Bug 965794 (CVE-2016-0617) - VUL-0: CVE-2016-0617: kernel: hugetlbfs: fix bugs in hugetlb_vmtruncate_list()
Summary: VUL-0: CVE-2016-0617: kernel: hugetlbfs: fix bugs in hugetlb_vmtruncate_list()
Status: RESOLVED FIXED
Alias: CVE-2016-0617
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium / Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/161670/
Whiteboard: CVSSv2:SUSE:CVE-2016-0617:1.5:(AV:L/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-09 09:06 UTC by Sebastian Krahmer
Modified: 2018-07-03 21:06 UTC
CC List: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Sebastian Krahmer 2016-02-09 09:06:47 UTC
Quoting from OSS-sec:

"There was a bug in the linux kernel's hugetlbfs handling of punching
holes in hugetlbfs files with either truncate or fallocate.  The problem
was introduced in 1bfad99ab ("hugetlbfs: hugetlb_vmtruncate_list()
needs to take a range", 4.3-rc1) and, I think, fixed in 9aacdd354d19
("fs/hugetlbfs/inode.c: fix bugs in hugetlb_vmtruncate_list()", 4.5-rc1).

This issue was assigned CVE-2016-0617.

jch"


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0617
http://seclists.org/oss-sec/2016/q1/295
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0617.html
Comment 1 Sebastian Krahmer 2016-02-09 09:14:24 UTC
Introduced:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=1bfad99ab42569807d0ca1698449cae5e8c0334a

Fixed:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=9aacdd354d197ad64685941b36d28ea20ab88757


Given the time of introduction of that feature, it's possible that
this does not affect us. Looks like a local DoS.
Comment 3 Swamp Workflow Management 2016-02-09 23:00:27 UTC
bugbot adjusting priority
Comment 4 Vlastimil Babka 2016-02-12 17:50:13 UTC
The commit 1bfad99ab ("hugetlbfs: hugetlb_vmtruncate_list()
needs to take a range", 4.3-rc1) doesn't seem to be present in any SLE12 or SLE12-SP1 if I can trust our patch headers. Michal can you please recheck? (I'll be on vacation next week). SLE12-SP2 will need the fix, but that's not urgent so I can do it when I return. Thanks.
Comment 5 Michal Hocko 2016-02-15 14:01:12 UTC
(In reply to Vlastimil Babka from comment #4)
> The commit 1bfad99ab ("hugetlbfs: hugetlb_vmtruncate_list()
> needs to take a range", 4.3-rc1) doesn't seem to be present in any SLE12 or
> SLE12-SP1 if I can trust our patch headers. Michal can you please recheck?
> (I'll be on vacation next week). SLE12-SP2 will need the fix, but that's not
> urgent so I can do it when I return. Thanks.

Yes, we are indeed safe here because we do not have punch hole code in SLE12{-SP1}. This all has been merged in 4.3-rc1 as pointed out above and we haven't backported it. The truncation code makes sure to purge the whole mapping. This means that none of our branches is affected.

Bouncing back to the security team.
Comment 6 Michal Hocko 2016-02-15 15:05:08 UTC
forgot about SLE12, will push it there.
Comment 7 Michal Hocko 2016-02-15 15:53:42 UTC
sent pull request as users/mhocko/SLE12-SP2/for-next branch

Now we should be done for real...
Comment 8 Marcus Meissner 2016-08-01 13:19:12 UTC
released