Bug 1020602 – VUL-0: CVE-2017-2583: kernel-source: broken emulation of "MOV SS, null selector"

Bug 1020602 - (CVE-2017-2583) VUL-0: CVE-2017-2583: kernel-source: broken emulation of "MOV SS, null selector"

(CVE-2017-2583)
Summary:	VUL-0: CVE-2017-2583: kernel-source: broken emulation of "MOV SS, null selector"

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/178813/
Whiteboard:	CVSSv2:SUSE:CVE-2017-2583:5.4:(AV:A/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-01-18 10:46 UTC by Andreas Stieger
Modified:	2019-08-16 17:19 UTC (History)
CC List:	5 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2017-01-18 10:46:51 UTC

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=33ab91103b3415e12457e3104f0e4517ce12d0f3

KVM: x86: fix emulation of "MOV SS, null selector"
This is CVE-2017-2583.  On Intel this causes a failed vmentry because
SS's type is neither 3 nor 7 (even though the manual says this check is
only done for usable SS, and the dmesg splat says that SS is unusable!).
On AMD it's worse: svm.c is confused and sets CPL to 0 in the vmcb.

The fix fabricates a data segment descriptor when SS is set to a null
selector, so that CPL and SS.DPL are set correctly in the VMCS/vmcb.
Furthermore, only allow setting SS to a NULL selector if SS.RPL < 3;
this in turn ensures CPL < 3 because RPL must be equal to CPL.

Thanks to Andy Lutomirski and Willy Tarreau for help in analyzing
the bug and deciphering the manuals.

Reported-by: Xiaohan Zhang <zhangxiaohan1@huawei.com>
Fixes: 79d5b4c3cd809c770d4bf9812635647016c56011
Cc: stable@nongnu.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>



Fixed in v4.10-rc4, from v3.6 

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2583
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2583.html

Comment 1 Swamp Workflow Management 2017-01-18 23:00:29 UTC

bugbot adjusting priority

Comment 2 Joerg Roedel 2017-01-20 14:42:52 UTC

Patch is backported to all relevant branches.

Comment 3 Joerg Roedel 2017-01-30 12:14:14 UTC

Assigning back to security team.

Comment 4 Swamp Workflow Management 2017-02-06 20:17:07 UTC

SUSE-SU-2017:0407-1: An update that solves 24 vulnerabilities and has 56 fixes is now available.

Category: security (important)
Bug References: 1003813,1005666,1007197,1008557,1008567,1008831,1008833,1008876,1008979,1009062,1009969,1010040,1010213,1010294,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011685,1012060,1012422,1012754,1012917,1012985,1013001,1013038,1013479,1013531,1013533,1013540,1013604,1014410,1014746,1016713,1016725,1016961,1017164,1017170,1017410,1017710,1018100,1019032,1019148,1019260,1019300,1019783,1019851,1020214,1020602,1021258,856380,857394,858727,921338,921778,922052,922056,923036,923037,924381,938963,972993,980560,981709,983087,983348,984194,984419,985850,987192,987576,990384,991273,993739,997807,999101
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8645,CVE-2016-8655,CVE-2016-9083,CVE-2016-9084,CVE-2016-9555,CVE-2016-9576,CVE-2016-9756,CVE-2016-9793,CVE-2016-9794,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src):    kernel-compute-3.12.69-60.30.1, kernel-compute_debug-3.12.69-60.30.1, kernel-rt-3.12.69-60.30.1, kernel-rt_debug-3.12.69-60.30.1, kernel-source-rt-3.12.69-60.30.1, kernel-syms-rt-3.12.69-60.30.1

Comment 5 Swamp Workflow Management 2017-02-13 20:22:35 UTC

openSUSE-SU-2017:0456-1: An update that solves 11 vulnerabilities and has 98 fixes is now available.

Category: security (important)
Bug References: 1000092,1000619,1003077,1003253,1005918,1006469,1006472,1007729,1008742,1009546,1009674,1009718,1009911,1009969,1010612,1010690,1011176,1011250,1011602,1011660,1011913,1012422,1012829,1012910,1013000,1013001,1013273,1013531,1013540,1013542,1013792,1013994,1014120,1014392,1014410,1014701,1014710,1015038,1015212,1015359,1015367,1015416,1015840,1016250,1016403,1016517,1016884,1016979,1017164,1017170,1017410,1017589,1018100,1018316,1018358,1018385,1018446,1018813,1018913,1019061,1019148,1019260,1019351,1019594,1019630,1019631,1019784,1019851,1020214,1020488,1020602,1020685,1020817,1020945,1020975,1021248,1021251,1021258,1021260,1021294,1021455,1021474,1022304,1022429,1022476,1022547,1022559,1022971,1023101,1023175,921494,959709,960561,964944,966170,966172,966186,966191,969474,969475,969756,971975,974215,979378,981709,985561,987192,987576,991273
CVE References: CVE-2015-8709,CVE-2016-7117,CVE-2016-8645,CVE-2016-9793,CVE-2016-9806,CVE-2016-9919,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.46-11.1, kernel-default-4.4.46-11.1, kernel-docs-4.4.46-11.3, kernel-obs-build-4.4.46-11.1, kernel-obs-qa-4.4.46-11.1, kernel-source-4.4.46-11.1, kernel-syms-4.4.46-11.1, kernel-vanilla-4.4.46-11.1

Comment 6 Swamp Workflow Management 2017-02-14 23:18:38 UTC

SUSE-SU-2017:0464-1: An update that solves 19 vulnerabilities and has 58 fixes is now available.

