Bug 1098726 (CVE-2018-12633) - VUL-0: CVE-2018-12633: kernel-source,virtualbox: An issue was discovered in the Linux kernel through 4.17.2. vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the same user data twice with copy_from_user. The header part of the
Summary: VUL-0: CVE-2018-12633: kernel-source,virtualbox: An issue was discovered in t...
Status: RESOLVED WORKSFORME
Alias: CVE-2018-12633
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Larry Finger
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/208631/
Whiteboard: CVSSv3:RedHat:CVE-2018-12633:6.1:(AV...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-06-22 06:25 UTC by Marcus Meissner
Modified: 2018-06-28 11:49 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2018-06-22 06:25:00 UTC
CVE-2018-12633

An issue was discovered in the Linux kernel through 4.17.2.
vbg_misc_device_ioctl() in drivers/virt/vboxguest/vboxguest_linux.c reads the
same user data twice with copy_from_user. The header part of the user data is
double-fetched, and a malicious user thread can tamper with the critical
variables (hdr.size_in and hdr.size_out) in the header between the two fetches
because of a race condition, leading to severe kernel errors, such as buffer
over-accesses. This bug can cause a local denial of service and information
leakage.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-12633
https://github.com/torvalds/linux/commit/bd23a7269834dc7c1f93e83535d16ebc44b75eba
https://bugzilla.kernel.org/show_bug.cgi?id=200131
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd23a7269834dc7c1f93e83535d16ebc44b75eba
Comment 1 Marcus Meissner 2018-06-22 06:26:32 UTC
added in 4.16, so only tumbleweed affected.

needs to cross check virtualbox itself.
Comment 2 Marcus Meissner 2018-06-22 06:32:03 UTC
larry, are any of our virtualbox versions in Leap / tumbleweed also still affected?
Comment 3 Larry Finger 2018-06-22 20:49:28 UTC
(In reply to Marcus Meissner from comment #2)
> larry, are any of our virtualbox versions in Leap / tumbleweed also still
> affected?

I think that Leap 15.0 and 42.x may be affected as they use the guest drivers from the VB package, not the ones in the kernel. I am checking with Oracle to see if they have a fix. If they do, I will update the Leap 15.0 and 42.3 versions.
Comment 4 Larry Finger 2018-06-28 11:49:14 UTC
I asked Klaus Espenlaub of Oracle whether their similar code has this problem. His reply was "We also read the request header twice, but we remember the size from the first read and check if the 2nd read gives the same or smaller size. This is guaranteed to prevent buffer overruns due to runtime manipulations."

With this, Oracle's security group is confident that CVE-2018-12633 does not apply to the Oracle version of vboxguest.ko.
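The double fetch from the description and its mitigation, as an added C model that is not the driver's code: copy_from_user is replaced by a memcpy stand-in, the racing user thread by a hook called between the two fetches, and the header layout, KBUF_MAX and the header checks are simplified assumptions. The fixed shape copies the header once and fetches only the body behind it, which is how I read the linked upstream commit; Oracle's variant from Comment 4 instead keeps the second fetch and rejects the request if the re-read size grew.

```c
#include <stdint.h>
#include <string.h>

/* Simplified header; the real struct vbg_ioctl_hdr has more fields. */
struct vbg_ioctl_hdr { uint32_t size_in; uint32_t size_out; };
#define KBUF_MAX 64u  /* assumed size of the kernel scratch buffer */

/* Stand-in for copy_from_user(): user memory is ordinary memory here. */
static void cfu(void *dst, const void *src, size_t n) { memcpy(dst, src, n); }
/* Hook modelling the racing user thread that runs between the two fetches. */
typedef void (*race_fn)(void *user_buf);

/* Header checks applied to the first fetch, modelled on the driver's. */
static int hdr_ok(const struct vbg_ioctl_hdr *h)
{
    return h->size_in >= sizeof *h && h->size_in <= KBUF_MAX &&
           h->size_out >= sizeof *h && h->size_out <= KBUF_MAX;
}

/* Vulnerable shape: header validated from fetch #1, then header+body fetched
 * again; later code trusts the header now inside kbuf. Returns the size_out
 * the driver would go on to use, or -1 if the request is rejected. */
static long ioctl_double_fetch(void *user_buf, race_fn race)
{
    struct vbg_ioctl_hdr hdr; unsigned char kbuf[KBUF_MAX];
    cfu(&hdr, user_buf, sizeof hdr);                  /* fetch #1 */
    if (!hdr_ok(&hdr)) return -1;
    if (race) race(user_buf);                         /* the race window */
    cfu(kbuf, user_buf, hdr.size_in);                 /* fetch #2 re-reads header */
    return ((struct vbg_ioctl_hdr *)kbuf)->size_out;  /* can exceed KBUF_MAX */
}

/* Fixed shape: copy the header once, keep the validated copy in kbuf and
 * fetch only the body behind it, so the second fetch cannot replace it. */
static long ioctl_copy_once(void *user_buf, race_fn race)
{
    struct vbg_ioctl_hdr hdr; unsigned char kbuf[KBUF_MAX];
    cfu(&hdr, user_buf, sizeof hdr);
    if (!hdr_ok(&hdr)) return -1;
    if (race) race(user_buf);
    memcpy(kbuf, &hdr, sizeof hdr);
    cfu(kbuf + sizeof hdr, (char *)user_buf + sizeof hdr, hdr.size_in - sizeof hdr);
    return ((struct vbg_ioctl_hdr *)kbuf)->size_out;  /* always the checked value */
}

/* Constructed racing thread: enlarges size_out after the check has passed. */
static void tamper(void *u) { ((struct vbg_ioctl_hdr *)u)->size_out = 4096; }
/* Submit one constructed request (size_in = size_out = 32) through a handler. */
static long run(long (*handler)(void *, race_fn), race_fn race)
{
    unsigned char user_buf[KBUF_MAX] = {0};
    struct vbg_ioctl_hdr h = { 32, 32 };
    memcpy(user_buf, &h, sizeof h); return handler(user_buf, race);
}
```

With the tampering hook the double-fetch handler reports a size_out of 4096 against a 64-byte buffer, while the copy-once handler keeps the checked 32.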