Bug 926240 (CVE-2015-2830)

Summary:	VUL-0: CVE-2015-2830: kernel-source: int80 fork from 64-bit tasks mishandling
Product:	[Novell Products] SUSE Security Incidents	Reporter:	Andreas Stieger <astieger>
Component:	Incidents	Assignee:	Security Team bot <security-team>
Status:	RESOLVED FIXED	QA Contact:	Security Team bot <security-team>
Severity:	Normal
Priority:	P3 - Medium	CC:	bpetkov, meissner, mhocko, roberto.angelino, smash_bz
Version:	unspecified
Target Milestone:	---
Hardware:	Other
OS:	Other
URL:	https://smash.suse.de/issue/115520/
Whiteboard:	maint:running:61844:important maint:released:sle11-sp3:61845 maint:released:sle11-sp3:61848 maint:released:sle11-sp3:61849 maint:released:sle11-sp3:61853 maint:released:sle11-sp3:61852 maint:released:sle11-sp3:61909
Found By:	Security Response Team	Services Priority:
Business Priority:		Blocker:	---
Marketing QA Status:	---	IT Deployment:	---

Description Andreas Stieger 2015-04-07 14:44:52 UTC

Via rh#1208598

Linux kernel built with the 32-bit emulation support(CONFIG_IA32_EMULATION), is vulnerable to potential privilege escalation flaw. This could occur while calling fork(2) & close(2) system calls with an 'int80' entry, which results in an inappropriate task state in the child process.

An unprivileged user could use this flaw to potentially gain root privileges on a system.

Upstream fix:
-------------
  -> https://git.kernel.org/linus/956421fbb74c3a6261903f3836c0740187cf038b

Reference:
----------
  -> http://seclists.org/oss-sec/2015/q2/8


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1208598
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2830
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-2830.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2830

Comment 1 Swamp Workflow Management 2015-04-07 22:00:53 UTC

bugbot adjusting priority

Comment 2 Michal Hocko 2015-04-08 07:51:29 UTC

Hmm (http://seclists.org/oss-sec/2015/q2/8) claims that:
"
That would likely break the calling process, since it would
incorrectly return in long mode (i.e. CS would have the wrong value).
This particular failure has no security implications.
"

Does that mean that the application would crash because it would be running in the 64b mode which is unexpected?

But then we have:
"
There's another problem, though: setup_thread_stack would propagate
TS_COMPAT (i.e. the indication that the task is in a 32-bit syscall)
to the child, and nothing would clear that bit.  This violates a
general invariant that tasks executing in user mode never have
TS_COMPAT set.

The user task could then do a normal 64-bit syscall, and
is_compat_task() would incorrectly return true.  I don't see any
direct way to escalate privileges as a result, but Ingo Molnar pointed
out that this affects syscall_get_arch.  As a result, both seccomp and
audit could misinterpret the offending syscall, with possibly
dangerous results depending on configuration.

I suspect that this could be used to break out of certain seccomp
sandboxes on kernels older than 3.16.
"

How is the forked task going to run in 64b mode when it is 32b binary? Boris could you have a look at this please

Comment 3 Borislav Petkov 2015-04-08 16:03:11 UTC

Pushed to 3.0 and 3.12 cvs branches.

Comment 4 Borislav Petkov 2015-04-09 06:25:52 UTC

11SP1 got it too:

367c30448fa0..fa0817e31cb5  HEAD -> cve/linux-2.6.32

Comment 5 Borislav Petkov 2015-04-09 06:59:00 UTC

So, 2.6.16 has a bit different entry.S and I'll hold off applying it there until we have figured out a reproducer.

And that is fine because the concern about potential root seems heavily far fetched right now. The only problem of this currently is being able to escape from seccomp sandbox and puzzle audit and syscall tracing. Big deal.

Comment 6 Michal Hocko 2015-04-09 07:29:54 UTC

(In reply to Borislav Petkov from comment #5)
> So, 2.6.16 has a bit different entry.S and I'll hold off applying it there
> until we have figured out a reproducer.
> 
> And that is fine because the concern about potential root seems heavily far
> fetched right now. The only problem of this currently is being able to
> escape from seccomp sandbox and puzzle audit and syscall tracing. Big deal.

Marcus, where has the root part of the story come from?

Comment 7 Borislav Petkov 2015-04-09 12:27:23 UTC

eb8f441c8362..cef7cc61e518  openSUSE-13.1 -> openSUSE-13.1
a7793eded16b..3a397b81bb86  openSUSE-13.2 -> openSUSE-13.2

Comment 8 Marcus Meissner 2015-04-09 13:12:59 UTC

I do not know. looked a bit over it, can the caller get invalid selector states? not sure.

Comment 9 Marcus Meissner 2015-04-09 14:38:23 UTC

there is probably no root exploit, just a seccomp sandbox confusion / escape possibility. which makes it minor.

just apply the patch ;)

Comment 10 Michal Hocko 2015-04-22 12:12:32 UTC

Forgot to mention. Merged into SLE11-SP[13]-TD.

cve/linux-2.6.16 still doesn't have it though. Do you have any plans for this branch Boris, Marcus? If we do not care I would be OK as well, considering the risk for a regression.

