Bug 966684 – VUL-0: CVE-2016-2383: kernel: Incorrect branch fixups for eBPF allow arbitrary read

Bug 966684 - (CVE-2016-2383) VUL-0: CVE-2016-2383: kernel: Incorrect branch fixups for eBPF allow arbitrary read

(CVE-2016-2383)
Summary:	VUL-0: CVE-2016-2383: kernel: Incorrect branch fixups for eBPF allow arbitrar...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/161884/
Whiteboard:	CVSSv2:SUSE:CVE-2016-2383:3.3:(AV:L/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2016-02-15 09:48 UTC by Sebastian Krahmer
Modified:	2018-07-03 21:08 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2016-02-15 09:48:35 UTC

Via OSS-sec:

> https://git.kernel.org/linus/a1b14d27ed0965838350f1377ff97c93ee383492
>bpf: fix branch offset adjustment on backjumps after patching ctx expansion
>
>for backward jumps it fails to account the delta
>
>kernel/bpf/verifier.c
>adjust_branches
>
>-    else if (i > pos && i + insn->off + 1 < pos)
>+    else if (i > pos + delta && i + insn->off + 1 <= pos + delta)

Use CVE-2016-2383


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2383
http://seclists.org/oss-sec/2016/q1/333
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-2383.html

Comment 1 Sebastian Krahmer 2016-02-15 09:57:58 UTC

Via OSS:

The issue was introduced in v4.1-rc1 with commit
https://git.kernel.org/linus/9bac3d6d548e5cc925570b263f35b70a00a00ffd

Comment 2 Swamp Workflow Management 2016-02-15 23:01:19 UTC

bugbot adjusting priority

Comment 3 Borislav Petkov 2016-02-20 10:27:47 UTC

79b9217f8567..9dff6f3e8af8  HEAD -> ... openSUSE-42.1/for-next
9b5bc469588b..34c3c2e5ca1b  HEAD -> ... SLE12-SP2/for-next

Done.

Comment 4 Swamp Workflow Management 2016-04-12 10:16:09 UTC

openSUSE-SU-2016:1008-1: An update that solves 15 vulnerabilities and has 26 fixes is now available.

Category: security (important)
Bug References: 814440,884701,949936,951440,951542,951626,951638,953527,954018,954404,954405,954876,958439,958463,958504,959709,960561,960563,960710,961263,961500,961509,962257,962866,962977,963746,963765,963767,963931,965125,966137,966179,966259,966437,966684,966693,968018,969356,969582,970845,971125
CVE References: CVE-2015-1339,CVE-2015-7799,CVE-2015-7872,CVE-2015-7884,CVE-2015-8104,CVE-2015-8709,CVE-2015-8767,CVE-2015-8785,CVE-2015-8787,CVE-2015-8812,CVE-2016-0723,CVE-2016-2069,CVE-2016-2184,CVE-2016-2383,CVE-2016-2384
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.20-11.1, kernel-default-4.1.20-11.1, kernel-docs-4.1.20-11.3, kernel-ec2-4.1.20-11.1, kernel-obs-build-4.1.20-11.2, kernel-obs-qa-4.1.20-11.1, kernel-obs-qa-xen-4.1.20-11.1, kernel-pae-4.1.20-11.1, kernel-pv-4.1.20-11.1, kernel-source-4.1.20-11.1, kernel-syms-4.1.20-11.1, kernel-vanilla-4.1.20-11.1, kernel-xen-4.1.20-11.1

Comment 5 Marcus Meissner 2016-08-01 13:22:05 UTC

released