First Last Prev Next    This bug is not in your last search results.
Bug 1138263 - (CVE-2019-12817) VUL-0: CVE-2019-12817: kernel-source: powerpc: access to other processes memory
(CVE-2019-12817)
VUL-0: CVE-2019-12817: kernel-source: powerpc: access to other processes memory
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P1 - Urgent : Critical
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv3:SUSE:CVE-2019-12817:8.1:(AV:L/...
:
Depends on:
Blocks: 1139619
  Show dependency treegraph
 
Reported: 2019-06-14 09:29 UTC by Marcus Meissner
Modified: 2019-09-23 22:50 UTC (History)
5 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
CVE-2019-12817.patch (5.35 KB, patch)
2019-06-14 09:30 UTC, Marcus Meissner 		Details | Diff
CVE-2019-12817.c (1.67 KB, text/x-csrc)
2019-06-14 09:31 UTC, Marcus Meissner 		Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-06-14 09:29:03 UTC 
embargoed via distros

CRD: 2019-06-24

From: Michael Ellerman <mpe@ellerman.id.au>
subject: ***UNCHECKED*** [vs-plain] Linux kernel for powerpc mm bug
Date: Fri, 14 Jun 2019 02:41:38 +1000

The Linux kernel for powerpc since 4.17 has a bug where unrelated processes may
be able to read/write to each other's virtual memory under certain conditions.

This bug only affects machines using 64-bit CPUs with the hash page table MMU,
see below for more detail on affected CPUs.

To trigger the bug a process must allocate memory above 512TB. That only happens
if userspace explicitly requests it with mmap(). That process must then fork(),
at this point the child incorrectly inherits the "context id" of the parent
associated with the mapping above 512TB. It may then be possible for the
parent/child to write to each other's mappings above 512TB, which should not be
possible, and constitutes memory corruption.

If instead the child process exits, all its context ids are freed, including the
context id that is still in use by the parent for the mapping above 512TB. That
id can then be reallocated to a third process, that process can then read/write
to the parent's mapping above 512TB. Additionally if the freed id is used for
the third process's primary context id, then the parent is able to read/write to
the third process's mappings *below* 512TB.

If the parent and child both exit before another process is allocated the freed
context id, the kernel will notice the double free of the id and print a warning
such as:

  ida_free called for id=103 which is not allocated.
  WARNING: CPU: 8 PID: 7293 at lib/idr.c:520 ida_free_rc+0x1b4/0x1d0

The bug was introduced in commit:
  f384796c40dc ("powerpc/mm: Add support for handling > 512TB address in SLB miss")

Which was originally merged in v4.17.

I have applied for a CVE via the online form but have not heard back yet.

My amateur attempt at calculating a CVSS score results in:
  8.1 High
  CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:L

Though I'm happy to be told otherwise on that.

I propose an embargo period until Sunday June 23rd, at 12:00 UTC.

Only machines using the hash page table (HPT) MMU are affected, eg. PowerPC 970
(G5), PA6T, Power5/6/7/8/9. By default Power9 bare metal machines (powernv) use
the Radix MMU and are not affected, unless the machine has been explicitly
booted in HPT mode (using disable_radix on the kernel command line). KVM guests
on Power9 may be affected if the host or guest is configured to use the HPT MMU.
LPARs under PowerVM on Power9 are affected as they always use the HPT MMU.
Kernels built with PAGE_SIZE=4K are not affected.
The fix against v5.1 is included below, and below that is a test case.

cheers
Comment 1 Marcus Meissner 2019-06-14 09:30:21 UTC 
Created attachment 807593 [details]
CVE-2019-12817.patch

CVE-2019-12817.patch from email
Comment 2 Marcus Meissner 2019-06-14 09:31:03 UTC 
Created attachment 807594 [details]
CVE-2019-12817.c

CVE-2019-12817.c

reproducer attached to email
Comment 3 Marcus Meissner 2019-06-14 09:34:12 UTC 
sle15 sp1 has it backported.

patches.arch/powerpc-mm-Add-support-for-handling-512TB-address-in.patch:From f384796c40dc55b3dba25e0ee9c1afd98c6d24d1 Mon Sep 17 00:00:00 2001
Comment 4 Marcus Meissner 2019-06-14 09:52:49 UTC 
CRD: 2019-06-26 most likely currently
Comment 5 Michal Suchanek 2019-06-14 12:01:34 UTC 
ok, so it's the last bigmem patchset with multiple user context support in 15 SP1 which brings in this bug. We had some nice crashes of SAP using this kernel with the reported context double-free in bug 1134601

We will need a MU with this fix at the time SP1 is released.
Comment 11 Swamp Workflow Management 2019-07-04 13:16:12 UTC 
SUSE-SU-2019:1744-1: An update that solves three vulnerabilities and has 26 fixes is now available.

