935705 – (CVE-2015-4700) VUL-0: CVE-2015-4700: kernel: bpf jit optimization flaw can panic kernel.

Bug 935705 (CVE-2015-4700) - VUL-0: CVE-2015-4700: kernel: bpf jit optimization flaw can panic kernel.

Summary: VUL-0: CVE-2015-4700: kernel: bpf jit optimization flaw can panic kernel.

Status:	RESOLVED FIXED

Alias:	CVE-2015-4700

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/117926/
Whiteboard:	CVSSv2:SUSE:CVE-2015-5364:5.0:(AV:N/A...
Keywords:

Depends on:
Blocks:	939273
	Show dependency tree / graph

Clone This Bug

Reported:	2015-06-23 06:50 UTC by Marcus Meissner
Modified:	2022-02-13 11:07 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2015-06-23 06:50:39 UTC

CVE-2015-4700

http://seclists.org/oss-sec/2015/q2/785

Date: Mon, 22 Jun 2015 22:13:14 -0400 (EDT)
From: Wade Mealing <wmealing@redhat.com>
Subject: [oss-security] CVE request: Linux kernel - bpf jit optimization flaw can panic
 kenrel.

Gday,

I would like to request a CVE for a flaw in the BPF code in the Linux kernel. 

The kernels BPF JIT can be used to create a packet filter like mechanism
that can be attached to a socket with the setsockopt() call.  It requires 
JIT to be enabled via sysctl ( /proc/sys/net/core/bpf_jit_enable )

The kernel can turn BPF instructions into native hardware instructions using 
a JIT compiler. In the problematic case, the compiler fails to optimise a set 
of specially crafted instructions. This creates a problem when this faulty
instruction list is used during filtering and the CPU can execute an invalid
instruction (in receive_pkt).

This can be triggered as an non-root user, as they can start a server on a 
ephemeral port and the packet filter with a specially crafted filter.

These incorrect instructions will run when the server receives a packet and execute 
the buggy instructions.

I'm unsure if this can lead to anything more than a DoS, however that
is something I'll try to determine.

This is already fixed upstream in [1], with a regression test case in [2].

Thanks,

Wade Mealing
Red Hat Product Security

Comment 1 Marcus Meissner 2015-06-23 06:52:10 UTC


References:
1] https://git.kernel.org/cgit/linux/kernel/git/davem/net.git/commit/?id=3f7352bf21f8fd7ba3e2fcef9488756f188e12be
2] https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git/commit/?id=bde28bc6ad0c575f8b4eebe8cd27e36d6c3b09c6
3] https://bugzilla.redhat.com/show_bug.cgi?id=1233615

Comment 2 Swamp Workflow Management 2015-06-23 22:00:15 UTC

bugbot adjusting priority

Comment 3 Takashi Iwai 2015-06-25 14:11:25 UTC

Both commits have been already merged to Linus tree as is.

Comment 4 Takashi Iwai 2015-06-25 16:26:11 UTC

BPF JIT was added in 3.0, so it hits since SLE11-SP3.

SLE12 branch already contains it through stable 3.12.44.

Comment 5 Takashi Iwai 2015-06-25 16:28:08 UTC

The patch was backported to openSUSE-13.1 and openSUSE-13.2 branches.

Comment 6 Borislav Petkov 2015-06-26 08:16:55 UTC

Takashi, are you backporting this to 11SP3 too?

Comment 7 Takashi Iwai 2015-06-26 08:22:44 UTC

Yes, pushed for pulling to cve/linux-3.0.

Comment 8 Borislav Petkov 2015-06-26 08:48:34 UTC

Cool, bouncing back to sec team.

Thanks.

Comment 10 Swamp Workflow Management 2015-07-10 14:10:59 UTC

SUSE-SU-2015:1224-1: An update that contains security fixes can now be installed.

Category: security (important)
Bug References: 915517,919007,922583,923908,927355,929525,929647,930786,933429,933896,933904,933907,935705,936831
CVE References: 
Sources used:
SUSE Linux Enterprise Server 11-SP3-TERADATA (src):    kernel-source-3.0.101-57.TDC.2, kernel-syms-3.0.101-57.TDC.2

Comment 12 Swamp Workflow Management 2015-08-14 09:14:58 UTC

openSUSE-SU-2015:1382-1: An update that solves 21 vulnerabilities and has 8 fixes is now available.

