Bug 896384 (CVE-2014-6416) - VUL-0: CVE-2014-6416: kernel: ceph-kmp: libceph: overflow in auth token
Summary: VUL-0: CVE-2014-6416: kernel: ceph-kmp: libceph: overflow in auth token
Status: RESOLVED FIXED
Alias: CVE-2014-6416
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium (priority), Major (severity)
Target Milestone: ---
Assignee: Lee Duncan
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:RedHat:CVE-2014-6418:5.5:(AV:A...
Keywords:
Depends on:
Blocks: 917884
 
Reported: 2014-09-12 07:16 UTC by Marcus Meissner
Modified: 2018-02-15 15:37 UTC (History)
5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Marcus Meissner 2014-09-12 07:16:34 UTC
via Brad Spengler of grsecurity

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8

libceph: do not hard code max auth ticket len

We hard code cephx auth ticket buffer size to 256 bytes. This isn't enough for any moderate setups and, in case tickets themselves are not encrypted, leads to buffer overflows (ceph_x_decrypt() errors out, but ceph_decode_copy() doesn't - it's just a memcpy() wrapper). Since the buffer is allocated dynamically anyway, allocate it a bit later, at the point where we know how much is going to be needed.

Fixes: http://tracker.ceph.com/issues/8979
Cc: stable@vger.kernel.org

Signed-off-by: Ilya Dryomov <ilya.dryomov@inktank.com> 
Reviewed-by: Sage Weil <sage@redhat.com>
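The commit message above describes the defect: a ticket buffer sized at 256 bytes before the reply is parsed, filled by ceph_decode_copy(), which is a plain memcpy() wrapper with no bounds check. The following is an added example, not code from this bug report or from libceph, that shows the length-validated pattern the fix moves towards: read the declared ticket length, bound it against the bytes actually present and against a sanity cap, and only then allocate and copy. Allocation failure is reported through a return code rather than ignored. The wire format, TICKET_MAX_LEN, and every function and type name here are constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Constructed wire format used only by this example (not cephx's real
 * ticket encoding): 4-byte little-endian length, then that many bytes. */

enum {
    TICKET_OK            = 0,
    TICKET_ERR_TRUNCATED = -1,  /* declared length runs past the reply    */
    TICKET_ERR_TOO_LARGE = -2,  /* declared length exceeds the sanity cap */
    TICKET_ERR_NOMEM     = -3   /* allocation failed: reported, not ignored */
};

/* Sanity cap chosen for this example; anything larger is a malformed reply. */
#define TICKET_MAX_LEN (64u * 1024u)

struct ticket {
    uint8_t *data;
    size_t   len;
};

/* A ceph_decode_need()-style check: are at least n bytes left before end? */
static int decode_need(const uint8_t *p, const uint8_t *end, size_t n)
{
    return p <= end && (size_t)(end - p) >= n;
}

static uint32_t decode_le32(const uint8_t **p)
{
    const uint8_t *b = *p;
    *p += 4;
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Parse one ticket. The buffer is sized from the validated length, so a
 * ticket longer than 256 bytes is a larger allocation, not an overflow. */
int decode_ticket(const uint8_t *buf, size_t buflen, struct ticket *out)
{
    const uint8_t *p = buf, *end = buf + buflen;
    uint32_t len;

    out->data = NULL;
    out->len = 0;

    if (!decode_need(p, end, 4))
        return TICKET_ERR_TRUNCATED;
    len = decode_le32(&p);
    if (len > TICKET_MAX_LEN)
        return TICKET_ERR_TOO_LARGE;
    if (!decode_need(p, end, len))      /* the check a bare memcpy() lacks */
        return TICKET_ERR_TRUNCATED;

    out->data = malloc(len ? len : 1);  /* allocate only now, size known */
    if (!out->data)
        return TICKET_ERR_NOMEM;
    memcpy(out->data, p, len);
    out->len = len;
    return TICKET_OK;
}

void ticket_free(struct ticket *t)
{
    free(t->data);
    t->data = NULL;
    t->len = 0;
}

/* Build a constructed reply: a header declaring `declared` bytes followed by
 * `payload` filler bytes. A mismatch models a truncated or lying reply. */
uint8_t *build_reply(uint32_t declared, size_t payload, size_t *outlen)
{
    uint8_t *r = malloc(4 + payload);
    if (!r)
        return NULL;
    r[0] = declared & 0xff;         r[1] = (declared >> 8) & 0xff;
    r[2] = (declared >> 16) & 0xff; r[3] = (declared >> 24) & 0xff;
    memset(r + 4, 0xAB, payload);
    *outlen = 4 + payload;
    return r;
}

/* Decode a constructed reply and return the decoder's result code. */
int try_decode(uint32_t declared, size_t payload)
{
    size_t n;
    struct ticket t;
    int rc;
    uint8_t *r = build_reply(declared, payload, &n);
    if (!r)
        return TICKET_ERR_NOMEM;
    rc = decode_ticket(r, n, &t);
    ticket_free(&t);
    free(r);
    return rc;
}

int main(void)
{
    printf("300-byte ticket:  %d (expect %d)\n", try_decode(300, 300), TICKET_OK);
    printf("truncated reply:  %d (expect %d)\n", try_decode(300, 100), TICKET_ERR_TRUNCATED);
    printf("oversized length: %d (expect %d)\n", try_decode(1u << 20, 16), TICKET_ERR_TOO_LARGE);
    return 0;
}
```

The three cases in main() correspond to the situations the commit message and the upstream tracker discuss: a ticket larger than the old fixed buffer is accepted once the allocation follows the length, a reply shorter than its declared length is rejected before any copy, and an absurd declared length is refused before any large allocation is attempted.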
Comment 1 Michal Hocko 2014-09-12 08:26:16 UTC
ceph is not present in SLE11-SP1-TD, so none of the TD branches is affected.
Comment 2 Swamp Workflow Management 2014-09-12 22:00:22 UTC
bugbot adjusting priority
Comment 3 Marcus Meissner 2014-09-15 21:15:09 UTC
> https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=c27a3e4d667fdcad3db7b104f75659478e0c68d8
> http://tracker.ceph.com/issues/8979

Bug 8979 says "about 1 month ago ... pushed wip-8979 which removes the
fixed buffer size. but, we still need to make things not crash when
the auth reply processing fails. that could still happen if we get a
huge ticket (>4k) and kmalloc fails on a large page size. or the auth
reply from the mon is simply not understood by the client."

This apparently has multiple known vulnerability types.

Use CVE-2014-6416 for the buffer overflow.

Use CVE-2014-6417 for the issue of incorrect handling of kmalloc
failures.

Use CVE-2014-6418 for the missing validation of the auth reply.

Our guess is that c27a3e4d667fdcad3db7b104f75659478e0c68d8 is intended
to address all three of these crash issues, but additional CVE IDs
might be needed if there were an incomplete fix.
Comment 4 SMASH SMASH 2014-09-16 13:00:12 UTC
Affected packages:

SLE-11-SP3: ceph-kmp
SLE-11-SP3-PRODUCTS: ceph-kmp
SLE-11-SP3-UPTU: ceph-kmp
Comment 5 Marcus Meissner 2014-09-17 08:25:08 UTC
We are actually not maintaining ceph-kmp currently.

There is ceph in the -extra flavour, which is unsupported.
Comment 6 Marcus Meissner 2015-02-17 16:44:34 UTC
As we ship ceph for SLES 11 SP3 soon, we need to fix them.
Comment 7 Lars Marowsky-Bree 2015-02-17 19:05:57 UTC
Lee, is this taken care of by your rbd/libceph backports?
Comment 8 Lee Duncan 2015-02-17 19:53:23 UTC
The patch to fix this issue will be included in the in-kernel update for rbd and libceph for SLE 11 SP3 and for SLE 12.

For SLE 11 SP3, see bug#917884. For SLE 12 see bug#918255.
Comment 9 Lee Duncan 2015-02-18 02:37:54 UTC
Note: this seems to be fixed in SLE 12 already.
Comment 10 Marcus Meissner 2015-02-18 08:00:34 UTC
SLE12 fix is in patches.kernel.org/patch-3.12.28-29
Comment 11 Lee Duncan 2015-02-26 22:47:16 UTC
Fixed in SP3 with changes submitted for bug#917884. Marking as resolved.