Bug 1087813 - (CVE-2017-18255) VUL-0: CVE-2017-18255: kernel-source: The perf_cpu_time_max_percent_handler function in kernel/events/core.c inthe Linux kernel before 4.11 allows local users to cause a denial ofservice (integer overflow) or possibly have unspecified oth
(CVE-2017-18255)
VUL-0: CVE-2017-18255: kernel-source: The perf_cpu_time_max_percent_handler f...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/202984/
CVSSv3:SUSE:CVE-2017-18255:6.0:(AV:L...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2018-04-03 05:22 UTC by Marcus Meissner
Modified: 2022-06-08 13:54 UTC (History)
6 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2018-04-03 05:22:52 UTC
CVE-2017-18255

The perf_cpu_time_max_percent_handler function in kernel/events/core.c
in the Linux kernel before 4.11 allows local users to cause a denial of
service (integer overflow) or possibly have unspecified other impact
via a large value, as demonstrated by an incorrect sample-rate
calculation.


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-18255
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-18255.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18255
http://www.cvedetails.com/cve/CVE-2017-18255/
Comment 1 Marcus Meissner 2018-04-03 05:23:50 UTC
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1572e45a924f254d9570093abde46430c3172e3d

perf/core: Fix the perf_cpu_time_max_percent check
Use "proc_dointvec_minmax" instead of "proc_dointvec" to check the input
value from user-space.

If not, we can set a big value and some vars will overflow like
"sysctl_perf_event_sample_rate" which will cause a lot of unexpected
problems.
Comment 2 Marcus Meissner 2018-04-03 05:38:28 UTC
root writeable only? Or can it reached with a namespace?
Comment 3 Tony Jones 2018-04-05 16:22:45 UTC
(In reply to Marcus Meissner from comment #2)
> root writeable only? Or can it reached with a namespace?

/proc/sys/kernel/perf_cpu_time_max_percent is root writeable only.
I guess root, could construct a namespace where it's accessible.

The fix seems to be addressing a value range issue rather than an unprivileged access issue. 

Needs fixing, but once again, I find the CVE description confusing.
Comment 5 Marcus Meissner 2020-01-31 15:56:23 UTC
ping
Comment 6 Tony Jones 2020-02-03 20:33:18 UTC
pushed to cve-4.4 and cve-3.12

perf_cpu_time_max_percent check was added in v3.11-rc1, so other cve branches do not apply
Comment 9 Swamp Workflow Management 2020-05-12 13:19:18 UTC
SUSE-SU-2020:1255-1: An update that solves 53 vulnerabilities and has 32 fixes is now available.