Category: security (important)
Bug References: 1051510,1071995,1094555,1111666,1112374,1114279,1128432,1134730,1134738,1135153,1135296,1135642,1136156,1136157,1136271,1136333,1137103,1137194,1137366,1137884,1137985,1138263,1138336,1138374,1138375,1138589,1138681,1138719,1138732
CVE References: CVE-2018-16871,CVE-2019-12614,CVE-2019-12817
Sources used:
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-197.7.1, kernel-livepatch-SLE15-SP1_Update_2-1-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2019-07-04 13:20:16 UTC 
SUSE-SU-2019:1744-1: An update that solves three vulnerabilities and has 26 fixes is now available.

Category: security (important)
Bug References: 1051510,1071995,1094555,1111666,1112374,1114279,1128432,1134730,1134738,1135153,1135296,1135642,1136156,1136157,1136271,1136333,1137103,1137194,1137366,1137884,1137985,1138263,1138336,1138374,1138375,1138589,1138681,1138719,1138732
CVE References: CVE-2018-16871,CVE-2019-12614,CVE-2019-12817
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    kernel-default-4.12.14-197.7.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    dtb-aarch64-4.12.14-197.7.1, kernel-debug-4.12.14-197.7.1, kernel-default-4.12.14-197.7.1, kernel-docs-4.12.14-197.7.1, kernel-kvmsmall-4.12.14-197.7.1, kernel-obs-qa-4.12.14-197.7.1, kernel-source-4.12.14-197.7.1, kernel-vanilla-4.12.14-197.7.1, kernel-zfcpdump-4.12.14-197.7.1
SUSE Linux Enterprise Module for Live Patching 15-SP1 (src):    kernel-default-4.12.14-197.7.1, kernel-livepatch-SLE15-SP1_Update_2-1-3.3.1
SUSE Linux Enterprise Module for Legacy Software 15-SP1 (src):    kernel-default-4.12.14-197.7.1
SUSE Linux Enterprise Module for Development Tools 15-SP1 (src):    kernel-docs-4.12.14-197.7.1, kernel-obs-build-4.12.14-197.7.1, kernel-source-4.12.14-197.7.1, kernel-syms-4.12.14-197.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    kernel-default-4.12.14-197.7.1, kernel-source-4.12.14-197.7.1, kernel-zfcpdump-4.12.14-197.7.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    kernel-default-4.12.14-197.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Marcus Meissner 2019-07-06 07:35:44 UTC 
released
Comment 15 Swamp Workflow Management 2019-07-15 10:14:53 UTC 
This is an autogenerated message for OBS integration:
This bug (1138263) was mentioned in
https://build.opensuse.org/request/show/715440 15.1 / kernel-source
Comment 16 Swamp Workflow Management 2019-07-20 10:21:42 UTC 
openSUSE-SU-2019:1757-1: An update that solves 9 vulnerabilities and has 82 fixes is now available.

Category: security (important)
Bug References: 1051510,1071995,1088047,1094555,1098633,1103990,1103991,1103992,1106383,1109837,1111666,1112374,1114279,1114685,1119113,1119532,1120423,1125703,1128902,1130836,1132390,1133401,1133738,1134303,1134395,1135296,1135556,1135642,1135897,1136156,1136157,1136161,1136264,1136271,1136333,1136343,1136462,1136935,1137103,1137194,1137366,1137625,1137728,1137884,1137985,1138263,1138589,1138681,1138719,1138732,1138879,1139712,1139771,1139865,1140133,1140228,1140328,1140405,1140424,1140428,1140454,1140463,1140575,1140577,1140637,1140658,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140948,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2019-10126,CVE-2019-10638,CVE-2019-10639,CVE-2019-11599,CVE-2019-12614,CVE-2019-12817,CVE-2019-13233
Sources used:
openSUSE Leap 15.1 (src):    kernel-debug-4.12.14-lp151.28.10.1, kernel-default-4.12.14-lp151.28.10.1, kernel-docs-4.12.14-lp151.28.10.1, kernel-kvmsmall-4.12.14-lp151.28.10.1, kernel-obs-build-4.12.14-lp151.28.10.1, kernel-obs-qa-4.12.14-lp151.28.10.1, kernel-source-4.12.14-lp151.28.10.1, kernel-syms-4.12.14-lp151.28.10.1, kernel-vanilla-4.12.14-lp151.28.10.1
Comment 20 Swamp Workflow Management 2019-08-07 05:26:47 UTC 
SUSE-SU-2019:2069-1: An update that solves 18 vulnerabilities and has 157 fixes is now available.

