Bug 38008 - linux: Multiple security issues (3.2)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
Version: UCS 3.2
Hardware: Other Linux
Importance: P3 normal
Target Milestone: UCS 3.2-6-errata
Assigned To: Stefan Gohmann
QA Contact: Philipp Hahn
Reported: 2015-03-11 13:19 CET by Moritz Muehlenhoff
Modified: 2015-08-21 13:11 CEST
Description Moritz Muehlenhoff univentionstaff 2015-03-11 13:19:29 CET
After Bug 37353 has been released, these issues are still open in the 3.10 kernel in UCS 3.2:

Denial of service in KVM instruction emulation (CVE-2014-3647)
Denial of service in the dcache in the fs layer (CVE-2014-8559)
iptables doesn't handle SCTP rules unless the SCTP module is loaded (CVE-2014-8160)
ext4 denial of service (CVE-2014-7822)
Incorrect implementation of SYSENTER emulation (CVE-2015-0239)
Memory leak to userspace due to incorrect data type in rds_sysctl_rds_table (CVE-2015-2042)
Memory leak to userspace due to incorrect data type in llc2_timeout_table (CVE-2015-2041)
Soft lockup in AIO (CVE-2014-8172)
chown can be abused to remove xattr permissions of files (CVE-2015-1350)
Race condition in file handle support (CVE-2015-1420)
Comment 1 Arvid Requate univentionstaff 2015-03-11 22:15:46 CET
Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
Comment 2 Moritz Muehlenhoff univentionstaff 2015-03-13 10:47:25 CET
infiniband: uverbs: unprotected physical memory access (CVE-2014-8159)
Comment 3 Arvid Requate univentionstaff 2015-04-07 15:57:41 CEST
These are fixed as of 3.10.72:

Linux mishandles int80 fork from 64-bit tasks (CVE-2015-2830)

These are fixed as of 3.10.73:

Xen: Non-maskable interrupts triggerable by guests (CVE-2015-2150)
Comment 4 Arvid Requate univentionstaff 2015-04-27 13:25:12 CEST
Also fixed in 3.10.73:

* Buffer overruns in Linux kernel RFC4106 implementation using AESNI (CVE-2015-3331)


Currently not yet backported to upstream version 3.10.75:

* TCP Fast Open local DoS (CVE-2015-3332)
  Patch: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=782515#61

* chown() was racy relative to execve() (CVE-2015-3339)
Comment 5 Arvid Requate univentionstaff 2015-04-27 15:27:48 CEST
DoS -- OOPS NULL pointer dereference in nf_nat_setup_info+0x471 (CVE-2014-9715)
Comment 6 Arvid Requate univentionstaff 2015-05-18 11:04:07 CEST
One new issue:

* privilege escalation via ping sockets due to use-after-free (CVE-2015-3636)


Fixed in 3.10.75: CVE-2014-8159
Fixed in 3.10.76: CVE-2015-0239, CVE-2014-8160, CVE-2014-7822
Comment 7 Arvid Requate univentionstaff 2015-07-13 16:54:55 CEST
Fixed in 3.10.77:
* privilege escalation via ping sockets due to use-after-free (CVE-2015-3636)

Fixed in 3.10.81:
• Linux UDP checksum DoS (CVE-2015-5364)
• Linux UDP checksum DoS EAGAIN part (CVE-2015-5366)

Fixed in 3.10.83:
• btrfs: non-atomic xattr replace operation (CVE-2014-9710)
• Kernel execution in the early microcode loader via crafted microcode (CVE-2015-2666)
• chown() was racy relative to execve() (CVE-2015-3339)
• Soft lockup in AIO (CVE-2014-8172)

Additional issues:

• USERNS allows circumventing MNT_LOCKED (CVE-2014-9717)
• It is possible to escape from bind mounts (CVE-2015-2925)
• SCTP race condition allows list corruption and panic from userlevel (CVE-2015-3212)
• drivers/vhost/scsi.c: potential memory corruption (CVE-2015-4036)
• udf: Check length of extended attributes and allocation descriptors (CVE-2015-4167)
• kvm: x86: NULL pointer dereference in kvm_apic_has_events function (CVE-2015-4692)
• Crafted BPF filters may crash kernel during JIT optimisation (CVE-2015-4700)
Comment 8 Arvid Requate univentionstaff 2015-07-13 17:05:26 CEST
Note: this commit

v3.10.73: e64a85197b3f tcp: make connect() mem charging friendly

also introduces (backports):

* TCP Fast Open local DoS (CVE-2015-3332)

See http://bugs.debian.org/782515
Comment 9 Arvid Requate univentionstaff 2015-07-14 12:59:36 CEST
Also fixed in 3.10.82:

* pipe: iovec: Fix memory corruption when retrying atomic copy as non-atomic (CVE-2015-1805)
Comment 10 Arvid Requate univentionstaff 2015-08-14 09:50:12 CEST
DSA 3313-1 mentions these as fixed in 3.16.7-ckt11-1+deb8u3, introduced in 3.3, so they probably affect the 3.10 version too:

* Denial of service and possible privilege escalation by local unprivileged user due to incorrect handling of a NMI that interrupts userspace and encounters an IRET (CVE-2015-5157)

* Denial of service due to skipped NMIs triggered by a malicious userspace program (CVE-2015-3291)
Comment 11 Arvid Requate univentionstaff 2015-08-14 10:10:58 CEST
* Potential privilege escalation due to an integer overflow in the SCSI generic driver, exploitable by a local user with write permission on a SCSI generic device (CVE-2015-5707)

* Information leak in the md driver (CVE-2015-5697)
Comment 12 Stefan Gohmann univentionstaff 2015-08-19 10:10:25 CEST
Fixed. I've patched to the latest upstream 3.10 kernel: 3.10.87.

I had some trouble with the aufs patches.

For the outstanding issues: Bug #39209

YAML files:
 2015-08-17-linux.yaml
 2015-08-17-univention-kernel-image.yaml
Comment 13 Philipp Hahn univentionstaff 2015-08-19 15:27:34 CEST
OK: univention-install univention-kernel-image
OK: uname -r # 3.10.0-ucs139-686-pae 3.10.0-ucs139-amd64
OK: dmesg
OK: zless  /usr/share/doc/linux-image-3.10.0-ucs139-686-pae/changelog.Debian.gz

OK: amd64@kvm i386@kvm amd64@hw

FIXED: 2015-08-17-univention-kernel-image.yaml
FIXED: 2015-08-17-linux.yaml
OK: errata-announce -V 2015-08-17-univention-kernel-image.yaml
OK: errata-announce -V 2015-08-17-linux.yaml

Missing from Bug #38008 comment 0:
> Denial of service in KVM instruction emulation (CVE-2014-3647)
FAIL: not fixed, missing in Bug #39209

<https://security-tracker.debian.org/tracker/CVE-2014-3647> <no-dsa> (KVM not supported in Squeeze LTS)
This is problematic for UCS


FAIL: 56-stable-72-to-88.patch: there is no 3.10.88 yet; latest is .87!

OK: <https://security-tracker.debian.org/tracker/CVE-2014-8172> <no-dsa> (Too intrusive to backport) -> Bug #39209

FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-2830> is fixed
$ git log v3.10.71..v3.10.87 -- arch/x86/kernel/entry_64.S
commit 22e764ee4bafa7dbf5edd2580de006e32e671e93

FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3331> is fixed
$ git log v3.10.71..v3.10.87 -- arch/x86/crypto/aesni-intel_glue.c
commit 31c06b946ce68c0792288f456f0e57e45c19b322

FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3339> is fixed
$ git log v3.10.71..v3.10.87 -- fs/exec.c
commit 9eae8ac6ab40b896b472c526afe7847e798f4f36

OK: <https://security-tracker.debian.org/tracker/CVE-2015-2666> -> Bug #39209

OK: <https://security-tracker.debian.org/tracker/CVE-2015-5157> -> Bug #39209

OK: <https://security-tracker.debian.org/tracker/CVE-2015-3291> -> Bug #39209
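The fix-presence checks in this comment were done by hand with `git log v3.10.71..v3.10.87 -- <path>` and reading off the commit id. The shell script below is an added example, not part of this bug report or of the UCS kernel packaging: it asks git directly whether each fix commit is an ancestor of a stable tag (`git merge-base --is-ancestor`) and reports one OK/FAIL line per CVE in the style used above, so a whole list can be re-checked after every rebase onto a newer 3.10.x. The throw-away repository it builds, the reuse of the tag names v3.10.71 and v3.10.87 inside it, and the ids CVE-0000-0001 and CVE-0000-0002 are constructed for the demo; `has_fix`, `check_fixes`, `make_demo_repo` and `demo_outcome` are names chosen here, not tooling from the project.

```shell
#!/bin/sh
# Added example (not from the bug report): verify that the commits fixing a
# set of CVEs are contained in a given stable tag. Instead of searching the
# history per path, ask git whether each fix commit is reachable from the tag.

# has_fix REPO TAG COMMIT -> exit 0 if COMMIT is an ancestor of TAG
has_fix() {
    git -C "$1" merge-base --is-ancestor "$3" "$2" 2>/dev/null
}

# check_fixes REPO TAG  (reads "CVE-ID COMMIT" lines from stdin)
# Prints one "OK:" or "FAIL:" line per entry and exits non-zero if any fix
# commit is missing from TAG.
check_fixes() {
    repo=$1; tag=$2; missing=0
    while read -r cve commit; do
        [ -n "$cve" ] || continue            # skip blank lines
        if has_fix "$repo" "$tag" "$commit"; then
            echo "OK: $cve fixed by $commit is in $tag"
        else
            echo "FAIL: $cve fixed by $commit is NOT in $tag"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# make_demo_repo -> prints the path of a constructed throw-away repository
# standing in for a linux-stable checkout: a base commit tagged v3.10.71, a
# "backport" commit tagged v3.10.87, and an unmerged commit on a side branch
# that no tag reaches. Tag names are reused from the bug for readability only.
make_demo_repo() {
    dir=$(mktemp -d)
    g="git -C $dir -c user.name=demo -c user.email=demo@example.invalid -c commit.gpgsign=false -c tag.gpgsign=false"
    $g init -q
    $g commit -q --allow-empty -m "base (constructed)"
    $g tag v3.10.71
    $g commit -q --allow-empty -m "backport of a fix commit (constructed)"
    $g tag v3.10.87
    $g checkout -q -b unmerged v3.10.71
    $g commit -q --allow-empty -m "not yet backported (constructed)"
    $g checkout -q v3.10.87
    printf '%s\n' "$dir"
}

# demo_outcome -> prints "ok" when the reachable fix is reported present and
# the unmerged one is reported missing; "fail" otherwise.
demo_outcome() {
    repo=$(make_demo_repo)
    in_tag=$(git -C "$repo" rev-parse v3.10.87)
    not_in_tag=$(git -C "$repo" rev-parse unmerged)
    # CVE ids below are placeholders, not real identifiers
    if printf 'CVE-0000-0001 %s\n' "$in_tag" | check_fixes "$repo" v3.10.87 >/dev/null \
       && ! printf 'CVE-0000-0002 %s\n' "$not_in_tag" | check_fixes "$repo" v3.10.87 >/dev/null; then
        echo ok
    else
        echo fail
    fi
    rm -rf "$repo"
}
```

Against a real linux-stable checkout the same function takes the commit ids quoted in this comment directly, e.g. `printf 'CVE-2015-2830 22e764ee4bafa7dbf5edd2580de006e32e671e93\n' | check_fixes /path/to/linux-stable v3.10.87`; the ancestor test is independent of which file the fix touched, so it also catches backports that landed under a different path than the upstream commit.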
Comment 14 Stefan Gohmann univentionstaff 2015-08-19 16:37:48 CEST
(In reply to Philipp Hahn from comment #13)
> Missing from Bug #38008 comment 0:
> > Denial of service in KVM instruction emulation (CVE-2014-3647)
> FAIL: not fixed, missing in Bug #39209
> 
> <https://security-tracker.debian.org/tracker/CVE-2014-3647> <no-dsa> (KVM
> not supported in Squeeze LTS)
> This is problematic for UCS

Kernel 3.10 is not part of any Debian release. I've used the upstream kernel patches.

I've added CVE-2014-3647 to Bug #39209.
 
> FAIL: 56-stable-72-to-88.patch: there is no 3.10.88 yet; latest is .87!

OK, I've renamed the patch. But I've not rebuilt the package.
 
> FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-2830> is fixed
> $ git log v3.10.71..v3.10.87 -- arch/x86/kernel/entry_64.S
> commit 22e764ee4bafa7dbf5edd2580de006e32e671e93
> 
> FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3331> is fixed
> $ git log v3.10.71..v3.10.87 -- arch/x86/crypto/aesni-intel_glue.c
> commit 31c06b946ce68c0792288f456f0e57e45c19b322
> 
> FAIL: <https://security-tracker.debian.org/tracker/CVE-2015-3339> is fixed
> $ git log v3.10.71..v3.10.87 -- fs/exec.c
> commit 9eae8ac6ab40b896b472c526afe7847e798f4f36

I've added CVE-2015-2830 + CVE-2015-3331 + CVE-2015-3339 to the YAML files: r63120
Comment 15 Philipp Hahn univentionstaff 2015-08-20 16:41:31 CEST
OK: amd64@hw KVM
OK: YAML
OK: Bug #39209

FAIL: xen-dom0
[  604.965186] INFO: rcu_sched self-detected stall on CPU { 6}  (t=5250 jiffies g=5053 c=5052 q=542)
[  604.965192] sending NMI to all CPUs:
[  604.965195] xen: vector 0x2 is not implemented
[  604.981187] INFO: rcu_sched detected stalls on CPUs/tasks: { 6} (detected by 3, t=5254 jiffies, g=5053, c=5052, q=542)
[  614.886125] BUG: soft lockup - CPU#6 stuck for 26s! [qemu-dm:3489]
[  614.886171] Modules linked in: xt_physdev xen_blkback tun xen_netback ebtable_nat ebtables xen_gntdev ip6t_REJECT ipt_REJECT xt_tcpudp nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_mangle ip6table_filter ip6_tables xt_state iptable_mangle iptable_nat nf_conntrack_ipv4 nf_defrag_ipv4 nf_nat_ipv4 nf_nat nf_conntrack iptable_filter ip_tables x_tables nfsd nfs_acl rpcsec_gss_krb5 auth_rpcgss oid_registry nfsv4 nfs fscache dns_resolver lockd sunrpc bridge stp llc loop blktap xen_blkfront xenfs xen_privcmd xen_evtchn quota_v2 quota_tree coretemp psmouse snd_hda_intel snd_hda_codec crc32c_intel snd_hwdep i7core_edac mperf snd_pcm tpm_tis i2c_i801 tpm pcspkr i2c_core lpc_ich serio_raw tpm_bios processor edac_core mfd_core snd_timer evdev thermal_sys snd microcode soundcore snd_page_alloc ext4 jbd2 crc16 dm_snapshot dm_mirror dm_region_hash dm_log dm_mod sg sr_mod sd_mod cdrom crc_t10dif ahci libahci libata ehci_pci ehci_hcd sky2 usbcore usb_common button
[  614.886216] CPU: 6 PID: 3489 Comm: qemu-dm Not tainted 3.10.0-ucs139-amd64 #1 Debian 3.10.11-1.139.201508182015
[  614.886218] Hardware name: System manufacturer System Product Name/P7F-X Series, BIOS 0703    09/24/2010
[  614.886220] task: ffff880220f9b0c0 ti: ffff8801ea8ba000 task.ti: ffff8801ea8ba000
[  614.886221] RIP: e030:[<ffffffff8106021a>]  [<ffffffff8106021a>] mspin_lock+0x2c/0x33
[  614.886226] RSP: e02b:ffff8801ea8bbbc0  EFLAGS: 00000246
[  614.886228] RAX: 0000000000000000 RBX: ffff88021de9e760 RCX: 0000000000000000
[  614.886229] RDX: 0000000000000000 RSI: ffff8801ea8bbc00 RDI: ffff88021de9e780
[  614.886230] RBP: ffff88021de9e780 R08: ffffffff813cbc4b R09: 0000000000000000
[  614.886231] R10: ffff88021df6a0a0 R11: ffff88021df6a0a0 R12: ffff8801ea8bbbf8
[  614.886233] R13: ffff880220f9b0c0 R14: 0000000000000002 R15: ffff880220ff2a90
[  614.886237] FS:  00007f44d6b67700(0000) GS:ffff88022eec0000(0000) knlGS:0000000000000000
[  614.886238] CS:  e033 DS: 0000 ES: 0000 CR0: 000000008005003b
[  614.886239] CR2: ffffffffff600000 CR3: 0000000221ba1000 CR4: 0000000000002660
[  614.886241] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  614.886242] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
[  614.886243] Stack:
[  614.886244]  ffffffff813cb99a ffff88021de9e778 ffff8801ea8ba010 ffff8801ea8bbbd8
[  614.886247]  ffff88022e800480 ffff880222a4d000 ffffffff8110b097 0000000000000000
[  614.886249]  ffff880200000000 0000000100000008 ffff88021de9e760 ffff88021de9e760
[  614.886251] Call Trace:
[  614.886257]  [<ffffffff813cb99a>] ? __mutex_lock_common+0x66/0x251
[  614.886260]  [<ffffffff8110b097>] ? __cache_free+0x187/0x196
[  614.886263]  [<ffffffff813cbc4b>] ? mutex_lock+0x1a/0x2c
[  614.886266]  [<ffffffffa042a3f6>] ? gntdev_release+0x19/0x9a [xen_gntdev]
[  614.886270]  [<ffffffff8111db67>] ? __fput+0xe9/0x1b6
[  614.886273]  [<ffffffff8105b677>] ? task_work_run+0x7f/0x96
[  614.886276]  [<ffffffff810453f7>] ? do_exit+0x406/0x981
[  614.886279]  [<ffffffff810459ed>] ? do_group_exit+0x7b/0xa5
[  614.886282]  [<ffffffff81052396>] ? get_signal_to_deliver+0x47c/0x49f
[  614.886285]  [<ffffffff8100d079>] ? do_signal+0x3b/0x540
[  614.886288]  [<ffffffff813d0abc>] ? __do_page_fault+0x28d/0x3d7
[  614.886291]  [<ffffffff8112a196>] ? do_vfs_ioctl+0x419/0x488
[  614.886295]  [<ffffffff8104f7c9>] ? __set_task_blocked+0x5a/0x61
[  614.886297]  [<ffffffff8100d5a3>] ? do_notify_resume+0x25/0x67
[  614.886299]  [<ffffffff813cda22>] ? retint_signal+0x48/0x86
[  614.886300] Code: 46 08 00 00 00 00 48 c7 06 00 00 00 00 48 89 f0 48 87 07 48 85 c0 75 08 c7 46 08 01 00 00 00 c3 48 89 30 48 83 c6 08 eb 02 f3 90 <8b> 06 85 c0 74 f8 c3 53 48 89 fb 48 8d 7f 04 e8 f3 d3 36 00 83 


Tested older 3.10.0-ucs114-amd64, which also fails, but differently:
[  480.560445] qemu-dm[2850]: segfault at 7fe34cbf3001 ip 00000000004389b4 sp 00007fff613503b8 error 4 in qemu-dm[400000+12a000]
Comment 16 Stefan Gohmann univentionstaff 2015-08-21 06:06:50 CEST
(In reply to Philipp Hahn from comment #15)
> FAIL: xen-dom0
> [  604.965186] INFO: rcu_sched self-detected stall on CPU { 6}  (t=5250
> jiffies g=5053 c=5052 q=542)

Can you give more details how to reproduce it?
Comment 17 Philipp Hahn univentionstaff 2015-08-21 08:40:14 CEST
(In reply to Stefan Gohmann from comment #16)
> (In reply to Philipp Hahn from comment #15)
> > FAIL: xen-dom0
> > [  604.965186] INFO: rcu_sched self-detected stall on CPU { 6}  (t=5250
> > jiffies g=5053 c=5052 q=542)
> 
> Can you give more details how to reproduce it?

Seems to be NFS related: After copying the VM image to local storage, the VM starts fine.
As the bug also happens with the previous kernel version, this is not a regression.

OK: Xen-domU
OK: Xen-dom0
Comment 18 Stefan Gohmann univentionstaff 2015-08-21 10:36:33 CEST
(In reply to Philipp Hahn from comment #17)
> Seems to be NFS related: After copying the VM image to local storage, the VM
> starts fine.
> As the bug also happens with the previous kernel version, this is not a
> regression.

I've tested again on a NFS storage and on a local storage. It worked in both cases.