Category: security (important)
Bug References: 1037216,1075091,1075994,1087082,1087813,1091041,1099279,1120386,1131107,1133147,1136449,1137325,1146519,1146544,1146612,1149591,1153811,1154844,1155311,1155897,1156060,1157038,1157042,1157070,1157143,1157155,1157157,1157158,1157303,1157324,1157333,1157464,1157804,1157923,1158021,1158132,1158381,1158394,1158398,1158410,1158413,1158417,1158427,1158445,1158819,1158823,1158824,1158827,1158834,1158900,1158903,1158904,1159199,1159285,1159297,1159841,1159908,1159910,1159911,1159912,1160195,1162227,1162298,1162928,1162929,1162931,1163971,1164069,1164078,1164846,1165111,1165311,1165873,1165881,1165984,1165985,1167629,1168075,1168295,1168424,1168829,1168854,1170056,1170345,1170778
CVE References: CVE-2017-18255,CVE-2018-21008,CVE-2019-14615,CVE-2019-14895,CVE-2019-14896,CVE-2019-14897,CVE-2019-14901,CVE-2019-15213,CVE-2019-18660,CVE-2019-18675,CVE-2019-18683,CVE-2019-19052,CVE-2019-19062,CVE-2019-19066,CVE-2019-19073,CVE-2019-19074,CVE-2019-19319,CVE-2019-19332,CVE-2019-19447,CVE-2019-19523,CVE-2019-19524,CVE-2019-19525,CVE-2019-19527,CVE-2019-19530,CVE-2019-19531,CVE-2019-19532,CVE-2019-19533,CVE-2019-19534,CVE-2019-19535,CVE-2019-19536,CVE-2019-19537,CVE-2019-19767,CVE-2019-19768,CVE-2019-19965,CVE-2019-19966,CVE-2019-20054,CVE-2019-20096,CVE-2019-3701,CVE-2019-5108,CVE-2019-9455,CVE-2019-9458,CVE-2020-10690,CVE-2020-10720,CVE-2020-10942,CVE-2020-11494,CVE-2020-11608,CVE-2020-11609,CVE-2020-2732,CVE-2020-8647,CVE-2020-8648,CVE-2020-8649,CVE-2020-8992,CVE-2020-9383
Sources used:
SUSE OpenStack Cloud 7 (src):    kernel-default-4.4.121-92.129.1, kernel-source-4.4.121-92.129.1, kernel-syms-4.4.121-92.129.1, kgraft-patch-SLE12-SP2_Update_34-1-3.3.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    kernel-default-4.4.121-92.129.1, kernel-source-4.4.121-92.129.1, kernel-syms-4.4.121-92.129.1, kgraft-patch-SLE12-SP2_Update_34-1-3.3.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    kernel-default-4.4.121-92.129.1, kernel-source-4.4.121-92.129.1, kernel-syms-4.4.121-92.129.1, kgraft-patch-SLE12-SP2_Update_34-1-3.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.129.1, kernel-source-4.4.121-92.129.1, kernel-syms-4.4.121-92.129.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.121-92.129.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-05-14 13:15:59 UTC
SUSE-SU-2020:1275-1: An update that solves 35 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 1056134,1087813,1120386,1133147,1137325,1145929,1149591,1154118,1154844,1155689,1157155,1157157,1157303,1157804,1158021,1158642,1158819,1159199,1159285,1159297,1159841,1159908,1159910,1159911,1159912,1160195,1161586,1162227,1162928,1162929,1162931,1163508,1163971,1164009,1164051,1164069,1164078,1164846,1165111,1165311,1165873,1165881,1165984,1165985,1167421,1167423,1167629,1168075,1168295,1168424,1168829,1168854,1170056,1170345,1170778,1170847
CVE References: CVE-2017-18255,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-21008,CVE-2019-11091,CVE-2019-14615,CVE-2019-14896,CVE-2019-14897,CVE-2019-18675,CVE-2019-19066,CVE-2019-19319,CVE-2019-19447,CVE-2019-19767,CVE-2019-19768,CVE-2019-19965,CVE-2019-19966,CVE-2019-20054,CVE-2019-20096,CVE-2019-3701,CVE-2019-5108,CVE-2019-9455,CVE-2019-9458,CVE-2020-10690,CVE-2020-10720,CVE-2020-10942,CVE-2020-11494,CVE-2020-11608,CVE-2020-11609,CVE-2020-2732,CVE-2020-8647,CVE-2020-8648,CVE-2020-8649,CVE-2020-8992,CVE-2020-9383
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    kernel-default-4.4.180-94.116.1, kernel-source-4.4.180-94.116.1, kernel-syms-4.4.180-94.116.1, kgraft-patch-SLE12-SP3_Update_31-1-4.3.1
SUSE OpenStack Cloud 8 (src):    kernel-default-4.4.180-94.116.1, kernel-source-4.4.180-94.116.1, kernel-syms-4.4.180-94.116.1, kgraft-patch-SLE12-SP3_Update_31-1-4.3.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    kernel-default-4.4.180-94.116.1, kernel-source-4.4.180-94.116.1, kernel-syms-4.4.180-94.116.1, kgraft-patch-SLE12-SP3_Update_31-1-4.3.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    kernel-default-4.4.180-94.116.1, kernel-source-4.4.180-94.116.1, kernel-syms-4.4.180-94.116.1, kgraft-patch-SLE12-SP3_Update_31-1-4.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    kernel-default-4.4.180-94.116.1, kernel-source-4.4.180-94.116.1, kernel-syms-4.4.180-94.116.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    kernel-default-4.4.180-94.116.1
SUSE Enterprise Storage 5 (src):    kernel-default-4.4.180-94.116.1, kernel-source-4.4.180-94.116.1, kernel-syms-4.4.180-94.116.1, kgraft-patch-SLE12-SP3_Update_31-1-4.3.1
HPE Helion Openstack 8 (src):    kernel-default-4.4.180-94.116.1, kernel-source-4.4.180-94.116.1, kernel-syms-4.4.180-94.116.1, kgraft-patch-SLE12-SP3_Update_31-1-4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Carlos López 2022-06-08 13:54:23 UTC
Done, closing.