Bug 1027179 - (CVE-2017-6347) VUL-1: CVE-2017-6347: kernel-source: ip: fix IP_CHECKSUM handling
(CVE-2017-6347)
VUL-1: CVE-2017-6347: kernel-source: ip: fix IP_CHECKSUM handling
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/180982/
CVSSv2:SUSE:CVE-2017-6347:1.2:(AV:L/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-02-28 09:08 UTC by Marcus Meissner
Modified: 2018-07-03 18:25 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2017-02-28 09:08:59 UTC
CVE-2017-6347

was assigned to:

commit ca4ef4574f1ee5252e2cd365f8f5d5bafd048f32
Author: Paolo Abeni <pabeni@redhat.com>
Date:   Tue Feb 21 09:33:18 2017 +0100

    ip: fix IP_CHECKSUM handling
    
    The skbs processed by ip_cmsg_recv() are not guaranteed to
    be linear e.g. when sending UDP packets over loopback with
    MSGMORE.
    Using csum_partial() on [potentially] the whole skb len
    is dangerous; instead be on the safe side and use skb_checksum().
    
    Thanks to syzkaller team to detect the issue and provide the
    reproducer.
    
    v1 -> v2:
     - move the variable declaration in a tighter scope
    
    Fixes: ad6f939ab193 ("ip: Add offset parameter to ip_cmsg_recv")
    Reported-by: Andrey Konovalov <andreyknvl@google.com>
    Signed-off-by: Paolo Abeni <pabeni@redhat.com>
    Acked-by: Eric Dumazet <edumazet@google.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>


References:
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-6347.html
Comment 1 Marcus Meissner 2017-02-28 09:09:40 UTC
introducer commit was in 4.0.
Comment 2 Marcus Meissner 2017-02-28 09:21:35 UTC
Quick google search did not find the syzkaller code / output.

This makes it hard to determine what could happen here?

Can a buffer overwrite happen? or just an overread?
Comment 3 Swamp Workflow Management 2017-02-28 23:00:34 UTC
bugbot adjusting priority
Comment 4 Michal Kubeček 2017-03-02 12:54:47 UTC
(In reply to Marcus Meissner from comment #2)
> Can a buffer overwrite happen? or just an overread?

Just a read, csum_partial() only calculates the checksum over part of the
packet data. What can happen would be either wrong result (which is only passed
to userspace here so it shouldn't cause packet drop in kernel) or a page fault.
Comment 5 Michal Kubeček 2017-03-03 09:27:55 UTC
  introduced              ad6f939ab193    v4.0-rc1
  fixed                   ca4ef4574f1e    v4.11-rc1

The fix is now present in or submitted to (*) all relevant branches:

  stable                  4.10.1
  SLE12-SP2               4.4.52
  openSUSE-42.1           ca6376ee889c *

It's not in master yet but it's going to get there with 4.11-rc1 next week.

Reassigning back to the security team.
Comment 6 Swamp Workflow Management 2017-04-01 13:09:39 UTC
openSUSE-SU-2017:0906-1: An update that solves 15 vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1019851,1020602,1022785,1023377,1025235,1026722,1026914,1027066,1027178,1027179,1027189,1027190,1027565,1028415,1029986,1030118,1030573,968697
CVE References: CVE-2016-10200,CVE-2016-10208,CVE-2016-2117,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-5669,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6348,CVE-2017-6353,CVE-2017-7184
Sources used:
openSUSE Leap 42.1 (src):    kernel-debug-4.1.39-53.1, kernel-default-4.1.39-53.1, kernel-docs-4.1.39-53.2, kernel-ec2-4.1.39-53.1, kernel-obs-build-4.1.39-53.1, kernel-obs-qa-4.1.39-53.1, kernel-pae-4.1.39-53.1, kernel-pv-4.1.39-53.1, kernel-source-4.1.39-53.1, kernel-syms-4.1.39-53.1, kernel-vanilla-4.1.39-53.1, kernel-xen-4.1.39-53.1
Comment 7 Swamp Workflow Management 2017-04-01 13:18:01 UTC
openSUSE-SU-2017:0907-1: An update that solves 11 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1007959,1007962,1008842,1011913,1012910,1013994,1015609,1017461,1017641,1018263,1018419,1019163,1019618,1020048,1022785,1023866,1024015,1025235,1025683,1026405,1026462,1026505,1026509,1026692,1026722,1027054,1027066,1027179,1027189,1027190,1027195,1027273,1027565,1027575,1028017,1028041,1028158,1028217,1028325,1028372,1028415,1028819,1028895,1029220,1029986,1030573,1030575,951844,968697,969755,982783,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-9191,CVE-2017-2596,CVE-2017-2636,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7184
Sources used:
openSUSE Leap 42.2 (src):    kernel-debug-4.4.57-18.3.1, kernel-default-4.4.57-18.3.1, kernel-docs-4.4.57-18.3.2, kernel-obs-build-4.4.57-18.3.1, kernel-obs-qa-4.4.57-18.3.1, kernel-source-4.4.57-18.3.1, kernel-syms-4.4.57-18.3.1, kernel-vanilla-4.4.57-18.3.1
Comment 8 Swamp Workflow Management 2017-05-05 13:18:52 UTC
SUSE-SU-2017:1183-1: An update that solves 16 vulnerabilities and has 69 fixes is now available.

