Bug 922944 (CVE-2015-2666)

Summary: VUL-1: CVE-2015-2666: kernel: overflow in microcode loader
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Borislav Petkov <bpetkov>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None
CC: mhocko, sascha.wessels
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/232563/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Marcus Meissner 2015-03-18 12:32:42 UTC
via oss-sec

Crafted microcode could overflow the kernel stack (needs root to exploit).

From: Quentin Casasnovas <quentin.casasnovas@oracle.com>
Subject: [oss-security] CVE Request: Linux kernel execution in the early microcode loader.

Hi,

The Linux kernel Intel early microcode loader was vulnerable to a stack
overflow.  This issue was fixed in upstream commit f84598bd7c

  https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=f84598bd7c851f8b0bf8cd0d7c3be0d73c432ff4

And was introduced in kernel 3.8+ in ec400dd ("x86/microcode_intel_early.c:
Early update ucode on Intel's CPU").

It potentially allows kernel execution using a specially crafted microcode,
and I could not see that CONFIG_CC_STACKPROTECTOR_REGULAR was of any help
since it left get_matching_model_microcode() unprotected on my build.  It
was protected using CONFIG_CC_STACKPROTECTOR_STRONG with gcc-4.9.2.

It is not relevant that the tampered microcode would be refused by the CPU
(since it is signed by Intel) because kernel execution would happen before
that.

The attack vector could be from anyone between Intel and people
shipping/packaging the microcode, or could potentially be used to get a
resilient backdoor on system already compromised by sticking a tampered
microcode on the initrd.  It would also allow root to get kernel execution
by recreating the initrd.  I admit these are overly paranoid scenarios, but
I _think_ there's still a privilege crossing from root to kernel exec which
could make sense on certain security model.

I could not see an answer from cve-assign when this issue was discussed on
security@kernel.org.  Could a CVE be assigned to this please?

Quentin
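The loop shape the report describes, as an added illustration that is not code from the kernel, the bug report or the fix commit: an early loader walks a microcode container blob by blob, and every blob whose signature matches the running CPU gets a pointer stored in a fixed-size array on the stack. If the store index is never compared against the array's capacity, a container carrying more matching blobs than there are slots writes past the array. The header layout below follows the public Intel microcode header; MAX_UCODE_COUNT, CPU_SIG and all function names are assumptions for the demo, and the input is constructed. The unchecked loop is run against an oversized scratch array so the demo itself stays well-defined; its return value is the number of stores the 128-slot stack array would have received. Note also why the report found CONFIG_CC_STACKPROTECTOR_REGULAR useless here: the regular protector only instruments functions with character arrays, and an array of pointers does not qualify, whereas the strong variant instruments any local array.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Header of one blob in a microcode container (public Intel layout; only
 * sig and totalsize are used here). Blobs are laid out back to back. */
struct mc_header {
    uint32_t hdrver, rev, date, sig, cksum, ldrver, pf, datasize, totalsize;
    uint32_t reserved[3];
};

#define MAX_UCODE_COUNT 128          /* slots in the on-stack pointer array (assumed) */
#define CPU_SIG         0x000306c3u  /* constructed CPUID signature for the demo */

/* Loader-side sanity check: the header must fit and totalsize must stay in bounds. */
static bool blob_ok(const uint8_t *p, size_t leftover, struct mc_header *h)
{
    if (leftover < sizeof(*h))
        return false;
    memcpy(h, p, sizeof(*h));
    return h->totalsize >= sizeof(*h) && h->totalsize <= leftover;
}

/* Vulnerable shape (models the pre-fix loop): each matching blob is stored at
 * saved[count++] with no check against the array's capacity, so a container
 * with more than MAX_UCODE_COUNT matching blobs writes past the stack array. */
size_t collect_matching_unchecked(const uint8_t *buf, size_t len, uint32_t cpu_sig,
                                  const uint8_t **saved)
{
    struct mc_header h;
    size_t count = 0, off = 0;

    while (off < len && blob_ok(buf + off, len - off, &h)) {
        if (h.sig == cpu_sig)
            saved[count++] = buf + off;      /* no bound on count */
        off += h.totalsize;
    }
    return count;
}

/* Hardened shape: stop at the array capacity and report it, so a crafted
 * container degrades to "too many blobs" instead of a stack overwrite. */
size_t collect_matching_checked(const uint8_t *buf, size_t len, uint32_t cpu_sig,
                                const uint8_t **saved, size_t cap, bool *truncated)
{
    struct mc_header h;
    size_t count = 0, off = 0;

    *truncated = false;
    while (off < len && blob_ok(buf + off, len - off, &h)) {
        if (h.sig == cpu_sig) {
            if (count >= cap) {
                *truncated = true;
                break;
            }
            saved[count++] = buf + off;
        }
        off += h.totalsize;
    }
    return count;
}

/* Constructed input: n header-only blobs, all claiming cpu_sig. */
size_t build_container(uint8_t *out, size_t out_len, size_t n, uint32_t cpu_sig)
{
    struct mc_header h = { .hdrver = 1, .sig = cpu_sig, .totalsize = sizeof(h) };
    size_t i;

    if (n * sizeof(h) > out_len)
        return 0;
    for (i = 0; i < n; i++)
        memcpy(out + i * sizeof(h), &h, sizeof(h));
    return n * sizeof(h);
}

struct demo_result { size_t unchecked, checked; bool truncated; };

/* Run both loops over a container of n_blobs matching blobs. */
struct demo_result run_demo(size_t n_blobs)
{
    enum { DEMO_MAX = 2 * MAX_UCODE_COUNT };
    static uint8_t container[DEMO_MAX * sizeof(struct mc_header)];
    static const uint8_t *scratch[DEMO_MAX];  /* oversized: keeps the unchecked loop safe here */
    const uint8_t *saved[MAX_UCODE_COUNT];    /* the real-sized stack array */
    struct demo_result r = {0, 0, false};
    size_t len;

    if (n_blobs > DEMO_MAX)
        n_blobs = DEMO_MAX;
    len = build_container(container, sizeof(container), n_blobs, CPU_SIG);
    r.unchecked = collect_matching_unchecked(container, len, CPU_SIG, scratch);
    r.checked = collect_matching_checked(container, len, CPU_SIG, saved,
                                         MAX_UCODE_COUNT, &r.truncated);
    return r;
}
```

Running run_demo(MAX_UCODE_COUNT + 16) shows the asymmetry: the unchecked loop performs 144 stores into what is, in the real loader, a 128-slot stack array, while the checked loop stores 128 and sets truncated. None of this depends on the blobs being valid microcode; the CPU's own signature check on the patch never runs, because the parser has already written past the array by then.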
Comment 1 Marcus Meissner 2015-03-18 15:47:20 UTC
We seem to have backported the problem to SLES 12.

patches.arch/x86-microcode-move-to-a-proper-location.patch
Comment 2 Michal Hocko 2015-03-18 16:08:16 UTC
No TD branch seems to be affected
Comment 3 Borislav Petkov 2015-03-18 16:17:37 UTC
No, this was broken since it got added:

ec400dd ("x86/microcode_intel_early.c: Early update ucode on Intel's CPU")

in 3.9.

I'll backport it to the relevant trees.
Comment 4 Borislav Petkov 2015-03-18 17:11:05 UTC
Backported to cve/linux-3.12 and the opensusies. Closing.
Comment 5 Marcus Meissner 2015-03-23 09:38:10 UTC
MITRE assigned CVE-2015-2666.

Can you add this to the references?
Comment 6 Borislav Petkov 2015-03-23 10:11:00 UTC
Done.
Comment 7 Swamp Workflow Management 2015-04-13 12:17:15 UTC
openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944
CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2
Comment 8 Marcus Meissner 2015-04-15 09:09:15 UTC
This issue affects SUSE Linux Enterprise 12 and openSUSE.
Older versions of SUSE Linux Enterprise are not affected.
Comment 9 Swamp Workflow Management 2015-06-16 12:08:06 UTC
SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
Comment 10 Swamp Workflow Management 2016-02-01 15:17:03 UTC
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1