Bug 1297475 (CVE-2016-0728)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility | | |
| Product | [Other] Security Response | Reporter | Adam Mariš <amaris> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | high | Docs Contact | |
| Priority | high | | |
| Version | unspecified | CC | agordeev, ajb, alexander.strachan, alwin.warringa, anazmy, aquini, baumanmo, bhu, blc, ctowsley, dgross, dhoward, dhowells, didier.fabert, emilovanov, eric.eisenhart, esammons, fche, fdeutsch, fhrbata, gagriogi, gbailey, gnaik, hannsj_uhl, hartsjc, iboverma, jaeshin, james.eckersall, jkacur, joelsmith, jonathan.moore, jross, jsmith.fedora, kernel-mgr, kstutsma, leon, lgoncalv, liko, lwang, marcvanwageningen, matt, mcressma, mdshaikh, mguzik, mlangsdo, mmilgram, mschena, mszpak, nmurray, pasteur, pdwyer, pholasek, pim, plougher, pmatouse, rcernin, redhat, riehecky, rik.theys, rvdwees, rvrbovsk, scolebrook, security-response-team, slawomir, slong, swat, syangsao, tadej.j, t.h.amundsen, timm2k, toracat, vchepkov, williams, wliu, wmealing, yozone |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | A use-after-free flaw was found in the way the Linux kernel's key management subsystem handled keyring object reference counting in an error path of the join_session_keyring() function. A local, unprivileged user could use this flaw to escalate their privileges on the system. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2016-01-29 13:49:29 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1296623, 1298035, 1298036, 1298037, 1298038, 1298039, 1298040, 1298931 | | |
| Bug Blocks | 1297482 | | |
| Attachments | | | |
Description
Adam Mariš
2016-01-11 15:42:09 UTC
Acknowledgements:
Name: the Perception Point research team

Statement:
This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6. Refer to https://access.redhat.com/node/2131021 for further information.

Created attachment 1116284 [details]
prototype systemtap band-aid mk. e
Further investigation with larger versions of the systemtap band-aid script suggests that the larger exploit manages somehow to increment the key refcount by 2 (!!) per iteration - one of which the stap band-aid does successfully roll back.

The smaller exploit increments it by 1 per iteration, so after the band-aid application, the visible /proc/keys refcount stays static.

Further experiments with the systemtap band-aid from comment #13 indicate:

- fedora22 4.2.6-200.fc22.x86_64: stap band-aid works for both exploits (refcounts on /proc/keys fluctuate up & down during big exploit, within reasonable O(10000) ranges, then keyring is gc'd at exploit interrupt)
- git linux + patch, no stap band-aid: identical behaviour
- rhel7 3.10.0-327.4.4.el7.x86_64: stap band-aid works for both exploits, identical behaviour

I can't explain my previous observations in comment #11; am suspecting that the rhel7 VM being tested was already subtly corrupted during prior testing. The new results are post-reboot.

So, this appears to provide protection:

```
# debuginfo-install kernel (or equivalent)
# stap -vgt -Gfix_p=1 -Gtrace_p=0 cve20160728e.stp
```

Created attachment 1116563 [details]
Proposed patch
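The comments above judge whether the band-aid works by watching the usage column of /proc/keys for the affected keyring. As an added example (not from this bug report or from the systemtap script it references), here is a small Python monitor that parses two /proc/keys snapshots and flags keyrings whose usage count grew by more than a threshold between them; the line layout is assumed from the kernel's keys documentation, and the snapshots, the keyring name "myring" and the threshold are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# One /proc/keys line (layout assumed from the kernel's keys documentation):
#   SERIAL FLAGS USAGE EXPIRY PERM UID GID TYPE DESCRIPTION: SUMMARY
PROC_KEYS_RE = re.compile(
    r"^(?P<serial>[0-9a-f]{8})\s+(?P<flags>\S+)\s+(?P<usage>\d+)\s+"
    r"(?P<expiry>\S+)\s+(?P<perm>[0-9a-f]{8})\s+(?P<uid>\d+)\s+(?P<gid>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<desc>.*)$"
)

# Constructed sample snapshots (not real output): between the two, the keyring
# "myring" gains about 20000 references while everything else barely moves.
SNAPSHOT_1 = """\
00000001 I-----     1 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4
1a2b3c4d I--Q--     3 perm 3f030000  1000  1000 keyring   myring: 1
2b3c4d5e I--Q--     2 perm 3f010000  1000  1000 user      probe: 4
"""
SNAPSHOT_2 = """\
00000001 I-----     2 perm 1f3f0000     0     0 keyring   _uid_ses.0: 1/4
1a2b3c4d I--Q-- 20003 perm 3f030000  1000  1000 keyring   myring: 1
2b3c4d5e I--Q--     2 perm 3f010000  1000  1000 user      probe: 4
"""

def parse_proc_keys(text: str) -> Dict[str, dict]:
    """Map key serial -> parsed fields; header or malformed lines are skipped."""
    keys: Dict[str, dict] = {}
    for line in text.splitlines():
        m = PROC_KEYS_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["usage"] = int(rec["usage"])   # the refcount the band-aid watches
            keys[rec["serial"]] = rec
    return keys

def keyring_usage_growth(before: str, after: str,
                         threshold: int = 1000) -> List[Tuple[str, str, int, int]]:
    """(serial, description, usage_before, usage_after) for each keyring whose usage grew by more than threshold."""
    old, new = parse_proc_keys(before), parse_proc_keys(after)
    hits = []
    for serial, rec in new.items():
        if rec["type"] != "keyring" or serial not in old:
            continue                       # only keyrings present in both samples
        if rec["usage"] - old[serial]["usage"] > threshold:
            hits.append((serial, rec["desc"], old[serial]["usage"], rec["usage"]))
    return hits

if __name__ == "__main__":
    for serial, desc, was, now in keyring_usage_growth(SNAPSHOT_1, SNAPSHOT_2):
        print(f"keyring {serial} ({desc}) usage {was} -> {now}")
```

On a live Linux host, pass two reads of /proc/keys taken some seconds apart in place of the constructed snapshots; a keyring whose usage keeps climbing by thousands per sample is the pattern the comment above describes.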
External References: https://access.redhat.com/node/2131021

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0065 https://rhn.redhat.com/errata/RHSA-2016-0065.html

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2016:0064 https://rhn.redhat.com/errata/RHSA-2016-0064.html

This issue has been addressed in the following products:
MRG for RHEL-6 v.2
Via RHSA-2016:0068 https://rhn.redhat.com/errata/RHSA-2016-0068.html

kernel-4.3.3-303.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

kernel-4.3.4-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:
Red Hat Enterprise Linux 7.1 EUS - Server and Compute Node Only
Via RHSA-2016:0103 https://rhn.redhat.com/errata/RHSA-2016-0103.html