Category: security (important)
Bug References: 1003813,1005666,1007197,1008557,1008567,1008833,1008876,1008979,1009062,1009969,1010040,1010213,1010294,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1012060,1012422,1012917,1012985,1013001,1013038,1013479,1013531,1013540,1013542,1014410,1014746,1016713,1016725,1016961,1017164,1017170,1017410,1017589,1017710,1018100,1019032,1019148,1019260,1019300,1019783,1019851,1020214,1020602,1021258,856380,857394,858727,921338,921778,922052,922056,923036,923037,924381,938963,972993,980560,981709,983087,983348,984194,984419,985850,987192,987576,990384,991273,993739,997807,999101
CVE References: CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.69-60.64.29.3, kernel-obs-build-3.12.69-60.64.29.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1, kernel-source-3.12.69-60.64.29.1, kernel-syms-3.12.69-60.64.29.1, kernel-xen-3.12.69-60.64.29.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.69-60.64.29.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_12-1-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.69-60.64.29.1, kernel-source-3.12.69-60.64.29.1, kernel-syms-3.12.69-60.64.29.1, kernel-xen-3.12.69-60.64.29.1

Comment 7 Swamp Workflow Management 2017-02-15 20:13:14 UTC

SUSE-SU-2017:0471-1: An update that solves 34 vulnerabilities and has 48 fixes is now available.

Category: security (important)
Bug References: 1003153,1003925,1004462,1004517,1005666,1007197,1008833,1008979,1009969,1010040,1010475,1010478,1010501,1010502,1010507,1010612,1010711,1010716,1011820,1012422,1013038,1013531,1013540,1013542,1014746,1016482,1017410,1017589,1017710,1019300,1019851,1020602,1021258,881008,915183,958606,961257,970083,971989,976195,978094,980371,980560,981038,981597,981709,982282,982544,983619,983721,983977,984148,984419,984755,985978,986362,986365,986445,986569,986572,986811,986941,987542,987565,987576,989152,990384,991608,991665,993392,993890,993891,994296,994748,994881,995968,997708,998795,999584,999600,999932,999943
CVE References: CVE-2014-9904,CVE-2015-8956,CVE-2015-8962,CVE-2015-8963,CVE-2015-8964,CVE-2016-10088,CVE-2016-4470,CVE-2016-4998,CVE-2016-5696,CVE-2016-5828,CVE-2016-5829,CVE-2016-6130,CVE-2016-6327,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7913,CVE-2016-7914,CVE-2016-8399,CVE-2016-8633,CVE-2016-8645,CVE-2016-8658,CVE-2016-9083,CVE-2016-9084,CVE-2016-9756,CVE-2016-9793,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.66.1, kernel-source-3.12.61-52.66.1, kernel-syms-3.12.61-52.66.1, kernel-xen-3.12.61-52.66.1, kgraft-patch-SLE12_Update_19-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.66.1

Comment 8 Swamp Workflow Management 2017-02-28 23:20:21 UTC

SUSE-SU-2017:0575-1: An update that solves 11 vulnerabilities and has 95 fixes is now available.

Category: security (important)
Bug References: 1000092,1000619,1003077,1005918,1006469,1006472,1007729,1008742,1009546,1009674,1009718,1009911,1010612,1010690,1010933,1011176,1011602,1011660,1011913,1012382,1012422,1012829,1012910,1013000,1013001,1013273,1013540,1013792,1013994,1014120,1014410,1015038,1015367,1015840,1016250,1016403,1016517,1016884,1016979,1017164,1017170,1017410,1018100,1018316,1018358,1018446,1018813,1018913,1019061,1019148,1019168,1019260,1019351,1019594,1019630,1019631,1019784,1019851,1020048,1020214,1020488,1020602,1020685,1020817,1020945,1020975,1021082,1021248,1021251,1021258,1021260,1021294,1021455,1021474,1022304,1022429,1022476,1022547,1022559,1022971,1023101,1023175,1023762,1023884,1023888,1024081,1024234,1024508,1024938,1025235,921494,959709,964944,969476,969477,969479,971975,974215,981709,982783,985561,987192,987576,989056,991273,998106
CVE References: CVE-2015-8709,CVE-2016-7117,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.49-92.11.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.49-92.11.3, kernel-obs-build-4.4.49-92.11.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.49-92.11.1, kernel-source-4.4.49-92.11.1, kernel-syms-4.4.49-92.11.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.49-92.11.1, kernel-source-4.4.49-92.11.1, kernel-syms-4.4.49-92.11.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_5-1-6.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.49-92.11.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.49-92.11.1, kernel-source-4.4.49-92.11.1, kernel-syms-4.4.49-92.11.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.49-92.11.1

