Bug 823260 (CVE-2013-2147) - VUL-1: kernel: CVE-2013-2147: cpqarray/cciss: info leak via ioctl(2)
Summary: VUL-1: kernel: CVE-2013-2147: cpqarray/cciss: info leak via ioctl(2)
Status: RESOLVED FIXED
Alias: CVE-2013-2147
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2013-11-20
Assignee: Shirish Pargaonkar
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp3:53932 main...
Keywords:
Depends on:
Blocks:
 
Reported: 2013-06-05 01:52 UTC by Alexander Bergmann
Modified: 2015-04-30 19:10 UTC (History)
3 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2013-06-05 01:52:24 UTC 
Public via oss-security:

Date: Wed, 5 Jun 2013 12:53:33 +0530 (IST)
From: P J P
Subject: [oss-security] CVE request: kernel: cpqarray/c: info leak in ida_locked_ioctl()

A Linux kernel built with the Compaq SMART2(CONFIG_BLK_CPQ_DA) & Compaq Smart
Array 5xxx(CONFIG_BLK_CPQ_CISS_DA) support is vulnerable to an information
leakage flaw. This could occur while doing an ioctl(2) calls on the block
device with command `IDAGETPCIINFO' or `CCISS_PASSTHRU32'.

A user/program could use this flaw to leak kernel memory bytes.

Upstream fixes:
---------------
  -> https://lkml.org/lkml/2013/6/3/131
  -> https://lkml.org/lkml/2013/6/3/127
Comment 1 Alexander Bergmann 2013-06-05 02:06:06 UTC 
Upstream fix: 

https://lkml.org/lkml/2013/6/3/127

SLE10-SP3-TD: missing
SLE10-SP4: patches.fixes/cciss-kdump-fix.patch
SLE11-SP1-TD: missing
SLE11-SP2: patches.drivers/cciss-update-to-4.6.28.patch
SLE11-SP3: patches.drivers/cciss-update-to-4.6.28.patch

https://lkml.org/lkml/2013/6/3/131

Is missing on all SLE versions.
Comment 2 Swamp Workflow Management 2013-06-05 16:00:17 UTC 
bugbot adjusting priority
Comment 3 Alexander Bergmann 2013-06-06 01:32:05 UTC 
CVE-2013-2147 was assigned.
Comment 5 Michal Hocko 2013-08-05 12:09:47 UTC 
pushed to SLE11-SP1-TD, SLES10-SP3-TD and SLES9-SP3-TD branches
Comment 7 Swamp Workflow Management 2013-08-06 08:49:47 UTC 
The SWAMPID for this issue is 53931.
This issue was rated as important.
Please submit fixed packages until 2013-08-13.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 8 Swamp Workflow Management 2013-08-09 10:04:39 UTC 
Update released for: kernel-bigsmp, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-dummy, kernel-iseries64, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-ppc64, kernel-s390, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-um, kernel-vmi, kernel-vmipae, kernel-xen, kernel-xen-debuginfo
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 9 Swamp Workflow Management 2013-08-16 15:22:56 UTC 
The SWAMPID for this issue is 54107.
This issue was rated as moderate.
Please submit fixed packages until 2013-08-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 10 Swamp Workflow Management 2013-08-21 15:04:21 UTC 
Update released for: kernel-default, kernel-default-debug, kernel-dummy, kernel-smp, kernel-smp-debug, kernel-source, kernel-syms, um-host-kernel, kernel-update.ycp, install-kernel-non-interactive.sh
Products:
SUSE-CORE 9-SP3-TERADATA (x86_64)
Comment 13 Swamp Workflow Management 2013-09-20 11:55:27 UTC 
The SWAMPID for this issue is 54469.
This issue was rated as important.
Please submit fixed packages until 2013-09-27.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 14 Marcus Meissner 2013-09-25 14:18:11 UTC 
is in mainline:

commit 627aad1c01da6f881e7f98d71fd928ca0c316b1a
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Sep 24 15:27:44 2013 -0700

    cpqarray: fix info leak in ida_locked_ioctl()
    
    The pciinfo struct has a two byte hole after ->dev_fn so stack
    information could be leaked to the user.
    
