Bug 1317576 (CVE-2016-0823)

Summary: CVE-2016-0823 kernel: Leakage of physical address mappings to non-privileged userspace
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: aquini, bhu, blc, dhoward, fhrbata, gansalmon, iboverma, itamar, jforbes, jkacur, joelsmith, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, kstutsma, lgoncalv, madhu.chinakonda, mchehab, mcressma, mlangsdo, nmurray, rt-maint, rvrbovsk, slawomir, vgoyal, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: kernel 3.19.3
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-21 00:51:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1327066, 1327067
Bug Blocks: 1317580

Description Adam Mariš 2016-03-14 15:21:14 UTC
It was reported that pagemap_open function in fs/proc/task_mmu.c in the Linux kernel before 3.19.3 allows local users to obtain sensitive physical-address information by reading a /proc/<pid>/pagemap file.

The initial fix (commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce) put the privilege check directly in the pagemap_open function, which was considered too coarse.  Upstream later moved the check into pagemap_read with commit 1c90308e7a77af6742a97d1021cca923b23b7f0d.  This allows /proc/<pid>/pagemap to be opened and read by non-root users but it does not expose the physical addresses that could be used by the rowhammer exploit.

Upstream patch:

https://github.com/torvalds/linux/commit/ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce

Introduced in commit: 
https://github.com/torvalds/linux/commit/85863e475e59afb027b0113290e3796ee6020b7d

External Reference:

https://googleprojectzero.blogspot.cz/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
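
The description above says the upstream fix keeps /proc/<pid>/pagemap readable by unprivileged users but zeroes the physical frame number (PFN) field for readers without CAP_SYS_ADMIN. The following script is an added verification check, not code from the bug report or from the kernel: it decodes pagemap entries using the 64-bit layout from the kernel's pagemap documentation (bits 0-54 PFN when present, bit 61 file/shared, bit 62 swapped, bit 63 present), looks up the entries covering a buffer in its own address space, and reports whether any present page still shows a non-zero PFN. The buffer size, the set of bits decoded and the verdict logic are the example's own choices.

```python
"""Check whether /proc/<pid>/pagemap exposes physical frame numbers (PFNs).

Added example, not part of the bug report. On a kernel carrying the
pagemap_read privilege check, an unprivileged reader sees present pages
with pfn == 0; seeing non-zero PFNs without CAP_SYS_ADMIN means the
mitigation is absent.
"""
import ctypes
import mmap
import os
import struct

PAGEMAP_ENTRY_SIZE = 8          # one little-endian u64 per virtual page
PFN_MASK = (1 << 55) - 1        # bits 0-54 hold the PFN for a present page
BIT_FILE_OR_SHARED = 1 << 61    # page is file-backed or shared anonymous
BIT_SWAPPED = 1 << 62           # page is swapped out (bits 0-54 then hold swap info)
BIT_PRESENT = 1 << 63           # page is present in RAM


def parse_pagemap_entry(raw):
    """Decode one 8-byte pagemap entry into its documented fields."""
    if len(raw) != PAGEMAP_ENTRY_SIZE:
        raise ValueError("a pagemap entry is exactly 8 bytes")
    (value,) = struct.unpack("<Q", raw)
    present = bool(value & BIT_PRESENT)
    return {
        "present": present,
        "swapped": bool(value & BIT_SWAPPED),
        "file_or_shared": bool(value & BIT_FILE_OR_SHARED),
        # Only meaningful for present pages; for swapped pages the low bits
        # encode swap type/offset, not a frame number, so report 0.
        "pfn": (value & PFN_MASK) if present else 0,
    }


def pfns_exposed(entries):
    """True if any present page reports a non-zero PFN to this reader."""
    return any(e["present"] and e["pfn"] != 0 for e in entries)


def read_pagemap_for_buffer(buf, pid="self"):
    """Return parsed pagemap entries covering a ctypes buffer of this process.

    Returns None when pagemap is unavailable: non-Linux host, or a kernel
    with the earlier pagemap_open-level check that refuses the open outright
    for non-root readers.
    """
    path = f"/proc/{pid}/pagemap"
    if not os.path.exists(path):
        return None
    start = ctypes.addressof(buf)
    end = start + ctypes.sizeof(buf)
    first_page = start // mmap.PAGESIZE
    last_page = (end - 1) // mmap.PAGESIZE
    try:
        with open(path, "rb", buffering=0) as f:
            f.seek(first_page * PAGEMAP_ENTRY_SIZE)
            raw = f.read((last_page - first_page + 1) * PAGEMAP_ENTRY_SIZE)
    except OSError:
        return None
    return [parse_pagemap_entry(raw[i:i + PAGEMAP_ENTRY_SIZE])
            for i in range(0, len(raw), PAGEMAP_ENTRY_SIZE)]


if __name__ == "__main__":
    # Allocate a few pages and write to them so they are actually present.
    buf = ctypes.create_string_buffer(4 * mmap.PAGESIZE)
    ctypes.memset(buf, 0x41, ctypes.sizeof(buf))
    entries = read_pagemap_for_buffer(buf)
    if entries is None:
        print("pagemap not readable here (not Linux, or open refused)")
    else:
        present = [e for e in entries if e["present"]]
        print(f"{len(present)}/{len(entries)} pages present, euid={os.geteuid()}, "
              f"PFNs exposed: {pfns_exposed(entries)}")
```

Run it once as an unprivileged user and once as root: on a fixed kernel the unprivileged run should report `PFNs exposed: False` while the root run reports `True`; an unprivileged run reporting `True` indicates a kernel without the pagemap_read check. A `None` result (open refused for non-root) corresponds to the coarser pagemap_open-level fix mentioned in the description. One caveat: frame number 0 is a legitimate PFN, so a single present page with `pfn == 0` is not proof of masking on its own; the check looks across all pages of the buffer for that reason.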

Comment 2 Wade Mealing 2016-04-14 08:25:02 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1327067]

Comment 4 Wade Mealing 2016-04-14 08:29:43 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5.

This has been rated as having Low security impact and is not currently
planned to be addressed in future updates of 6, 7, and MRG-2. For additional
information, refer to the Red Hat Enterprise Linux Life Cycle:
https://access.redhat.com/support/policy/updates/errata/ .