806238 – (CVE-2013-1772) VUL-1: CVE-2013-1772: kernel: Linux kernel: call_console_drivers() Function Log Prefix Stripping buffer overflow

Bug 806238 (CVE-2013-1772) - VUL-1: CVE-2013-1772: kernel: Linux kernel: call_console_drivers() Function Log Prefix Stripping buffer overflow

Summary: VUL-1: CVE-2013-1772: kernel: Linux kernel: call_console_drivers() Function ...

Status:	RESOLVED FIXED
Duplicates (1):	807441 (view as bug list)

Alias:	CVE-2013-1772

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle11-sp2:52260 maint:...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2013-02-26 12:51 UTC by Marcus Meissner
Modified:	2014-06-11 15:31 UTC (History)
CC List:	4 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2013-02-26 12:51:41 UTC

is public, via oss-security

From: Petr Matousek <pmatouse@redhat.com>
Subject: [oss-security] CVE request -- Linux kernel: call_console_drivers() Function Log Prefix Stripping buffer overflow
Date: Tue, 26 Feb 2013 12:39:05 +0100

A buffer overflow flaw was found in kernels from 3.0 to 3.4 when calling
log_prefix() function from call_console_drivers().

This bug existed in previous releases but has been revealed with commit
162a7e7500f9664636e649ba59defe541b7c2c60 (2.6.39 => 3.0) that made
changes about how to allocate memory for early printk buffer (use of
memblock_alloc). It disappears with commit
7ff9554bb578ba02166071d2d487b7fc7d860d62 (3.4 => 3.5) that does a
refactoring of printk buffer management.

In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or
"simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this
function is called from call_console_drivers by passing
"&LOG_BUF(cur_index)" where the index must be masked to do not exceed
the buffer's boundary.

Note: /dev/kmsg is root writable only (at least on RHEL/Fedora), but it
still might cause issues in restricted root environments.

References:
https://bugs.gentoo.org/458780
https://secunia.com/advisories/52366/

Comment 1 Marcus Meissner 2013-02-26 14:45:50 UTC

patches.kernel.org/patch-3.0.65-66 looks like the fix for this in SLES 11 SP2.

Comment 2 Swamp Workflow Management 2013-02-26 23:00:18 UTC

bugbot adjusting priority

Comment 3 Marcus Meissner 2013-03-08 17:40:55 UTC

*** Bug 807441 has been marked as a duplicate of this bug. ***

Comment 5 Marcus Meissner 2013-05-07 11:41:57 UTC

We have just released a kernel update for SUSE Linux Enterprise 11 SP2 that mentions/fixes this bug. The released kernel version is 3.0.74-0.6.6.2.

Comment 6 Swamp Workflow Management 2013-05-07 14:15:59 UTC

Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (s390x)
SLE-HAE 11-SP2 (s390x)
SLE-SERVER 11-SP2 (s390x)

Comment 7 Swamp Workflow Management 2013-05-07 14:39:04 UTC

Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-ec2-hmac, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-pae-hmac, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen
Products:
SLE-DEBUGINFO 11-SP2 (i386)
SLE-DESKTOP 11-SP2 (i386)
SLE-HAE 11-SP2 (i386)
SLE-SERVER 11-SP2 (i386)
SLES4VMWARE 11-SP2 (i386)

Comment 8 Swamp Workflow Management 2013-05-07 14:41:14 UTC

Update released for: cluster-network-kmp-default, cluster-network-kmp-ppc64, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-ppc64, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-ppc64-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-ppc64, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (ppc64)
SLE-HAE 11-SP2 (ppc64)
SLE-SERVER 11-SP2 (ppc64)

Comment 9 Swamp Workflow Management 2013-05-07 15:28:40 UTC

Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP2 (ia64)
SLE-HAE 11-SP2 (ia64)
SLE-SERVER 11-SP2 (ia64)

Comment 10 Swamp Workflow Management 2013-05-07 19:11:10 UTC

Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)

Comment 11 Swamp Workflow Management 2013-05-07 20:11:15 UTC

Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-pae, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)

Comment 12 Swamp Workflow Management 2013-05-07 21:12:48 UTC

Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)

Comment 13 Swamp Workflow Management 2013-05-07 22:13:10 UTC

Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-ppc64, ext4-writeable-kmp-trace, kernel-default-extra, kernel-ppc64-extra
Products:
SLE-SERVER 11-EXTRA (ppc64)

Comment 14 Swamp Workflow Management 2013-05-07 23:14:19 UTC

Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (ia64)

Comment 15 Swamp Workflow Management 2013-07-12 07:09:36 UTC

openSUSE-SU-2013:1187-1: An update that solves 13 vulnerabilities and has 35 fixes is now available.

Category: security (important)
Bug References: 763968,769685,788590,789359,792584,797175,800907,802642,804609,804656,805804,805945,806238,806980,808358,808647,808827,809122,809895,809902,809903,810473,810580,810624,810722,812281,814719,815356,815444,815745,816443,816451,816586,817010,817339,818053,818327,818371,818514,818516,818798,819295,819519,819655,820434,821930,822431,822722
CVE References: CVE-2012-6548,CVE-2012-6549,CVE-2013-0160,CVE-2013-0268,CVE-2013-0311,CVE-2013-0914,CVE-2013-1772,CVE-2013-1792,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-2634,CVE-2013-2635
Sources used:
openSUSE 11.4 (src):    kernel-docs-3.0.80-52.2, kernel-source-3.0.80-52.1, kernel-syms-3.0.80-52.1, preload-1.2-6.35.1

Comment 16 Jeff Mahoney 2013-07-31 19:59:03 UTC

Applied to openSUSE 12.3 via 3.4.33

Comment 17 Marcus Meissner 2013-10-04 16:16:49 UTC

done