Category: security (important)
Bug References: 1051510,1055117,1071995,1083647,1083710,1088047,1094555,1098633,1103990,1103991,1103992,1104745,1106383,1109837,1111666,1112374,1114279,1114685,1119113,1119222,1119532,1120423,1123080,1125703,1127034,1127315,1127611,1128432,1128902,1129770,1130836,1132390,1133021,1133401,1133738,1134090,1134097,1134390,1134395,1134399,1134730,1134738,1135153,1135296,1135335,1135556,1135642,1135897,1136156,1136157,1136161,1136217,1136264,1136271,1136333,1136342,1136343,1136345,1136348,1136460,1136461,1136462,1136467,1137103,1137194,1137224,1137366,1137429,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137811,1137827,1137884,1137985,1138263,1138291,1138293,1138336,1138374,1138375,1138589,1138681,1138719,1138732,1138874,1138879,1139358,1139619,1139712,1139751,1139771,1139865,1140133,1140139,1140228,1140322,1140328,1140405,1140424,1140428,1140454,1140463,1140559,1140575,1140577,1140637,1140652,1140658,1140676,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140948,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141312,1141401,1141402,1141452,1141453,1141454,1141478,1141558,1142023,1142052,1142083,1142112,1142115,1142119,1142220,1142221,1142265,1142350,1142351,1142354,1142359,1142450,1142623,1142673,1142701,1142868,1143003,1143105,1143185,1143189,1143191,1143209,1143507
CVE References: CVE-2018-16871,CVE-2018-20836,CVE-2018-20855,CVE-2019-10638,CVE-2019-10639,CVE-2019-1125,CVE-2019-11478,CVE-2019-11599,CVE-2019-11810,CVE-2019-12614,CVE-2019-12817,CVE-2019-12818,CVE-2019-12819,CVE-2019-13233,CVE-2019-13631,CVE-2019-13648,CVE-2019-14283,CVE-2019-14284
Sources used:
SUSE Linux Enterprise Module for Public Cloud 15-SP1 (src):    kernel-azure-4.12.14-8.13.1, kernel-source-azure-4.12.14-8.13.1, kernel-syms-azure-4.12.14-8.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2019-09-23 14:14:51 UTC 
SUSE-SU-2019:2430-1: An update that solves 45 vulnerabilities and has 474 fixes is now available.

