Bug 1284450 (CVE-2015-8539)

Summary: CVE-2015-8539 kernel: local privesc in key management
Product: [Other] Security Response Reporter: Wade Mealing <wmealing>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: aquini, bhu, carnil, dhoward, dhowells, fhrbata, iboverma, jforbes, jkacur, jross, jwboyer, labbott, lgoncalv, matt, mcressma, nmurray, pholasek, plougher, rvrbovsk, security-response-team, vgoyal, vvs, williams
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=important,public=20151209,reported=20151120,source=google,cvss2=7.2/AV:L/AC:L/Au:N/C:C/I:C/A:C,cvss3=7.8/CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H,cwe=CWE-667,fedora-all/kernel=notaffected,rhel-4/kernel=notaffected,rhel-5/kernel=notaffected,rhel-6/kernel=notaffected,rhel-7/kernel=affected,rhel-7/kernel-rt=affected,rhelsa-7/kernel-biscayne=notaffected,mrg-2/realtime-kernel=affected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
A flaw was found in the Linux kernel's key management system where it was possible for an attacker to escalate privileges or crash the machine. If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may be then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there.
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1284059, 1411618, 1411619, 1411620, 1411621, 1411622, 1411623, 1411624, 1466457    
Bug Blocks: 1284354    

Description Wade Mealing 2015-11-23 11:33:15 UTC
A flaw was found in  the Linux kernels key management
system where it was possible for an attacker to escalate privileges
or crash the machine.  

If a user key gets negatively instantiated, an error code is cached in the
payload area.  A negatively instantiated key may be then be positively
instantiated by updating it with valid data.  However, the ->update key
type method must be aware that the error code may be there.

Key management subsystems can abused to escalate privileges through memory corruption.

Upstream:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd

Comment 2 Wade Mealing 2015-12-09 00:57:32 UTC
Acknowledgment:

Red Hat would like to thank Dmitry Vyukov of Google engineering for reporting this issue to Red Hat.

Comment 3 Adam Mariš 2015-12-14 13:53:59 UTC
CVE-2015-8539 was assigned:

http://seclists.org/oss-sec/2015/q4/465

Comment 5 Wade Mealing 2017-01-10 06:15:18 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4 and 5.  This issue does affect the kernels shipped with Red Hat Enterprise Linux 6, 7, MRG-2 and realtime kernels and plans to be addressed in a future update.

Comment 10 Eric Christensen 2018-01-08 19:28:54 UTC
Acknowledgments:

Comment 11 errata-xmlrpc 2018-01-25 11:25:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151

Comment 12 errata-xmlrpc 2018-01-25 11:29:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0152 https://access.redhat.com/errata/RHSA-2018:0152

Comment 13 errata-xmlrpc 2018-01-25 11:32:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:0181 https://access.redhat.com/errata/RHSA-2018:0181