Bugzilla – Bug 917830
VUL-0: CVE-2015-0777: kernel: xen/usbback/usbback.c information leak to guest
Last modified: 2019-07-08 10:24:42 UTC
bugbot adjusting priority
When will the embargo end? I'm not intending to commit this to any non-public branches, as that's completely against normal flow of patches against the old upstream linux-2.6.18-xen.hg tree.
Is the loss of the urb->status == 0 check in usbbk_urb_complete() really intended? Also the patch lacks you S-o-b - please clarify whether I may add it prior to eventually committing.
(In reply to Jan Beulich from comment #2) There is no date yet. Why is this different than other EMBARGOED kernel issues?
I have no idea how other embargoed kernel issues get handled (and on the hypervisor side we don't play such games). I can only state that pushing to separate branches is not a business I want to get into. I.e. if that's needed, perhaps having a kernel engineer familiar with that process deal with it would the the better (less error prone and less time consuming) route.
The handling of embargoed kernel patches is described in the README file in the kernel-source repository, under "Embargoed Patches". Pushing to an _EMBARGO branch is preferable over keeping patches in private clones or as bugzilla attachments, because the _EMBARGO branches are test built and can be merged by anybody with push access once the embargo has expired.
Okay, I'll drop them from the revised patch again then, but such non-obvious changes should always be explained in the description.
Not sure, these two Feb 10 09:27:38 lpxenp013 lldpd[23047]: iface_eth_recv: error while receiving frame on vif120.0: Network is down Feb 10 09:27:38 lpxenp013 lldpd[23047]: iface_eth_recv: error while receiving frame on vif120.1: Network is down could be connected, should there be some error path not doing certain cleanup operations as needed. But that's at best a hint in what direction to target repro attempts.
Oops, wrong bug - please disregard.
Any chance the embargo here could be aligned with that of XSA-120 (bug 919463)? Also, Jürgen, I'm still missing a statement regarding the S-o-b on the patch.
(In reply to Jan Beulich from comment #12) I think we should keep this under embargo until we release a kernel that has the fix. The other embargo can't be changed so aligning them is probably not a good idea.
(In reply to Johannes Segitz from comment #13) > I think we should keep this under embargo until we release a kernel that has > the fix. The other embargo can't be changed so aligning them is probably not > a good idea. So how's that going to work then? Can I push the patch to a non-embargoed branch nevertheless? As already said, I'd very much like to avoid the hassle of having to first push this to embargoed branches and then having the re-arrange things so they can cleanly go onto non-embargoed ones. (Besides that I don't see the point of an embargo when no ending point is being set - when receiving vulnerability notifications from elsewhere, we don't normally issue updates the moment the embargo expires anyway.)
Jan, sorry for overlloking the S-o-b question. Yes, please add my Signed-off-by.
(In reply to Jan Beulich from comment #14) No, please don't put this issue into a public repository. Can you please explain why this is different then all the other embargoed kernel issues? Not having an embargo date is an advantage. We don't release normally when an embargo ends because usually we can't do it in time. Here we can decide when we open the bug to the public, which will be once we release the first kernel containing the fix (or shortly before that once we move it to a public repo).
The Xen patches get updated in batches every once in a while. While for the particular issue here it may be possible to not do so, having to do things differently here than for all the other Xen work I'm doing means (perhaps significant) extra amounts of work. Hence I'd suggest that if this is to be treated like any other kernel issue, than someone on the kernel teams should take care of it (assuming they're used to that work flow), while if I'm to take care of it, I'd prefer it to follow the normal Xen patches workflow (and there was no prior instance of kernel side Xen security issues having to be handled the way you outline).
With Jürgen's posting of the usbif patches against upstream Linux I think the issue should now be considered public (by virtue of the fix here being integrated there), i.e. the embargo ended. Please correct me if I'm wrong.
Interesting. In the Xen community we try to make sure problematic code (from a security pov) doesn't get attention drawn to it when we know there's a security issue pending, i.e. we tell people to postpone sending of (perhaps only remotely) related patches (be it follow-up cleanup or other, non-security bug fixes) until after the embargo got lifted.
The patch just went to SLE12 and SLE11 SP3 kernel.git. It's not immediately clear whether any of the LTSS branches need updating too, and if so whether the respective branch maintainers would take care of this, or whether I would need to.
pushed to SLE11-SP3-TD branch. Do we need it for older branches as well?
I don't see why this question was sent my way rather than the security team's.
Applicability: All trees having the usbback driver. Risk: I have no idea how important fixing a little used (and in earlier versions not even supported) backend is. That's why I suggested the security team to give an assessment.
Pushed to cve/linux-2.6.32. SLE11-SP1-TD has it from there.
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-03-26. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61218
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-04-01. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61308
opening bug as various opensuse are running already, its in the kernel git, etc.
