Bug 1051790 - (CVE-2017-12134) VUL-0: CVE-2017-12134: kernel: Incorrect Xen block IO merge-ability calculation (XSA-229)
(CVE-2017-12134)
VUL-0: CVE-2017-12134: kernel: Incorrect Xen block IO merge-ability calculati...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Jürgen Groß
Security Team bot
CVSSv2:SUSE:CVE-2017-12134:6.2:(AV:L/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-08-02 06:34 UTC by Johannes Segitz
Modified: 2020-06-09 03:30 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Johannes Segitz 2017-08-02 06:34:52 UTC
CRD: 2017-08-15 12:00 UTC
Comment 2 Marcus Meissner 2017-08-15 12:52:55 UTC
is public

            Xen Security Advisory CVE-2017-12134 / XSA-229
                               version 3

            linux: Fix Xen block IO merge-ability calculation

UPDATES IN VERSION 3
====================

Public release.

ISSUE DESCRIPTION
=================

The block layer in Linux may choose to merge adjacent block IO requests.
When Linux is running as a Xen guest, the default merging algorithm is
replaced with a Xen-specific one.  When Linux is running as an x86 PV
guest, some BIO's are erroneously merged, corrupting the data stream
to/from the block device.

This can result in incorrect access to an uncontrolled adjacent frame.

IMPACT
======

A buggy or malicious guest can cause Linux to read or write incorrect
memory when processing a block stream.  This could leak information from
other guests in the system or from Xen itself, or be used to DoS or
escalate privilege within the system.

VULNERABLE SYSTEMS
==================

All x86 Xen systems using pvops Linux in a backend role (either as
dom0, or as a disk device driver domain) are affected.  This includes
upstream Linux versions 2.6.37 and later.  Systems using the older
classic-linux fork are not affected.

All PV x86 domains doing block IO on behalf of a guest, including dom0
and any PV driver domains, are vulnerable.  (Any HVM driver domains
running are not vulnerable.)  This includes Xen vbd backends such as
blkback, but also direct IO performed for the guest via eg qemu.

ARM systems are not affected.

The vulnerability is only exposed if the underlying block device has
request merging enabled.  See Mitigation.

The vulnerability is only exposed to configurations which use grant
mapping as a transport mechanism for the block data.  Configurations
which use exclusively grant copy are not vulnerable.

MITIGATION
==========

Disable bio merges on all relevant underlying backend block devices.
For example,
  echo 2 > /sys/block/nvme0n1/queue/nomerges

CREDITS
=======

This issue was discovered by Jan H. Schönherr of Amazon.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

xsa229.patch           Linux

$ sha256sum xsa229*
5f96c72c8c5a971d52f5540475a3fc6f4fef2071ec772ef21392fdc238eda858  xsa229.patch
$
Comment 3 Jürgen Groß 2017-08-21 09:28:51 UTC
Patch is in SLE12-SP2 and SLE12-SP3 branch.
Comment 4 Swamp Workflow Management 2017-09-07 16:12:51 UTC
openSUSE-SU-2017:2384-1: An update that solves two vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1005776,1015342,1020645,1020657,1030850,1031717,1031784,1034048,1037838,1040813,1042847,1047487,1047989,1048155,1048228,1048325,1048327,1048356,1048501,1048912,1048934,1049226,1049272,1049291,1049336,1050211,1050742,1051790,1052093,1052094,1052095,1052384,1052580,1052888,1053117,1053309,1053472,1053627,1053629,1053633,1053681,1053685,1053802,1053915,1053919,1054082,1054084,1055013,1055096,1055272,1055290,1055359,1055709,1055896,1055935,1055963,1056185,1056588,1056827,969756
CVE References: CVE-2017-12134,CVE-2017-14051
Sources used:
openSUSE Leap 42.3 (src):    kernel-debug-4.4.85-22.1, kernel-default-4.4.85-22.1, kernel-docs-4.4.85-22.3, kernel-obs-build-4.4.85-22.1, kernel-obs-qa-4.4.85-22.1, kernel-source-4.4.85-22.1, kernel-syms-4.4.85-22.1, kernel-vanilla-4.4.85-22.1
Comment 5 Swamp Workflow Management 2017-09-15 13:15:51 UTC
openSUSE-SU-2017:2495-1: An update that solves 5 vulnerabilities and has 32 fixes is now available.

