Bug 1057179 - (CVE-2017-14140) VUL-1: CVE-2017-14140: kernel: Missing permission check in move_pages system call
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other, OS: Other
Priority: P4 - Low, Severity: Minor
Assigned To: Vlastimil Babka
Security Team bot
URL: https://smash.suse.de/issue/191437/
Whiteboard: CVSSv2:SUSE:CVE-2017-14140:1.7:(AV:L...
Reported: 2017-09-05 09:28 UTC by Alexander Bergmann
Modified: 2020-06-16 18:01 UTC (History)
Found By: Security Response Team
Description Alexander Bergmann 2017-09-05 09:28:08 UTC
rh#1488329

The move_pages system call in mm/migrate.c in the Linux kernel before
4.12.9 doesn't check the effective uid of the target process, enabling
a local attacker to learn the memory layout of a setuid executable
despite ASLR.

Upstream fix:
https://github.com/torvalds/linux/commit/197e7e521384a23b9e585178f3f11c9fa08274b9

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1488329
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14140
Comment 1 Vlastimil Babka 2017-09-07 08:55:39 UTC
SLE12-SP2+SP3 already got the stable update. SLE15 will get it as well.
I did cve/linux-3.12 yesterday (SLE12 and -SP1).
Older kernels don't yet have commit caaee6234d05a which added PTRACE_MODE_READ_REALCREDS. I'm trying to figure out whether PTRACE_MODE_READ will be good enough for this check. CC Michal for his opinion.
Comment 2 Vlastimil Babka 2017-09-07 12:01:16 UTC
Hmm, we seem to have a problem on ia64 and ppc64 for 3.0-based kernels:

mm/migrate.c:1430:2: error: implicit declaration of function 'ptrace_may_access' [-Werror=implicit-function-declaration]
mm/migrate.c:1430:31: error: 'PTRACE_MODE_READ' undeclared (first use in this function)
Comment 3 Vlastimil Babka 2017-09-07 14:13:00 UTC
(In reply to Vlastimil Babka from comment #2)
> Hmm, we seem to have a problem on ia64 and ppc64 for 3.0-based kernels:
> 
> mm/migrate.c:1430:2: error: implicit declaration of function
> 'ptrace_may_access' [-Werror=implicit-function-declaration]
> mm/migrate.c:1430:31: error: 'PTRACE_MODE_READ' undeclared (first use in
> this function)

Just a missing include, sorry for the noise
Comment 4 Vlastimil Babka 2017-09-08 13:22:08 UTC
(In reply to Vlastimil Babka from comment #1)
> SLE12-SP2+SP3 already got the stable update. SLE15 will get it as well.
> I did cve/linux-3.12 yesterday (SLE12 and -SP1).
> Older kernels don't yet have commit caaee6234d05a which added
> PTRACE_MODE_READ_REALCREDS. I'm trying to figure out whether
> PTRACE_MODE_READ will be good enough for this check. CC Michal for his
> opinion.

I've prepared branches for review with Michal:

users/vbabka/cve/linux-2.6.32/bsc1057179
users/vbabka/cve/linux-3.0/bsc1057179

Turns out 2.6.16 doesn't yet have the move_pages() syscall, so nothing to do there.
Comment 5 Michal Hocko 2017-09-12 14:08:51 UTC
(In reply to Vlastimil Babka from comment #4)
> (In reply to Vlastimil Babka from comment #1)
> > SLE12-SP2+SP3 already got the stable update. SLE15 will get it as well.
> > I did cve/linux-3.12 yesterday (SLE12 and -SP1).
> > Older kernels don't yet have commit caaee6234d05a which added
> > PTRACE_MODE_READ_REALCREDS. I'm trying to figure out whether
> > PTRACE_MODE_READ will be good enough for this check. CC Michal for his
> > opinion.
> 
> I've prepared branches for review with Michal:
> 
> users/vbabka/cve/linux-2.6.32/bsc1057179
> users/vbabka/cve/linux-3.0/bsc1057179

Yes, checking ptrace_may_access(task, PTRACE_MODE_READ) should be sufficient from ASLR POV. This is what we do in mm_access which is used for /proc/<pid>/[s]maps and those would be a more obvious target for that purpose.
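Added model, not kernel code and not part of this bug thread: a userspace C reduction of the move_pages credential check as it stood before the upstream fix, beside the PTRACE_MODE_READ-style check that replaced it, evaluated on constructed credentials for a user querying a setuid binary it started itself. The CAP_SYS_NICE and CAP_SYS_PTRACE escape hatches, the gid comparisons and the dumpable check of the real ptrace_may_access() are assumed away to keep the model small.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/types.h>

/* Reduced credential set: real, effective and saved uid only (model). */
struct cred { uid_t uid, euid, suid; };

/* Pre-fix check from sys_move_pages(): access is granted if the caller's
 * uid or euid matches the target's uid or suid. The target's euid is never
 * consulted, which is the gap behind CVE-2017-14140. */
static bool old_move_pages_allowed(const struct cred *c, const struct cred *t)
{
	return c->euid == t->suid || c->euid == t->uid ||
	       c->uid == t->suid || c->uid == t->uid;
}

/* Post-fix semantics of ptrace_may_access(task, PTRACE_MODE_READ*): the
 * caller's real uid must equal all three of the target's uid, euid and suid
 * (capability and dumpable escape hatches omitted in this model). */
static bool new_move_pages_allowed(const struct cred *c, const struct cred *t)
{
	return c->uid == t->uid && c->uid == t->euid && c->uid == t->suid;
}

/* Constructed scenario: unprivileged user 1000 and a setuid-root helper it
 * launched (real uid 1000, effective and saved uid 0). */
static const struct cred model_caller  = { 1000, 1000, 1000 };
static const struct cred setuid_target = { 1000, 0, 0 };
static const struct cred own_process   = { 1000, 1000, 1000 };
static const struct cred other_user    = { 1001, 1001, 1001 };

/* Returns 1 when the old check would let the caller query page placement of
 * the setuid target while the replacement check refuses, i.e. the bug. */
int model_shows_missing_check(void)
{
	return old_move_pages_allowed(&model_caller, &setuid_target) &&
	       !new_move_pages_allowed(&model_caller, &setuid_target);
}

int main(void)
{
	printf("old check on setuid target: %s\n",
	       old_move_pages_allowed(&model_caller, &setuid_target) ? "allowed" : "EPERM");
	printf("new check on setuid target: %s\n",
	       new_move_pages_allowed(&model_caller, &setuid_target) ? "allowed" : "EPERM");
	return model_shows_missing_check() ? 0 : 1;
}
```

Both checks still agree on the ordinary cases: a process with identical credentials is allowed and another user's process is refused; only the setuid target separates them.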
Comment 6 Vlastimil Babka 2017-09-13 08:32:18 UTC
(In reply to Michal Hocko from comment #5)
> Yes, checking ptrace_may_access(task, PTRACE_MODE_READ) should be sufficient
> from ASLR POV. This is what we do in mm_access which is used for
> /proc/<pid>/[s]maps and those would be a more obvious target for that
> purpose.

Thanks Michal. Good point.

Pushed the remaining branches to for-next. All done from my side.
Comment 8 Swamp Workflow Management 2017-10-10 16:19:38 UTC
SUSE-SU-2017:2694-1: An update that solves 8 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 1013018,1024450,1031358,1036629,1037441,1037667,1037669,1037994,1039803,1040609,1042863,1045154,1047523,1050381,1050431,1051932,1052311,1052370,1053148,1053152,1053802,1053933,1054070,1054076,1054093,1054247,1054706,1055680,1056588,1057179,1057389,1058524,984530
CVE References: CVE-2017-1000112,CVE-2017-1000251,CVE-2017-10661,CVE-2017-12762,CVE-2017-14051,CVE-2017-14140,CVE-2017-14340,CVE-2017-8831
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.8.1, kernel-rt_trace-3.0.101.rt130-69.8.1, kernel-source-rt-3.0.101.rt130-69.8.1, kernel-syms-rt-3.0.101.rt130-69.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.8.1, kernel-rt_debug-3.0.101.rt130-69.8.1, kernel-rt_trace-3.0.101.rt130-69.8.1
Comment 9 Swamp Workflow Management 2017-10-30 18:31:34 UTC
SUSE-SU-2017:2908-1: An update that solves 30 vulnerabilities and has 38 fixes is now available.

Category: security (important)
Bug References: 1001459,1012985,1023287,1027149,1028217,1030531,1030552,1031515,1033960,1034405,1035531,1035738,1037182,1037183,1037994,1038544,1038564,1038879,1038883,1038981,1038982,1039348,1039354,1039456,1039721,1039864,1039882,1039883,1039885,1040069,1041160,1041429,1041431,1042696,1042832,1042863,1044125,1045327,1045487,1045922,1046107,1048275,1048788,1049645,1049882,1053148,1053152,1053317,1056588,1056982,1057179,1058410,1058507,1058524,1059863,1062471,1062520,1063667,1064388,856774,860250,863764,878240,922855,922871,986924,993099,994364
CVE References: CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-12153,CVE-2017-12154,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14140,CVE-2017-15265,CVE-2017-15274,CVE-2017-15649,CVE-2017-7482,CVE-2017-7487,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-7889,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE OpenStack Cloud 6 (src):    kernel-default-3.12.74-60.64.63.1, kernel-source-3.12.74-60.64.63.1, kernel-syms-3.12.74-60.64.63.1, kernel-xen-3.12.74-60.64.63.1, kgraft-patch-SLE12-SP1_Update_22-1-2.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.63.1, kernel-source-3.12.74-60.64.63.1, kernel-syms-3.12.74-60.64.63.1, kernel-xen-3.12.74-60.64.63.1, kgraft-patch-SLE12-SP1_Update_22-1-2.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.63.1, kernel-source-3.12.74-60.64.63.1, kernel-syms-3.12.74-60.64.63.1, kernel-xen-3.12.74-60.64.63.1, kgraft-patch-SLE12-SP1_Update_22-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.63.1
Comment 10 Swamp Workflow Management 2017-11-02 17:19:56 UTC
SUSE-SU-2017:2920-1: An update that solves 36 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1008353,1012422,1017941,1029850,1030593,1032268,1034405,1034670,1035576,1035877,1036752,1037182,1037183,1037306,1037994,1038544,1038879,1038981,1038982,1039348,1039349,1039354,1039456,1039721,1039882,1039883,1039885,1040069,1041431,1041958,1044125,1045327,1045487,1045922,1046107,1047408,1048275,1049645,1049882,1052593,1053148,1053152,1056588,1056982,1057179,1058038,1058410,1058507,1058524,1062520,1063667,1064388,938162,975596,977417,984779,985562,990682
CVE References: CVE-2015-9004,CVE-2016-10229,CVE-2016-9604,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-12153,CVE-2017-12154,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14140,CVE-2017-15265,CVE-2017-15274,CVE-2017-15649,CVE-2017-2647,CVE-2017-6951,CVE-2017-7482,CVE-2017-7487,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-7889,CVE-2017-8106,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.101.1, kernel-source-3.12.61-52.101.1, kernel-syms-3.12.61-52.101.1, kernel-xen-3.12.61-52.101.1, kgraft-patch-SLE12_Update_28-1-8.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.101.1
Comment 11 Swamp Workflow Management 2017-12-11 20:16:25 UTC
SUSE-SU-2017:3265-1: An update that solves 20 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 1012917,1013018,1022967,1024450,1031358,1036286,1036629,1037441,1037667,1037669,1037994,1039803,1040609,1042863,1045154,1045205,1045327,1045538,1047523,1050381,1050431,1051133,1051932,1052311,1052365,1052370,1052593,1053148,1053152,1053317,1053802,1053933,1054070,1054076,1054093,1054247,1054305,1054706,1056230,1056504,1056588,1057179,1057796,1058524,1059051,1060245,1060665,1061017,1061180,1062520,1062842,1063301,1063544,1063667,1064803,1064861,1065180,1066471,1066472,1066573,1066606,1066618,1066625,1066650,1066671,1066700,1066705,1067085,1067816,1067888,909484,984530,996376
CVE References: CVE-2017-1000112,CVE-2017-10661,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14140,CVE-2017-14340,CVE-2017-14489,CVE-2017-15102,CVE-2017-15265,CVE-2017-15274,CVE-2017-16525,CVE-2017-16527,CVE-2017-16529,CVE-2017-16531,CVE-2017-16535,CVE-2017-16536,CVE-2017-16537,CVE-2017-16649,CVE-2017-8831
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-108.18.3
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-108.18.1, kernel-default-3.0.101-108.18.1, kernel-ec2-3.0.101-108.18.1, kernel-pae-3.0.101-108.18.1, kernel-ppc64-3.0.101-108.18.1, kernel-source-3.0.101-108.18.1, kernel-syms-3.0.101-108.18.1, kernel-trace-3.0.101-108.18.1, kernel-xen-3.0.101-108.18.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.18.1, kernel-pae-3.0.101-108.18.1, kernel-ppc64-3.0.101-108.18.1, kernel-trace-3.0.101-108.18.1, kernel-xen-3.0.101-108.18.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.18.1, kernel-default-3.0.101-108.18.1, kernel-ec2-3.0.101-108.18.1, kernel-pae-3.0.101-108.18.1, kernel-ppc64-3.0.101-108.18.1, kernel-trace-3.0.101-108.18.1, kernel-xen-3.0.101-108.18.1
Comment 12 Swamp Workflow Management 2018-01-08 20:08:10 UTC
SUSE-SU-2018:0040-1: An update that solves 32 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1010175,1034862,1045327,1050231,1052593,1056982,1057179,1057389,1058524,1062520,1063544,1063667,1066295,1066472,1066569,1066573,1066606,1066618,1066625,1066650,1066671,1066693,1066700,1066705,1067085,1068032,1068671,1069702,1069708,1070771,1071074,1071470,1071695,1072561,1072876,1073792,1073874,1074033,999245
CVE References: CVE-2017-1000251,CVE-2017-11600,CVE-2017-13080,CVE-2017-13167,CVE-2017-14106,CVE-2017-14140,CVE-2017-14340,CVE-2017-15102,CVE-2017-15115,CVE-2017-15265,CVE-2017-15274,CVE-2017-15868,CVE-2017-16525,CVE-2017-16527,CVE-2017-16529,CVE-2017-16531,CVE-2017-16534,CVE-2017-16535,CVE-2017-16536,CVE-2017-16537,CVE-2017-16538,CVE-2017-16649,CVE-2017-16939,CVE-2017-17450,CVE-2017-17558,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-7472,CVE-2017-8824
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-source-3.0.101-0.47.106.11.1, kernel-syms-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-ppc64-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-source-3.0.101-0.47.106.11.1, kernel-syms-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
Comment 13 Marcus Meissner 2018-02-09 06:50:05 UTC
released