Univention Bugzilla – Bug 38008
linux: Multiple security issues (3.2)
Last modified: 2015-08-21 13:11:40 CEST
After Bug 37353 has been released, these issues are still open in the 3.10 kernel in UCS 3.2: Denial of service in KVM instruction emulation (CVE-2014-3647) Denial of service in the dcache in the fs layer (CVE-2014-8559) iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160) ext4 denial of service (CVE-2014-7822) Incorrect implementation of SYSENTER emulation (CVE-2015-0239) Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042) Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041) Soft lockup in AIO (CVE-2014-8172) chown can be abused to remove xattr permissions of files (CVE-2015-1350) Race condition in file handle support (CVE-2015-1420)
Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
These are fixed as of 3.10.72: Linux mishandles int80 fork from 64-bit tasks (CVE-2015-2830) These are fixed as of 3.10.73: Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
Also fixed in 3.10.73: * Buffer overruns in Linux kernel RFC4106 implementation using AESNI (CVE-2015-3331) Currently not yet backported to upstream version 3.10.75: * TCP Fast Open local DoS (CVE-2015-3332) Patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782515#61 * chown() was racy relative to execve() (CVE-2015-3339)
DoS -- OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (CVE-2014-9715)
One new issue: * privilege escalation via ping sockets due to use-after-free (CVE-2015-3636) Fixed in 3.10.75: CVE-2014-8159 Fixed in 3.10.76: CVE-2015-0239, CVE-2014-8160 CVE-2014-7822
Fixed in 3.10.77: * privilege escalation via ping sockets due to use-after-free (CVE-2015-3636) Fixed in 3.10.81: • Linux UDP checksum DoS (CVE-2015-5364) • Linux UDP checksum DoS EGAIN part (CVE-2015-5366) Fixed in 3.10.83: • btrfs: non-atomic xattr replace operation (CVE-2014-9710) • Kernel execution in the early microcode loader via crafted microcode (CVE-2015-2666) • chown() was racy relative to execve() (CVE-2015-3339) • Soft lockup in AIO (CVE-2014-8172) Additional issues: • USERNS allows circumventing MNT_LOCKED (CVE-2014-9717) • It is possible to escape from bind mounts (CVE-2015-2925) • SCTP race condition allows list corruption and panic from userlevel (CVE-2015-3212) • drivers/vhost/scsi.c: potential memory corruption (CVE-2015-4036) * udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167) • kvm: x86: NULL pointer dereference in kvm_apic_has_events function (CVE-2015-4692) • Crafted BPF filters may crash kernel during JIT optimisation (CVE-2015-4700)
Note: this commit v3.10.73: e64a85197b3f tcp: make connect() mem charging friendly also introduces (backports): * TCP Fast Open local DoS (CVE-2015-3332) See http://bugs.debian.org/782515
Also fixed in 3.10.82: * pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic (CVE-2015-1805)
DSA 3313-1 mentions these as fixed in 3.16.7-ckt11-1+deb8u3, introduced in 3.3, so they probably affect the 3.10 version too: * Denial of service and possible privilege escalation by local unprivileged user due to incorrect handling of a NMI that interrupts userspace and encounters an IRET (CVE-2015-5157) * Denial of service due to skiped NMIs triggered by a malicious userspace program (CVE-2015-3291)
* Potential privilege escalation due to an integer overflow in the SCSI generic driver, exploitable by a local user with write permission on a SCSI generic device (CVE-2015-5707) * Information leak in the md driver (CVE-2015-5697)
Fixed. I've patched to the latest upstream 3.10 kernel: 3.10.87. I had some trouble with the aufs patches. Fore the outstanding issues: Bug #39209 YAML files: 2015-08-17-linux.yaml 2015-08-17-univention-kernel-image.yaml
