Bug 912202 (CVE-2014-9529)

Summary: VUL-0: CVE-2014-9529: kernel-source: security/keys/gc.c race condition
Product: [Novell Products] SUSE Security Incidents
Reporter: Victor Pereira <vpereira>
Component: Incidents
Assignee: Joey Lee <jlee>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: andreas.taschner, meissner, mhocko, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/112082/
Whiteboard: maint:running:61844:important maint:released:sle11-sp3:61845 maint:released:sle11-sp3:61847 maint:released:sle11-sp3:61849 maint:released:sle11-sp3:61853 maint:released:sle11-sp3:61852 maint:released:sle11-sp3:61909
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: 0001-KEYS-close-race-between-key-lookup-and-freeing.patch
0001-KEYS-close-race-between-key-lookup-and-freeing.patch
0001-KEYS-close-race-between-key-lookup-and-freeing.patch

Description Victor Pereira 2015-01-08 09:52:31 UTC
CVE-2014-9529 has been assigned to this issue in security/keys/gc.c
that can lead to memory corruption or a panic:

  http://marc.info/?l=linux-kernel&m=141986398232547&w=2
  http://marc.info/?l=linux-kernel&m=142047362307894&w=2

(not yet available at
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/security/keys/gc.c)



References:
http://seclists.org/oss-sec/2015/q1/75
Comment 1 Swamp Workflow Management 2015-01-08 23:00:13 UTC
bugbot adjusting priority
Comment 2 Joey Lee 2015-01-22 04:20:34 UTC
Patch a3a87844 shows up in Linus's tree for v3.19-rc4:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/security/keys/gc.c?id=a3a8784454692dd72e5d5d34dcdab17b4420e74c

I will backport it to SLE11 and SLE12.
Comment 3 Joey Lee 2015-01-22 07:44:03 UTC
Created attachment 620470 [details]
0001-KEYS-close-race-between-key-lookup-and-freeing.patch

Backported the patch to SLE12 and sent it to kernel@suse.de for review.
Comment 4 Joey Lee 2015-01-30 03:51:03 UTC
Backported to SLE12.

commit 355a706aa5e5dd150be0ba04f2fec22697b65d62
Author: Lee, Chun-Yi <jlee@suse.com>
Date:   Fri Jan 30 11:46:55 2015 +0800

    KEYS: close race between key lookup and freeing (bnc#912202).
Comment 5 Joey Lee 2015-01-30 03:52:20 UTC
For SLE11, the code changed in the v3.0 kernel, so I need to send the patch to the maintenance kernel upstream for review.
Comment 6 Joey Lee 2015-01-30 16:12:41 UTC
Backported to openSUSE 13.1/13.2

commit 669722e49f2e6d80d53d5f0f2425449076819918
Author: Lee, Chun-Yi <jlee@suse.com>
Date:   Fri Jan 30 17:00:30 2015 +0800

    KEYS: close race between key lookup and freeing (bnc#912202).


Backported to openSUSE 13.2

commit b0191b238e32268bb3b48b43928c8af3cf509eea
Author: Lee, Chun-Yi <jlee@suse.com>
Date:   Sat Jan 31 00:09:27 2015 +0800

    KEYS: close race between key lookup and freeing (bnc#912202).
Comment 7 Marcus Meissner 2015-02-23 15:00:14 UTC
The code is not in the SUSE Linux Enterprise Server 10 codebase, so it is not affected.

Also SLES 11 SP1 with 2.6.32 kernel base does not look affected on review.
Comment 8 Joey Lee 2015-03-03 10:25:20 UTC
Created attachment 625178 [details]
0001-KEYS-close-race-between-key-lookup-and-freeing.patch

Backported patch a3a87844 to the v3.0 kernel and sent it to stable@vger.kernel.org for upstream review.

I simply tested the patch by adding an asymmetric key to the user keyring and then clearing it:

> keyctl list @u
keyring is empty

> keyctl padd asymmetric "" @u < signing_key.x509
674883251

> keyctl list @u
1 key in keyring:
674883251: --als--v  1000   100 asymmetric: Magrathea: Glacier signing key: be0327d832d6b6ac8f8933b232867ee5f9d84ff0

> keyctl clear @u         

> keyctl list @u
keyring is empty
Comment 9 Joey Lee 2015-03-03 10:29:05 UTC
Link to stable kernel mail:
http://thread.gmane.org/gmane.linux.kernel.stable/125829
Comment 10 Michal Hocko 2015-03-03 12:22:51 UTC
(In reply to Joey Lee from comment #8)
> Created attachment 625178 [details]
> 0001-KEYS-close-race-between-key-lookup-and-freeing.patch
> 
> Backported patch a3a87844 patch to v3.0 kernel and sent to
> stable@vger.kernel.org for upstream reviewing.

Are you planning to push this to SLE11-SP3 or do you plan to wait for the stable update?
Comment 11 Joey Lee 2015-03-04 04:17:32 UTC
Created attachment 625290 [details]
0001-KEYS-close-race-between-key-lookup-and-freeing.patch

Backported the patch to SLE11-SP3 and sent it to kernel@suse.de for review.
Comment 12 Joey Lee 2015-03-04 04:22:59 UTC
(In reply to Michal Hocko from comment #10)
> (In reply to Joey Lee from comment #8)
> > Created attachment 625178 [details]
> > 0001-KEYS-close-race-between-key-lookup-and-freeing.patch
> > 
> > Backported patch a3a87844 patch to v3.0 kernel and sent to
> > stable@vger.kernel.org for upstream reviewing.
> 
> Are you planning to push this to SLE11-SP3 or do you plan to wait for the
> stable update?

