642302 – (CVE-2010-3067) VUL-1: CVE-2010-3067: kernel: overflow in AIO io_submit

Bug 642302 (CVE-2010-3067) - VUL-1: CVE-2010-3067: kernel: overflow in AIO io_submit

Summary: VUL-1: CVE-2010-3067: kernel: overflow in AIO io_submit

Status:	RESOLVED FIXED

Alias:	CVE-2010-3067

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	General (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Major
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:11.1:37523 maint:relea...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2010-09-28 14:17 UTC by Marcus Meissner
Modified:	2013-08-13 10:03 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Third Party Developer/Partner
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2010-09-28 14:17:41 UTC

is public, from CVE DB

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3067

Integer overflow in the do_io_submit function in fs/aio.c in the Linux
kernel before 2.6.36-rc4-next-20100915 allows local users to cause a
denial of service or possibly have unspecified other impact via
crafted use of the io_submit system call.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=75e1c70fc31490ef8a373ea2a4bea2524099b478

http://www.kernel.org/pub/linux/kernel/v2.6/next/patch-v2.6.36-rc4-next-20100915.bz2

https://bugzilla.redhat.com/show_bug.cgi?id=629441

Comment 1 Marcus Meissner 2010-09-28 14:19:05 UTC

in sle11 sp1 kernels it is 

SYSCALL_DEFINE3(io_submit, aio_context_t, ctx_id, long, nr,
                struct iocb __user * __user *, iocbpp)

but the code looks affected too, same for SLE11 GA, and SLES 10 SP3.

Comment 2 Thomas Biege 2010-10-15 08:23:39 UTC

P5 -> P3 mass change

Comment 3 Jeff Mahoney 2010-11-08 19:51:53 UTC

Applied to SLES9 SP4.
Applied to SLES 10 SP3.
Applied to SLES 10 SP4.
Fix in SLE11 from 2.6.27.55.
Applied to openSUSE 11.2.
Fix in SLE11 SP1 from 2.6.32.23.
Applied to openSUSE 11.3.

openSUSE Factory is unaffected.

Moblin/Meego and SLERT may be affected.

Comment 4 Mike Galbraith 2010-11-29 07:08:16 UTC

Applied to SLERT10_SP3 and SLE11-SP1-RT

Comment 5 Swamp Workflow Management 2010-12-10 12:17:11 UTC

Update released for: kernel-debug, kernel-debug-base, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-extra, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-docs, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-extra, kernel-ps3, kernel-ps3-debuginfo, kernel-ps3-debugsource, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-extra, kernel-vanilla, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra
Products:
openSUSE 11.1 (debug, i586, ppc, x86_64)

Comment 6 Swamp Workflow Management 2010-12-13 14:30:25 UTC

Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-DESKTOP 10-SP3 (i386)
SLE-SDK 10-SP3 (i386)
SLE-SERVER 10-SP3 (i386)

Comment 7 Marcus Meissner 2010-12-13 14:37:28 UTC

We just released a kernel update for SUSE Linux Enterprise 10 Service Pack 3, which fixes/mentions this bugreport. Released kernel version is 2.6.16.60-0.74.7.

Comment 8 Swamp Workflow Management 2010-12-13 15:03:11 UTC

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ia64)
SLE-SDK 10-SP3 (ia64)
SLE-SERVER 10-SP3 (ia64)

Comment 9 Swamp Workflow Management 2010-12-13 15:11:13 UTC

Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3 (s390x)

Comment 10 Swamp Workflow Management 2010-12-13 15:27:26 UTC

Update released for: kernel-default, kernel-default-debuginfo, kernel-iseries64, kernel-iseries64-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-ppc64, kernel-ppc64-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (ppc)
SLE-SDK 10-SP3 (ppc)
SLE-SERVER 10-SP3 (ppc)

Comment 11 Swamp Workflow Management 2010-12-13 15:56:35 UTC

Update released for: kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (x86_64)
SLE-DESKTOP 10-SP3 (x86_64)
SLE-SAP-APL 10-SP3 (x86_64)
SLE-SDK 10-SP3 (x86_64)
SLE-SERVER 10-SP3 (x86_64)

Comment 12 Swamp Workflow Management 2011-01-03 08:31:36 UTC

Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.2 (debug, i586, x86_64)

