854722,864464,866911,870173,870576,871676,871797,871854,872634,873374,876590,877257,878115,878509,879921,880484,881051,882804,883724,883795,885422,885725,886474,889173,889324 CVE References: CVE-2013-6463,CVE-2014-0055,CVE-2014-0077,CVE-2014-1739,CVE-2014-2706,CVE-2014-2851,CVE-2014-3144,CVE-2014-3145,CVE-2014-3917,CVE-2014-4508,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-4699,CVE-2014-5077 Sources used: openSUSE Evergreen 11.4 (src): kernel-docs-3.0.101-91.2, kernel-source-3.0.101-91.1, kernel-syms-3.0.101-91.1, preload-1.2-6.69.2
SUSE-SU-2014:1316-1: An update that solves 11 vulnerabilities and has 64 fixes is now available. Category: security (important) Bug References: 774818,806990,816708,826486,832309,849123,855657,859840,860441,860593,863586,866130,866615,866864,866911,869055,869934,870161,871797,876017,876055,876114,876590,879921,880344,880370,881051,881759,882317,882639,882804,882900,883376,883518,883724,884333,884582,884725,884767,885262,885382,885422,885509,886840,887082,887503,887608,887645,887680,888058,888105,888591,888607,888847,888849,888968,889061,889173,889451,889614,889727,890297,890426,890513,890526,891087,891259,891619,892200,892490,892723,893064,893496,893596,894200 CVE References: CVE-2013-1979,CVE-2014-1739,CVE-2014-2706,CVE-2014-4027,CVE-2014-4171,CVE-2014-4508,CVE-2014-4667,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): kernel-bigsmp-3.0.101-0.40.1 SUSE Linux Enterprise Server 11 SP3 (src): iscsitarget-1.4.20-0.38.83, kernel-bigsmp-3.0.101-0.40.1, ofed-1.5.4.1-0.13.89, oracleasm-2.0.5-7.39.89 SUSE Linux Enterprise High Availability Extension 11 SP3 (src): cluster-network-1.4-2.27.98, drbd-kmp-8.4.4-0.22.64, gfs2-2-0.16.104, ocfs2-1.6-0.20.98 SUSE Linux Enterprise Desktop 11 SP3 (src): kernel-bigsmp-3.0.101-0.40.1 SLE 11 SERVER Unsupported Extras (src): kernel-bigsmp-3.0.101-0.40.1
SUSE-SU-2014:1319-1: An update that solves 13 vulnerabilities and has 75 fixes is now available. Category: security (important) Bug References: 774818,806990,816708,826486,832309,833820,849123,855657,859840,860441,860593,863586,866130,866615,866864,866911,869055,869934,870161,871134,871797,876017,876055,876114,876590,879304,879921,880344,880370,880892,881051,881759,882317,882639,882804,882900,883096,883376,883518,883724,884333,884582,884725,884767,885262,885382,885422,885509,886840,887082,887418,887503,887608,887645,887680,888058,888105,888591,888607,888847,888849,888968,889061,889173,889451,889614,889727,890297,890426,890513,890526,891087,891259,891281,891619,891746,892200,892490,892723,893064,893496,893596,894200,895221,895608,895680,895983,896689 CVE References: CVE-2013-1979,CVE-2014-1739,CVE-2014-2706,CVE-2014-3153,CVE-2014-4027,CVE-2014-4171,CVE-2014-4508,CVE-2014-4667,CVE-2014-4943,CVE-2014-5077,CVE-2014-5471,CVE-2014-5472,CVE-2014-6410 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1 SUSE Linux Enterprise Server 11 SP3 (src): kernel-default-3.0.101-0.40.1, kernel-ec2-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-ppc64-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1, xen-4.2.4_04-0.7.3 SUSE Linux Enterprise Real Time Extension 11 SP3 (src): cluster-network-1.4-2.27.99, drbd-kmp-8.4.4-0.22.65, iscsitarget-1.4.20-0.38.84, kernel-rt-3.0.101.rt130-0.28.1, kernel-rt_trace-3.0.101.rt130-0.28.1, kernel-source-rt-3.0.101.rt130-0.28.1, kernel-syms-rt-3.0.101.rt130-0.28.1, lttng-modules-2.1.1-0.11.75, ocfs2-1.6-0.20.99, ofed-1.5.4.1-0.13.90 SUSE Linux Enterprise High Availability Extension 11 SP3 (src): cluster-network-1.4-2.27.98, gfs2-2-0.16.104, ocfs2-1.6-0.20.98 SUSE Linux Enterprise Desktop 11 SP3 (src): kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-source-3.0.101-0.40.1, kernel-syms-3.0.101-0.40.1, kernel-trace-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1, xen-4.2.4_04-0.7.3 SLE 11 SERVER Unsupported Extras (src): kernel-default-3.0.101-0.40.1, kernel-pae-3.0.101-0.40.1, kernel-ppc64-3.0.101-0.40.1, kernel-xen-3.0.101-0.40.1