Bugzilla – Bug 821560
VUL-0: kernel: CVE-2013-2850: iSCSI target heap overflow
Last modified: 2018-07-03 20:44:52 UTC
Created attachment 541075 [details] iscsi-target-fix-heap-buffer-overflow-on-error.patch
is public http://git.kernel.org/cgit/linux/kernel/git/nab/target-pending.git/commit/?id=cea4dcfdad926a27a18e188720efe0f2c9403456 iscsi-target: fix heap buffer overflow on error If a key was larger than 64 bytes, as checked by iscsi_check_key(), the error response packet, generated by iscsi_add_notunderstood_response(), would still attempt to copy the entire key into the packet, overflowing the structure on the heap. Remote preauthentication kernel memory corruption was possible if a target was configured and listening on the network. CVE-2013-2850 Signed-off-by: Kees Cook <keescook@chromium.org> Cc: stable@vger.kernel.org Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
This problem was introduced with commit e48354ce (v3.1-rc1~41) and backported to the SLES 11 Service Pack 2 codebase. It does not exist in SUSE Linux Enterprise 11 SP1 and earlier versions. SUSE Linux Enterprise 10 is also not affected.
FWIW I also checked the iscsitarget KMPs we offer (iscsitarget-kmp-FLAVOUR), they do not have the affected code.
Update released for: cluster-network-kmp-default, cluster-network-kmp-ppc64, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-ppc64, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-ppc64-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-ppc64, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (ppc64) SLE-HAE 11-SP2 (ppc64) SLE-SERVER 11-SP2 (ppc64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-trace-man, ocfs2-kmp-default, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (s390x) SLE-HAE 11-SP2 (s390x) SLE-SERVER 11-SP2 (s390x)
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-debuginfo, kernel-ec2-debugsource, kernel-ec2-devel, kernel-ec2-devel-debuginfo, kernel-ec2-extra, kernel-ec2-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-trace, ocfs2-kmp-xen, xen-kmp-default, xen-kmp-pae, xen-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (x86_64) SLE-DESKTOP 11-SP2 (x86_64) SLE-HAE 11-SP2 (x86_64) SLE-SERVER 11-SP2 (x86_64) SLES4VMWARE 11-SP2 (x86_64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-trace, cluster-network-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-trace, gfs2-kmp-xen, kernel-default, kernel-default-base, kernel-default-devel, kernel-default-extra, kernel-default-hmac, kernel-desktop-devel, kernel-ec2, kernel-ec2-base, kernel-ec2-devel, kernel-ec2-extra, kernel-ec2-hmac, kernel-pae, kernel-pae-base, kernel-pae-devel, kernel-pae-extra, kernel-pae-hmac, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-trace-hmac, kernel-xen, kernel-xen-base, kernel-xen-devel, kernel-xen-extra, kernel-xen-hmac, ocfs2-kmp-default, ocfs2-kmp-pae, ocfs2-kmp-trace, ocfs2-kmp-xen Products: SLE-DEBUGINFO 11-SP2 (i386) SLE-DESKTOP 11-SP2 (i386) SLE-HAE 11-SP2 (i386) SLE-SERVER 11-SP2 (i386) SLES4VMWARE 11-SP2 (i386)
Update released for: cluster-network-kmp-default, cluster-network-kmp-trace, gfs2-kmp-default, gfs2-kmp-trace, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-hmac, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-hmac, ocfs2-kmp-default, ocfs2-kmp-trace Products: SLE-DEBUGINFO 11-SP2 (ia64) SLE-HAE 11-SP2 (ia64) SLE-SERVER 11-SP2 (ia64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (x86_64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-ppc64, ext4-writeable-kmp-trace, kernel-default-extra, kernel-ppc64-extra Products: SLE-SERVER 11-EXTRA (ppc64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra Products: SLE-SERVER 11-EXTRA (ia64)
