Bug 904899 - VUL-1: kernel: ability to read out more memory than allowed in evdev ioctl
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: x86-64 SLES 12
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
Reported: 2014-11-11 16:08 UTC by Oliver Neukum
Modified: 2021-12-01 20:26 UTC (History)
Description Oliver Neukum 2014-11-11 16:08:07 UTC
This is from upstream:

commit 7c4f56070fde2367766fa1fb04852599b5e1ad35
Author: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Date:   Mon Oct 6 10:55:49 2014 -0700

    Input: evdev - fix EVIOCG{type} ioctl
    
    The 'max' size passed into the function is measured in number of bits
    (KEY_MAX, LED_MAX, etc) so we need to convert it accordingly before trying
    to copy the data out, otherwise we will try copying too much and end up
    with a page fault.

The fix has not gone into stable. The current kernel for SLE12 doesn't have the fix.
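
The unit mismatch the commit message describes, as an added user-space example (not the upstream patch and not code from this report). It assumes the faulty length treated the bit count as a count of `unsigned long` words; all function names and the sample bit count of 768 are hypothetical and defined locally.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BITS_PER_LONG (sizeof(unsigned long) * CHAR_BIT)
/* Longs needed to hold nbits bits, rounded up. */
#define BITS_TO_LONGS(nbits) (((nbits) + BITS_PER_LONG - 1) / BITS_PER_LONG)

#define SAMPLE_KEY_CNT 768u /* constructed sample bit count for the demo */

/* Assumed faulty form: the bit count is used as if it were a count of longs. */
size_t len_bits_as_longs(unsigned int max_bits)
{
    return sizeof(unsigned long) * max_bits;
}

/* Converted form: bits -> whole longs -> bytes. */
size_t len_converted(unsigned int max_bits)
{
    return BITS_TO_LONGS(max_bits) * sizeof(unsigned long);
}

/* Bytes the faulty length would cover beyond the end of the bitmap. */
size_t overread_bytes(unsigned int max_bits)
{
    return len_bits_as_longs(max_bits) - len_converted(max_bits);
}

/* Bounded copy: never more than the bitmap holds, never more than dst_len. */
size_t snapshot_bitmap(void *dst, size_t dst_len,
                       const unsigned long *bits, unsigned int max_bits)
{
    size_t len = len_converted(max_bits);
    if (len > dst_len)
        len = dst_len;
    memcpy(dst, bits, len);
    return len;
}

int main(void)
{
    unsigned long keybit[BITS_TO_LONGS(SAMPLE_KEY_CNT)] = {0}; /* constructed bitmap */
    unsigned char out[256];
    printf("bitmap bytes: %zu, faulty length: %zu, past the end: %zu, copied: %zu\n",
           len_converted(SAMPLE_KEY_CNT), len_bits_as_longs(SAMPLE_KEY_CNT),
           overread_bytes(SAMPLE_KEY_CNT),
           snapshot_bitmap(out, sizeof out, keybit, SAMPLE_KEY_CNT));
    return 0;
}
```
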
Comment 1 Marcus Meissner 2014-12-18 13:22:07 UTC
It is a buffer overread of e.g. input_dev->keybit, right?

Where does the page fault happen?

So we might leak information from the input_dev structure or potentially stuff after it to the outside?
Comment 2 Swamp Workflow Management 2014-12-18 23:00:13 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2015-01-17 08:37:34 UTC
For Jiri Slaby and stable to collect.
Comment 4 Jiri Slaby 2015-01-28 14:09:06 UTC
It is in 3.12.34 already, in SLE12 since:
commit 28b39e4e484ab3d538ccac12373976d6fb630ca2
Author: Jiri Slaby <jslaby@suse.cz>
Date:   Fri Dec 5 13:54:25 2014 +0100

    - Linux 3.12.34 (CVE-2014-3673 CVE-2014-3687 CVE-2014-7841
      bnc#875220 bnc#902346 bnc#902349 bnc#905100).
Comment 5 Jiri Slaby 2015-01-28 14:13:01 UTC
stable & factory have this naturally (it's included in 3.18).
Comment 6 Jiri Slaby 2015-02-04 16:45:29 UTC
This is introduced by:
commit 483180281f0ac60d1138710eb21f4b9961901294
Author: David Herrmann <dh.herrmann@gmail.com>
Date:   Sun Apr 7 21:13:19 2013 -0700

    Input: evdev - flush queues during EVIOCGKEY-like ioctls

in 3.11. So SLE11 is out of danger.
Comment 7 Jiri Slaby 2015-02-04 16:46:53 UTC
Pushed:
   6e1df930de53..4868fee635a8  openSUSE-13.1 -> openSUSE-13.1
   fa16c953e94b..1c8e5bf53628  openSUSE-13.2 -> openSUSE-13.2

and be done with it.
Comment 8 Swamp Workflow Management 2015-03-18 21:08:47 UTC
SUSE-SU-2015:0529-1: An update that solves 8 vulnerabilities and has 53 fixes is now available.

Category: security (important)
Bug References: 799216,800255,860346,875220,877456,884407,895805,896484,897736,898687,900270,902286,902346,902349,903640,904177,904883,904899,904901,905100,905304,905329,905482,905783,906196,907069,908069,908322,908825,908904,909829,910322,911326,912202,912654,912705,913059,914112,914126,914254,914291,914294,914300,914457,914464,914726,915188,915322,915335,915425,915454,915456,915550,915660,916107,916513,916646,917089,917128,918161,918255
CVE References: CVE-2014-3673,CVE-2014-3687,CVE-2014-7822,CVE-2014-7841,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9584
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.38-44.5, kernel-obs-build-3.12.38-44.1
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_3-1-2.2
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.38-44.1, kernel-syms-3.12.38-44.1
Comment 9 Johannes Segitz 2015-03-25 15:46:05 UTC
Fixed in SLE 12; openSUSE will receive it with the next regular kernel update.
Comment 10 Marcus Meissner 2015-04-01 17:03:56 UTC
Being disputed, needs actual exploitability review: http://article.gmane.org/gmane.comp.security.oss.general/15457
Comment 11 Swamp Workflow Management 2015-04-13 12:06:29 UTC
openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available.

Category: security (important)
Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944
CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2
Comment 12 Swamp Workflow Management 2015-04-13 12:17:45 UTC
openSUSE-SU-2015:0714-1: An update that solves 11 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 903640,904899,907988,909078,910150,911325,911326,912202,912654,912705,913059,913695,914175,915322,917839,920901
CVE References: CVE-2014-7822,CVE-2014-8134,CVE-2014-8160,CVE-2014-8173,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-1593
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.19.1, crash-7.0.2-2.19.1, hdjmod-1.28-16.19.1, ipset-6.21.1-2.23.1, iscsitarget-1.4.20.3-13.19.1, kernel-docs-3.11.10-29.2, kernel-source-3.11.10-29.1, kernel-syms-3.11.10-29.1, ndiswrapper-1.58-19.1, pcfclock-0.44-258.19.1, vhba-kmp-20130607-2.20.1, virtualbox-4.2.28-2.28.1, xen-4.3.3_04-37.1, xtables-addons-2.3-2.19.1
Comment 13 Swamp Workflow Management 2021-12-01 20:26:08 UTC
SUSE-SU-2021:14849-1: An update that solves 17 vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1183089,1184673,1186109,1187050,1187215,1188172,1188563,1188601,1188876,1189057,1189262,1189399,1190117,1190351,1191315,1191660,1191958,1192036,1192267,904899,905100
CVE References: CVE-2014-7841,CVE-2020-36385,CVE-2021-20265,CVE-2021-33033,CVE-2021-3542,CVE-2021-3609,CVE-2021-3640,CVE-2021-3653,CVE-2021-3655,CVE-2021-3679,CVE-2021-37159,CVE-2021-3772,CVE-2021-38160,CVE-2021-38198,CVE-2021-42008,CVE-2021-42739,CVE-2021-43389
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    kernel-bigmem-3.0.101-108.132.1, kernel-default-3.0.101-108.132.1, kernel-ec2-3.0.101-108.132.1, kernel-pae-3.0.101-108.132.1, kernel-ppc64-3.0.101-108.132.1, kernel-source-3.0.101-108.132.1, kernel-syms-3.0.101-108.132.1, kernel-trace-3.0.101-108.132.1, kernel-xen-3.0.101-108.132.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.132.1, kernel-pae-3.0.101-108.132.1, kernel-ppc64-3.0.101-108.132.1, kernel-trace-3.0.101-108.132.1, kernel-xen-3.0.101-108.132.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.132.1, kernel-default-3.0.101-108.132.1, kernel-ec2-3.0.101-108.132.1, kernel-pae-3.0.101-108.132.1, kernel-ppc64-3.0.101-108.132.1, kernel-trace-3.0.101-108.132.1, kernel-xen-3.0.101-108.132.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.