Bug 912705 (CVE-2014-9585)

Summary:	VUL-0: CVE-2014-9585: kernel-source: ASLR bruteforce possible for vdso library
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Victor Pereira <vpereira>
Component:	Incidents	Assignee:	Jiri Kosina <jkosina>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Minor
Priority:	P3 - Medium	CC:	andreas.taschner, bpetkov, meissner, mhocko, smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/112171/
Whiteboard:	maint:released:sle11-sp1:60464 maint:released:sle10-sp3:60432 maint:released:sle11-sp2:60466 maint:released:sle11-sp2:60465 maint:released:sle11-sp2:60467 maint:released:sle11-sp2:60468 maint:released:sle11-sp3:60951 maint:released:sle11-sp3:60952 maint:released:sle11-sp3:60953 maint:released:sle11-sp3:60954 maint:released:sle11-sp3:60956 maint:released:sle11-sp3:60955 maint:released:sle11-sp3:60958 maint:released:sle11-sp3:60959 maint:released:sle11-sp3:60957 maint:released:sle11-sp1:60689 maint:released:sle11-sp1:60690 maint:released:sle11-sp1:60691 maint:released:sle11-sp3:61403
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Victor Pereira 2015-01-12 12:30:35 UTC

CVE-2014-9585

The vdso_addr function in arch/x86/vdso/vma.c in the Linux kernel through 3.18.2
does not properly choose memory locations for the vDSO area, which makes it
easier for local users to bypass the ASLR protection mechanism by guessing a
location at the end of a PMD.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1181054
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9585
http://www.openwall.com/lists/oss-security/2015/01/09/8
http://www.openwall.com/lists/oss-security/2014/12/09/10
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9585.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9585
http://www.cvedetails.com/cve/CVE-2014-9585/
http://v0ids3curity.blogspot.in/2014/12/return-to-vdso-using-elf-auxiliary.html
http://git.kernel.org/?p=linux/kernel/git/tip/tip.git;a=commit;h=fbe1bf140671619508dfa575d74a185ae53c5dbb
http://git.kernel.org/?p=linux/kernel/git/luto/linux.git;a=commit;h=bc3b94c31d65e761ddfe150d02932c65971b74e2

Comment 1 Swamp Workflow Management 2015-01-12 23:00:24 UTC

bugbot adjusting priority

Comment 2 Michal Hocko 2015-01-13 12:35:39 UTC

pushed to SLE11-SP1-TD and SLES10-SP3-TD branches

Comment 3 Michal Marek 2015-01-19 13:12:56 UTC

The commit id in Linus' tree is 394f56fe480140877304d342dec46d50dc823d46.

Comment 4 Borislav Petkov 2015-01-19 18:00:24 UTC

without patch:
==============

$ for i in $(seq 10000); do grep -P vdso /proc/self/maps | cut -d- -f1; done | sort | uniq -d > res
$ wc -l res
1449 res

$ less res
7fff001fe000
7fff00ffe000
7fff011fe000
7fff013fe000
7fff015fe000
7fff017fe000
7fff019fe000
7fff01ffe000
7fff021fe000
7fff025fe000
7fff02bfe000
7fff02dfe000
...

$ grep -E ".*fe000$" res | wc -l
1428

$ grep -Ev ".*fe000$" res
7fff0eb60000
7fff1038b000
7fff189cb000
7fff5258e000
7fff5b394000
7fff623d5000
7fff7a2e9000
7fff88d56000
7fff89bd6000
7fff8d49b000
7fffa05e6000
7fffabcc8000
7fffb4bcd000
7fffcfef2000
7fffd2916000
7fffd6da7000
7fffd8570000
7fffd87c3000
7fffde7d9000
7fffee32f000
7fffffffd000

Percentage: 1428/1449 = 0.98550724637681159420

with patch:
===========

$ for i in $(seq 10000); do grep -P vdso /proc/self/maps | cut -d- -f1; done | sort | uniq -d > res
$ wc -l res
92 res

The repeated ones' count is:

$ uniq -dc res | wc -l
110

which is much better :-)

Comment 5 Borislav Petkov 2015-01-19 18:28:59 UTC

Applied to SLE12.

Comment 6 Borislav Petkov 2015-01-19 21:55:00 UTC

Applied to 11SP3.

Comment 7 Borislav Petkov 2015-01-23 17:47:23 UTC

Opensusies got it too, closing.

Comment 9 Swamp Workflow Management 2015-01-28 13:52:48 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-02-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60426

Comment 11 Swamp Workflow Management 2015-01-28 14:10:52 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-02-11.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60430

Comment 12 Swamp Workflow Management 2015-01-30 10:16:39 UTC

SUSE-SU-2015:0178-1: An update that solves 5 vulnerabilities and has 59 fixes is now available.