Category: security (important)
Bug References: 1012829,1020645,1020657,1021424,1022743,1024405,1030850,1031717,1031784,1034048,1038583,1047487,1048155,1048893,1048934,1049226,1049580,1051790,1052580,1052888,1053117,1053802,1053915,1053919,1054084,1055013,1055096,1055359,1056261,1056588,1056827,1056982,1057015,1057389,1058116,971975,981309
CVE References: CVE-2017-1000251,CVE-2017-11472,CVE-2017-12134,CVE-2017-14051,CVE-2017-14106
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.87-18.29.1, kernel-default-4.4.87-18.29.1, kernel-docs-4.4.87-18.29.2, kernel-obs-build-4.4.87-18.29.1, kernel-obs-qa-4.4.87-18.29.1, kernel-source-4.4.87-18.29.1, kernel-syms-4.4.87-18.29.1, kernel-vanilla-4.4.87-18.29.1
Comment 6 Swamp Workflow Management 2017-10-25 13:27:39 UTC
SUSE-SU-2017:2847-1: An update that solves 11 vulnerabilities and has 170 fixes is now available.

Category: security (important)
Bug References: 1004527,1005776,1005778,1005780,1005781,1012382,1012829,1015342,1015343,1019675,1019680,1019695,1019699,1020412,1020645,1020657,1020989,1021424,1022595,1022604,1022743,1022912,1022967,1024346,1024373,1024405,1025461,1030850,1031717,1031784,1032150,1034048,1034075,1035479,1036060,1036215,1036737,1037579,1037838,1037890,1038583,1040813,1042847,1043598,1044503,1046529,1047238,1047487,1047989,1048155,1048228,1048325,1048327,1048356,1048501,1048893,1048912,1048934,1049226,1049272,1049291,1049336,1049361,1049580,1050471,1050742,1051790,1051987,1052093,1052094,1052095,1052360,1052384,1052580,1052593,1052888,1053043,1053309,1053472,1053627,1053629,1053633,1053681,1053685,1053802,1053915,1053919,1054082,1054084,1054654,1055013,1055096,1055272,1055290,1055359,1055493,1055567,1055709,1055755,1055896,1055935,1055963,1056061,1056185,1056230,1056261,1056427,1056587,1056588,1056596,1056686,1056827,1056849,1056982,1057015,1057031,1057035,1057038,1057047,1057067,1057383,1057498,1057849,1058038,1058116,1058135,1058410,1058507,1058512,1058550,1059051,1059465,1059500,1059863,1060197,1060229,1060249,1060400,1060985,1061017,1061046,1061064,1061067,1061172,1061451,1061721,1061775,1061831,1061872,1062279,1062520,1062962,1063102,1063349,1063460,1063475,1063479,1063501,1063509,1063520,1063570,1063667,1063671,1063695,1064064,1064206,1064388,1064436,963575,964944,966170,966172,966186,966191,966316,966318,969476,969477,969756,971975,981309
CVE References: CVE-2017-1000252,CVE-2017-11472,CVE-2017-12134,CVE-2017-12153,CVE-2017-12154,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14489,CVE-2017-15265,CVE-2017-15649
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    kernel-default-4.4.92-6.18.1
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    kernel-docs-4.4.92-6.18.3, kernel-obs-build-4.4.92-6.18.1
SUSE Linux Enterprise Server 12-SP3 (src):    kernel-default-4.4.92-6.18.1, kernel-source-4.4.92-6.18.1, kernel-syms-4.4.92-6.18.1
SUSE Linux Enterprise Live Patching 12-SP3 (src):    kgraft-patch-SLE12-SP3_Update_4-1-4.3
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.92-6.18.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    kernel-default-4.4.92-6.18.1, kernel-source-4.4.92-6.18.1, kernel-syms-4.4.92-6.18.1
Comment 7 Swamp Workflow Management 2017-10-27 16:45:48 UTC
SUSE-SU-2017:2869-1: An update that solves 16 vulnerabilities and has 120 fixes is now available.

