Bugzilla – Bug 808358
VUL-1: kernel: CVE-2013-1792 Linux kernel: KEYS: race with concurrent install_user_keyrings()
Last modified: 2015-02-18 21:32:40 UTC
Hi. There is a security bug in package 'kernel'. This information is from 'oss-security'. This bug is public. There is no coordinated release date (CRD) set. CVE number: CVE-2013-1792 CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1792 Original posting: with concurrent install_user_keyrings() -------- Original-Nachricht -------- Betreff: [oss-security] CVE-2013-1792 Linux kernel: KEYS: race with concurrent install_user_keyrings() Datum: Thu, 7 Mar 2013 13:05:37 +0530 (IST) Von: P J P <ppandit@redhat.com> Antwort an: oss-security@lists.openwall.com An: oss security list <oss-security@lists.openwall.com> Hello, Mateusz Guzik of Red Hat discovered a race condition in install_user_keyrings() routine, leading to a NULL pointer dereference. It occurs during parallel invocation of the install_user_keyrings & lookup_user_key routines, for the same user, if `uid' and `uid-session' keyrings are not yet created. An unprivileged user could use this flaw to crash the system, resulting in DoS. Upstream fix: ------------- -> https://lkml.org/lkml/2013/3/6/535 Reference: ---------- -> https://bugzilla.redhat.com/show_bug.cgi?id=916646 Thank you. -- Prasad J Pandit / Red Hat Security Response Team DB7A 84C5 D3F9 7CD1 B5EB C939 D048 7860 3655 602B
*** Bug 807428 has been marked as a duplicate of this bug. ***
I am doing to backport from James Morris's tree: https://git.kernel.org/cgit/linux/kernel/git/jmorris/linux-security.git/commit/?h=for-linus&id=0da9dfdd2cd9889201bc6f6f43580c99165cd087
Created attachment 531719 [details] keys-fix-race-with-concurrent-install_user_keyrings.patch Backport and sent this patch to kernel@suse.de for review
This patch was already included in patches.kernel.org/patch-3.0.68-69 update. Set this bug to FIXED.
pushed to SLE11-SP1-TD. Is SLES10 affected as well? I guess the issue was introduced by http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=69664cf1 around 2.6.26 but I have no idea whether the issue was there even before. Could you double check Joey, please?
yes please check SLES 10 ... it has some traces of the user keyrings too. We also need fixes in the openSUSE kernel trees (12.1, 12.2 and 12.3).
I checked branch linux-2.6.16-SLES10_SP4_BRANCH, but didn't see 69664cf1 changed in the code. Please collect me if I didn't search right branch. I will also check openSUSE tree for fix this issue.
(In reply to comment #7) > I checked branch linux-2.6.16-SLES10_SP4_BRANCH, but didn't see 69664cf1 > changed in the code. I am not sure I understand. Does this mean that the issue has been really introduced by 69664cf1 and the fact it is not present in the SLES10_SP4_BRANCH means that this branch is not affected?
(In reply to comment #8) > (In reply to comment #7) > > I checked branch linux-2.6.16-SLES10_SP4_BRANCH, but didn't see 69664cf1 > > changed in the code. > > I am not sure I understand. Does this mean that the issue has been really > introduced by 69664cf1 and the fact it is not present in the SLES10_SP4_BRANCH > means that this branch is not affected? Yes, I double checked the 69664cf1 patch that moved the logic of generate user and user session keyrings to lookup_user_key() when userspace try to access it. This changed causes a concurrence issue is CVE-2013-1792. SLES10 SP4 doesn't apply 69664cf1, so it allocate the keyrings of UID when allocate uid.
OK, I read this as SLES10_SP4 is not vulnerable. Thanks for double checking!
The SWAMPID for this issue is 52297. This issue was rated as important. Please submit fixed packages until 2013-05-03. Also create a patchinfo file using this link: https://swamp.suse.de/webswamp/wf/52297
Update released for: kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, xen-kmp-default, xen-kmp-trace Products: SLE-SERVER 11-SP1-TERADATA (x86_64)
We have just released a kernel update for SUSE Linux Enterprise 11 SP2 that mentions/fixes this bug. The released kernel version is 3.0.74-0.6.6.2.