Category: security (important)
Bug References: 1007959,1007962,1008842,1010032,1011913,1012382,1012910,1013994,1014136,1015609,1017461,1017641,1018263,1018419,1019163,1019614,1019618,1020048,1021762,1022340,1022785,1023866,1024015,1025683,1026024,1026405,1026462,1026505,1026509,1026692,1026722,1027054,1027066,1027153,1027179,1027189,1027190,1027195,1027273,1027616,1028017,1028027,1028041,1028158,1028217,1028325,1028415,1028819,1028895,1029220,1029514,1029634,1029986,1030118,1030213,1031003,1031052,1031200,1031206,1031208,1031440,1031481,1031579,1031660,1031662,1031717,1031831,1032006,1032673,1032681,897662,951844,968697,969755,970083,977572,977860,978056,980892,981634,982783,987899,988281,991173,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-9191,CVE-2017-2596,CVE-2017-2671,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7374
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.59-92.17.3
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.59-92.17.8, kernel-obs-build-4.4.59-92.17.3
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.59-92.17.3, kernel-source-4.4.59-92.17.2, kernel-syms-4.4.59-92.17.2
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.59-92.17.3, kernel-source-4.4.59-92.17.2, kernel-syms-4.4.59-92.17.2
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_7-1-2.3
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.59-92.17.3
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.59-92.17.3, kernel-source-4.4.59-92.17.2, kernel-syms-4.4.59-92.17.2
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.59-92.17.3
Comment 11 Marcus Meissner 2017-06-23 10:41:57 UTC
released
Comment 12 Swamp Workflow Management 2017-07-28 13:32:14 UTC
SUSE-SU-2017:1990-1: An update that solves 43 vulnerabilities and has 282 fixes is now available.

