Bugzilla – Bug 979018
VUL-0: CVE-2016-4557: kernel: double-free/use-after-free in eBPF
Last modified: 2018-07-03 21:18:22 UTC
CVE-2016-4557 References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-4557 http://seclists.org/oss-sec/2016/q2/266 http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-4557.html
More detailed description: https://cxsecurity.com/issue/WLB-2016050014 Fixed by 8358b02bf67d bpf: fix double-fdput in replace_map_fd_with_map_ptr() (v4.6-rc6) The buggy code was introduced by 0246e64d9a5f bpf: handle pseudo BPF_LD_IMM64 insn (v3.18-rc1) but until 1be7f75d1668 bpf: enable non-root eBPF programs (v4.4-rc1) it required CAP_SYS_ADMIN to be exploited. Affected: stable (until it moves to 4.6) SLE12-SP2 openSUSE-42.1 (requires root/CAP_SYS_ADMIN to exploit) Note: I successfully reproduced the exploit on Tumbleweed with 4.6-rc5 kernel after changing /etc/crontab permissions to 644 (but other sensitive file with read access for anyone could be used instead, e.g. /etc/passwd).
Fix submitted to stable SLE12-SP2 openSUSE-42.1 Closing and reassigning back to security team.
openSUSE-SU-2016:1641-1: An update that solves 19 vulnerabilities and has 17 fixes is now available. Category: security (important) Bug References: 945345,955654,963762,966245,966849,970506,971126,971799,973570,974308,975945,977198,978073,978401,978821,978822,979018,979213,979278,979548,979728,979867,979879,979913,980348,980371,980657,981058,981267,981344,982238,982239,982712,983143,983213,984460 CVE References: CVE-2013-7446,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-3134,CVE-2016-3672,CVE-2016-3955,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4557,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4581,CVE-2016-4805,CVE-2016-4951,CVE-2016-5244 Sources used: openSUSE Leap 42.1 (src): kernel-debug-4.1.26-21.1, kernel-default-4.1.26-21.1, kernel-docs-4.1.26-21.2, kernel-ec2-4.1.26-21.1, kernel-obs-build-4.1.26-21.1, kernel-obs-qa-4.1.26-21.1, kernel-obs-qa-xen-4.1.26-21.1, kernel-pae-4.1.26-21.1, kernel-pv-4.1.26-21.1, kernel-source-4.1.26-21.1, kernel-syms-4.1.26-21.1, kernel-vanilla-4.1.26-21.1, kernel-xen-4.1.26-21.1
openSUSE-SU-2016:2290-1: An update that solves 17 vulnerabilities and has 9 fixes is now available. Category: security (important) Bug References: 963931,970948,971126,971360,974266,978821,978822,979018,979213,979879,980371,981058,981267,986362,986365,986570,987886,989084,989152,989176,990058,991110,991608,991665,994296,994520 CVE References: CVE-2015-8787,CVE-2016-1237,CVE-2016-2847,CVE-2016-3134,CVE-2016-3156,CVE-2016-4485,CVE-2016-4486,CVE-2016-4557,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4805,CVE-2016-4951,CVE-2016-4998,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828 Sources used: openSUSE Leap 42.1 (src): drbd-8.4.6-8.1, hdjmod-1.28-24.1, ipset-6.25.1-5.1, kernel-debug-4.1.31-30.2, kernel-default-4.1.31-30.2, kernel-docs-4.1.31-30.3, kernel-ec2-4.1.31-30.2, kernel-obs-build-4.1.31-30.3, kernel-obs-qa-4.1.31-30.1, kernel-obs-qa-xen-4.1.31-30.1, kernel-pae-4.1.31-30.2, kernel-pv-4.1.31-30.2, kernel-source-4.1.31-30.1, kernel-syms-4.1.31-30.1, kernel-vanilla-4.1.31-30.2, kernel-xen-4.1.31-30.2, lttng-modules-2.7.0-2.1, pcfclock-0.44-266.1, vhba-kmp-20140928-5.1