Category: security (important)
Bug References: 1050242,1050549,1051510,1052904,1053043,1055117,1055121,1055186,1056787,1058115,1061840,1064802,1065600,1065729,1066129,1070872,1071995,1075020,1082387,1082555,1083647,1083710,1085535,1085536,1088047,1088804,1093389,1094555,1096003,1098633,1099658,1102247,1103186,1103259,1103990,1103991,1103992,1104745,1106011,1106284,1106383,1106751,1108193,1108838,1108937,1109837,1110946,1111331,1111666,1111696,1112063,1112128,1112178,1112374,1113722,1113956,1114279,1114427,1114542,1114638,1114685,1115688,1117114,1117158,1117561,1118139,1119113,1119222,1119532,1119680,1120091,1120318,1120423,1120566,1120843,1120902,1122767,1122776,1123080,1123454,1123663,1124503,1124839,1125703,1126206,1126356,1126704,1127034,1127175,1127315,1127371,1127374,1127611,1127616,1128052,1128415,1128432,1128544,1128902,1128904,1128971,1128979,1129138,1129273,1129693,1129770,1129845,1130195,1130425,1130527,1130567,1130579,1130699,1130836,1130937,1130972,1131326,1131427,1131438,1131451,1131467,1131488,1131530,1131565,1131574,1131587,1131645,1131659,1131673,1131847,1131848,1131851,1131900,1131934,1131935,1132044,1132219,1132226,1132227,1132365,1132368,1132369,1132370,1132372,1132373,1132384,1132390,1132397,1132402,1132403,1132404,1132405,1132407,1132411,1132412,1132413,1132414,1132426,1132527,1132531,1132555,1132558,1132561,1132562,1132563,1132564,1132570,1132571,1132572,1132589,1132618,1132673,1132681,1132726,1132828,1132894,1132943,1132982,1133005,1133016,1133021,1133094,1133095,1133115,1133149,1133176,1133188,1133190,1133311,1133320,1133401,1133486,1133529,1133547,1133584,1133593,1133612,1133616,1133667,1133668,1133672,1133674,1133675,1133698,1133702,1133731,1133738,1133769,1133772,1133774,1133778,1133779,1133780,1133825,1133850,1133851,1133852,1133897,1134090,1134097,1134160,1134162,1134199,1134200,1134201,1134202,1134203,1134204,1134205,1134223,1134303,1134354,1134390,1134393,1134395,1134397,1134399,1134459,1134460,1134461,1134597,1134600,1134607,1134618,1134651,1134671,1134730,1134738,1134743,1134760,1134806,1134810,1134813,1134848,1134936,1134945,1134946,1134947,1134948,1134949,1134950,1134951,1134952,1134953,1134972,1134974,1134975,1134980,1134981,1134983,1134987,1134989,1134990,1134994,1134995,1134998,1134999,1135006,1135007,1135008,1135018,1135021,1135024,1135026,1135027,1135028,1135029,1135031,1135033,1135034,1135035,1135036,1135037,1135038,1135039,1135041,1135042,1135044,1135045,1135046,1135047,1135049,1135051,1135052,1135053,1135055,1135056,1135058,1135100,1135120,1135153,1135278,1135281,1135296,1135309,1135312,1135314,1135315,1135316,1135320,1135323,1135330,1135335,1135492,1135542,1135556,1135603,1135642,1135661,1135758,1135897,1136156,1136157,1136161,1136188,1136206,1136215,1136217,1136264,1136271,1136333,1136342,1136343,1136345,1136347,1136348,1136353,1136424,1136428,1136430,1136432,1136434,1136435,1136438,1136439,1136456,1136460,1136461,1136462,1136467,1136469,1136477,1136478,1136498,1136573,1136586,1136598,1136881,1136922,1136935,1136978,1136990,1137103,1137151,1137152,1137153,1137162,1137194,1137201,1137224,1137232,1137233,1137236,1137366,1137372,1137429,1137444,1137458,1137534,1137535,1137584,1137586,1137609,1137625,1137728,1137739,1137752,1137811,1137827,1137884,1137985,1137995,1137996,1137998,1137999,1138000,1138002,1138003,1138005,1138006,1138007,1138008,1138009,1138010,1138011,1138012,1138013,1138014,1138015,1138016,1138017,1138018,1138019,1138263,1138291,1138293,1138336,1138374,1138375,1138589,1138681,1138719,1138732,1138874,1138879,1139358,1139619,1139712,1139751,1139771,1139865,1140133,1140139,1140228,1140322,1140328,1140405,1140424,1140428,1140454,1140463,1140559,1140575,1140577,1140637,1140652,1140658,1140676,1140715,1140719,1140726,1140727,1140728,1140814,1140887,1140888,1140889,1140891,1140893,1140903,1140945,1140948,1140954,1140955,1140956,1140957,1140958,1140959,1140960,1140961,1140962,1140964,1140971,1140972,1140992,1141312,1141401,1141402,1141452,1141453,1141454,1141478,1141558,1142023,1142052,1142083,1142112,1142115,1142119,1142220,1142221,1142254,1142350,1142351,1142354,1142359,1142450,1142623,1142673,1142701,1142868,1143003,1143045,1143105,1143185,1143189,1143191,1143209,1143507
CVE References: CVE-2017-5753,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-16871,CVE-2018-16880,CVE-2018-20836,CVE-2018-20855,CVE-2018-7191,CVE-2019-10124,CVE-2019-10638,CVE-2019-10639,CVE-2019-11085,CVE-2019-11091,CVE-2019-1125,CVE-2019-11477,CVE-2019-11478,CVE-2019-11479,CVE-2019-11486,CVE-2019-11487,CVE-2019-11599,CVE-2019-11810,CVE-2019-11811,CVE-2019-11815,CVE-2019-11833,CVE-2019-11884,CVE-2019-12380,CVE-2019-12382,CVE-2019-12456,CVE-2019-12614,CVE-2019-12817,CVE-2019-12818,CVE-2019-12819,CVE-2019-13233,CVE-2019-13631,CVE-2019-13648,CVE-2019-14283,CVE-2019-14284,CVE-2019-3846,CVE-2019-3882,CVE-2019-5489,CVE-2019-8564,CVE-2019-9003,CVE-2019-9500,CVE-2019-9503
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP1 (src):    kernel-rt-4.12.14-14.8.1, kernel-rt_debug-4.12.14-14.8.1, kernel-source-rt-4.12.14-14.8.1, kernel-syms-rt-4.12.14-14.8.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    kernel-rt-4.12.14-14.8.1, kernel-rt_debug-4.12.14-14.8.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
First Last Prev Next    This bug is not in your last search results.