Comment 9 Marcus Meissner 2017-03-02 14:20:43 UTC

released

Comment 10 Swamp Workflow Management 2017-04-01 13:08:08 UTC

openSUSE-SU-2017:0906-1: An update that solves 15 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1019851,1020602,1022785,1023377,1025235,1026722,1026914,1027066,1027178,1027179,1027189,1027190,1027565,1028415,1029986,1030118,1030573,968697
CVE References: CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-5669,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6348,CVE-2017-6353,CVE-2017-7184
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.39-53.1, kernel-default-4.1.39-53.1, kernel-docs-4.1.39-53.2, kernel-ec2-4.1.39-53.1, kernel-obs-build-4.1.39-53.1, kernel-obs-qa-4.1.39-53.1, kernel-pae-4.1.39-53.1, kernel-pv-4.1.39-53.1, kernel-source-4.1.39-53.1, kernel-syms-4.1.39-53.1, kernel-vanilla-4.1.39-53.1, kernel-xen-4.1.39-53.1

Comment 11 Swamp Workflow Management 2017-07-28 13:23:14 UTC

SUSE-SU-2017:1990-1: An update that solves 43 vulnerabilities and has 282 fixes is now available.

Category: security (important)
Bug References: 1000092,1003077,1003581,1004003,1007729,1007959,1007962,1008842,1009674,1009718,1010032,1010612,1010690,1011044,1011176,1011913,1012060,1012382,1012422,1012452,1012829,1012910,1012985,1013001,1013561,1013792,1013887,1013994,1014120,1014136,1015342,1015367,1015452,1015609,1016403,1017164,1017170,1017410,1017461,1017641,1018100,1018263,1018358,1018385,1018419,1018446,1018813,1018885,1018913,1019061,1019148,1019163,1019168,1019260,1019351,1019594,1019614,1019618,1019630,1019631,1019784,1019851,1020048,1020214,1020412,1020488,1020602,1020685,1020817,1020945,1020975,1021082,1021248,1021251,1021258,1021260,1021294,1021424,1021455,1021474,1021762,1022181,1022266,1022304,1022340,1022429,1022476,1022547,1022559,1022595,1022785,1022971,1023101,1023175,1023287,1023762,1023866,1023884,1023888,1024015,1024081,1024234,1024508,1024938,1025039,1025235,1025461,1025683,1026024,1026405,1026462,1026505,1026509,1026570,1026692,1026722,1027054,1027066,1027101,1027153,1027179,1027189,1027190,1027195,1027273,1027512,1027565,1027616,1027974,1028017,1028027,1028041,1028158,1028217,1028310,1028325,1028340,1028372,1028415,1028819,1028883,1028895,1029220,1029514,1029607,1029634,1029986,1030057,1030070,1030118,1030213,1030573,1031003,1031040,1031052,1031142,1031147,1031200,1031206,1031208,1031440,1031470,1031500,1031512,1031555,1031579,1031662,1031717,1031796,1031831,1032006,1032141,1032339,1032345,1032400,1032581,1032673,1032681,1032803,1033117,1033281,1033287,1033336,1033340,1033885,1034048,1034419,1034635,1034670,1034671,1034762,1034902,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036638,1036752,1036763,1037177,1037186,1037384,1037483,1037669,1037840,1037871,1037969,1038033,1038043,1038085,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1038981,1038982,1039348,1039354,1039700,1039864,1039882,1039883,1039885,1039900,1040069,1040125,1040182,1040279,1040351,1040364,1040395,1040425,1040463,1040567,1040609,1040855,1040929,1040941,1041087,1041160,1041168,1041242,1041431,1041810,1042200,1042286,1042356,1042421,1042517,1042535,1042536,1042863,1042886,1043014,1043231,1043236,1043347,1043371,1043467,1043488,1043598,1043912,1043935,1043990,1044015,1044082,1044120,1044125,1044532,1044767,1044772,1044854,1044880,1044912,1045154,1045235,1045286,1045307,1045340,1045467,1045568,1046105,1046434,1046589,799133,863764,870618,922871,951844,966170,966172,966191,966321,966339,968697,969479,969755,970083,971975,982783,985561,986362,986365,987192,987576,988065,989056,989311,990058,990682,991273,993832,995542,995968,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-4997,CVE-2016-4998,CVE-2016-7117,CVE-2016-9191,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-2671,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7346,CVE-2017-7374,CVE-2017-7487,CVE-2017-7616,CVE-2017-7618,CVE-2017-8890,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.74-7.10.1, kernel-rt_debug-4.4.74-7.10.1, kernel-source-rt-4.4.74-7.10.1, kernel-syms-rt-4.4.74-7.10.1