Bug 919018 - (CVE-2015-2042) VUL-0: CVE-2015-2042: kernel: Incorrect data type in rds_sysctl_rds_table
(CVE-2015-2042)
VUL-0: CVE-2015-2042: kernel: Incorrect data type in rds_sysctl_rds_table
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/114141/
maint:running:61844:important maint:r...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-02-23 10:25 UTC by Johannes Segitz
Modified: 2016-02-08 14:54 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Johannes Segitz 2015-02-23 10:25:31 UTC
CVE-2015-2042

Max unacked packets/bytes is an int while sizeof(long) was used in the sysctl table. This means that when they were getting read we'd also leak kernel memory to userspace along with the timeout values.

Fix: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=db27ebb111e9f69efece08e4cb6a34ff980f8896

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2042
http://seclists.org/oss-sec/2015/q1/624
Comment 1 Swamp Workflow Management 2015-02-23 23:00:55 UTC
bugbot adjusting priority
Comment 2 Michal Hocko 2015-02-24 08:37:56 UTC
Seem to be introduced by 3e5048495c85 (RDS: sysctls) around 2.6.30.

Pushed to SLE11-SP1-TD
Comment 3 Swamp Workflow Management 2015-03-25 14:41:58 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-04-01.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61308
Comment 4 Michal Kubeček 2015-04-09 05:45:34 UTC
I wonder why nobody noticed (for more than 5 years) that those procfs files
show two values rather than one. Personally, I would be more worried about
writes than about reads:

unicorn:~ # cat /proc/sys/net/rds/max_unacked_bytes 
16777216        8
unicorn:~ # cat /proc/sys/net/rds/max_unacked_packets 
8       0
unicorn:~ # echo '1111 2222' >/proc/sys/net/rds/max_unacked_bytes      
unicorn:~ # cat /proc/sys/net/rds/max_unacked_bytes               
1111    2222
unicorn:~ # cat /proc/sys/net/rds/max_unacked_packets 
2222    0
Comment 5 Michal Kubeček 2015-04-09 09:10:07 UTC
A simple testcase:

BAD:
11sp1:~ # cat /proc/sys/net/rds/max_unacked_* /proc/sys/net/rds/ping_enable
16777216        1
8       16777216
1
11sp1:~ # echo '1111 2222' >/proc/sys/net/rds/max_unacked_packets
11sp1:~ # cat /proc/sys/net/rds/max_unacked_* /proc/sys/net/rds/ping_enable
2222    1
1111    2222
1
11sp1:~ # echo '3333 4444' >/proc/sys/net/rds/max_unacked_bytes
11sp1:~ # cat /proc/sys/net/rds/max_unacked_* /proc/sys/net/rds/ping_enable
3333    4444
1111    3333
4444


GOOD:
11sp1:~ # cat /proc/sys/net/rds/max_unacked_* /proc/sys/net/rds/ping_enable
16777216
8
1
11sp1:~ # echo '1111 2222' >/proc/sys/net/rds/max_unacked_packets
11sp1:~ # cat /proc/sys/net/rds/max_unacked_* /proc/sys/net/rds/ping_enable
16777216
2222
1
11sp1:~ # echo '3333 4444' >/proc/sys/net/rds/max_unacked_bytes
11sp1:~ # cat /proc/sys/net/rds/max_unacked_* /proc/sys/net/rds/ping_enable
4444
2222
1


Fix pushed into

  cve/linux-3.12
  cve/linux-3.0
  cve/linux-2.6.32

SLE11-SP1-LTSS case is a bit more complicated as rds.ko is only in kernel-$flavor-extra
and ofed-kmp-$flavor there.