I checked the keys code in the v3.0 kernel against v3.19; the code has changed a bit, but I think we still need this patch to avoid the potential risk of a kernel panic.

Because the patch needed to be modified for the v3.0 kernel, I sent it upstream for review and hope to get comments from the keys experts.

I also sent the patch to kernel@suse.de this morning; if there is no problem, I will push this backported patch to the SLE11-SP3 kernel git after 3 days.
Comment 13 Joey Lee 2015-03-11 02:46:55 UTC
Patch pushed to SLE11 SP3 kernel.

commit cb8fe1d3e8cdc58eaf6f9c907ff2110989ee4a8d
Author: Lee, Chun-Yi <jlee@suse.com>
Date:   Wed Mar 11 10:42:34 2015 +0800

    KEYS: close race between key lookup and freeing (bnc#912202, CVE-2014-9529).

Set this bug to FIXED.
Comment 14 Michal Hocko 2015-03-11 12:36:53 UTC
I will take care of the SLE11*TD branches after I am back from the conference.
Comment 15 Joey Lee 2015-03-11 14:13:27 UTC
Hi,

(In reply to Michal Hocko from comment #14)
> I will take care about SLE11*TD branches after I will be back from
> conference.

I just checked the key.c code in SLE11-SP3-TD; it looks the same as in SLE11-SP3. Do you mind if I push the backported patch directly to the SLE11-SP3-TD git?
Comment 16 Michal Hocko 2015-03-12 13:23:04 UTC
(In reply to Joey Lee from comment #15)
> Hi,
> 
> (In reply to Michal Hocko from comment #14)
> > I will take care about SLE11*TD branches after I will be back from
> > conference.
> 
> I just checked the key.c codes in SLE11-SP3-TD, looks the same with
> SLE11-SP3. Do you mind I direct push the backported patch to SLE11-SP3-TD
> git?

This kernel branch is configured to accept pushes only from me as a maintainer. Please send me a pull request if you have your tree accessible somewhere, or simply send me a git format-patch style email. Thanks a lot for your help!
Comment 20 Swamp Workflow Management 2015-03-16 13:50:11 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-23.
https://swamp.suse.de/webswamp/wf/61108
Comment 21 Swamp Workflow Management 2015-03-18 21:11:53 UTC
SUSE-SU-2015:0529-1: An update that solves 8 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.38-44.5, kernel-obs-build-3.12.38-44.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_3-1-2.2
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
Comment 22 Swamp Workflow Management 2015-04-13 12:13:00 UTC
openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944
CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2
Comment 23 Swamp Workflow Management 2015-04-13 12:18:56 UTC
openSUSE-SU-2015:0714-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 903640,904899,907988,909078,910150,911325,911326,912202,912654,912705,913059,913695,914175,915322,917839,920901
CVE References: CVE-2014-7822,CVE-2014-8134,CVE-2014-8160,CVE-2014-8173,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.19.1, crash-7.0.2-2.19.1, hdjmod-1.28-16.19.1, ipset-6.21.1-2.23.1, iscsitarget-1.4.20.3-13.19.1, kernel-docs-3.11.10-29.2, kernel-source-3.11.10-29.1, kernel-syms-3.11.10-29.1, ndiswrapper-1.58-19.1, pcfclock-0.44-258.19.1, vhba-kmp-20130607-2.20.1, virtualbox-4.2.28-2.28.1, xen-4.3.3_04-37.1, xtables-addons-2.3-2.19.1
Comment 24 Joey Lee 2015-04-20 04:47:29 UTC
Set to FIXED because the backported patches were merged to kernel git.
Comment 25 Swamp Workflow Management 2015-05-29 09:56:11 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844
Comment 26 Swamp Workflow Management 2015-06-08 12:17:43 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904
Comment 27 Swamp Workflow Management 2015-07-02 15:12:00 UTC
SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
Comment 28 Swamp Workflow Management 2015-08-12 17:15:11 UTC
SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22
Comment 29 Swamp Workflow Management 2016-02-01 15:14:04 UTC
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
Comment 30 Swamp Workflow Management 2016-02-03 14:12:40 UTC
openSUSE-SU-2016:0318-1: An update that solves 19 vulnerabilities and has 18 fixes is now available.

Category: security (important)
Bug References: 814440,906545,912202,921949,937969,937970,938706,944296,945825,949936,950998,951627,951638,952384,952579,952976,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-8989,CVE-2014-9529,CVE-2015-5157,CVE-2015-5307,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.15.1, cloop-2.639-14.15.1, crash-7.0.8-15.1, hdjmod-1.28-18.16.1, ipset-6.23-15.1, kernel-debug-3.16.7-32.1, kernel-default-3.16.7-32.1, kernel-desktop-3.16.7-32.1, kernel-docs-3.16.7-32.2, kernel-ec2-3.16.7-32.1, kernel-obs-build-3.16.7-32.2, kernel-obs-qa-3.16.7-32.1, kernel-obs-qa-xen-3.16.7-32.1, kernel-pae-3.16.7-32.1, kernel-source-3.16.7-32.1, kernel-syms-3.16.7-32.1, kernel-vanilla-3.16.7-32.1, kernel-xen-3.16.7-32.1, pcfclock-0.44-260.15.1, vhba-kmp-20140629-2.15.1, virtualbox-4.3.34-37.1, xen-4.4.3_08-38.1, xtables-addons-2.6-15.1