Bugzilla – Bug 353207
VUL-0: CVE-2008-0007: kernel: insufficient range checks of certain fault handlers
Last modified: 2020-04-21 09:48:00 UTC
This issue is not public yet, please keep any information about it inside SUSE. Nick Piggin discovered problems with range checks of certain fault handlers:
---
Drivers that register a ->fault handler that does not range-check its offset argument must set VM_DONTEXPAND in the vm_flags in order to prevent an expanding mremap from overflowing the resource (and potentially causing a kernel crash or access to sensitive data).
---
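A user-space model of the two defences named in the description, added here as an illustration and not taken from the report, the attached patch, or the kernel: `struct mapping`, `fault_unchecked`, `fault_checked` and `mremap_expand` are simplified stand-ins for the kernel's VMA, ->fault handler and mremap path, and the backing page array is constructed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for the kernel flag; value chosen for this model only. */
#define VM_DONTEXPAND 0x1u
#define FAULT_SIGBUS  (-1L)

/* Constructed backing resource: a device that exposes exactly 4 pages. */
#define RESOURCE_PAGES 4UL

/* Minimal stand-in for a VMA: its flags and how many pages it covers. */
struct mapping {
    unsigned long flags;
    unsigned long nr_pages;
};

/* Vulnerable pattern: the handler trusts the page offset it is given.
 * Once an mremap has grown the mapping past the resource, a fault at
 * pgoff >= RESOURCE_PAGES is served as if a page existed there, so the
 * caller ends up touching memory the driver never owned. */
long fault_unchecked(unsigned long pgoff)
{
    return (long)pgoff;          /* no bound check: hands back any index */
}

/* Defence 1: the handler range-checks the offset against the resource
 * size and refuses (SIGBUS) anything outside it. */
long fault_checked(unsigned long pgoff)
{
    if (pgoff >= RESOURCE_PAGES)
        return FAULT_SIGBUS;
    return (long)pgoff;
}

/* Defence 2: the driver sets VM_DONTEXPAND at mmap time, so the mremap
 * path refuses to grow the mapping and the handler is never asked for an
 * out-of-range page. Returns true if the expansion was allowed. */
bool mremap_expand(struct mapping *m, unsigned long new_nr_pages)
{
    if (new_nr_pages > m->nr_pages && (m->flags & VM_DONTEXPAND))
        return false;            /* expansion refused */
    m->nr_pages = new_nr_pages;
    return true;
}

int main(void)
{
    struct mapping m = { 0, RESOURCE_PAGES };            /* flag missing */
    mremap_expand(&m, 8);                                /* grows to 8 pages */
    printf("unchecked fault at pgoff 6 -> %ld (out of range)\n", fault_unchecked(6));
    printf("checked fault at pgoff 6   -> %ld (SIGBUS)\n", fault_checked(6));
    return 0;
}
```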
Created attachment 190236 [details] original mail, includes patch
CVE-2008-0007
Nick, did you get any additional feedback? Do you think we can include the patches into the next round of updates?
No additional feedback, although I think it is quite conclusive that it is a security bug. The patches are mostly quite trivial, so yes I think we should include them into the next round of updates. I'll try to have patches for SLES9_SP4, SLES10_SP1 and SLES10_SP2 before the weekend. Do I also need to consider the opensuse branches? Can you give me an idea of which ones? Thanks.
Yes, the openSUSE ones also need to be considered. Active at this time are just two: SL102_BRANCH, SL103_BRANCH (10.1 uses the SLES10 SP1 branch). Did security@kernel.org answer somehow?
OK, I have made patches for SLES9 SP4, SLES10 SP1 and SP2 so far. Attaching now for comments. SL patches will follow tomorrow... Lars, can the SLES9 patch be merged before the next update kernel do you think?
Created attachment 190990 [details] SLES9 SP4 audit
Created attachment 190991 [details] SLES10 SP1 audit
Created attachment 190992 [details] SLES10 SP2 audit
(In reply to comment #5 from Marcus Meissner)
> Did security@kernel.org answer somehow?

And to answer this question: no, nobody from security@kernel.org answered.
I would just suggest to push the stuff to mainline then (please include the CVE-2008-0007 id), so it gets upstream review and inclusion.
Yes, please merge into SP4.
(In reply to comment #11 from Marcus Meissner)
> i would just suggest to push the stuff to mainline then (please include the
> CVE-2008-0007 id), so it gets upstream review and inclusion

I will push it upstream, although it previously has had (private) review by all maintainers whose code is touched, as well as some core mm developers and also Linus. And it is agreed that this is a security vulnerability and the patch will fix it. So I will commit to all SUSE branches soon. When sending out a public changelog for the patch, is there any sort of non-disclosure period where I am supposed to avoid describing details of the bug?
OK, committed as patches.fixes/nopage-range-fix.patch to all the 5 SLES and SL branches. Some branches also have some broken out incremental patches for their xen series.
Hmm, so there were reactions and good feedback. Good to hear! :) Since you found the patch, you would coordinate the disclosure together with security@kernel.org. I think doing a disclosure delay is not really necessary (and would be too confusing), so I would suggest not doing any further delay and going ahead with inclusion.
OK, thanks for all the guidance. I think it makes sense to send it upstream without delay, agreed. I will resend the patch and request inclusion upstream.
Checked into the 10.3 tree. I'll reassign it to Nick to have him handle it for any other kernel trees that are affected.
Nick? Did we get it in all branches?
SLES10 SP1/2
SLES9 SP4
SL102/3
As far as I know, that's all that needs to be checked in? The patches are upstream, so SL11 based kernels should all be covered.
SL102_BRANCH and SL103_BRANCH got it too as far as I can see (we fix security issues also for openSUSE kernels). All looks good, thanks!
Released SLES9 update; kernel version is: 2.6.5-7.312
CVE-2008-0007: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)