I'm going to push the fix into openSUSE-13.1 and openSUSE-13.2 now.
Comment 6 Swamp Workflow Management 2015-05-12 20:54:34 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-05-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61701
Comment 7 Swamp Workflow Management 2015-05-29 09:55:33 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-06-12.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61844
Comment 8 Swamp Workflow Management 2015-06-08 12:05:02 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2015-06-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61904
Comment 9 Swamp Workflow Management 2015-06-16 12:07:11 UTC
SUSE-SU-2015:1071-1: An update that solves 13 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 899192,900881,909312,913232,914742,915540,916225,917125,919007,919018,920262,921769,922583,922734,922944,924664,924803,924809,925567,926156,926240,926314,927084,927115,927116,927257,927285,927308,927455,928122,928130,928135,928141,928708,929092,929145,929525,929883,930224,930226,930669,930786,931014,931130
CVE References: CVE-2014-3647,CVE-2014-8086,CVE-2014-8159,CVE-2015-1465,CVE-2015-2041,CVE-2015-2042,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3332,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    kernel-docs-3.12.43-52.6.2, kernel-obs-build-3.12.43-52.6.2
SUSE Linux Enterprise Server 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12_Update_5-1-2.3
SUSE Linux Enterprise Desktop 12 (src):    kernel-source-3.12.43-52.6.1, kernel-syms-3.12.43-52.6.1
Comment 10 Michal Kubeček 2015-06-23 13:03:28 UTC
Out of sight, out of mind... I completely forgot about this. As the fix is in
all relevant branches

  SLE12-SP1
  SLE12
  SLE11-SP4
  SLE11-SP3
  SLE11-SP3-TD
  SLE11-SP2-LTSS
  SLE11-SP1-LTSS
  SLE11-SP1-TD
  openSUSE-13.1
  openSUSE-13.2

for some time, closing.
Comment 11 Swamp Workflow Management 2015-07-02 15:17:12 UTC
SUSE-SU-2015:1174-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (moderate)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
SUSE Linux Enterprise Server 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-ec2-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SUSE Linux Enterprise High Availability Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.21, gfs2-2-0.17.1.21, ocfs2-1.6-0.21.1.21
SUSE Linux Enterprise Desktop 11 SP3 (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-source-3.0.101-0.47.55.1, kernel-syms-3.0.101-0.47.55.1, kernel-trace-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1, xen-4.2.5_08-0.7.1
SLE 11 SERVER Unsupported Extras (src):    kernel-bigsmp-3.0.101-0.47.55.1, kernel-default-3.0.101-0.47.55.1, kernel-pae-3.0.101-0.47.55.1, kernel-ppc64-3.0.101-0.47.55.1, kernel-xen-3.0.101-0.47.55.1
Comment 12 Swamp Workflow Management 2015-08-12 17:20:10 UTC
SUSE-SU-2015:1376-1: An update that solves 15 vulnerabilities and has 71 fixes is now available.

Category: security (important)
Bug References: 831029,877456,889221,891212,891641,900881,902286,904242,904883,904901,906027,908706,909309,909312,909477,909684,910517,911326,912202,912741,913080,913598,914726,914742,914818,914987,915045,915200,915577,916521,916848,917093,917120,917648,917684,917830,917839,918333,919007,919018,919357,919463,919589,919682,919808,921769,922583,923344,924142,924271,924333,924340,925012,925370,925443,925567,925729,926016,926240,926439,926767,927190,927257,927262,927338,928122,928130,928142,928333,928970,929145,929148,929283,929525,929647,930145,930171,930226,930284,930401,930669,930786,930788,931014,931015,931850
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2015-0777,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3339,CVE-2015-3636
Sources used:
SUSE Linux Enterprise Real Time Extension 11 SP3 (src):    cluster-network-1.4-2.28.1.22, drbd-kmp-8.4.4-0.23.1.22, iscsitarget-1.4.20-0.39.1.22, kernel-rt-3.0.101.rt130-0.33.38.1, kernel-rt_trace-3.0.101.rt130-0.33.38.1, kernel-source-rt-3.0.101.rt130-0.33.38.1, kernel-syms-rt-3.0.101.rt130-0.33.38.1, lttng-modules-2.1.1-0.12.1.20, ocfs2-1.6-0.21.1.22, ofed-1.5.4.1-0.14.1.22
Comment 13 Swamp Workflow Management 2015-09-02 13:15:40 UTC
SUSE-SU-2015:1478-1: An update that solves 18 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 798406,821931,860593,879878,891087,897995,898693,900881,904671,908870,909477,912916,914742,915200,915517,915577,916010,917093,917830,918333,919007,919018,919463,921769,922583,923245,926240,927257,928801,929148,929283,929360,929525,930284,930934,931474,933429,935705,936831,937032,937986,940338,940398
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9683,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-1805,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3636,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-source-3.0.101-0.7.37.1, kernel-syms-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
Comment 14 Swamp Workflow Management 2016-02-01 15:15:30 UTC
openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1