Bug 979021 - (CVE-2015-3288) VUL-0: CVE-2015-3288: kernel: zero page memory arbitrary modification
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/168681/
CVSSv2:SUSE:CVE-2015-3288:5.6:(AV:L/A...
Reported: 2016-05-09 08:59 UTC by Sebastian Krahmer
Modified: 2020-06-08 23:22 UTC
Found By: Security Response Team

Comment 1 Marcus Meissner 2016-05-09 12:38:31 UTC
A security flaw was found in the Linux kernel: there is a way to
arbitrarily change zero page memory. The zero page is a page which the
kernel maps into the virtual address space on a read page fault if the
page was not allocated before. The kernel has one zero page which is used
everywhere. Programs that map the 0 page are affected and code execution can
be gained. Upon running the exploit the system may become unusable as the
linker memory pages get tainted. Furthermore, if the right code is put
in the 0 page, code execution is possible.

Upstream patch:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b7339f4c31ad69c8e9c0b2859276e22cf72176d
Comment 3 Michal Hocko 2016-05-13 08:58:24 UTC
(In reply to Marcus Meissner from comment #1)
> A security flaw was found in the Linux kernel: there is a way to
> arbitrarily change zero page memory. The zero page is a page which the
> kernel maps into the virtual address space on a read page fault if the
> page was not allocated before. The kernel has one zero page which is used
> everywhere. Programs that map the 0 page are affected and code execution can
> be gained. Upon running the exploit the system may become unusable as the
> linker memory pages get tainted. Furthermore, if the right code is put
> in the 0 page, code execution is possible.

This sounds quite dangerous but the description is missing one important aspect. All non-anon vmas _should_ and the vast majority _have_ vm_ops defined. So we are talking about broken drivers which do not follow the general rules.

Certain special mappings do not have vm_ops but they do not fault either so they should be mostly OK - well as b53306285466 ("mm: introduce vma_is_anonymous(vma) helper") notes
"
    special_mapping_fault() is absolutely broken.  It seems it was always
    wrong, but this didn't matter until vdso/vvar started to use more than
    one page.
"

> Upstream patch:
> 
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b7339f4c31ad69c8e9c0b2859276e22cf72176d

In short the patch should be OK to backport, but it would be better to know whether this really has any real security implications in real life.
Comment 4 Michal Hocko 2016-05-13 09:51:25 UTC
I have checked 2.6.32- and 3.0-based kernels and there doesn't seem to be a single device driver which would define vm_ops without the fault handler or doing some pfn remapping, aka:
"\.fault[[:space:]]*= \|remap_pfn\|vm_insert_page\|remap_vmalloc_range"

So I do not think it is worth bothering with old kernels. Or do we want to protect users from buggy external drivers?

In other words is this really worth backporting into longterm branches? I will push it to SLE12 and openSUSE*. Do we want SLE11-SP4 as well?
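As an added example (not from the bug report or from SUSE), the script below turns the grep from this comment into an audit that can be run over an out-of-tree driver source tree: it flags .c files that implement .mmap but contain neither a .fault handler nor a remap_pfn_range / vm_insert_page / remap_vmalloc_range call, since read faults on such a mapping fall through to do_anonymous_page() and the zero page. The extra ".mmap =" filter is my generalization of the original pattern, and the sample driver files it writes are constructed, hypothetical code.

```shell
#!/bin/sh
# Added example, not from the bug report: audit a driver source tree for
# the pattern discussed in comment 4. A file that implements .mmap but
# neither installs a .fault handler nor prefaults with remap_pfn_range /
# vm_insert_page / remap_vmalloc_range leaves read faults on its mapping
# to do_anonymous_page(), i.e. the zero page. The ".mmap =" filter
# (drivers that set no vm_ops at all) is my generalization of the grep.
audit_mmap_drivers() {
    find "$1" -type f -name '*.c' | sort | while read -r f; do
        if grep -q '\.mmap[[:space:]]*=' "$f" &&
           ! grep -Eq '\.fault[[:space:]]*=|remap_pfn|vm_insert_page|remap_vmalloc_range' "$f"; then
            echo "$f"
        fi
    done
}

# Constructed sample tree (hypothetical drivers, not real kernel code).
make_sample_tree() {
    d=$(mktemp -d)
    # OK: a per-page fault handler supplies real pages on demand.
    cat >"$d/fault_ok.c" <<'EOF'
static const struct vm_operations_struct ok_vm_ops = { .fault = ok_fault };
static int ok_mmap(struct file *f, struct vm_area_struct *vma)
{ vma->vm_ops = &ok_vm_ops; return 0; }
static const struct file_operations ok_fops = { .mmap = ok_mmap };
EOF
    # OK: the whole range is prefaulted, so no fault reaches the generic path.
    cat >"$d/pfn_ok.c" <<'EOF'
static int pfn_mmap(struct file *f, struct vm_area_struct *vma)
{ return remap_pfn_range(vma, vma->vm_start, pfn, len, vma->vm_page_prot); }
static const struct file_operations pfn_fops = { .mmap = pfn_mmap };
EOF
    # Broken: returns success with no vm_ops and no remapping (the flagged case).
    cat >"$d/broken.c" <<'EOF'
static int broken_mmap(struct file *f, struct vm_area_struct *vma)
{ return 0; }
static const struct file_operations broken_fops = { .mmap = broken_mmap };
EOF
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    tree=$(make_sample_tree)
    audit_mmap_drivers "$tree"   # prints only .../broken.c
    rm -rf "$tree"
fi
```

Run it with `--demo` to see the constructed tree audited; point audit_mmap_drivers at a real drivers/ directory to review the hits by hand, since a driver may legitimately handle faults in a file the grep does not see.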
Comment 5 Michal Hocko 2016-05-13 11:52:26 UTC
SLE12 and openSUSE-42.1 already have the fix from the stable tree
sent pull request for openSUSE-13.2
Comment 6 Marcus Meissner 2016-05-13 13:35:35 UTC
Buggy external drivers might be an issue. But I think I am fine with SLE12 onwards fixing.
Comment 7 Michal Hocko 2016-05-13 13:47:38 UTC
(In reply to Marcus Meissner from comment #6)
> Buggy external drivers might be an issue.

Just to clarify: such a driver would have to be ultimately broken, not having a bug that needs a small fix.

> But I think I am fine with SLE12 onwards fixing.

OK, we should be done then.
Comment 8 Swamp Workflow Management 2016-08-24 13:18:27 UTC
openSUSE-SU-2016:2144-1: An update that solves 53 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 901754,941113,942702,945219,955654,957052,957988,959709,960561,961512,963762,963765,966245,966437,966693,966849,967972,967973,967974,967975,968010,968011,968012,968013,968018,968670,969354,969355,970114,970275,970892,970909,970911,970948,970955,970956,970958,970970,971124,971125,971126,971360,971628,971799,971919,971944,972174,973378,973570,974308,974418,974646,975945,978401,978445,978469,978821,978822,979021,979213,979548,979867,979879,979913,980348,980363,980371,980725,981267,982706,983143,983213,984464,984755,984764,986362,986365,986377,986572,986573,986811
CVE References: CVE-2012-6701,CVE-2013-7446,CVE-2014-9904,CVE-2015-3288,CVE-2015-6526,CVE-2015-7566,CVE-2015-8709,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2015-8830,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2187,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3672,CVE-2016-3689,CVE-2016-3951,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4581,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-5244,CVE-2016-5829
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.20.3, cloop-2.639-14.20.3, crash-7.0.8-20.3, hdjmod-1.28-18.21.3, ipset-6.23-20.3, kernel-debug-3.16.7-42.1, kernel-default-3.16.7-42.1, kernel-desktop-3.16.7-42.1, kernel-docs-3.16.7-42.2, kernel-ec2-3.16.7-42.1, kernel-obs-build-3.16.7-42.2, kernel-obs-qa-3.16.7-42.1, kernel-obs-qa-xen-3.16.7-42.1, kernel-pae-3.16.7-42.1, kernel-source-3.16.7-42.1, kernel-syms-3.16.7-42.1, kernel-vanilla-3.16.7-42.1, kernel-xen-3.16.7-42.1, pcfclock-0.44-260.20.2, vhba-kmp-20140629-2.20.2, virtualbox-5.0.20-48.5, xen-4.4.4_02-46.2, xtables-addons-2.6-22.3
Comment 9 Marcus Meissner 2017-03-01 13:30:35 UTC
released
Comment 11 Michal Hocko 2017-03-21 17:43:49 UTC
After some reconsideration I've decided to backport the fix to
- 11-sp3 users/mhocko/cve/linux-3.0/for-next and
- 11-sp1 users/mhocko/cve/linux-2.6.32/for-next
- older kernels would require more tweaks and the attack vector doesn't apply to those old kernels, so I am skipping them
Comment 12 Swamp Workflow Management 2017-05-15 19:43:05 UTC
SUSE-SU-2017:1301-1: An update that solves 18 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1005651,1008374,1008893,1013018,1013070,1013800,1013862,1016489,1017143,1018263,1018446,1019168,1020229,1021256,1021913,1022971,1023014,1023163,1023888,1024508,1024788,1024938,1025235,1025702,1026024,1026260,1026722,1026914,1027066,1027101,1027178,1028415,1028880,1029212,1029770,1030213,1030573,1031003,1031052,1031440,1031579,1032141,1033336,1033771,1033794,1033804,1033816,1034026,909486,911105,931620,979021,982783,983212,985561,988065,989056,995542,999245
CVE References: CVE-2015-3288,CVE-2015-8970,CVE-2016-10200,CVE-2016-5243,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-100.2
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-100.1, kernel-default-3.0.101-100.1, kernel-ec2-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-source-3.0.101-100.1, kernel-syms-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-100.1, kernel-default-3.0.101-100.1, kernel-ec2-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
Comment 13 Swamp Workflow Management 2017-06-19 19:12:16 UTC
SUSE-SU-2017:1613-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1039348,979021
CVE References: CVE-2015-3288,CVE-2017-1000364
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.102.1, kernel-default-3.0.101-0.47.102.1, kernel-ec2-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-source-3.0.101-0.47.102.1, kernel-syms-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.102.1, kernel-default-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-ppc64-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.102.1, kernel-ec2-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-source-3.0.101-0.47.102.1, kernel-syms-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.102.1, kernel-default-3.0.101-0.47.102.1, kernel-ec2-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
Comment 14 Swamp Workflow Management 2017-09-04 19:39:10 UTC
SUSE-SU-2017:2342-1: An update that solves 44 vulnerabilities and has 135 fixes is now available.

Category: security (important)
Bug References: 1003077,1005651,1008374,1008850,1008893,1012422,1013018,1013070,1013800,1013862,1016489,1017143,1018074,1018263,1018446,1019168,1020229,1021256,1021913,1022971,1023014,1023051,1023163,1023888,1024508,1024788,1024938,1025235,1025702,1026024,1026260,1026722,1026914,1027066,1027101,1027178,1027565,1028372,1028415,1028880,1029140,1029212,1029770,1029850,1030213,1030552,1030573,1030593,1030814,1031003,1031052,1031440,1031579,1032141,1032340,1032471,1033287,1033336,1033771,1033794,1033804,1033816,1034026,1034670,1035576,1035777,1035920,1036056,1036288,1036629,1037182,1037183,1037191,1037193,1037227,1037232,1037233,1037356,1037358,1037359,1037441,1038544,1038879,1038981,1038982,1039258,1039348,1039354,1039456,1039594,1039882,1039883,1039885,1040069,1040351,1041160,1041431,1041762,1041975,1042045,1042200,1042615,1042633,1042687,1042832,1043014,1043234,1043935,1044015,1044125,1044216,1044230,1044854,1044882,1044913,1044985,1045154,1045340,1045356,1045406,1045416,1045525,1045538,1045547,1045615,1046107,1046122,1046192,1046715,1047027,1047053,1047343,1047354,1047487,1047523,1047653,1048185,1048221,1048232,1048275,1049483,1049603,1049688,1049882,1050154,1050431,1051478,1051515,1051770,784815,792863,799133,870618,909486,909618,911105,919382,928138,931620,938352,943786,948562,962257,970956,971975,972891,979021,982783,983212,985561,986362,986365,986924,988065,989056,990682,991651,995542,999245
CVE References: CVE-2014-9922,CVE-2015-3288,CVE-2015-8970,CVE-2016-10200,CVE-2016-2188,CVE-2016-4997,CVE-2016-4998,CVE-2016-5243,CVE-2016-7117,CVE-2017-1000363,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-11176,CVE-2017-11473,CVE-2017-2636,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7482,CVE-2017-7487,CVE-2017-7533,CVE-2017-7542,CVE-2017-7616,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.5.1, kernel-rt_trace-3.0.101.rt130-69.5.1, kernel-source-rt-3.0.101.rt130-69.5.1, kernel-syms-rt-3.0.101.rt130-69.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.5.1, kernel-rt_debug-3.0.101.rt130-69.5.1, kernel-rt_trace-3.0.101.rt130-69.5.1