Category: security (important)
Bug References: 800255,809493,829110,856659,862374,873252,875220,884407,887108,887597,889192,891086,891277,893428,895387,895814,902232,902346,902349,903279,903640,904053,904177,904659,904969,905087,905100,906027,906140,906545,907069,907325,907536,907593,907714,907818,907969,907970,907971,907973,908057,908163,908198,908803,908825,908904,909077,909092,909095,909829,910249,910697,911181,911325,912129,912278,912281,912290,912514,912705,912946,913233,913387,913466
CVE References: CVE-2014-3687,CVE-2014-3690,CVE-2014-8559,CVE-2014-9420,CVE-2014-9585
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.36-38.3, kernel-obs-build-3.12.36-38.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.36-38.1, kernel-syms-3.12.36-38.1
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.36-38.1, kernel-syms-3.12.36-38.1

Comment 13 Swamp Workflow Management 2015-02-26 10:01:23 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-03-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/60808

Comment 14 Swamp Workflow Management 2015-03-11 19:14:33 UTC

SUSE-SU-2015:0481-1: An update that solves 34 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 771619,779488,833588,835839,847652,857643,864049,865442,867531,867723,870161,875051,876633,880892,883096,883948,887082,892490,892782,895680,896382,896390,896391,896392,897995,898693,899192,901885,902232,902346,902349,902351,902675,903640,904013,904700,905100,905312,905799,906586,907189,907338,907396,909078,912654,912705,915335
CVE References: CVE-2012-4398,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-2929,CVE-2013-7263,CVE-2014-0131,CVE-2014-0181,CVE-2014-2309,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-4943,CVE-2014-5471,CVE-2014-5472,CVE-2014-7826,CVE-2014-7841,CVE-2014-7842,CVE-2014-8134,CVE-2014-8369,CVE-2014-8559,CVE-2014-8709,CVE-2014-9584,CVE-2014-9585
Sources used:
SUSE Linux Enterprise Server 11 SP2 LTSS (src):    kernel-default-3.0.101-0.7.29.1, kernel-ec2-3.0.101-0.7.29.1, kernel-pae-3.0.101-0.7.29.1, kernel-source-3.0.101-0.7.29.1, kernel-syms-3.0.101-0.7.29.1, kernel-trace-3.0.101-0.7.29.1, kernel-xen-3.0.101-0.7.29.1, xen-4.1.6_08-0.5.19
SLE 11 SERVER Unsupported Extras (src):    ext4-writeable-0-0.14.142, kernel-default-3.0.101-0.7.29.1, kernel-pae-3.0.101-0.7.29.1, kernel-xen-3.0.101-0.7.29.1

Comment 15 Swamp Workflow Management 2015-03-18 21:12:15 UTC

SUSE-SU-2015:0529-1: An update that solves 8 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.38-44.5, kernel-obs-build-3.12.38-44.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_3-1-2.2
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1

Comment 16 Swamp Workflow Management 2015-03-21 14:15:38 UTC

openSUSE-SU-2015:0566-1: An update that solves 38 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 771619,778463,833588,835839,847652,853040,864049,865442,867531,867723,870161,875051,876633,880892,883096,883724,883948,887082,892490,892782,895680,896382,896390,896391,896392,897995,898693,899192,901885,902232,902346,902349,902351,902675,903640,904013,904700,905100,905312,905799,906586,907189,907338,907396,907818,909077,909078,910251,912654,912705,915335
CVE References: CVE-2012-4398,CVE-2013-2893,CVE-2013-2897,CVE-2013-2899,CVE-2013-2929,CVE-2013-7263,CVE-2014-0131,CVE-2014-0181,CVE-2014-2309,CVE-2014-3181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3186,CVE-2014-3601,CVE-2014-3610,CVE-2014-3646,CVE-2014-3647,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4508,CVE-2014-4608,CVE-2014-4943,CVE-2014-5471,CVE-2014-5472,CVE-2014-7826,CVE-2014-7841,CVE-2014-7842,CVE-2014-8133,CVE-2014-8134,CVE-2014-8369,CVE-2014-8559,CVE-2014-8709,CVE-2014-9090,CVE-2014-9322,CVE-2014-9584,CVE-2014-9585
Sources used:
openSUSE Evergreen 11.4 (src):    kernel-docs-3.0.101-99.2, kernel-source-3.0.101-99.1, kernel-syms-3.0.101-99.1, preload-1.2-6.77.1