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (s390x) SLE-HAE 11-SP2 (s390x) SLE-SERVER 11-SP2 (s390x)
Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-ec2-hmac, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-pae-hmac, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen Products: SLE-DEBUGINFO 11-SP2 (i386) SLE-DESKTOP 11-SP2 (i386) SLE-HAE 11-SP2 (i386) SLE-SERVER 11-SP2 (i386) SLES4VMWARE 11-SP2 (i386)
Update released for: cluster-network-kmp-default, cluster-network-kmp-ppc64, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-ppc64, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-ppc64-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-ppc64, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (ppc64) SLE-HAE 11-SP2 (ppc64) SLE-SERVER 11-SP2 (ppc64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (ia64) SLE-HAE 11-SP2 (ia64) SLE-SERVER 11-SP2 (ia64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (x86_64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-pae, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-pae-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (i386)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra Products: SLE-SERVER 11-EXTRA (s390x)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-ppc64, ext4-writeable-kmp-trace, kernel-default-extra, kernel-ppc64-extra Products: SLE-SERVER 11-EXTRA (ppc64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra Products: SLE-SERVER 11-EXTRA (ia64)
openSUSE-SU-2013:1187-1: An update that solves 13 vulnerabilities and has 35 fixes is now available. Category: security (important) Bug References: 763968,769685,788590,789359,792584,797175,800907,802642,804609,804656,805804,805945,806238,806980,808358,808647,808827,809122,809895,809902,809903,810473,810580,810624,810722,812281,814719,815356,815444,815745,816443,816451,816586,817010,817339,818053,818327,818371,818514,818516,818798,819295,819519,819655,820434,821930,822431,822722 CVE References: CVE-2012-6548,CVE-2012-6549,CVE-2013-0160,CVE-2013-0268,CVE-2013-0311,CVE-2013-0914,CVE-2013-1772,CVE-2013-1792,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-2634,CVE-2013-2635 Sources used: openSUSE 11.4 (src): kernel-docs-3.0.80-52.2, kernel-source-3.0.80-52.1, kernel-syms-3.0.80-52.1, preload-1.2-6.35.1
openSUSE still open I think
looks like in 13.1 it was already fixed, however in 12.3 it wasn't. Will it be fixed in 12.3?
(In reply to comment #25) > looks like in 13.1 it was already fixed, however in 12.3 it wasn't. Will it be > fixed in 12.3? Thanks for your remind, I just pushed patch to 12.3: commit b6bdf38246dfe122eb20d9ad934dcea35697fdf6 Author: Lee, Chun-Yi <jlee@suse.com> Date: Thu Jan 9 17:30:28 2014 +0800 keys: fix race with concurrent install_user_keyrings() (bnc#808358)(CVE-2013-1792).
I think we can set this bug to FIXED after patch pushed to openSUSE 12.3
This is an autogenerated message for OBS integration: This bug (808358) was mentioned in https://build.opensuse.org/request/show/220752 12.3 / kernel-source
openSUSE-SU-2014:0204-1: An update that solves 16 vulnerabilities and has 12 fixes is now available. Category: security (important) Bug References: 804950,805226,808358,811746,825006,831836,838024,840226,840656,844513,848079,848255,849021,849023,849029,849034,849362,852373,852558,852559,853050,853051,853052,853053,854173,854634,854722,860993 CVE References: CVE-2013-0343,CVE-2013-1792,CVE-2013-4348,CVE-2013-4511,CVE-2013-4513,CVE-2013-4514,CVE-2013-4515,CVE-2013-4587,CVE-2013-6367,CVE-2013-6368,CVE-2013-6376,CVE-2013-6378,CVE-2013-6380,CVE-2013-6431,CVE-2013-7027,CVE-2014-0038 Sources used: openSUSE 12.3 (src): kernel-docs-3.7.10-1.28.2, kernel-source-3.7.10-1.28.1, kernel-syms-3.7.10-1.28.1