Update released for: cluster-network-kmp-rt, cluster-network-kmp-rt_trace, drbd-kmp-rt, drbd-kmp-rt_trace, iscsitarget-kmp-rt, iscsitarget-kmp-rt_trace, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt-hmac, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-rt_trace-hmac, kernel-source-rt, kernel-syms-rt, lttng-modules-kmp-rt, lttng-modules-kmp-rt_trace, ocfs2-kmp-rt, ocfs2-kmp-rt_trace, ofed-kmp-rt, ofed-kmp-rt_trace Products: SLE-RT 11-SP2 (x86_64)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-trace, kernel-default-extra Products: SLE-SERVER 11-EXTRA (s390x)
Update released for: ext4-writeable-kmp-default, ext4-writeable-kmp-pae, ext4-writeable-kmp-trace, ext4-writeable-kmp-xen, kernel-default-extra, kernel-pae-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (i386)
openSUSE-SU-2013:1005-1: An update that solves one vulnerability and has two fixes is now available. Category: security (critical) Bug References: 790920,821560,822722 CVE References: CVE-2013-2850 Sources used: openSUSE 12.1 (src): kernel-docs-3.1.10-1.29.2, kernel-source-3.1.10-1.29.1, kernel-syms-3.1.10-1.29.1
12.2 and 12.3 are also in the queue and will be released soon
We have just released a kernel update for SUSE Linux Enterprise 11 SP2 that mentions/fixes this problem. Released kernel version is 3.0.80-0.5.1. (rerelease with stable fix)
openSUSE-SU-2013:1042-1: An update that solves three vulnerabilities and has 5 fixes is now available. Category: security (critical) Bug References: 790920,803931,815745,818327,819519,819789,821560,822722 CVE References: CVE-2013-0290,CVE-2013-2094,CVE-2013-2850 Sources used: openSUSE 12.2 (src): kernel-docs-3.4.47-2.38.2, kernel-source-3.4.47-2.38.1, kernel-syms-3.4.47-2.38.1
openSUSE-SU-2013:1043-1: An update that solves one vulnerability and has two fixes is now available. Category: security (critical) Bug References: 790920,821560,822722 CVE References: CVE-2013-2850 Sources used: openSUSE 12.3 (src): kernel-docs-3.7.10-1.16.1, kernel-source-3.7.10-1.16.1, kernel-syms-3.7.10-1.16.1
openSUSE-SU-2013:1045-1: An update that fixes one vulnerability is now available. Category: security (low) Bug References: 821560 CVE References: CVE-2013-2850 Sources used: openSUSE 11.4 (src): kernel-docs-3.0.74-40.3, kernel-source-3.0.74-40.1, kernel-syms-3.0.74-40.1
Update released for: cluster-network-kmp-rt, cluster-network-kmp-rt_trace, drbd-kmp-rt, drbd-kmp-rt_trace, iscsitarget-kmp-rt, iscsitarget-kmp-rt_trace, kernel-rt, kernel-rt-base, kernel-rt-debuginfo, kernel-rt-debugsource, kernel-rt-devel, kernel-rt-devel-debuginfo, kernel-rt-extra, kernel-rt-hmac, kernel-rt_trace, kernel-rt_trace-base, kernel-rt_trace-debuginfo, kernel-rt_trace-debugsource, kernel-rt_trace-devel, kernel-rt_trace-devel-debuginfo, kernel-rt_trace-extra, kernel-rt_trace-hmac, kernel-source-rt, kernel-syms-rt, lttng-modules-kmp-rt, lttng-modules-kmp-rt_trace, ocfs2-kmp-rt, ocfs2-kmp-rt_trace, ofed-kmp-rt, ofed-kmp-rt_trace Products: SLE-DEBUGINFO 11-SP3 (x86_64) SLE-RT 11-SP3 (x86_64)
openSUSE-SU-2013:1619-1: An update that solves 12 vulnerabilities and has 17 fixes is now available. Category: security (moderate) Bug References: 783858,785542,787649,789598,794988,801178,806976,807153,807471,814336,815320,817377,818053,821560,821612,822575,823342,823517,824171,824295,827749,827750,828119,828714,831055,831058,833321,835414,838346 CVE References: CVE-2013-0231,CVE-2013-1774,CVE-2013-1819,CVE-2013-2148,CVE-2013-2164,CVE-2013-2232,CVE-2013-2234,CVE-2013-2237,CVE-2013-2850,CVE-2013-2851,CVE-2013-4162,CVE-2013-4163 Sources used: openSUSE 12.2 (src): kernel-docs-3.4.63-2.44.2, kernel-source-3.4.63-2.44.1, kernel-syms-3.4.63-2.44.1