Comment 13 Swamp Workflow Management 2011-01-03 08:32:30 UTC

Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-base-debuginfo, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-extra-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi, kernel-vmi-base, kernel-vmi-base-debuginfo, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-devel, kernel-vmi-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop
Products:
openSUSE 11.3 (debug, i586, x86_64)

Comment 14 Swamp Workflow Management 2011-02-07 11:52:14 UTC

Update released for: brocade-bna-kmp-rt, iscsitarget-kmp-rt, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-source-rt, kernel-source-rt-debuginfo, kernel-syms-rt, ofed-kmp-rt
Products:
SLE-RT 11-SP1 (x86_64)

Comment 15 Marcus Meissner 2011-02-10 16:38:09 UTC

A SLES 9 kernel update mentioning/fixing this bug was just released. The released
kernel version is 2.6.5-7.325.

closing

Comment 16 Swamp Workflow Management 2011-02-10 18:50:13 UTC

Update released for: kernel-s390x, kernel-s390x-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (s390x)

Comment 17 Swamp Workflow Management 2011-02-10 18:57:33 UTC

Update released for: kernel-bigsmp, kernel-bigsmp-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-um, kernel-um-debug, kernel-xen, kernel-xen-debug, kernel-xenpae, kernel-xenpae-debug, um-host-install-initrd, um-host-kernel, xen-kmp
Products:
Open-Enterprise-Server 9 (i386)

Comment 18 Swamp Workflow Management 2011-02-10 19:02:47 UTC

Update released for: kernel-default, kernel-default-debug, kernel-iseries64, kernel-iseries64-debug, kernel-pmac64, kernel-pmac64-debug, kernel-pseries64, kernel-pseries64-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (ppc)

Comment 19 Swamp Workflow Management 2011-02-10 19:08:10 UTC

Update released for: kernel-64k-pagesize, kernel-64k-pagesize-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-sn2, kernel-sn2-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (ia64)

Comment 20 Swamp Workflow Management 2011-02-10 19:12:38 UTC

Update released for: kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-xen, kernel-xen-debug, um-host-kernel, xen-kmp, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (x86_64)

Comment 21 Swamp Workflow Management 2011-02-10 19:24:09 UTC

Update released for: kernel-bigsmp, kernel-bigsmp-debug, kernel-debug, kernel-debug-debug, kernel-default, kernel-default-debug, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, kernel-um, kernel-um-debug, kernel-xen, kernel-xen-debug, kernel-xenpae, kernel-xenpae-debug, um-host-install-initrd, um-host-kernel, xen-kmp, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
Novell-Linux-POS 9 (i386)
SUSE-CORE 9 (i386)

Comment 22 Swamp Workflow Management 2011-02-10 19:29:42 UTC

Update released for: kernel-s390, kernel-s390-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9 (s390)

Comment 23 Swamp Workflow Management 2011-04-29 03:13:22 UTC

Update released for: ib-bonding-kmp-debug, ib-bonding-kmp-rt, ib-bonding-kmp-rt_bigsmp, ib-bonding-kmp-rt_bigsmp_shield, ib-bonding-kmp-rt_bigsmp_shield_trace, ib-bonding-kmp-rt_debug, ib-bonding-kmp-rt_shield, ib-bonding-kmp-rt_shield_trace, ib-bonding-kmp-rt_timing, intel-igb, intel-igb-kmp-rt, intel-igb-kmp-rt_bigsmp, intel-igb-kmp-rt_debug, intel-igb-kmp-rt_timing, kernel-rt, kernel-rt_bigsmp, kernel-rt_debug, kernel-rt_timing, kernel-source, kernel-syms, ofed, ofed-cxgb3-NIC-kmp-rt, ofed-cxgb3-NIC-kmp-rt_bigsmp, ofed-cxgb3-NIC-kmp-rt_debug, ofed-cxgb3-NIC-kmp-rt_timing, ofed-devel, ofed-doc, ofed-kmp-rt, ofed-kmp-rt_bigsmp, ofed-kmp-rt_bigsmp_shield, ofed-kmp-rt_bigsmp_shield_trace, ofed-kmp-rt_debug, ofed-kmp-rt_shield, ofed-kmp-rt_shield_trace, ofed-kmp-rt_timing
Products:
SLE-RT 10-SP3 (i386, x86_64)