Bug 1200598 - (CVE-2022-20166) VUL-0: CVE-2022-20166: kernel-source-rt,kernel-source,kernel-source-azure: possible out of bounds write due to sprintf unsafety
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/334765/
CVSSv3.1:SUSE:CVE-2022-20166:6.1:(AV:...
Reported: 2022-06-16 09:21 UTC by Carlos López
Modified: 2022-08-10 15:56 UTC (History)
Found By: Security Response Team
Description Carlos López 2022-06-16 09:21:37 UTC
CVE-2022-20166

In various methods of kernel base drivers, there is a possible out of bounds
write due to a heap buffer overflow. This could lead to local escalation of
privilege with System execution privileges needed. User interaction is not
needed for exploitation.
Product: Android
Versions: Android kernel
Android ID: A-182388481
References: Upstream kernel

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-20166
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-20166
https://source.android.com/security/bulletin/pixel/2022-06-01
Comment 1 Carlos López 2022-06-16 09:40:20 UTC
Upstream fix:
https://github.com/torvalds/linux/commit/aa838896d87af561a33ecefea1caa4c15a68bc47

Cherrypicked Android fix:
https://android.googlesource.com/kernel/common/+/37c7c8d4f0856ca30c2583adead91f42711f9c2f%5E%21/

Android just patches the calls in drivers/base/power/wakeup_stats.c, which are also not fixed in cve/linux-5.3. There are instances of different unpatched s(n)printf calls going back to cve/linux-4.4. There are similar calls in cve/linux-3.0, so perhaps it's worth backporting there as well.

SLE15-SP4 and newer already contain the upstream fix.

FTR I'm not sure why Android only fixed a subset of these calls.
Comment 4 Petr Mladek 2022-07-22 10:53:52 UTC
I have started working on it. It is more complicated than I thought.

The commit https://github.com/torvalds/linux/commit/aa838896d87af561a33ecefea1caa4c15a68bc47
is just one piece of a bigger series that fixed sysfs _show() callbacks
in many other locations.

I have backported the entire series for 5.3 but it was a lot of work
and it broke KABI.

Most of the changes are not actually needed because most sysfs
files show only some well defined short string and never overflow
PAGE_SIZE.

I am going to revisit it and probably backport only the parts
where _show() callback might eventually overflow PAGE_SIZE.
Comment 5 Petr Mladek 2022-07-28 11:14:38 UTC
I took the following upstream commits:

+ 2efc459d06f1630001e3984854848a5647086232 ("sysfs: Add sysfs_emit and sysfs_emit_at to format sysfs output")
+ aa838896d87af561a33ecefea1caa4c15a68bc47 ("drivers core: Use sysfs_emit and sysfs_emit_at for  show(device *...) functions")
+ 973c39115cb308b6b1fe64b4f342996f3eef06d0 ("drivers core: Remove strcat uses around sysfs_emit and neaten")
+ 948b3edba8988306b635578a72b0dab6091a5eb0 ("drivers core: Miscellaneous changes for sysfs_emit")
+ 7981593bf083801035b1f1377661849805acb216 ("mm: and drivers core: Convert hugetlb_report_node_meminfo to sysfs_emit")

Removed changes that did not fix any security problems. The more
secure API is not strictly needed when the PAGE_SIZE buffer could
never overflow, for example, when it is used to show a single integer
or a hardcoded string. I also removed many pure clean-up changes.

I have pushed it into all CVE branches cve/linux-3.0.

Reassigning back to the security team for further tracking.
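As an added illustration (not code from this bug, the kernel, or the commits listed above) of why the series replaces sprintf() in sysfs _show() callbacks only where the output is not of fixed, short length: a user-space model of the sysfs_emit_at() contract run over a wakeup_stats-style "one line per entry" callback. PAGE_SIZE, the page buffer, the entry format and the helper names are all constructed for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE 4096          /* constructed model: a 4 KiB page, as on x86_64 */
static char page[PAGE_SIZE];    /* constructed stand-in for the page handed to _show() */

/* User-space model (not the kernel's code) of the sysfs_emit_at() contract: refuse
 * offsets outside the page and cap each write at the space left, so the output as a
 * whole can never exceed PAGE_SIZE. Returns characters written, excluding the NUL. */
static int model_sysfs_emit_at(char *buf, int at, const char *fmt, ...)
{
    va_list args;
    int len;
    if (!buf || at < 0 || at >= PAGE_SIZE)
        return 0;
    va_start(args, fmt);
    len = vsnprintf(buf + at, PAGE_SIZE - at, fmt, args);
    va_end(args);
    if (len < 0)
        return 0;
    /* vsnprintf returns what it wanted to write; report what it actually wrote. */
    return len >= PAGE_SIZE - at ? PAGE_SIZE - at - 1 : len;
}

/* A _show()-style callback emitting one line per entry: the pattern where a plain
 * sprintf() loop runs past the page once there are enough entries. With the bounded
 * emitter the output is truncated at the page boundary instead. */
static int show_entries_bounded(char *buf, int n_entries)
{
    int count = 0;
    for (int i = 0; i < n_entries; i++)
        count += model_sysfs_emit_at(buf, count, "entry_%d active=%d\n", i, i % 2);
    return count;
}

/* Bytes the unbounded sprintf() version would write for the same input, measured
 * without touching any buffer: when this exceeds PAGE_SIZE, sprintf() overflows. */
static int unbounded_length(int n_entries)
{
    int total = 0;
    for (int i = 0; i < n_entries; i++)
        total += snprintf(NULL, 0, "entry_%d active=%d\n", i, i % 2);
    return total;
}

/* Run the bounded callback against the model page; page_len() checks the result. */
static int run_show(int n_entries) { return show_entries_bounded(page, n_entries); }
static int page_len(void) { return (int)strlen(page); }
```

A callback that prints a single integer or a fixed string never reaches the boundary, which is the case the comment above describes as not needing the new API; the per-entry loop does.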
Comment 15 Swamp Workflow Management 2022-08-09 16:17:32 UTC
SUSE-SU-2022:2721-1: An update that fixes 14 vulnerabilities is now available.

Category: security (important)
Bug References: 1173514,1196973,1198829,1200598,1200762,1200910,1201251,1201429,1201635,1201636,1201742,1201752,1201930,1201940
CVE References: CVE-2020-15393,CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2021-39713,CVE-2022-1462,CVE-2022-20166,CVE-2022-2318,CVE-2022-26365,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    kernel-default-4.4.121-92.181.1, kernel-source-4.4.121-92.181.1, kernel-syms-4.4.121-92.181.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Swamp Workflow Management 2022-08-09 16:19:39 UTC
SUSE-SU-2022:2720-1: An update that solves 7 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 1103269,1114648,1190812,1195775,1195926,1198484,1198829,1200442,1200598,1200644,1200651,1200910,1201196,1201381,1201429,1201635,1201636,1201644,1201651,1201742,1201752,1201930,1201940,1201954,1201958
CVE References: CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1462,CVE-2022-20166,CVE-2022-36946
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-azure-4.12.14-16.106.1, kernel-source-azure-4.12.14-16.106.1, kernel-syms-azure-4.12.14-16.106.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Swamp Workflow Management 2022-08-09 16:22:07 UTC
SUSE-SU-2022:2723-1: An update that solves 8 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1195775,1195926,1198484,1198829,1200442,1200598,1200910,1201050,1201429,1201635,1201636,1201926,1201930,1201940
CVE References: CVE-2020-36557,CVE-2020-36558,CVE-2021-26341,CVE-2021-33655,CVE-2021-33656,CVE-2022-1462,CVE-2022-20166,CVE-2022-36946
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    kernel-default-4.12.14-150000.150.98.1, kernel-docs-4.12.14-150000.150.98.2, kernel-obs-build-4.12.14-150000.150.98.1, kernel-source-4.12.14-150000.150.98.1, kernel-syms-4.12.14-150000.150.98.1, kernel-vanilla-4.12.14-150000.150.98.1
SUSE Linux Enterprise Server 15-LTSS (src):    kernel-default-4.12.14-150000.150.98.1, kernel-docs-4.12.14-150000.150.98.2, kernel-obs-build-4.12.14-150000.150.98.1, kernel-source-4.12.14-150000.150.98.1, kernel-syms-4.12.14-150000.150.98.1, kernel-vanilla-4.12.14-150000.150.98.1, kernel-zfcpdump-4.12.14-150000.150.98.1
SUSE Linux Enterprise Module for Live Patching 15 (src):    kernel-default-4.12.14-150000.150.98.1, kernel-livepatch-SLE15_Update_32-1-150000.1.3.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    kernel-default-4.12.14-150000.150.98.1, kernel-docs-4.12.14-150000.150.98.2, kernel-obs-build-4.12.14-150000.150.98.1, kernel-source-4.12.14-150000.150.98.1, kernel-syms-4.12.14-150000.150.98.1, kernel-vanilla-4.12.14-150000.150.98.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    kernel-default-4.12.14-150000.150.98.1, kernel-docs-4.12.14-150000.150.98.2, kernel-obs-build-4.12.14-150000.150.98.1, kernel-source-4.12.14-150000.150.98.1, kernel-syms-4.12.14-150000.150.98.1, kernel-vanilla-4.12.14-150000.150.98.1
SUSE Linux Enterprise High Availability 15 (src):    kernel-default-4.12.14-150000.150.98.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 18 Swamp Workflow Management 2022-08-09 16:25:41 UTC
SUSE-SU-2022:2719-1: An update that solves 7 vulnerabilities and has 16 fixes is now available.

Category: security (important)
Bug References: 1103269,1114648,1190812,1195775,1195926,1198484,1198829,1200442,1200598,1200644,1200651,1200910,1201196,1201381,1201429,1201635,1201636,1201644,1201651,1201930,1201940,1201954,1201958
CVE References: CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1462,CVE-2022-20166,CVE-2022-36946
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    kernel-default-4.12.14-122.130.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    kernel-docs-4.12.14-122.130.2, kernel-obs-build-4.12.14-122.130.1
SUSE Linux Enterprise Server 12-SP5 (src):    kernel-default-4.12.14-122.130.1, kernel-source-4.12.14-122.130.1, kernel-syms-4.12.14-122.130.1
SUSE Linux Enterprise Live Patching 12-SP5 (src):    kernel-default-4.12.14-122.130.1, kgraft-patch-SLE12-SP5_Update_34-1-8.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    kernel-default-4.12.14-122.130.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 19 Swamp Workflow Management 2022-08-10 13:17:44 UTC
SUSE-SU-2022:2741-1: An update that solves 16 vulnerabilities, contains one feature and has 15 fixes is now available.

Category: security (important)
Bug References: 1178134,1198829,1199364,1199647,1199665,1199670,1200521,1200598,1200644,1200651,1200762,1200910,1201196,1201206,1201251,1201381,1201429,1201458,1201635,1201636,1201644,1201664,1201672,1201673,1201676,1201846,1201930,1201940,1201954,1201956,1201958
CVE References: CVE-2020-36557,CVE-2020-36558,CVE-2021-33655,CVE-2021-33656,CVE-2022-1116,CVE-2022-1462,CVE-2022-20166,CVE-2022-21505,CVE-2022-2318,CVE-2022-26365,CVE-2022-29581,CVE-2022-32250,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-36946
JIRA References: SLE-24559
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.75.1, kernel-source-azure-5.3.18-150300.38.75.1, kernel-syms-azure-5.3.18-150300.38.75.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.75.1, kernel-source-azure-5.3.18-150300.38.75.1, kernel-syms-azure-5.3.18-150300.38.75.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.