    This was assigned CVE-2013-2147.
   

and

commit 58f09e00ae095e46ef9edfcf3a5fd9ccdfad065e
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Sep 24 15:27:45 2013 -0700

    cciss: fix info leak in cciss_ioctl32_passthru()
    
    The arg64 struct has a hole after ->buf_size which isn't cleared.  Or if
    any of the calls to copy_from_user() fail then that would cause an
    information leak as well.
    
    This was assigned CVE-2013-2147.
Comment 15 Swamp Workflow Management 2013-10-01 12:05:19 UTC 
Update released for: kernel-debug, kernel-debug-base, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-debug-extra, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-docs, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
Comment 16 Marcus Meissner 2013-10-22 15:11:20 UTC 
patches.kernel.org/patch-3.0.99-100 has this fix.

can you add this CVE to the references of the patch?
Comment 17 Swamp Workflow Management 2013-11-06 14:36:44 UTC 
The SWAMPID for this issue is 54954.
This issue was rated as moderate.
Please submit fixed packages until 2013-11-20.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 18 Marcus Meissner 2013-12-06 15:40:00 UTC 
we released kernel updates containing this fix for SLE11 SP2 and SP3.
Comment 19 Swamp Workflow Management 2013-12-06 23:52:51 UTC 
Update released for: kernel-default, kernel-default-debuginfo, kernel-source, kernel-syms
Products:
SLE-DEBUGINFO 10-SP3 (s390x)
SLE-SERVER 10-SP3-LTSS (s390x)
Comment 20 Swamp Workflow Management 2013-12-07 01:47:18 UTC 
Update released for: kernel-bigsmp, kernel-bigsmp-debuginfo, kernel-debug, kernel-debug-debuginfo, kernel-default, kernel-default-debuginfo, kernel-kdump, kernel-kdump-debuginfo, kernel-kdumppae, kernel-kdumppae-debuginfo, kernel-smp, kernel-smp-debuginfo, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-syms-debuginfo, kernel-vmi, kernel-vmi-debuginfo, kernel-vmipae, kernel-vmipae-debuginfo, kernel-xen, kernel-xen-debuginfo, kernel-xenpae, kernel-xenpae-debuginfo
Products:
SLE-DEBUGINFO 10-SP3 (i386)
SLE-SERVER 10-SP3-LTSS (i386)
Comment 21 Swamp Workflow Management 2014-02-24 08:55:50 UTC 
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-trace, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-trace, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, hyper-v-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen
Products:
SLE-DEBUGINFO 11-SP1 (i386)
SLE-SERVER 11-SP1-LTSS (i386)
Comment 22 Swamp Workflow Management 2014-02-24 08:56:20 UTC 
Update released for: btrfs-kmp-default, btrfs-kmp-trace, cluster-network-kmp-default, cluster-network-kmp-trace, ext4dev-kmp-default, ext4dev-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace
Products:
SLE-DEBUGINFO 11-SP1 (s390x)
SLE-SERVER 11-SP1-LTSS (s390x)
Comment 23 Swamp Workflow Management 2014-02-24 09:56:34 UTC 
Update released for: btrfs-kmp-default, btrfs-kmp-trace, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-trace, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-trace, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-trace, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, ocfs2-kmp-default, ocfs2-kmp-trace, ocfs2-kmp-xen
Products:
SLE-DEBUGINFO 11-SP1 (x86_64)
SLE-SERVER 11-SP1-LTSS (x86_64)
Comment 24 Swamp Workflow Management 2014-02-24 14:26:52 UTC 
SUSE-SU-2014:0287-1: An update that solves 84 vulnerabilities and has 41 fixes is now available.