OK: univention-install univention-kernel-image OK: uname -r # 3.10.0-ucs139-686-pae 3.10.0-ucs139-amd64 OK: dmesg OK: zless /usr/share/doc/linux-image-3.10.0-ucs139-686-pae/changelog.Debian.gz OK: amd64@kvm i386@kvm amd64@hw FIXED: 2015-08-17-univention-kernel-image.yaml FIXED: 2015-08-17-linux.yaml OK: errata-announce -V 2015-08-17-univention-kernel-image.yaml OK: errata-announce -V 2015-08-17-linux.yaml Missing from Bug #38008 comment 0: > Denial of service in KVM instruction emulation (CVE-2014-3647) FAIL: not fixed, missing in Bug #39209 <https://security-tracker.debian.org/tracker/CVE-2014-3647> <no-dsa> (KVM not supported in Squeeze LTS) is is problematic for UCS FAIL: 56-stable-72-to-88.patch: there is no 3.10.88 yet; latest is .87! OK: <https://security-tracker.debian.org/tracker/CVE-2014-8172> <no-dsa> (Too intrusive to backport) -> Bug #39209 FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-2830> is fixed $ git log v3.10.71..v3.10.87 -- arch/x86/kernel^/entry_64.S commit 22e764ee4bafa7dbf5edd2580de006e32e671e93 FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3331> is fixed $ git log v3.10.71..v3.10.87 -- arch/x86/crypto/aesni-intel_glue.c commit 31c06b946ce68c0792288f456f0e57e45c19b322 FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3339> is fixed $ git log v3.10.71..v3.10.87 -- fs/exec.c commit 9eae8ac6ab40b896b472c526afe7847e798f4f36 OK: <https://security-tracker.debian.org/tracker/CVE-2015-2666> -> Bug #39209 OK: <https://security-tracker.debian.org/tracker/CVE-2015-5157> -> Bug #39209 OK: <https://security-tracker.debian.org/tracker/CVE-2015-3291> -> Bug #39209
(In reply to Philipp Hahn from comment #13) > Missing from Bug #38008 comment 0: > > Denial of service in KVM instruction emulation (CVE-2014-3647) > FAIL: not fixed, missing in Bug #39209 > > <https://security-tracker.debian.org/tracker/CVE-2014-3647> <no-dsa> (KVM > not supported in Squeeze LTS) > is is problematic for UCS Kernel 3.10 is not part of any Debian release. I've used the upstream kernel patches. I've added CVE-2014-3647 to Bug #39209. > FAIL: 56-stable-72-to-88.patch: there is no 3.10.88 yet; latest is .87! OK, I've renamed the patch. But I've not rebuild the package. > FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-2830> is fixed > $ git log v3.10.71..v3.10.87 -- arch/x86/kernel^/entry_64.S > commit 22e764ee4bafa7dbf5edd2580de006e32e671e93 > > FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3331> is fixed > $ git log v3.10.71..v3.10.87 -- arch/x86/crypto/aesni-intel_glue.c > commit 31c06b946ce68c0792288f456f0e57e45c19b322 > > FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3339> is fixed > $ git log v3.10.71..v3.10.87 -- fs/exec.c > commit 9eae8ac6ab40b896b472c526afe7847e798f4f36 I've added CVE-2015-2830 + CVE-2015-3331 + CVE-2015-3339 to the YAML files: r63120
OK: amd64@hw KVM OK: YAML OK: Bug #39209 FAIL: xen-dom0 [ 604.965186] INFO: rcu_sched self-detected stall on CPU { 6} (t=5250 jiffies g=5053 c=5052 q=542) [ 604.965192] sending NMI to all CPUs: [ 604.965195] xen: vector 0x2 is not implemented [ 604.981187] INFO: rcu_sched detected stalls on CPUs/tasks: { 6} (detected by 3, t=5254 jiffies, g=5053, c=5052, q=542) [ 614.886125] BUG: soft lockup - CPU#6 stuck for 26s! [qemu-dm:3489] [ 614.886171] Modules linked in: xt_physdev xen_blkback tun xen_netback ebtable_nat ebtables xen_gntdev ip6t_REJECT ipt_REJECT xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_filter ip6_tables xt_state iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 nfs fscache dns_resolver lockd sunrpc bridge stp llc loop blktap xen_blkfront xenfs xen_privcmd xen_evtchn quota_v2 quota_tree coretemp psmouse snd_hda_intel snd_hda_codec crc32c_intel snd_hwdep i7core_edac mperf snd_pcm tpm_tis i2c_i801 tpm pcspkr i2c_core lpc_ich serio_raw tpm_bios processor edac_core mfd_core snd_timer evdev thermal_sys snd microcode soundcore snd_page_alloc ext4 jbd2 crc16 dm_snapshot dm_mirror dm_region_hash dm_log dm_mod sg sr_mod sd_mod cdrom crc_t10dif ahci libahci libata ehci_pci ehci_hcd sky2 usbcore usb_common button [ 614.886216] CPU: 6 PID: 3489 