Category: security (important)
Bug References: 1006180,1011913,1012382,1012829,1013887,1019151,1020645,1020657,1021424,1022476,1022743,1022967,1023175,1024405,1028173,1028286,1029693,1030552,1030850,1031515,1031717,1031784,1033587,1034048,1034075,1034762,1036303,1036632,1037344,1037404,1037994,1038078,1038583,1038616,1038792,1039915,1040307,1040351,1041958,1042286,1042314,1042422,1042778,1043652,1044112,1044636,1045154,1045563,1045922,1046682,1046821,1046985,1047027,1047048,1047096,1047118,1047121,1047152,1047277,1047343,1047354,1047487,1047651,1047653,1047670,1048155,1048221,1048317,1048891,1048893,1048914,1048934,1049226,1049483,1049486,1049580,1049603,1049645,1049882,1050061,1050188,1051022,1051059,1051239,1051399,1051478,1051479,1051556,1051663,1051790,1052049,1052223,1052533,1052580,1052593,1052709,1052773,1052794,1052888,1053117,1053802,1053915,1053919,1054084,1055013,1055096,1055359,1055493,1055755,1055896,1056261,1056588,1056827,1056982,1057015,1058038,1058116,1058410,1058507,1059051,1059465,1060197,1061017,1061046,1061064,1061067,1061172,1061831,1061872,1063667,1064206,1064388,964063,971975,974215,981309
CVE References: CVE-2017-1000252,CVE-2017-10810,CVE-2017-11472,CVE-2017-11473,CVE-2017-12134,CVE-2017-12153,CVE-2017-12154,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14489,CVE-2017-15649,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-8831
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.90-92.45.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.90-92.45.3, kernel-obs-build-4.4.90-92.45.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.90-92.45.1, kernel-source-4.4.90-92.45.1, kernel-syms-4.4.90-92.45.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.90-92.45.1, kernel-source-4.4.90-92.45.1, kernel-syms-4.4.90-92.45.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_14-1-2.4
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.90-92.45.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.90-92.45.1, kernel-source-4.4.90-92.45.1, kernel-syms-4.4.90-92.45.1
SUSE Container as a Service Platform ALL (src):    kernel-default-4.4.90-92.45.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.90-92.45.1
Comment 8 Swamp Workflow Management 2017-11-08 20:23:57 UTC
SUSE-SU-2017:2956-1: An update that solves 17 vulnerabilities and has 113 fixes is now available.

Category: security (important)
Bug References: 1005917,1006180,1011913,1012382,1012829,1013887,1018419,1019151,1020645,1020657,1020685,1021424,1022476,1022743,1023175,1024405,1028173,1028286,1028819,1029693,1030552,1030850,1031515,1031717,1031784,1033587,1034048,1034075,1034762,1036303,1036632,1037344,1037404,1037994,1038078,1038583,1038616,1038792,1038846,1038847,1039354,1039915,1040307,1040351,1041958,1042286,1042314,1042422,1042778,1043652,1044112,1044636,1045154,1045563,1045922,1046682,1046821,1046985,1047027,1047048,1047096,1047118,1047121,1047152,1047277,1047343,1047354,1047487,1047651,1047653,1047670,1048155,1048221,1048317,1048891,1048893,1048914,1048934,1049226,1049483,1049486,1049580,1049603,1049645,1049882,1050061,1050188,1051022,1051059,1051239,1051399,1051478,1051479,1051556,1051663,1051790,1052049,1052223,1052311,1052365,1052533,1052580,1052709,1052773,1052794,1052888,1053117,1053802,1053915,1054084,1055013,1055096,1055359,1056261,1056588,1056827,1056982,1057015,1057389,1058038,1058116,1058507,963619,964063,964944,971975,974215,981309,988784,993890
CVE References: CVE-2017-1000111,CVE-2017-1000112,CVE-2017-1000251,CVE-2017-1000252,CVE-2017-1000365,CVE-2017-10810,CVE-2017-11472,CVE-2017-11473,CVE-2017-12134,CVE-2017-12154,CVE-2017-14051,CVE-2017-14106,CVE-2017-7518,CVE-2017-7533,CVE-2017-7541,CVE-2017-7542,CVE-2017-8831
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.88-18.1, kernel-rt_debug-4.4.88-18.1, kernel-source-rt-4.4.88-18.1, kernel-syms-rt-4.4.88-18.1