Category: security (moderate)
Bug References: 714906,715250,735347,744955,745640,748896,752544,754898,760596,761774,762099,762366,763463,763654,767610,767612,768668,769644,769896,770695,771706,771992,772849,773320,773383,773577,773640,773831,774523,775182,776024,776144,776885,777473,780004,780008,780572,782178,785016,786013,787573,787576,789648,789831,795354,797175,798050,800280,801178,802642,803320,804154,804653,805226,805227,805945,806138,806976,806977,806980,807320,808358,808827,809889,809891,809892,809893,809894,809898,809899,809900,809901,809902,809903,810045,810473,811354,812364,813276,813735,814363,814716,815352,815745,816668,817377,818337,818371,820338,822575,822579,823260,823267,823618,824159,824295,825227,826707,827416,827749,827750,828012,828119,833820,835094,835481,835839,840226,840858,845028,847652,847672,848321,849021,851095,851103,852558,852559,853050,853051,853052,856917,858869,858870,858872
CVE References: CVE-2011-1083,CVE-2011-3593,CVE-2012-1601,CVE-2012-2137,CVE-2012-2372,CVE-2012-2745,CVE-2012-3375,CVE-2012-3412,CVE-2012-3430,CVE-2012-3511,CVE-2012-4444,CVE-2012-4530,CVE-2012-4565,CVE-2012-6537,CVE-2012-6538,CVE-2012-6539,CVE-2012-6540,CVE-2012-6541,CVE-2012-6542,CVE-2012-6544,CVE-2012-6545,CVE-2012-6546,CVE-2012-6547,CVE-2012-6548,CVE-2012-6549,CVE-2013-0160,CVE-2013-0216,CVE-2013-0231,CVE-2013-0268,CVE-2013-0310,CVE-2013-0343,CVE-2013-0349,CVE-2013-0871,CVE-2013-0914,CVE-2013-1767,CVE-2013-1773,CVE-2013-1774,CVE-2013-1792,CVE-2013-1796,CVE-2013-1797,CVE-2013-1798,CVE-2013-1827,CVE-2013-1928,CVE-2013-1943,CVE-2013-2015,CVE-2013-2141,CVE-2013-2147,CVE-2013-2164,CVE-2013-2232,CVE-2013-2234,CVE-2013-2237,CVE-2013-2634,CVE-2013-2851,CVE-2013-2852,CVE-2013-2888,CVE-2013-2889,CVE-2013-2892,CVE-2013-2893,CVE-2013-2897,CVE-2013-2929,CVE-2013-3222,CVE-2013-3223,CVE-2013-3224,CVE-2013-3225,CVE-2013-3228,CVE-2013-3229,CVE-2013-3231,CVE-2013-3232,CVE-2013-3234,CVE-2013-3235,CVE-2013-4345,CVE-2013-4470,CVE-2013-4483,CVE-2013-4511,CVE-2013-4587,CVE-2013-4588,CVE-2013-4591,CVE-2013-6367,CVE-2013-6368,CVE-2013-6378,CVE-2013-6383,CVE-2014-1444,CVE-2014-1445,CVE-2014-1446
Sources used:
SUSE Linux Enterprise Server 11 SP1 LTSS (src):    btrfs-0-0.3.151, ext4dev-0-7.9.118, hyper-v-0-0.18.37, kernel-default-2.6.32.59-0.9.1, kernel-ec2-2.6.32.59-0.9.1, kernel-pae-2.6.32.59-0.9.1, kernel-source-2.6.32.59-0.9.1, kernel-syms-2.6.32.59-0.9.1, kernel-trace-2.6.32.59-0.9.1, kernel-xen-2.6.32.59-0.9.1
SLE 11 SERVER Unsupported Extras (src):    kernel-default-2.6.32.59-0.9.1, kernel-pae-2.6.32.59-0.9.1, kernel-xen-2.6.32.59-0.9.1
Comment 25 Swamp Workflow Management 2014-02-24 14:42:47 UTC 
Update released for: kernel-default-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (x86_64)
Comment 26 Swamp Workflow Management 2014-02-24 15:12:54 UTC 
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra
Products:
SLE-SERVER 11-EXTRA (i386)
Comment 27 Swamp Workflow Management 2014-02-24 16:14:34 UTC 
Update released for: kernel-default-extra
Products:
SLE-SERVER 11-EXTRA (s390x)
Comment 28 Swamp Workflow Management 2014-06-06 10:07:01 UTC 
openSUSE-SU-2014:0766-1: An update that solves 30 vulnerabilities and has 37 fixes is now available.