Comm: qemu-dm Not tainted 3.10.0-ucs139-amd64 #1 Debian 3.10.11-1.139.201508182015 [ 614.886218] Hardware name: System manufacturer System Product Name/P7F-X Series, BIOS 0703 09/24/2010 [ 614.886220] task: ffff880220f9b0c0 ti: ffff8801ea8ba000 task.ti: ffff8801ea8ba000 [ 614.886221] RIP: e030:[<ffffffff8106021a>] [<ffffffff8106021a>] mspin_lock+0x2c/0x33 [ 614.886226] RSP: e02b:ffff8801ea8bbbc0 EFLAGS: 00000246 [ 614.886228] RAX: 0000000000000000 RBX: ffff88021de9e760 RCX: 0000000000000000 [ 614.886229] RDX: 0000000000000000 RSI: ffff8801ea8bbc00 RDI: ffff88021de9e780 [ 614.886230] RBP: ffff88021de9e780 R08: ffffffff813cbc4b R09: 0000000000000000 [ 614.886231] R10: ffff88021df6a0a0 R11: ffff88021df6a0a0 R12: ffff8801ea8bbbf8 [ 614.886233] R13: ffff880220f9b0c0 R14: 0000000000000002 R15: ffff880220ff2a90 [ 614.886237] FS: 00007f44d6b67700(0000) GS:ffff88022eec0000(0000) knlGS:0000000000000000 [ 614.886238] CS: e033 DS: 0000 ES: 0000 CR0: 000000008005003b [ 614.886239] CR2: ffffffffff600000 CR3: 0000000221ba1000 CR4: 0000000000002660 [ 614.886241] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 614.886242] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 [ 614.886243] Stack: [ 614.886244] ffffffff813cb99a ffff88021de9e778 ffff8801ea8ba010 ffff8801ea8bbbd8 [ 614.886247] ffff88022e800480 ffff880222a4d000 ffffffff8110b097 0000000000000000 [ 614.886249] ffff880200000000 0000000100000008 ffff88021de9e760 ffff88021de9e760 [ 614.886251] Call Trace: [ 614.886257] [<ffffffff813cb99a>] ? __mutex_lock_common+0x66/0x251 [ 614.886260] [<ffffffff8110b097>] ? __cache_free+0x187/0x196 [ 614.886263] [<ffffffff813cbc4b>] ? mutex_lock+0x1a/0x2c [ 614.886266] [<ffffffffa042a3f6>] ? gntdev_release+0x19/0x9a [xen_gntdev] [ 614.886270] [<ffffffff8111db67>] ? __fput+0xe9/0x1b6 [ 614.886273] [<ffffffff8105b677>] ? task_work_run+0x7f/0x96 [ 614.886276] [<ffffffff810453f7>] ? do_exit+0x406/0x981 [ 614.886279] [<ffffffff810459ed>] ? do_group_exit+0x7b/0xa5 [ 614.886282] [<ffffffff81052396>] ? get_signal_to_deliver+0x47c/0x49f [ 614.886285] [<ffffffff8100d079>] ? do_signal+0x3b/0x540 [ 614.886288] [<ffffffff813d0abc>] ? __do_page_fault+0x28d/0x3d7 [ 614.886291] [<ffffffff8112a196>] ? do_vfs_ioctl+0x419/0x488 [ 614.886295] [<ffffffff8104f7c9>] ? __set_task_blocked+0x5a/0x61 [ 614.886297] [<ffffffff8100d5a3>] ? do_notify_resume+0x25/0x67 [ 614.886299] [<ffffffff813cda22>] ? retint_signal+0x48/0x86 [ 614.886300] Code: 46 08 00 00 00 00 48 c7 06 00 00 00 00 48 89 f0 48 87 07 48 85 c0 75 08 c7 46 08 01 00 00 00 c3 48 89 30 48 83 c6 08 eb 02 f3 90 <8b> 06 85 c0 74 f8 c3 53 48 89 fb 48 8d 7f 04 e8 f3 d3 36 00 83 Testes older 3.10.0-ucs114-amd64, which also fails, but differently: [ 480.560445] qemu-dm[2850]: segfault at 7fe34cbf3001 ip 00000000004389b4 sp 00007fff613503b8 error 4 in qemu-dm[400000+12a000]
(In reply to Philipp Hahn from comment #15) > FAIL: xen-dom0 > [ 604.965186] INFO: rcu_sched self-detected stall on CPU { 6} (t=5250 > jiffies g=5053 c=5052 q=542) Can you give more details how to reproduce it?
(In reply to Stefan Gohmann from comment #16) > (In reply to Philipp Hahn from comment #15) > > FAIL: xen-dom0 > > [ 604.965186] INFO: rcu_sched self-detected stall on CPU { 6} (t=5250 > > jiffies g=5053 c=5052 q=542) > > Can you give more details how to reproduce it? Seems to be NFS related: After copying the VM image to local storage, the VM starts fine. As the bug also happens with the previous kernel version, this is not a regression. OK: Xen-domU OK: Xen-dom0
(In reply to Philipp Hahn from comment #17) > Seems to be NFS related: After copying the VM image to local storage, the VM > starts fine. > As the bug also happens with the previous kernel version, this is not a > regression. I've tested again on a NFS storage and on a local storage. It worked in both cases.
<http://errata.univention.de/ucs/3.2/351.html> <http://errata.univention.de/ucs/3.2/352.html>