Bug 1451685 (CVE-2017-1000363)

Summary: CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: agordeev, aquini, bhu, dhoward, dominik.mierzejewski, dvlasenk, esammons, fhrbata, iboverma, jforbes, jkacur, jross, lgoncalv, lwang, matt, mcressma, mguzik, nmurray, pholasek, plougher, rvrbovsk, security-response-team, vdronov, williams
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Doc Text:
A vulnerability was found in the Linux kernel's lp_setup() function, which doesn't apply any bounds checking when passing "lp=none". This can result in an overflow of the parport_nr[] array. An attacker with control over the kernel command line can overwrite kernel code and data with fixed (0xff) values.
Story Points: ---
Last Closed: 2017-07-25 12:18:08 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1456454, 1456493, 1456495, 1456496, 1456497, 1456499
Bug Blocks: 1451686

Description Adam Mariš 2017-05-17 09:54:18 UTC
The lp_setup() function doesn't apply any bounds checking when passing "lp=none", which can result in an overflow of the parport_nr[] array. An adversary having partial control over the secure boot kernel command line can insert malicious code directly into the kernel.

References:

https://alephsecurity.com/vulns/aleph-2017023

http://seclists.org/oss-sec/2017/q2/335

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e21f4af170bebf47c187c1ff8bf155583c9f3b1
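
As an added illustration (not the kernel's code and not the upstream patch), the user-space C model below walks a kernel command line the way the lp= handler described above would, with the bounds check the fix adds on the parport_nr[] cursor; the 8-slot array size (comment 10's "more than 8"), the LP_PARPORT_NONE sentinel and the space/comma splitting are assumptions. Each "none" that arrives after the last slot is counted instead of stored, so the return value is the number of out-of-bounds writes the unpatched parser would have made for that command line.

```c
#include <string.h>
/* Assumed constants: 8 slots (comment 10 says more than 8 "none" entries
 * overflow) and a sentinel stored for each "none". */
#define LP_NO             8
#define LP_PARPORT_UNSPEC -4
#define LP_PARPORT_NONE   -1
static int parport_nr[LP_NO];  /* the array the bug overflows */
static int parport_ptr;        /* the static cursor lp_setup() keeps */
static int dropped;            /* "none" tokens refused by the check */

/* One token of an lp= value. "parport_ptr < LP_NO" is the bounds check
 * the fix adds; without it each extra "none" stores LP_PARPORT_NONE one
 * int further past parport_nr[]. Modelled by counting, not writing. */
static void lp_token(const char *tok, size_t len)
{
    if (len != 4 || strncmp(tok, "none", 4) != 0)
        return;                          /* other keywords not modelled */
    if (parport_ptr < LP_NO)
        parport_nr[parport_ptr++] = LP_PARPORT_NONE;
    else
        dropped++;                       /* OOB write in unpatched code */
}

/* Walk a kernel command line (simplified: parameters split on spaces,
 * lp= values on commas). Returns how many "none" tokens the unpatched
 * parser would have written past the end of parport_nr[]. */
int lp_cmdline(const char *cmdline)
{
    parport_ptr = dropped = 0;
    for (int i = 0; i < LP_NO; i++)
        parport_nr[i] = LP_PARPORT_UNSPEC;
    for (const char *p = cmdline; (p = strstr(p, "lp=")) != NULL; ) {
        if (p != cmdline && p[-1] != ' ') { p += 3; continue; } /* "xlp=" */
        p += 3;
        while (*p && *p != ' ') {
            size_t len = strcspn(p, ", ");
            lp_token(p, len);
            p += len;
            if (*p == ',') p++;
        }
    }
    return dropped;
}

/* Slot contents after the last lp_cmdline() call, bounds-checked. */
int lp_slot(int i)
{
    return (i >= 0 && i < LP_NO) ? parport_nr[i] : LP_PARPORT_UNSPEC;
}
```

Feeding it the nine-"none" line from comment 10 returns 1 (one store past the array); a line with eight or fewer returns 0.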

Comment 1 Adam Mariš 2017-05-17 09:54:32 UTC
Acknowledgments:

Name: Roee Hay (HCL Technologies)

Comment 2 Vladis Dronov 2017-05-29 12:33:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1456454]

Comment 4 Vladis Dronov 2017-05-29 13:27:25 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, as the code with the flaw is not built and shipped with the products listed.

Comment 9 Denys Vlasenko 2017-06-28 14:59:11 UTC
Our kernels have CONFIG_PRINTER=m, so this bug shouldn't be affecting us: the function we patch sits inside an "#ifndef MODULE" block.

Comment 10 Denys Vlasenko 2017-06-29 16:23:12 UTC
This bug can only be triggered if someone recompiles the kernel with CONFIG_PRINTER=y, and then boots with "lp=none,none,none,none,none,none,none,none,none" (i.e. with more than 8 "none" parameters for lp=) on the kernel command line.
I don't think this scenario is important for us.

I propose WONTFIXing this.

Comment 11 Justin M. Forbes 2018-01-29 17:05:50 UTC
This was fixed for Fedora with the 4.12 rebases.