Category: security (moderate)
Bug References: 708296,736697,746500,758813,813733,814788,817377,819351,823260,831029,836347,840226,841402,843185,844513,847672,849021,849364,850263,851426,852488,852553,852558,852967,853455,854025,855347,855885,856083,857499,857643,858280,858534,858604,858869,858870,858872,862023,862429,863300,863335,864025,864833,865307,865310,865330,865342,865783,866102,867139,867255,867953,868049,868528,868653,869033,869563,870801,871252,871325,871561,871861,873061,874108,875690,875798,876102
CVE References: CVE-2012-2313,CVE-2013-0343,CVE-2013-1929,CVE-2013-2015,CVE-2013-2147,CVE-2013-4345,CVE-2013-4470,CVE-2013-4511,CVE-2013-4579,CVE-2013-6382,CVE-2013-6383,CVE-2013-6763,CVE-2013-6885,CVE-2013-7263,CVE-2013-7264,CVE-2013-7265,CVE-2013-7339,CVE-2014-00691,CVE-2014-0101,CVE-2014-0196,CVE-2014-1444,CVE-2014-1445,CVE-2014-1446,CVE-2014-1737,CVE-2014-1738,CVE-2014-1874,CVE-2014-2039,CVE-2014-2523,CVE-2014-2678,CVE-2014-3122
Sources used:
openSUSE 11.4 (src):    kernel-docs-3.0.101-83.3, kernel-source-3.0.101-83.1, kernel-syms-3.0.101-83.1, preload-1.2-6.61.1
Comment 29 Swamp Workflow Management 2015-04-30 19:10:05 UTC 
SUSE-SU-2015:0812-1: An update that fixes 39 vulnerabilities is now available.

Category: security (important)
Bug References: 677286,679812,681175,681999,683282,685402,687812,730118,730200,738400,758813,760902,769784,823260,846404,853040,854722,863335,874307,875051,880484,883223,883795,885422,891844,892490,896390,896391,896779,902346,907818,908382,910251,911325
CVE References: CVE-2011-1090,CVE-2011-1163,CVE-2011-1476,CVE-2011-1477,CVE-2011-1493,CVE-2011-1494,CVE-2011-1495,CVE-2011-1585,CVE-2011-4127,CVE-2011-4132,CVE-2011-4913,CVE-2011-4914,CVE-2012-2313,CVE-2012-2319,CVE-2012-3400,CVE-2012-6657,CVE-2013-2147,CVE-2013-4299,CVE-2013-6405,CVE-2013-6463,CVE-2014-0181,CVE-2014-1874,CVE-2014-3184,CVE-2014-3185,CVE-2014-3673,CVE-2014-3917,CVE-2014-4652,CVE-2014-4653,CVE-2014-4654,CVE-2014-4655,CVE-2014-4656,CVE-2014-4667,CVE-2014-5471,CVE-2014-5472,CVE-2014-9090,CVE-2014-9322,CVE-2014-9420,CVE-2014-9584,CVE-2015-2041
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    kernel-bigsmp-2.6.16.60-0.132.1, kernel-debug-2.6.16.60-0.132.1, kernel-default-2.6.16.60-0.132.1, kernel-kdump-2.6.16.60-0.132.1, kernel-kdumppae-2.6.16.60-0.132.1, kernel-smp-2.6.16.60-0.132.1, kernel-source-2.6.16.60-0.132.1, kernel-syms-2.6.16.60-0.132.1, kernel-vmi-2.6.16.60-0.132.1, kernel-vmipae-2.6.16.60-0.132.1, kernel-xen-2.6.16.60-0.132.1, kernel-xenpae-2.6.16.60-0.132.1