Bug 968697 (CVE-2016-2117)

Summary: VUL-0: CVE-2016-2117: kernel: memory disclosure into ethernet frames due to incorrect driver handling of scatter/gather IO
Product: [Novell Products] SUSE Security Incidents
Reporter: Alexander Bergmann <abergmann>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: bpetkov, jsegitz, krahmer, meissner, mhocko, mkubecek
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVSSv2:RedHat:CVE-2016-2117:2.6:(AV:N/AC:H/Au:N/C:P/I:N/A:N) CVSSv2:NVD:CVE-2016-2117:5.0:(AV:N/AC:L/Au:N/C:P/I:N/A:N) CVSSv3:NVD:CVE-2016-2117:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Swamp Workflow Management 2016-02-29 23:00:27 UTC
bugbot adjusting priority
Comment 4 Marcus Meissner 2016-03-16 12:59:04 UTC
public via oss-sec

CVE-2016-2117 memory disclosure to ethernet due to unchecked scatter/gather IO


Affects:
In-tree Linux ethernet drivers:

atheros/atlx/atl2.c  confirmed in versions 3.8 through 4.5 (possibly earlier)
* see description for more details on other potential less severe impacts


Description:
When scatter/gather IO is enabled (NETIF_F_SG), the ethernet driver may be passed a list of buffers containing the packet to be sent, rather than a single contiguous buffer, in order to improve performance.  If a driver claims to support scatter/gather but does a simple memcpy, dma_map_single, or similar call of skb->len bytes from skb->data, the result is that the outgoing packet will be sent containing the first full fragment followed by whatever kernel memory was at the end of that first fragment.  This data is likely to be data from other skbs, but other sensitive data has been seen.  If hardware checksumming is enabled, the resulting ethernet frame will be valid other than containing the disclosed memory.

This bug is remotely exploitable in the atl2 driver whenever scatter/gather IO is triggered, which can be done in some common applications (pcap samples available upon request).

Note that this bug was originally found in an out of tree driver (CVE-2016-2553), and may go unnoticed in similar drivers until the right conditions for scatter/gather IO are hit.

Apart from the atl2 driver that can be remotely exploited, other in-tree drivers are not remotely exploitable but a local privileged user with access to kernel runtime memory may be able to cause a driver that does not check for skb fragments to start to behave improperly.

Mitigation:

1) If using atl2 driver run the following at each boot (not confirmed due to lack of hardware availability):

    ethtool -K <ethX> sg off

2) For other drivers that don't expect scatter/gather, ensure appropriate local permissions.


Recommended fixes:

1) remove NETIF_F_SG from atl2.c
2) if an ethernet driver does not handle scatter/gather, consider a run-time check for fragments in the ndo_start_xmit handler rather than a compile-time assumption, for maximum security.


Patches:
None available currently, although in atl2 simply remove the NETIF_F_SG identifier from the hw_features of the net device structure.

Credits:
Justin Yackoski @ Cryptonite
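The following is an added, user-space illustration of the bug pattern from the advisory's description and of its recommended fix 2 (a run-time fragment check in the transmit path). It is not code from the advisory, from atl2.c, or from the kernel: the `struct skb`/`struct frag` types are a deliberately minimal stand-in for the real sk_buff (field names mirror the kernel's `data`, `len`, `data_len`, `nr_frags`), the "page" with adjacent sensitive data and the fragment contents are constructed sample input, and `xmit_vulnerable`/`xmit_safe` are hypothetical names for the two transmit strategies being contrasted.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for the sk_buff fields involved in scatter/gather
 * (assumption: only these fields are modelled; names mirror the kernel's). */
#define MAX_FRAGS 4
struct frag { const uint8_t *ptr; size_t len; };
struct skb {
    uint8_t *data;      /* linear head of the packet */
    size_t len;         /* total bytes: head + all fragments */
    size_t data_len;    /* bytes held in fragments only (headlen = len - data_len) */
    unsigned nr_frags;
    struct frag frags[MAX_FRAGS];
};

/* The bug pattern: the driver advertises NETIF_F_SG yet copies skb->len
 * bytes from skb->data as if the packet were linear. For a fragmented skb
 * that reads past the head into whatever sits next to it in memory. */
static size_t xmit_vulnerable(const struct skb *skb, uint8_t *frame, size_t cap)
{
    if (skb->len > cap)
        return 0;
    memcpy(frame, skb->data, skb->len);   /* over-reads the head when nr_frags > 0 */
    return skb->len;
}

/* Hardened transmit: check the fragment state at run time (the advisory's
 * fix 2), verify the length accounting, and gather head and fragments
 * explicitly. A real driver would map each fragment (skb_frag_dma_map),
 * call skb_linearize(), or simply not advertise NETIF_F_SG (fix 1). */
static size_t xmit_safe(const struct skb *skb, uint8_t *frame, size_t cap)
{
    size_t head = skb->len - skb->data_len, total = head, off;
    unsigned i;
    for (i = 0; i < skb->nr_frags; i++)
        total += skb->frags[i].len;
    if (total != skb->len || total > cap)
        return 0;                          /* inconsistent skb: refuse to send */
    memcpy(frame, skb->data, head);
    off = head;
    for (i = 0; i < skb->nr_frags; i++) {
        memcpy(frame + off, skb->frags[i].ptr, skb->frags[i].len);
        off += skb->frags[i].len;
    }
    return off;
}

/* Constructed sample (not a captured packet): a 64-byte "page" holding the
 * 23-byte head (14-byte Ethernet header + 9 bytes of payload) immediately
 * followed by unrelated sensitive data, plus a 24-byte fragment elsewhere. */
static uint8_t page[64];
static const uint8_t frag_payload[] = "PAYLOAD-IN-FRAGMENT-ONLY";
#define HEAD_LEN 23
#define FRAG_LEN (sizeof(frag_payload) - 1)

static void build_sample(struct skb *skb)
{
    memset(page, 0, sizeof page);
    memcpy(page, "\xff\xff\xff\xff\xff\xff\x02\x00\x00\x00\x00\x01\x08\x00", 14);
    memcpy(page + 14, "HEAD-DATA", 9);
    memcpy(page + HEAD_LEN, "SECRET-TOKEN-FROM-OTHER-SKB", 27);  /* the neighbour */
    skb->data = page;
    skb->data_len = FRAG_LEN;
    skb->len = HEAD_LEN + FRAG_LEN;
    skb->nr_frags = 1;
    skb->frags[0].ptr = frag_payload;
    skb->frags[0].len = FRAG_LEN;
}

/* 1 if the vulnerable path put bytes on the wire that were never in the packet. */
int vulnerable_path_leaks(void)
{
    struct skb skb;
    uint8_t frame[128];
    build_sample(&skb);
    return xmit_vulnerable(&skb, frame, sizeof frame) == HEAD_LEN + FRAG_LEN
        && memcmp(frame + HEAD_LEN, "SECRET-TOKEN", 12) == 0;
}

/* 1 if the hardened path emits exactly the head followed by the fragment. */
int safe_path_is_correct(void)
{
    struct skb skb;
    uint8_t frame[128];
    build_sample(&skb);
    return xmit_safe(&skb, frame, sizeof frame) == HEAD_LEN + FRAG_LEN
        && memcmp(frame, page, HEAD_LEN) == 0
        && memcmp(frame + HEAD_LEN, frag_payload, FRAG_LEN) == 0;
}

int main(void)
{
    printf("vulnerable path leaks adjacent memory: %s\n", vulnerable_path_leaks() ? "yes" : "no");
    printf("hardened path emits correct frame:     %s\n", safe_path_is_correct() ? "yes" : "no");
    return 0;
}
```

The frame produced by `xmit_vulnerable` has the right length and, with hardware checksumming, would be a valid frame, which is why the leak is silent: nothing on the sending side notices that the last 24 bytes came from the neighbouring memory instead of the fragment. The length check in `xmit_safe` (head plus fragments must equal `skb->len`) is the kind of cheap invariant that catches a driver being handed an skb shape it did not expect.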
Comment 5 Michal Hocko 2016-05-26 06:50:38 UTC
ping
Comment 6 Marcus Meissner 2016-08-03 12:53:24 UTC
hello?
Comment 7 Marcus Meissner 2017-03-01 13:03:45 UTC
Michal?
Comment 8 Michal Kubeček 2017-03-02 09:27:31 UTC
> 8390/lib8390.c

Doesn't seem to actually set NETIF_F_SG, as far as I can say.

> aeroflex/greth.c

Sparc only.

> atheros/atlx/atl2.c

Fixed by commit f43bfaeddc79 (mainline since v4.6-rc5). The issue only affects
kernels with commit ec5f06156423 (mainline v3.10-rc1): without it,
scatter/gather is automatically disabled if the device doesn't support
checksum offloading (which is the case here).

> mellanox/mlx4/en_tx.c

Checked again, the way memcpy() is used here seems OK, it copies contents of
first skb frag if nr_frags = 1.

> micrel/ksz884.c

The memcpy() is only used as a workaround for "small packet bug" and applied
if skb->len <= 48 (which would be linear anyway, AFAICS).

So the plan is to push f43bfaeddc79 to branches with kernel 3.12 - 4.4.
Comment 9 Michal Kubeček 2017-03-02 13:27:42 UTC
Actually, the fix is already in all affected branches:

  SLE12-SP2               4.4.11
  openSUSE-42.1           4.1.28
  cve/linux-3.12          3.12.60

So I'm only going to add CVE and bugzilla references to relevant patches.
Comment 10 Michal Kubeček 2017-03-03 09:20:57 UTC
(In reply to Michal Kubeček from comment #9)
> Actually, the fix is already in all affected branches:
> 
>   SLE12-SP2               4.4.11
>   openSUSE-42.1           4.1.28
>   cve/linux-3.12          3.12.60
> 
> So I'm only going to add CVE and bugzilla references to relevant patches.

Submitted for all three. Reassigning back to the security team.
Comment 11 Swamp Workflow Management 2017-04-01 13:11:07 UTC
openSUSE-SU-2017:0906-1: An update that solves 15 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1019851,1020602,1022785,1023377,1025235,1026722,1026914,1027066,1027178,1027179,1027189,1027190,1027565,1028415,1029986,1030118,1030573,968697
CVE References: CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-5669,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6348,CVE-2017-6353,CVE-2017-7184
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.39-53.1, kernel-default-4.1.39-53.1, kernel-docs-4.1.39-53.2, kernel-ec2-4.1.39-53.1, kernel-obs-build-4.1.39-53.1, kernel-obs-qa-4.1.39-53.1, kernel-pae-4.1.39-53.1, kernel-pv-4.1.39-53.1, kernel-source-4.1.39-53.1, kernel-syms-4.1.39-53.1, kernel-vanilla-4.1.39-53.1, kernel-xen-4.1.39-53.1
Comment 12 Swamp Workflow Management 2017-04-01 13:22:31 UTC
openSUSE-SU-2017:0907-1: An update that solves 11 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1007959,1007962,1008842,1011913,1012910,1013994,1015609,1017461,1017641,1018263,1018419,1019163,1019618,1020048,1022785,1023866,1024015,1025235,1025683,1026405,1026462,1026505,1026509,1026692,1026722,1027054,1027066,1027179,1027189,1027190,1027195,1027273,1027565,1027575,1028017,1028041,1028158,1028217,1028325,1028372,1028415,1028819,1028895,1029220,1029986,1030573,1030575,951844,968697,969755,982783,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-9191,CVE-2017-2596,CVE-2017-2636,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7184
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.57-18.3.1, kernel-default-4.4.57-18.3.1, kernel-docs-4.4.57-18.3.2, kernel-obs-build-4.4.57-18.3.1, kernel-obs-qa-4.4.57-18.3.1, kernel-source-4.4.57-18.3.1, kernel-syms-4.4.57-18.3.1, kernel-vanilla-4.4.57-18.3.1
Comment 13 Swamp Workflow Management 2017-05-05 13:26:05 UTC
SUSE-SU-2017:1183-1: An update that solves 16 vulnerabilities and has 69 fixes is now available.

Category: security (important)
Bug References: 1007959,1007962,1008842,1010032,1011913,1012382,1012910,1013994,1014136,1015609,1017461,1017641,1018263,1018419,1019163,1019614,1019618,1020048,1021762,1022340,1022785,1023866,1024015,1025683,1026024,1026405,1026462,1026505,1026509,1026692,1026722,1027054,1027066,1027153,1027179,1027189,1027190,1027195,1027273,1027616,1028017,1028027,1028041,1028158,1028217,1028325,1028415,1028819,1028895,1029220,1029514,1029634,1029986,1030118,1030213,1031003,1031052,1031200,1031206,1031208,1031440,1031481,1031579,1031660,1031662,1031717,1031831,1032006,1032673,1032681,897662,951844,968697,969755,970083,977572,977860,978056,980892,981634,982783,987899,988281,991173,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-9191,CVE-2017-2596,CVE-2017-2671,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7374
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.59-92.17.3
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.59-92.17.8, kernel-obs-build-4.4.59-92.17.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.59-92.17.3, kernel-source-4.4.59-92.17.2, kernel-syms-4.4.59-92.17.2
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.59-92.17.3, kernel-source-4.4.59-92.17.2, kernel-syms-4.4.59-92.17.2
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_7-1-2.3
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.59-92.17.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.59-92.17.3, kernel-source-4.4.59-92.17.2, kernel-syms-4.4.59-92.17.2
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.59-92.17.3
Comment 14 Swamp Workflow Management 2017-05-11 19:14:19 UTC
SUSE-SU-2017:1247-1: An update that solves 25 vulnerabilities and has 10 fixes is now available.

Category: security (important)
Bug References: 1003077,1015703,1021256,1021762,1023377,1023762,1023992,1024938,1025235,1026024,1026722,1026914,1027066,1027149,1027178,1027189,1027190,1028415,1028895,1029986,1030118,1030213,1030901,1031003,1031052,1031440,1031579,1032344,1033336,914939,954763,968697,979215,983212,989056
CVE References: CVE-2015-1350,CVE-2016-10044,CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2016-3070,CVE-2016-5243,CVE-2016-7117,CVE-2016-9588,CVE-2017-2671,CVE-2017-5669,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6348,CVE-2017-6353,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    kernel-default-3.12.61-52.72.1, kernel-source-3.12.61-52.72.1, kernel-syms-3.12.61-52.72.1, kernel-xen-3.12.61-52.72.1, kgraft-patch-SLE12_Update_21-1-2.1
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.72.1, kernel-source-3.12.61-52.72.1, kernel-syms-3.12.61-52.72.1, kernel-xen-3.12.61-52.72.1, kgraft-patch-SLE12_Update_21-1-2.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.72.1
Comment 15 Swamp Workflow Management 2017-05-19 16:25:15 UTC
SUSE-SU-2017:1360-1: An update that solves 30 vulnerabilities and has 72 fixes is now available.

Category: security (important)
Bug References: 1003077,1008842,1009682,1012620,1012985,1015703,1015787,1015821,1017512,1018100,1018263,1018419,1018446,1019168,1019514,1020048,1020795,1021256,1021374,1021762,1021913,1022559,1022971,1023164,1023207,1023377,1023762,1023824,1023888,1023992,1024081,1024234,1024309,1024508,1024788,1025039,1025235,1025354,1025802,1026024,1026722,1026914,1027066,1027178,1027189,1027190,1027974,1028041,1028415,1028595,1028648,1028895,1029470,1029850,1029986,1030118,1030213,1030593,1030901,1031003,1031052,1031080,1031440,1031567,1031579,1031662,1031842,1032125,1032141,1032344,1032345,1033336,1034670,103470,1034700,1035576,1035699,1035738,1035877,1036752,1038261,799133,857926,914939,917630,922853,930399,931620,937444,940946,954763,968697,970083,971933,979215,982783,983212,984530,985561,988065,989056,993832
CVE References: CVE-2015-1350,CVE-2016-10044,CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2016-3070,CVE-2016-5243,CVE-2016-7117,CVE-2016-9191,CVE-2016-9588,CVE-2016-9604,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5897,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616,CVE-2017-7645,CVE-2017-8106
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src):    kernel-default-3.12.74-60.64.40.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    kernel-docs-3.12.74-60.64.40.4, kernel-obs-build-3.12.74-60.64.40.1
SUSE Linux Enterprise Server 12-SP1 (src):    kernel-default-3.12.74-60.64.40.1, kernel-source-3.12.74-60.64.40.1, kernel-syms-3.12.74-60.64.40.1, kernel-xen-3.12.74-60.64.40.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.40.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP1_Update_15-1-4.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    kernel-default-3.12.74-60.64.40.1, kernel-source-3.12.74-60.64.40.1, kernel-syms-3.12.74-60.64.40.1, kernel-xen-3.12.74-60.64.40.1
Comment 16 Swamp Workflow Management 2017-07-28 13:59:06 UTC
SUSE-SU-2017:1990-1: An update that solves 43 vulnerabilities and has 282 fixes is now available.

Category: security (important)
Bug References: 1000092,1003077,1003581,1004003,1007729,1007959,1007962,1008842,1009674,1009718,1010032,1010612,1010690,1011044,1011176,1011913,1012060,1012382,1012422,1012452,1012829,1012910,1012985,1013001,1013561,1013792,1013887,1013994,1014120,1014136,1015342,1015367,1015452,1015609,1016403,1017164,1017170,1017410,1017461,1017641,1018100,1018263,1018358,1018385,1018419,1018446,1018813,1018885,1018913,1019061,1019148,1019163,1019168,1019260,1019351,1019594,1019614,1019618,1019630,1019631,1019784,1019851,1020048,1020214,1020412,1020488,1020602,1020685,1020817,1020945,1020975,1021082,1021248,1021251,1021258,1021260,1021294,1021424,1021455,1021474,1021762,1022181,1022266,1022304,1022340,1022429,1022476,1022547,1022559,1022595,1022785,1022971,1023101,1023175,1023287,1023762,1023866,1023884,1023888,1024015,1024081,1024234,1024508,1024938,1025039,1025235,1025461,1025683,1026024,1026405,1026462,1026505,1026509,1026570,1026692,1026722,1027054,1027066,1027101,1027153,1027179,1027189,1027190,1027195,1027273,1027512,1027565,1027616,1027974,1028017,1028027,1028041,1028158,1028217,1028310,1028325,1028340,1028372,1028415,1028819,1028883,1028895,1029220,1029514,1029607,1029634,1029986,1030057,1030070,1030118,1030213,1030573,1031003,1031040,1031052,1031142,1031147,1031200,1031206,1031208,1031440,1031470,1031500,1031512,1031555,1031579,1031662,1031717,1031796,1031831,1032006,1032141,1032339,1032345,1032400,1032581,1032673,1032681,1032803,1033117,1033281,1033287,1033336,1033340,1033885,1034048,1034419,1034635,1034670,1034671,1034762,1034902,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036638,1036752,1036763,1037177,1037186,1037384,1037483,1037669,1037840,1037871,1037969,1038033,1038043,1038085,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1038981,1038982,1039348,1039354,1039700,1039864,1039882,1039883,1039885,1039900,1040069,1040125,1040182,1040279,1040351,1040364,1040395,1040425,1040463,1040567,1040609,1040855,1040929,1040941,1041087,1041160,1041168,1041242,1041431,1041810,1042200,1042286,1042356,1042421,1042517,1042535,1042536,1042863,1042886,1043014,1043231,1043236,1043347,1043371,1043467,1043488,1043598,1043912,1043935,1043990,1044015,1044082,1044120,1044125,1044532,1044767,1044772,1044854,1044880,1044912,1045154,1045235,1045286,1045307,1045340,1045467,1045568,1046105,1046434,1046589,799133,863764,870618,922871,951844,966170,966172,966191,966321,968697,969479,969755,970083,971975,982783,985561,986362,986365,987192,987576,988065,989056,989311,990058,990682,991273,993832,995542,995968,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-4997,CVE-2016-4998,CVE-2016-7117,CVE-2016-9191,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-2671,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7346,CVE-2017-7374,CVE-2017-7487,CVE-2017-7616,CVE-2017-7618,CVE-2017-8890,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.74-7.10.1, kernel-rt_debug-4.4.74-7.10.1, kernel-source-rt-4.4.74-7.10.1, kernel-syms-rt-4.4.74-7.10.1
Comment 17 Johannes Segitz 2017-08-15 11:50:05 UTC
fixed