Comment 17 Swamp Workflow Management 2015-03-24 06:20:27 UTC

SUSE-SU-2015:0581-1: An update that solves 21 vulnerabilities and has 67 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-ec2-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.7, gfs2-2-0.17.1.7, ocfs2-1.6-0.21.1.7
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-source-3.0.101-0.47.50.1, kernel-syms-3.0.101-0.47.50.1, kernel-trace-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1, xen-4.2.5_04-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.50.1, kernel-default-3.0.101-0.47.50.1, kernel-pae-3.0.101-0.47.50.1, kernel-ppc64-3.0.101-0.47.50.1, kernel-xen-3.0.101-0.47.50.1

Comment 18 Swamp Workflow Management 2015-04-02 00:11:30 UTC

SUSE-SU-2015:0652-1: An update that solves 17 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 771619,833820,846404,857643,875051,885077,891211,892235,896390,896391,896779,899338,902346,902349,902351,904700,905100,905312,907822,908870,911325,912654,912705,912916,913059,915335,915826
CVE References: CVE-2010-5313,CVE-2012-6657,CVE-2013-4299,CVE-2013-7263,CVE-2014-0181,CVE-2014-3184,CVE-2014-3185,CVE-2014-3673,CVE-2014-3687,CVE-2014-3688,CVE-2014-7841,CVE-2014-7842,CVE-2014-8160,CVE-2014-8709,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    kernel-default-2.6.32.59-0.19.1, kernel-ec2-2.6.32.59-0.19.1, kernel-pae-2.6.32.59-0.19.1, kernel-source-2.6.32.59-0.19.1, kernel-syms-2.6.32.59-0.19.1, kernel-trace-2.6.32.59-0.19.1, kernel-xen-2.6.32.59-0.19.1, xen-4.0.3_21548_18-0.9.17
SLE 11 SERVER Unsupported Extras (src):    kernel-default-2.6.32.59-0.19.1, kernel-pae-2.6.32.59-0.19.1, kernel-xen-2.6.32.59-0.19.1

Comment 19 Swamp Workflow Management 2015-04-13 12:13:22 UTC

openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944
CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2

Comment 20 Swamp Workflow Management 2015-04-13 12:19:18 UTC

openSUSE-SU-2015:0714-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 903640,904899,907988,909078,910150,911325,911326,912202,912654,912705,913059,913695,914175,915322,917839,920901
CVE References: CVE-2014-7822,CVE-2014-8134,CVE-2014-8160,CVE-2014-8173,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.19.1, crash-7.0.2-2.19.1, hdjmod-1.28-16.19.1, ipset-6.21.1-2.23.1, iscsitarget-1.4.20.3-13.19.1, kernel-docs-3.11.10-29.2, kernel-source-3.11.10-29.1, kernel-syms-3.11.10-29.1, ndiswrapper-1.58-19.1, pcfclock-0.44-258.19.1, vhba-kmp-20130607-2.20.1, virtualbox-4.2.28-2.28.1, xen-4.3.3_04-37.1, xtables-addons-2.3-2.19.1

Comment 21 Swamp Workflow Management 2015-04-20 19:21:00 UTC

SUSE-SU-2015:0736-1: An update that solves 21 vulnerabilities and has 69 fixes is now available.

Category: security (important)
Bug References: 771619,816099,829110,833588,833820,846656,853040,856760,864401,864404,864409,864411,865419,875051,876086,876594,877593,882470,883948,884817,887597,891277,894213,895841,896484,900279,900644,902232,902349,902351,902675,903096,903640,904053,904242,904659,904671,905304,905312,905799,906586,907196,907338,907551,907611,907818,908069,908163,908393,908550,908551,908572,908825,909077,909078,909088,909092,909093,909095,909264,909565,909740,909846,910013,910150,910159,910251,910321,910322,910517,911181,911325,911326,912171,912705,913059,914355,914423,914726,915209,915322,915335,915791,915826,916515,916982,917839,917884,920250,924282
CVE References: CVE-2013-7263,CVE-2014-0181,CVE-2014-3687,CVE-2014-3688,CVE-2014-3690,CVE-2014-4608,CVE-2014-7822,CVE-2014-7842,CVE-2014-7970,CVE-2014-8133,CVE-2014-8134,CVE-2014-8160,CVE-2014-8369,CVE-2014-8559,CVE-2014-9090,CVE-2014-9322,CVE-2014-9419,CVE-2014-9420,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.14, drbd-kmp-8.4.4-0.23.1.14, iscsitarget-1.4.20-0.39.1.14, kernel-rt-3.0.101.rt130-0.33.36.1, kernel-rt_trace-3.0.101.rt130-0.33.36.1, kernel-source-rt-3.0.101.rt130-0.33.36.1, kernel-syms-rt-3.0.101.rt130-0.33.36.1, lttng-modules-2.1.1-0.12.1.13, ocfs2-1.6-0.21.1.14, ofed-1.5.4.1-0.14.1.14