Bug 915322 - (CVE-2014-7822) VUL-0: CVE-2014-7822: kernel-source: splice: lack of generic write checks
(CVE-2014-7822)
VUL-0: CVE-2014-7822: kernel-source: splice: lack of generic write checks
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/113285/
maint:released:sle11-sp3:60951 maint:...
:
Depends on:
Blocks: 939240
  Show dependency treegraph
 
Reported: 2015-01-29 09:23 UTC by Victor Pereira
Modified: 2016-04-27 19:34 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
cve-2014-7822.c (3.71 KB, text/plain)
2015-09-01 10:48 UTC, Marcus Meissner
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Victor Pereira 2015-01-29 09:23:16 UTC
rh#1163792

It was found that there are no size checks in the splice IO path, so it's
possible to send a write past s_maxbytes to a filesystem.  For ext4, at
least, this ends badly, with a BUG_ON.

A local unprivileged user could use this flaw to crash the system.

Acknowledgements:

Red Hat would like to thank Akira Fujita of NEC for reporting this issue.

Upstream patches:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8d0207652cbe27d1f962050737848e5ad4671958

(this patch rearranges splice with a side effect of invoking
generic_write_checks() along the way)

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1163792
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7822
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7822
Comment 1 Swamp Workflow Management 2015-01-29 23:00:14 UTC
bugbot adjusting priority
Comment 4 Miklos Szeredi 2015-02-09 16:57:18 UTC
Pushed to SLE11-SP3 and SLE12

The splice(2) syscall was introduced in 2.6.17 so SLE10 isn't affected.

Michal, do you want to take care of the -TD branches?
Comment 6 Miklos Szeredi 2015-02-10 09:06:45 UTC
Pushed to openSUSE-13.1 as well.

openSUSE-13.2 is fixed upstream by

  8d0207652cbe ("->splice_write() via ->write_iter()")
Comment 7 Michal Hocko 2015-02-16 10:37:21 UTC
applied to SLE11-SP1-TD as well. Thanks a lot Miklos.
Comment 8 Swamp Workflow Management 2015-02-26 10:06:28 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60808
Comment 9 Michal Hocko 2015-03-08 19:28:58 UTC
back to security team.
Comment 10 Swamp Workflow Management 2015-03-18 21:14:13 UTC
SUSE-SU-2015:0529-1: An update that solves 8 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.38-44.5, kernel-obs-build-3.12.38-44.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_3-1-2.2
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
Comment 11 Swamp Workflow Management 2015-03-24 06:21:30 UTC
SUSE-SU-2015:0581-1: An update that solves 21 vulnerabilities and has 67 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-ec2-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.7, gfs2-2-0.17.1.7, ocfs2-1.6-0.21.1.7
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
Comment 12 Swamp Workflow Management 2015-03-25 14:42:35 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-04-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61308
Comment 13 Jiri Slaby 2015-04-03 12:02:33 UTC
We seem to have 2 checks in generic_file_splice_write now. One coming from one of v3.12.39 commits and one from this bug.

Can the patch from this bug be removed now?
Comment 14 Swamp Workflow Management 2015-04-13 12:19:59 UTC
openSUSE-SU-2015:0714-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 903640,904899,907988,909078,910150,911325,911326,912202,912654,912705,913059,913695,914175,915322,917839,920901
CVE References: CVE-2014-7822,CVE-2014-8134,CVE-2014-8160,CVE-2014-8173,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.19.1, crash-7.0.2-2.19.1, hdjmod-1.28-16.19.1, ipset-6.21.1-2.23.1, iscsitarget-1.4.20.3-13.19.1, kernel-docs-3.11.10-29.2, kernel-source-3.11.10-29.1, kernel-syms-3.11.10-29.1, ndiswrapper-1.58-19.1, pcfclock-0.44-258.19.1, vhba-kmp-20130607-2.20.1, virtualbox-4.2.28-2.28.1, xen-4.3.3_04-37.1, xtables-addons-2.3-2.19.1
Comment 15 Swamp Workflow Management 2015-04-20 19:22:02 UTC
SUSE-SU-2015:0736-1: An update that solves 21 vulnerabilities and has 69 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910251,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250,924282
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.14, drbd-kmp-8.4.4-0.23.1.14, iscsitarget-1.4.20-0.39.1.14, kernel-rt-3.0.101.rt130-0.33.36.1, kernel-rt_trace-3.0.101.rt130-0.33.36.1, kernel-source-rt-3.0.101.rt130-0.33.36.1, kernel-syms-rt-3.0.101.rt130-0.33.36.1, lttng-modules-2.1.1-0.12.1.13, ocfs2-1.6-0.21.1.14, ofed-1.5.4.1-0.14.1.14
Comment 17 Marcus Meissner 2015-08-14 09:42:50 UTC
Jiri, removing the duplicated check is ok.
Comment 18 Jiri Slaby 2015-08-14 09:52:57 UTC
Done in d594094358eb7ac7f54645c3074eaf8e10f44cbc.
Comment 21 Marcus Meissner 2015-09-01 10:48:46 UTC
Created attachment 645770 [details]
cve-2014-7822.c

gcc -o cve-2014-7822 cve-2014-7822.c
./cve-2014-7822


BAD:
[cve_2014_7822]: POC triggered, ... system will panic after some time

GOOD:
[cve_2014_7822]: ViciousOffset = 118402345721856
[cve_2014_7822 error]: 27 - File too large
Comment 22 Marcus Meissner 2015-09-04 09:56:18 UTC
think we are good, released