Bug 1035673 - (CVE-2017-8065) VUL-0: CVE-2017-8065: kernel-source: crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts incorrectly with the CON...
Status: RESOLVED UPSTREAM
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assigned To: E-mail List
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/184096/
Whiteboard:
Depends on:
Blocks:
Reported: 2017-04-24 10:01 UTC by Marcus Meissner
Modified: 2017-04-24 10:46 UTC (History)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2017-04-24 10:01:09 UTC
CVE-2017-8065

crypto/ccm.c in the Linux kernel 4.9.x and 4.10.x through 4.10.12 interacts
incorrectly with the CONFIG_VMAP_STACK option, which allows local users to cause
a denial of service (system crash or memory corruption) or possibly have
unspecified other impact by leveraging use of more than one virtual page for a
DMA scatterlist.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-8065
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8065
https://github.com/torvalds/linux/commit/3b30460c5b0ed762be75a004e924ec3f8711e032
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3b30460c5b0ed762be75a004e924ec3f8711e032
Comment 1 Marcus Meissner 2017-04-24 10:46:11 UTC
Only in 4.11 RCs, when I read the Fixes line right.

 crypto: ccm - move cbcmac input off the stack

Commit f15f05b ("crypto: ccm - switch to separate cbcmac driver")
refactored the CCM driver to allow separate implementations of the
underlying MAC to be provided by a platform. However, in doing so, it
moved some data from the linear region to the stack, which violates the
SG constraints when the stack is virtually mapped.

So move idata/odata back to the request ctx struct, of which we can
reasonably expect that it has been allocated using kmalloc() et al.

Reported-by: Johannes Berg <johannes@sipsolutions.net>
Fixes: f15f05b ("crypto: ccm - switch to separate cbcmac driver")
Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Tested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>