Comment 11 Borislav Petkov 2015-04-22 13:07:54 UTC

Considering the low sec. risk and the regression risk, I wanna say no.

I'll let Marcus decide.

Comment 12 Marcus Meissner 2015-04-22 13:58:34 UTC

arch/x86_64/kernel/entry.S has

        RESTORE_REST
        testl $3,CS-ARGOFFSET(%rsp)     # from kernel_thread?
        je   int_ret_from_sys_call
        testl $_TIF_IA32,threadinfo_flags(%rcx)
        jnz  int_ret_from_sys_call
        RESTORE_TOP_OF_STACK %rdi,ARGOFFSET
        jmp ret_from_sys_call


-	testl $_TIF_IA32, TI_flags(%rcx)	# 32-bit compat task needs IRET
-	jnz  int_ret_from_sys_call
-
-	RESTORE_TOP_OF_STACK %rdi, -ARGOFFSET
-	jmp ret_from_sys_call			# go to the SYSRET fastpath
+	/*
+	 * By the time we get here, we have no idea whether our pt_regs,
+	 * ti flags, and ti status came from the 64-bit SYSCALL fast path,
+	 * the slow path, or one of the ia32entry paths.
+	 * Use int_ret_from_sys_call to return, since it can safely handle
+	 * all of the above.
+	 */
+	jmp  int_ret_from_sys_call


it does not look that different?

Comment 13 Borislav Petkov 2015-04-22 16:20:26 UTC

I was thrown off by the rff_trace/rff_action labels and since they're
not upstream anymore, was afraid not to break some SYSCALL tracing use
case from back then. But then I dug deeper and I found this one:

  5b3eec0c8003 ("x86: ret_from_fork - get rid of jump back")

which basically removes that because it is dead code. Apparently we
don't set any of the _TIF* flags on fork so we don't really execute that
SYSCALL auditing piece here but only later, in int_ret_from_sys_call.

So I guess I can backport to 2.6.16 after all.

And still(!), please make sure to run those kernels through QA - I
always get nervous when touching entry.S. Ok?

Thanks.

Comment 17 Borislav Petkov 2015-05-01 08:58:51 UTC

Done, resetting assignee.

Comment 20 Swamp Workflow Management 2015-05-12 20:54:07 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-05-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61701

Comment 21 Swamp Workflow Management 2015-05-19 15:55:37 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-05-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61770

Comment 23 Swamp Workflow Management 2015-05-29 09:52:58 UTC

An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844

Comment 24 Swamp Workflow Management 2015-06-08 12:03:57 UTC

An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904

Comment 25 Swamp Workflow Management 2015-06-16 12:09:23 UTC

SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1

Comment 26 Swamp Workflow Management 2015-07-02 15:21:41 UTC

SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1

Comment 27 Swamp Workflow Management 2015-08-12 17:24:36 UTC

SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22

Comment 28 Swamp Workflow Management 2015-09-02 13:16:45 UTC

SUSE-SU-2015:1478-1: An update that solves 18 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 798406,821931,860593,879878,891087,897995,898693,900881,904671,908870,909477,912916,914742,915200,915517,915577,916010,917093,917830,918333,919007,919018,919463,921769,922583,923245,926240,927257,928801,929148,929283,929360,929525,930284,930934,931474,933429,935705,936831,937032,937986,940338,940398
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9683,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-1805,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3636,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-source-3.0.101-0.7.37.1, kernel-syms-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1

Comment 29 Swamp Workflow Management 2015-09-22 08:16:19 UTC

SUSE-SU-2015:1592-1: An update that solves 14 vulnerabilities and has 45 fixes is now available.

Category: security (important)
Bug References: 851068,867362,873385,883380,886785,894936,915517,917830,919463,920110,920250,920733,921430,923245,924701,925705,925881,925903,926240,926953,927355,927786,929142,929143,930092,930761,930934,931538,932348,932458,933429,933896,933904,933907,933936,934742,934944,935053,935572,935705,935866,935906,936077,936423,936637,936831,936875,936925,937032,937402,937444,937503,937641,937855,939910,939994,940338,940398,942350
CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP3 (src):    kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1, kernel-source-rt-3.0.101.rt130-0.33.40.1, kernel-syms-rt-3.0.101.rt130-0.33.40.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1

Comment 30 Swamp Workflow Management 2015-10-05 15:17:08 UTC

SUSE-SU-2015:1678-1: An update that solves 15 vulnerabilities and has 67 fixes is now available.

Category: security (moderate)
Bug References: 777565,867362,873385,883380,884333,886785,891116,894936,915517,917830,917968,919463,920016,920110,920250,920733,921430,923002,923245,923431,924701,925705,925881,925903,926240,926953,927355,928988,929076,929142,929143,930092,930934,931620,932350,932458,932882,933429,933721,933896,933904,933907,933936,934944,935053,935055,935572,935705,935866,935906,936077,936095,936118,936423,936637,936831,936875,936921,936925,937032,937256,937402,937444,937503,937641,937855,938485,939910,939994,940338,940398,940925,940966,942204,942305,942350,942367,942404,942605,942688,942938,943477
CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6252
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-65.3
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1

Comment 31 Swamp Workflow Management 2016-02-01 15:17:33 UTC

openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1