Category: security (important)
Bug References: 1000092,1003077,1003581,1004003,1007729,1007959,1007962,1008842,1009674,1009718,1010032,1010612,1010690,1011044,1011176,1011913,1012060,1012382,1012422,1012452,1012829,1012910,1012985,1013001,1013561,1013792,1013887,1013994,1014120,1014136,1015342,1015367,1015452,1015609,1016403,1017164,1017170,1017410,1017461,1017641,1018100,1018263,1018358,1018385,1018419,1018446,1018813,1018885,1018913,1019061,1019148,1019163,1019168,1019260,1019351,1019594,1019614,1019618,1019630,1019631,1019784,1019851,1020048,1020214,1020412,1020488,1020602,1020685,1020817,1020945,1020975,1021082,1021248,1021251,1021258,1021260,1021294,1021424,1021455,1021474,1021762,1022181,1022266,1022304,1022340,1022429,1022476,1022547,1022559,1022595,1022785,1022971,1023101,1023175,1023287,1023762,1023866,1023884,1023888,1024015,1024081,1024234,1024508,1024938,1025039,1025235,1025461,1025683,1026024,1026405,1026462,1026505,1026509,1026570,1026692,1026722,1027054,1027066,1027101,1027153,1027179,1027189,1027190,1027195,1027273,1027512,1027565,1027616,1027974,1028017,1028027,1028041,1028158,1028217,1028310,1028325,1028340,1028372,1028415,1028819,1028883,1028895,1029220,1029514,1029607,1029634,1029986,1030057,1030070,1030118,1030213,1030573,1031003,1031040,1031052,1031142,1031147,1031200,1031206,1031208,1031440,1031470,1031500,1031512,1031555,1031579,1031662,1031717,1031796,1031831,1032006,1032141,1032339,1032345,1032400,1032581,1032673,1032681,1032803,1033117,1033281,1033287,1033336,1033340,1033885,1034048,1034419,1034635,1034670,1034671,1034762,1034902,1034995,1035024,1035866,1035887,1035920,1035922,1036214,1036638,1036752,1036763,1037177,1037186,1037384,1037483,1037669,1037840,1037871,1037969,1038033,1038043,1038085,1038142,1038143,1038297,1038458,1038544,1038842,1038843,1038846,1038847,1038848,1038879,1038981,1038982,1039348,1039354,1039700,1039864,1039882,1039883,1039885,1039900,1040069,1040125,1040182,1040279,1040351,1040364,1040395,1040425,1040463,1040567,1040609,1040855,1040929,1040941,1041087,1041160,1041168,1041242,1041431,1041810,1042200,1042286,1042356,1042421,1042517,1042535,1042536,1042863,1042886,1043014,1043231,1043236,1043347,1043371,1043467,1043488,1043598,1043912,1043935,1043990,1044015,1044082,1044120,1044125,1044532,1044767,1044772,1044854,1044880,1044912,1045154,1045235,1045286,1045307,1045340,1045467,1045568,1046105,1046434,1046589,799133,863764,870618,922871,951844,966170,966172,966191,966321,966339,968697,969479,969755,970083,971975,982783,985561,986362,986365,987192,987576,988065,989056,989311,990058,990682,991273,993832,995542,995968,998106
CVE References: CVE-2016-10200,CVE-2016-2117,CVE-2016-4997,CVE-2016-4998,CVE-2016-7117,CVE-2016-9191,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-2583,CVE-2017-2584,CVE-2017-2596,CVE-2017-2636,CVE-2017-2671,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6345,CVE-2017-6346,CVE-2017-6347,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7346,CVE-2017-7374,CVE-2017-7487,CVE-2017-7616,CVE-2017-7618,CVE-2017-8890,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9150,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP2 (src):    kernel-rt-4.4.74-7.10.1, kernel-rt_debug-4.4.74-7.10.1, kernel-source-rt-4.4.74-7.10.1, kernel-syms-rt-4.4.74-7.10.1
Comment 13 Swamp Workflow Management 2017-09-19 13:10:45 UTC
SUSE-SU-2017:2525-1: An update that solves 40 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1006919,1012422,1013862,1017143,1020229,1021256,1023051,1024938,1025013,1025235,1026024,1026722,1026914,1027066,1027101,1027178,1027179,1027406,1028415,1028880,1029212,1029850,1030213,1030573,1030575,1030593,1031003,1031052,1031440,1031481,1031579,1031660,1033287,1033336,1034670,1034838,1035576,1037182,1037183,1037994,1038544,1038564,1038879,1038883,1038981,1038982,1039349,1039354,1039456,1039594,1039882,1039883,1039885,1040069,1041431,1042364,1042863,1042892,1044125,1045416,1045487,1046107,1048232,1048275,1049483,1049603,1049882,1050677,1052311,1053148,1053152,1053760,1056588,870618,948562,957988,957990,963655,972891,979681,983212,986924,989896,999245
CVE References: CVE-2016-10200,CVE-2016-5243,CVE-2017-1000112,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-11473,CVE-2017-12762,CVE-2017-14051,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7482,CVE-2017-7487,CVE-2017-7533,CVE-2017-7542,CVE-2017-7616,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-source-3.0.101-0.47.106.5.1, kernel-syms-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-source-3.0.101-0.47.106.5.1, kernel-syms-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1