Bugzilla – Bug 979021
VUL-0: CVE-2015-3288: kernel: zero page memory arbitrary modification
Last modified: 2020-06-08 23:22:34 UTC
rh#1333830 References: https://bugzilla.redhat.com/show_bug.cgi?id=1333830 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3288 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3288
A security flaw was found in the Linux kernel: there is a way to arbitrarily change zero page memory. The zero page is a page which the kernel maps into the virtual address space on a read page fault if the page was not allocated before. The kernel has one zero page which is used everywhere. Programs that map the 0 page are affected and code execution can be gained. Upon running the exploit the system may become unusable as the linker memory pages get tainted. Furthermore, if the right code is put in the 0 page, code execution is possible.

Upstream patch:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b7339f4c31ad69c8e9c0b2859276e22cf72176d
(In reply to Marcus Meissner from comment #1)
> A security flaw was found in the Linux kernel: there is a way to
> arbitrarily change zero page memory. The zero page is a page which the
> kernel maps into the virtual address space on a read page fault if the
> page was not allocated before. The kernel has one zero page which is used
> everywhere. Programs that map the 0 page are affected and code execution
> can be gained. Upon running the exploit the system may become unusable as
> the linker memory pages get tainted. Furthermore, if the right code is
> put in the 0 page, code execution is possible.

This sounds quite dangerous but the description is missing one important aspect. All non-anon vmas _should_ have vm_ops defined, and the vast majority _have_ them defined. So we are talking about broken drivers which do not follow the general rules. Certain special mappings do not have vm_ops but they do not fault either, so they should be mostly OK. Well, as b53306285466 ("mm: introduce vma_is_anonymous(vma) helper") notes:

"special_mapping_fault() is absolutely broken. It seems it was always wrong, but this didn't matter until vdso/vvar started to use more than one page."

> Upstream patch:
>
> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=6b7339f4c31ad69c8e9c0b2859276e22cf72176d

In short, the patch should be OK to backport, but it would be better to know whether this really has any real security implications in real life.
I have checked the 2.6.32 and 3.0 based kernels and there doesn't seem to be any single device driver which would define vm_ops without the fault handler or without doing some pfn remapping, aka:

\.fault[[:space:]]*= \|remap_pfn\|vm_insert_page\|remap_vmalloc_range

So I do not think it is worth bothering with old kernels. Or do we want to protect users from buggy external drivers? In other words, is this really worth backporting into longterm branches?

I will push it to SLE12 and openSUSE*. Do we want SLE11-SP4 as well?
SLE12 and openSUSE-42.1 already have the fix from the stable tree. Sent pull request for openSUSE-13.2.
Buggy external drivers might be an issue. But I think I am fine with SLE12 onwards fixing.
(In reply to Marcus Meissner from comment #6)
> Buggy external drivers might be an issue.

Just to clarify: such a driver would have to be ultimately broken, not just have a bug that needs a small fix.

> But I think I am fine with SLE12
> onwards fixing.

OK, we should be done then.
openSUSE-SU-2016:2144-1: An update that solves 53 vulnerabilities and has 28 fixes is now available.

Category: security (important)
Bug References: 901754,941113,942702,945219,955654,957052,957988,959709,960561,961512,963762,963765,966245,966437,966693,966849,967972,967973,967974,967975,968010,968011,968012,968013,968018,968670,969354,969355,970114,970275,970892,970909,970911,970948,970955,970956,970958,970970,971124,971125,971126,971360,971628,971799,971919,971944,972174,973378,973570,974308,974418,974646,975945,978401,978445,978469,978821,978822,979021,979213,979548,979867,979879,979913,980348,980363,980371,980725,981267,982706,983143,983213,984464,984755,984764,986362,986365,986377,986572,986573,986811
CVE References: CVE-2012-6701,CVE-2013-7446,CVE-2014-9904,CVE-2015-3288,CVE-2015-6526,CVE-2015-7566,CVE-2015-8709,CVE-2015-8785,CVE-2015-8812,CVE-2015-8816,CVE-2015-8830,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2187,CVE-2016-2188,CVE-2016-2384,CVE-2016-2543,CVE-2016-2544,CVE-2016-2545,CVE-2016-2546,CVE-2016-2547,CVE-2016-2548,CVE-2016-2549,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3672,CVE-2016-3689,CVE-2016-3951,CVE-2016-4470,CVE-2016-4482,CVE-2016-4485,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4580,CVE-2016-4581,CVE-2016-4805,CVE-2016-4913,CVE-2016-4997,CVE-2016-5244,CVE-2016-5829
Sources used:
openSUSE 13.2 (src): bbswitch-0.8-3.20.3, cloop-2.639-14.20.3, crash-7.0.8-20.3, hdjmod-1.28-18.21.3, ipset-6.23-20.3, kernel-debug-3.16.7-42.1, kernel-default-3.16.7-42.1, kernel-desktop-3.16.7-42.1, kernel-docs-3.16.7-42.2, kernel-ec2-3.16.7-42.1, kernel-obs-build-3.16.7-42.2, kernel-obs-qa-3.16.7-42.1, kernel-obs-qa-xen-3.16.7-42.1, kernel-pae-3.16.7-42.1, kernel-source-3.16.7-42.1, kernel-syms-3.16.7-42.1, kernel-vanilla-3.16.7-42.1, kernel-xen-3.16.7-42.1, pcfclock-0.44-260.20.2, vhba-kmp-20140629-2.20.2, virtualbox-5.0.20-48.5, xen-4.4.4_02-46.2, xtables-addons-2.6-22.3
released
After some reconsideration I've decided to backport the fix to
- 11-sp3 users/mhocko/cve/linux-3.0/for-next and
- 11-sp1 users/mhocko/cve/linux-2.6.32/for-next
- older kernels would require more tweaks and the attack vector doesn't apply to those old kernels, so I am skipping it.
SUSE-SU-2017:1301-1: An update that solves 18 vulnerabilities and has 41 fixes is now available.