SUSE-SU-2015:0658-1: An update that solves two vulnerabilities and has 28 fixes is now available. Category: security (important) Bug References: 898675,903997,904242,909309,909477,909684,910517,913080,914818,915200,915660,917830,918584,918615,918620,918644,919463,919719,919939,920615,920805,920839,921313,921527,921990,922272,922275,922278,922284,924460 CVE References: CVE-2015-0777,CVE-2015-2150 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): kernel-docs-3.12.39-47.3, kernel-obs-build-3.12.39-47.2 SUSE Linux Enterprise Server 12 (src): kernel-source-3.12.39-47.1, kernel-syms-3.12.39-47.1 SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_4-1-2.1 SUSE Linux Enterprise Desktop 12 (src): kernel-source-3.12.39-47.1, kernel-syms-3.12.39-47.1
openSUSE-SU-2015:0713-1: An update that solves 13 vulnerabilities and has 52 fixes is now available. Category: security (important) Bug References: 867199,893428,895797,900811,901925,903589,903640,904899,905681,907039,907818,907988,908582,908588,908589,908592,908593,908594,908596,908598,908603,908604,908605,908606,908608,908610,908612,909077,909078,909477,909634,910150,910322,910440,911311,911325,911326,911356,911438,911578,911835,912061,912202,912429,912705,913059,913466,913695,914175,915425,915454,915456,915577,915858,916608,917830,917839,918954,918970,919463,920581,920604,921313,922542,922944 CVE References: CVE-2014-8134,CVE-2014-8160,CVE-2014-8559,CVE-2014-9419,CVE-2014-9420,CVE-2014-9428,CVE-2014-9529,CVE-2014-9584,CVE-2014-9585,CVE-2015-0777,CVE-2015-1421,CVE-2015-1593,CVE-2015-2150 Sources used: openSUSE 13.2 (src): bbswitch-0.8-3.6.6, cloop-2.639-14.6.6, crash-7.0.8-6.6, hdjmod-1.28-18.7.6, ipset-6.23-6.6, kernel-docs-3.16.7-13.2, kernel-obs-build-3.16.7-13.7, kernel-obs-qa-3.16.7-13.1, kernel-obs-qa-xen-3.16.7-13.1, kernel-source-3.16.7-13.1, kernel-syms-3.16.7-13.1, pcfclock-0.44-260.6.2, vhba-kmp-20140629-2.6.2, virtualbox-4.3.20-10.2, xen-4.4.1_08-12.2, xtables-addons-2.6-6.2
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-05-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61701
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-06-12. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61844
An update workflow for this issue was started. This issue was rated as important. Please submit fixed packages until 2015-06-15. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/61904
SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available. Category: security (moderate) Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850 CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636 Sources used: SUSE Linux Enterprise Server 11 SP3 for VMware (src): kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1 SUSE Linux Enterprise Server 11 SP3 (src): kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1 SUSE Linux Enterprise High Availability Extension 11 SP3 (src): cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21 SUSE Linux Enterprise Desktop 11 SP3 (src): kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1 SLE 11 SERVER Unsupported Extras (src): kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available. Category: security (important) Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850 CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636 Sources used: SUSE Linux Enterprise Real Time Extension 11 SP3 (src): cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22
SUSE-SU-2015:1478-1: An update that solves 18 vulnerabilities and has 25 fixes is now available. Category: security (important) Bug References: 798406,821931,860593,879878,891087,897995,898693,900881,904671,908870,909477,912916,914742,915200,915517,915577,916010,917093,917830,918333,919007,919018,919463,921769,922583,923245,926240,927257,928801,929148,929283,929360,929525,930284,930934,931474,933429,935705,936831,937032,937986,940338,940398 CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9683,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-1805,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3636,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-source-3.0.101-0.7.37.1, kernel-syms-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
SUSE-SU-2015:1592-1: An update that solves 14 vulnerabilities and has 45 fixes is now available. Category: security (important) Bug References: 851068,867362,873385,883380,886785,894936,915517,917830,919463,920110,920250,920733,921430,923245,924701,925705,925881,925903,926240,926953,927355,927786,929142,929143,930092,930761,930934,931538,932348,932458,933429,933896,933904,933907,933936,934742,934944,935053,935572,935705,935866,935906,936077,936423,936637,936831,936875,936925,937032,937402,937444,937503,937641,937855,939910,939994,940338,940398,942350 CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707 Sources used: SUSE Linux Enterprise Real Time Extension 11-SP3 (src): kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1, kernel-source-rt-3.0.101.rt130-0.33.40.1, kernel-syms-rt-3.0.101.rt130-0.33.40.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1
SUSE-SU-2015:1678-1: An update that solves 15 vulnerabilities and has 67 fixes is now available. Category: security (moderate) Bug References: 777565,867362,873385,883380,884333,886785,891116,894936,915517,917830,917968,919463,920016,920110,920250,920733,921430,923002,923245,923431,924701,925705,925881,925903,926240,926953,927355,928988,929076,929142,929143,930092,930934,931620,932350,932458,932882,933429,933721,933896,933904,933907,933936,934944,935053,935055,935572,935705,935866,935906,936077,936095,936118,936423,936637,936831,936875,936921,936925,937032,937256,937402,937444,937503,937641,937855,938485,939910,939994,940338,940398,940925,940966,942204,942305,942350,942367,942404,942605,942688,942938,943477 CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6252 Sources used: SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kernel-docs-3.0.101-65.3 SUSE Linux Enterprise Server 11-SP4 (src): kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1 SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1 SUSE Linux Enterprise Desktop 11-SP4 (src): kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1 SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
released
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available. Category: security (important) Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075 CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728 Sources used: openSUSE 13.1 (src): cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1
(In reply to Jan Beulich from comment #22) > The patch just went to SLE12 and SLE11 SP3 kernel.git. It's not immediately > clear whether any of the LTSS branches need updating too, and if so whether > the respective branch maintainers would take care of this, or whether I > would need to. I do not see any reference to this bug in SLE11-SP4-LTSS branch (note it hasn't been in LTSS back in 2015). Was the fix a part of a different patch or are we missing the fix?
This is changeset 1282:72387b3c2252 in the upstream tree, and the 11SP4 tree had been updated to c/s 1283 at some point. Hence this change is part of xen3-auto-xen-drivers.diff. The additional fix to it (c/s 1293:47161cb7bd45) is there as a separate patch.
Thanks a lot for the clarification Jan! I have updated references accordingly.