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-trace, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-trace, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, hyper-v-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen Products: SLE-DEBUGINFO 11-SP1 (i386) SLE-SERVER 11-SP1-LTSS (i386)
Update released for: btrfs-kmp-default, btrfs-kmp-trace, cluster-network-kmp-default, cluster-network-kmp-trace, ext4dev-kmp-default, ext4dev-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP1 (s390x) SLE-SERVER 11-SP1-LTSS (s390x)
Update released for: btrfs-kmp-default, btrfs-kmp-trace, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-trace, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-trace, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-trace, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, ocfs2-kmp-default, ocfs2-kmp-trace, ocfs2-kmp-xen Products: SLE-DEBUGINFO 11-SP1 (x86_64) SLE-SERVER 11-SP1-LTSS (x86_64)
SUSE-SU-2014:0287-1: An update that solves 84 vulnerabilities and has 41 fixes is now available. Category: security (moderate) Bug References: 714906,715250,735347,744955,745640,748896,752544,754898,760596,761774,762099,762366,763463,763654,767610,767612,768668,769644,769896,770695,771706,771992,772849,773320,773383,773577,773640,773831,774523,775182,776024,776144,776885,777473,780004,780008,780572,782178,785016,786013,787573,787576,789648,789831,795354,797175,798050,800280,801178,802642,803320,804154,804653,805226,805227,805945,806138,806976,806977,806980,807320,808358,808827,809889,809891,809892,809893,809894,809898,809899,809900,809901,809902,809903,810045,810473,811354,812364,813276,813735,814363,814716,815352,815745,816668,817377,818337,818371,820338,822575,822579,823260,823267,823618,824159,824295,825227,826707,827416,827749,827750,828012,828119,833820,835094,835481,835839,840226,840858,845028,847652,847672,848321,849021,851095,851103,852558,852559,853050,853051,853052,856917,858869,858870,858872 CVE References: CVE-2011-1083,CVE-2011-3593,CVE-2012-1601,CVE-2012-2137,CVE-2012-2372,CVE-2012-2745,CVE-2012-3375,CVE-2012-3412,CVE-2012-3430,CVE-2012-3511,CVE-2012-4444,CVE-2012-4530,CVE-2012-4565,CVE-2012-6537,CVE-2012-6538,CVE-2012-6539,CVE-2012-6540,CVE-2012-6541,CVE-2012-6542,CVE-2012-6544,CVE-2012-6545,CVE-2012-6546,CVE-2012-6547,CVE-2012-6548,CVE-2012-6549,CVE-2013-0160,CVE-2013-0216,CVE-2013-0231,CVE-2013-0268,CVE-2013-0310,CVE-2013-0343,CVE-2013-0349,CVE-2013-0871,CVE-2013-0914,CVE-2013-1767,CVE-2013-1773,CVE-2013-1774,CVE-2013-1792,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-1827,CVE-2013-1928,CVE-2013-1943,CVE-2013-2015,CVE-2013-2141,CVE-2013-2147,CVE-2013-2164,CVE-2013-2232,CVE-2013-2234,CVE-2013-2237,CVE-2013-2634,CVE-2013-2851,CVE-2013-2852,CVE-2013-2888,CVE-2013-2889,CVE-2013-2892,CVE-2013-2893,CVE-2013-2897,CVE-2013-2929,CVE-2013-3222,CVE-2013-3223,CVE-2013-3224,CVE-2013-3225,CVE-2013-3228,CVE-2013-3229,CVE-2013-3231,CVE-2013-3232,CVE-2013-3234,CVE-2013-3235,CVE-2013-4345,CVE-2013-4470,CVE-2013-4483,CVE-2013-4511,CVE-2013-4587,CVE-2013-4588,CVE-2013-4591,CVE-2013-6367,CVE-2013-6368,CVE-2013-6378,CVE-2013-6383,CVE-2014-1444,CVE-2014-1445,CVE-2014-1446 Sources used: SUSE Linux Enterprise Server 11 SP1 LTSS (src): btrfs-0-0.3.151, ext4dev-0-7.9.118, hyper-v-0-0.18.37, kernel-default-2.6.32.59-0.9.1, kernel-ec2-2.6.32.59-0.9.1, kernel-pae-2.6.32.59-0.9.1, kernel-source-2.6.32.59-0.9.1, kernel-syms-2.6.32.59-0.9.1, kernel-trace-2.6.32.59-0.9.1, kernel-xen-2.6.32.59-0.9.1 SLE 11 SERVER Unsupported Extras (src): kernel-default-2.6.32.59-0.9.1, kernel-pae-2.6.32.59-0.9.1, kernel-xen-2.6.32.59-0.9.1
Update released for: kernel-default-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (x86_64)
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (i386)
Update released for: kernel-default-extra Products: SLE-SERVER 11-EXTRA (s390x)