Category: security (important)
Bug References: 907092,907714,915517,916225,919007,919596,921769,922583,925567,925961,927786,928693,929624,930488,930599,931580,932348,932844,933934,934202,934397,934755,935530,935542,935705,935913,937226,938976,939394
CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-1420,CVE-2015-1465,CVE-2015-2041,CVE-2015-2922,CVE-2015-3212,CVE-2015-3290,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366
Sources used:
openSUSE 13.2 (src):    bbswitch-0.8-3.11.1, cloop-2.639-14.11.1, crash-7.0.8-11.1, hdjmod-1.28-18.12.1, ipset-6.23-11.1, kernel-debug-3.16.7-24.1, kernel-default-3.16.7-24.1, kernel-desktop-3.16.7-24.1, kernel-docs-3.16.7-24.2, kernel-ec2-3.16.7-24.1, kernel-obs-build-3.16.7-24.2, kernel-obs-qa-3.16.7-24.1, kernel-obs-qa-xen-3.16.7-24.1, kernel-pae-3.16.7-24.1, kernel-source-3.16.7-24.1, kernel-syms-3.16.7-24.1, kernel-vanilla-3.16.7-24.1, kernel-xen-3.16.7-24.1, pcfclock-0.44-260.11.1, vhba-kmp-20140629-2.11.1, xen-4.4.2_06-25.1, xtables-addons-2.6-11.1

Comment 13 Marcus Meissner 2015-08-14 13:16:42 UTC

Fixed in SUSE Linux Enterprise 12 kernel by stable update to 3.12.44.

Comment 14 Marcus Meissner 2015-08-14 13:28:27 UTC

i think all done.

Comment 15 Marcus Meissner 2015-08-31 05:58:25 UTC

perl bin/addnote CVE-2015-4700 "This issue affects BPF JIT optimisation which was added in Linux Kernel 3.0. Older kernels are not affected, so SUSE Linux Enterprise 11 SP1 and older products/service packs are not affected."

Comment 16 Swamp Workflow Management 2015-09-02 13:19:16 UTC

SUSE-SU-2015:1478-1: An update that solves 18 vulnerabilities and has 25 fixes is now available.

Category: security (important)
Bug References: 798406,821931,860593,879878,891087,897995,898693,900881,904671,908870,909477,912916,914742,915200,915517,915577,916010,917093,917830,918333,919007,919018,919463,921769,922583,923245,926240,927257,928801,929148,929283,929360,929525,930284,930934,931474,933429,935705,936831,937032,937986,940338,940398
CVE References: CVE-2014-8086,CVE-2014-8159,CVE-2014-9683,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-1805,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2830,CVE-2015-2922,CVE-2015-3331,CVE-2015-3636,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-source-3.0.101-0.7.37.1, kernel-syms-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    kernel-default-3.0.101-0.7.37.1, kernel-ec2-3.0.101-0.7.37.1, kernel-pae-3.0.101-0.7.37.1, kernel-trace-3.0.101-0.7.37.1, kernel-xen-3.0.101-0.7.37.1

Comment 17 Swamp Workflow Management 2015-09-22 08:20:46 UTC

SUSE-SU-2015:1592-1: An update that solves 14 vulnerabilities and has 45 fixes is now available.

Category: security (important)
Bug References: 851068,867362,873385,883380,886785,894936,915517,917830,919463,920110,920250,920733,921430,923245,924701,925705,925881,925903,926240,926953,927355,927786,929142,929143,930092,930761,930934,931538,932348,932458,933429,933896,933904,933907,933936,934742,934944,935053,935572,935705,935866,935906,936077,936423,936637,936831,936875,936925,937032,937402,937444,937503,937641,937855,939910,939994,940338,940398,942350
CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP3 (src):    kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1, kernel-source-rt-3.0.101.rt130-0.33.40.1, kernel-syms-rt-3.0.101.rt130-0.33.40.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-rt-3.0.101.rt130-0.33.40.1, kernel-rt_trace-3.0.101.rt130-0.33.40.1

Comment 18 Swamp Workflow Management 2015-10-05 15:22:14 UTC

SUSE-SU-2015:1678-1: An update that solves 15 vulnerabilities and has 67 fixes is now available.

Category: security (moderate)
Bug References: 777565,867362,873385,883380,884333,886785,891116,894936,915517,917830,917968,919463,920016,920110,920250,920733,921430,923002,923245,923431,924701,925705,925881,925903,926240,926953,927355,928988,929076,929142,929143,930092,930934,931620,932350,932458,932882,933429,933721,933896,933904,933907,933936,934944,935053,935055,935572,935705,935866,935906,936077,936095,936118,936423,936637,936831,936875,936921,936925,937032,937256,937402,937444,937503,937641,937855,938485,939910,939994,940338,940398,940925,940966,942204,942305,942350,942367,942404,942605,942688,942938,943477
CVE References: CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0777,CVE-2015-1420,CVE-2015-1805,CVE-2015-2150,CVE-2015-2830,CVE-2015-4167,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6252
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-65.3
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    kernel-default-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-source-3.0.101-65.1, kernel-syms-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-default-3.0.101-65.1, kernel-ec2-3.0.101-65.1, kernel-pae-3.0.101-65.1, kernel-ppc64-3.0.101-65.1, kernel-trace-3.0.101-65.1, kernel-xen-3.0.101-65.1

Comment 19 Swamp Workflow Management 2015-12-02 14:18:36 UTC

SUSE-SU-2015:2167-1: An update that solves 7 vulnerabilities and has 59 fixes is now available.

