Bug 927257 - (CVE-2015-3331) VUL-0: CVE-2015-3331: kernel: Buffer overruns in Linux kernel RFC4106 implementation using AESNI
(CVE-2015-3331)
VUL-0: CVE-2015-3331: kernel: Buffer overruns in Linux kernel RFC4106 impleme...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
maint:running:61844:important maint:r...
:
Depends on:
Blocks: 939262
  Show dependency treegraph
 
Reported: 2015-04-15 10:13 UTC by Marcus Meissner
Modified: 2019-05-21 14:40 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2015-04-15 10:13:19 UTC
via oss-sec

From: Ben Hutchings <ben@decadent.org.uk>
Date: Tue, 14 Apr 2015 21:46:32 +0100
Subject: [oss-security] Buffer overruns in Linux kernel RFC4106 implementation using AESNI

Linux kernel commit ccfe8c3f7e52 ("crypto: aesni - fix memory usage in
GCM decryption") fixes two bugs in pointer arithmetic that lead to
buffer overruns (even with valid parameters!):

https://git.kernel.org/linus/ccfe8c3f7e52ae83155cb038753f4c75b774ca8a

These are described as resulting in DoS (local or remote), but are
presumably also exploitable for privilege escalation.

The bugs appear to have been introduced by commit 0bd82f5f6355 ("crypto:
aesni-intel - RFC4106 AES-GCM Driver Using Intel New Instructions") in
Linux 2.6.38.

The above fix is included in Linux 4.0 and the following stable updates:

v3.10.73: 31c06b946ce6 crypto: aesni - fix memory usage in GCM decryption
v3.12.40: 0585664d1732 crypto: aesni - fix memory usage in GCM decryption
v3.14.37: e9b15363c101 crypto: aesni - fix memory usage in GCM decryption
v3.18.11: 3b389956156c crypto: aesni - fix memory usage in GCM decryption
v3.19.3: b90935f1d9a0 crypto: aesni - fix memory usage in GCM decryption
v3.13.11-ckt19: 40e073009626 crypto: aesni - fix memory usage in GCM decryp=
tion

Please assign a CVE ID for this.

Ben.
Comment 1 Marcus Meissner 2015-04-15 10:16:21 UTC
Will come with 3.12.40 stable for SLE12.

needs backport to SLE11 I think (and openSUSE).
Comment 2 Stephan Müller 2015-04-15 14:52:14 UTC
Apologies to not having you notified about that one earlier. I found that bug and sent the patch upstream.

However, it is not critical IMHO. The following reasons apply:

1. the overrun is in a code path that works on non-aligned data -- the only user of GCM in the kernel is IPSEC atm. And esp_input uses aligned data requests.

2. the mentioned user space interface is the one I implemented and is just about to be added to 4.1-rc1 (Herbert Xu's git pull request to Linus just went out).

Hence, I personally do not see that as a big issue since I currently see no way that a user can trigger that faulty code path.
Comment 3 Swamp Workflow Management 2015-04-15 22:00:24 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2015-04-18 06:30:43 UTC
CVE-2015-3331
Comment 5 Andreas Stieger 2015-04-20 08:30:00 UTC
(In reply to Stephan Müller from comment #2)
> Apologies to not having you notified about that one earlier. I found that
> bug and sent the patch upstream.
> 
> However, it is not critical IMHO. The following reasons apply:
> 
> 1. the overrun is in a code path that works on non-aligned data -- the only
> user of GCM in the kernel is IPSEC atm. And esp_input uses aligned data
> requests.
> 
> 2. the mentioned user space interface is the one I implemented and is just
> about to be added to 4.1-rc1 (Herbert Xu's git pull request to Linus just
> went out).
> 
> Hence, I personally do not see that as a big issue since I currently see no
> way that a user can trigger that faulty code path.

Thank you for this information. Would you say that to take a safe stance w.r.t. further, possibly future, users of this code path or user space interface, the patch could be applied with the next regular kernel for SLE 12 and 11?
Comment 6 Marcus Meissner 2015-04-20 08:48:48 UTC
The patch should be applied to the next kernel update, the discussion above is just about impact.

It seems it does not risk FIPS certification of the previous kernel without the patch.
Comment 7 Stephan Müller 2015-04-20 15:18:13 UTC
I just have seen another report that the bug *is* triggerable in the wild: when the remote IPSEC end sends fragmented packets to the kernel IPSEC stack, then the issue can be triggered as in this case, the non-aligned code path is chosen.
Comment 8 Marcus Meissner 2015-04-23 14:37:13 UTC
remote denial of service according to stephan
Comment 9 Marcus Meissner 2015-05-15 14:39:28 UTC
Torsten?
Comment 10 Torsten Duwe 2015-05-15 17:00:04 UTC
(In reply to Marcus Meissner from comment #0)

> The above fix is included in Linux 4.0 and the following stable updates:
> 
> v3.10.73: 31c06b946ce6 crypto: aesni - fix memory usage in GCM decryption
> v3.12.40: 0585664d1732 crypto: aesni - fix memory usage in GCM decryption

Do not trust commit IDs, they may change e.g. with a rebase or merge.
Comment 11 Marcus Meissner 2015-05-18 09:15:17 UTC
in patches.kernel.org/patch-3.12.39-40
Comment 16 Torsten Duwe 2015-05-19 15:07:35 UTC
Patch also applied to SLE11-SP2-LTSS and -SP3 branches (should auto-merge to SP4).

Maintenance, please take over...
Comment 17 Swamp Workflow Management 2015-05-29 09:50:15 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844
Comment 18 Swamp Workflow Management 2015-06-08 12:13:59 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904
Comment 19 Swamp Workflow Management 2015-06-16 12:10:19 UTC
SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
Comment 20 Swamp Workflow Management 2015-07-02 15:22:30 UTC
SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
Comment 22 Swamp Workflow Management 2015-08-12 17:25:26 UTC
SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22
Comment 23 Swamp Workflow Management 2015-09-02 13:16:58 UTC
SUSE-SU-2015:1478-1: An update that solves 18 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 798406,821931,860593,879878,891087,897995,898693,900881,904671,908870,909477,912916,914742,915200,915517,915577,916010,917093,917830,918333,919007,919018,919463,921769,922583,923245,926240,927257,928801,929148,929283,929360,929525,930284,930934,931474,933429,935705,936831,937032,937986,940338,940398
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9683,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-1805,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3636,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-source-3.0.101-0.7.37.1, kernel-syms-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
Comment 24 Marcus Meissner 2015-09-04 09:57:23 UTC
i think we are done