Category: security (important)
Bug References: 1005651,1008374,1008893,1013018,1013070,1013800,1013862,1016489,1017143,1018263,1018446,1019168,1020229,1021256,1021913,1022971,1023014,1023163,1023888,1024508,1024788,1024938,1025235,1025702,1026024,1026260,1026722,1026914,1027066,1027101,1027178,1028415,1028880,1029212,1029770,1030213,1030573,1031003,1031052,1031440,1031579,1032141,1033336,1033771,1033794,1033804,1033816,1034026,909486,911105,931620,979021,982783,983212,985561,988065,989056,995542,999245
CVE References: CVE-2015-3288,CVE-2015-8970,CVE-2016-10200,CVE-2016-5243,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7616
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): kernel-docs-3.0.101-100.2
SUSE Linux Enterprise Server 11-SP4 (src): kernel-bigmem-3.0.101-100.1, kernel-default-3.0.101-100.1, kernel-ec2-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-source-3.0.101-100.1, kernel-syms-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
SUSE Linux Enterprise Server 11-EXTRA (src): kernel-default-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-bigmem-3.0.101-100.1, kernel-default-3.0.101-100.1, kernel-ec2-3.0.101-100.1, kernel-pae-3.0.101-100.1, kernel-ppc64-3.0.101-100.1, kernel-trace-3.0.101-100.1, kernel-xen-3.0.101-100.1
SUSE-SU-2017:1613-1: An update that fixes two vulnerabilities is now available.

Category: security (critical)
Bug References: 1039348,979021
CVE References: CVE-2015-3288,CVE-2017-1000364
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src): kernel-bigsmp-3.0.101-0.47.102.1, kernel-default-3.0.101-0.47.102.1, kernel-ec2-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-source-3.0.101-0.47.102.1, kernel-syms-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
SUSE Linux Enterprise Server 11-EXTRA (src): kernel-bigsmp-3.0.101-0.47.102.1, kernel-default-3.0.101-0.47.102.1, kernel-ec2-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-ppc64-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src): kernel-default-3.0.101-0.47.102.1, kernel-ec2-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-source-3.0.101-0.47.102.1, kernel-syms-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src): kernel-bigsmp-3.0.101-0.47.102.1, kernel-default-3.0.101-0.47.102.1, kernel-ec2-3.0.101-0.47.102.1, kernel-pae-3.0.101-0.47.102.1, kernel-trace-3.0.101-0.47.102.1, kernel-xen-3.0.101-0.47.102.1
SUSE-SU-2017:2342-1: An update that solves 44 vulnerabilities and has 135 fixes is now available.

Category: security (important)
Bug References: 1003077,1005651,1008374,1008850,1008893,1012422,1013018,1013070,1013800,1013862,1016489,1017143,1018074,1018263,1018446,1019168,1020229,1021256,1021913,1022971,1023014,1023051,1023163,1023888,1024508,1024788,1024938,1025235,1025702,1026024,1026260,1026722,1026914,1027066,1027101,1027178,1027565,1028372,1028415,1028880,1029140,1029212,1029770,1029850,1030213,1030552,1030573,1030593,1030814,1031003,1031052,1031440,1031579,1032141,1032340,1032471,1033287,1033336,1033771,1033794,1033804,1033816,1034026,1034670,1035576,1035777,1035920,1036056,1036288,1036629,1037182,1037183,1037191,1037193,1037227,1037232,1037233,1037356,1037358,1037359,1037441,1038544,1038879,1038981,1038982,1039258,1039348,1039354,1039456,1039594,1039882,1039883,1039885,1040069,1040351,1041160,1041431,1041762,1041975,1042045,1042200,1042615,1042633,1042687,1042832,1043014,1043234,1043935,1044015,1044125,1044216,1044230,1044854,1044882,1044913,1044985,1045154,1045340,1045356,1045406,1045416,1045525,1045538,1045547,1045615,1046107,1046122,1046192,1046715,1047027,1047053,1047343,1047354,1047487,1047523,1047653,1048185,1048221,1048232,1048275,1049483,1049603,1049688,1049882,1050154,1050431,1051478,1051515,1051770,784815,792863,799133,870618,909486,909618,911105,919382,928138,931620,938352,943786,948562,962257,970956,971975,972891,979021,982783,983212,985561,986362,986365,986924,988065,989056,990682,991651,995542,999245
CVE References: CVE-2014-9922,CVE-2015-3288,CVE-2015-8970,CVE-2016-10200,CVE-2016-2188,CVE-2016-4997,CVE-2016-4998,CVE-2016-5243,CVE-2016-7117,CVE-2017-1000363,CVE-2017-1000364,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-11176,CVE-2017-11473,CVE-2017-2636,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7482,CVE-2017-7487,CVE-2017-7533,CVE-2017-7542,CVE-2017-7616,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src): kernel-rt-3.0.101.rt130-69.5.1, kernel-rt_trace-3.0.101.rt130-69.5.1, kernel-source-rt-3.0.101.rt130-69.5.1, kernel-syms-rt-3.0.101.rt130-69.5.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): kernel-rt-3.0.101.rt130-69.5.1, kernel-rt_debug-3.0.101.rt130-69.5.1, kernel-rt_trace-3.0.101.rt130-69.5.1