Category: security (moderate)
Bug References: 777565,867362,873385,883380,884333,886785,891116,894936,915517,917968,920016,920110,920733,923002,923431,924701,925705,925881,925903,927355,929076,929142,929143,930092,930934,931620,932350,933721,935053,935055,935572,935705,935866,935906,936077,936095,936118,936423,936637,936831,936875,936921,936925,937032,937256,937402,937444,937503,937641,937855,938485,939910,939994,940338,940398,940925,940966,942204,942305,942350,942367,942404,942605,942688,942938,943477
CVE References: CVE-2015-1420,CVE-2015-4700,CVE-2015-5364,CVE-2015-5366,CVE-2015-5697,CVE-2015-5707,CVE-2015-6252
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-45.1, kernel-rt_trace-3.0.101.rt130-45.1, kernel-source-rt-3.0.101.rt130-45.1, kernel-syms-rt-3.0.101.rt130-45.1

Comment 20 Swamp Workflow Management 2016-02-01 15:20:12 UTC

openSUSE-SU-2016:0301-1: An update that solves 57 vulnerabilities and has 21 fixes is now available.

Category: security (important)
Bug References: 814440,851610,869564,873385,906545,907818,909077,909477,911326,912202,915517,915577,917830,918333,919007,919018,919463,919596,921313,921949,922583,922936,922944,926238,926240,927780,927786,928130,929525,930399,931988,932348,933896,933904,933907,933934,935542,935705,936502,936831,937032,937033,937969,938706,940338,944296,945825,947155,949936,950998,951194,951440,951627,952384,952579,952976,953052,953527,954138,954404,955224,955354,955422,956708,956934,957988,957990,958504,958510,958886,958951,959190,959399,959568,960839,961509,961739,962075
CVE References: CVE-2014-2568,CVE-2014-8133,CVE-2014-8989,CVE-2014-9090,CVE-2014-9419,CVE-2014-9529,CVE-2014-9683,CVE-2014-9715,CVE-2014-9728,CVE-2014-9729,CVE-2014-9730,CVE-2014-9731,CVE-2015-0272,CVE-2015-0777,CVE-2015-1420,CVE-2015-1421,CVE-2015-2041,CVE-2015-2042,CVE-2015-2150,CVE-2015-2666,CVE-2015-2830,CVE-2015-2922,CVE-2015-2925,CVE-2015-3212,CVE-2015-3339,CVE-2015-3636,CVE-2015-4001,CVE-2015-4002,CVE-2015-4003,CVE-2015-4004,CVE-2015-4036,CVE-2015-4167,CVE-2015-4692,CVE-2015-4700,CVE-2015-5157,CVE-2015-5283,CVE-2015-5307,CVE-2015-5364,CVE-2015-5366,CVE-2015-5707,CVE-2015-6937,CVE-2015-7550,CVE-2015-7799,CVE-2015-7833,CVE-2015-7872,CVE-2015-7885,CVE-2015-7990,CVE-2015-8104,CVE-2015-8215,CVE-2015-8543,CVE-2015-8550,CVE-2015-8551,CVE-2015-8552,CVE-2015-8569,CVE-2015-8575,CVE-2015-8767,CVE-2016-0728
Sources used:
openSUSE 13.1 (src):    cloop-2.639-11.22.2, crash-7.0.2-2.22.2, hdjmod-1.28-16.22.2, ipset-6.21.1-2.26.2, iscsitarget-1.4.20.3-13.22.2, kernel-debug-3.11.10-32.1, kernel-default-3.11.10-32.1, kernel-desktop-3.11.10-32.1, kernel-docs-3.11.10-32.3, kernel-ec2-3.11.10-32.1, kernel-pae-3.11.10-32.1, kernel-source-3.11.10-32.1, kernel-syms-3.11.10-32.1, kernel-trace-3.11.10-32.1, kernel-vanilla-3.11.10-32.1, kernel-xen-3.11.10-32.1, ndiswrapper-1.58-22.1, pcfclock-0.44-258.22.1, vhba-kmp-20130607-2.23.1, virtualbox-4.2.36-2.55.1, xen-4.3.4_10-56.1, xtables-addons-2.3-2.22.1