Bug 1462147 (CVE-2017-1000365)

Summary: CVE-2017-1000365 kernel: RLIMIT_STACK/RLIMIT_INFINITY string size limitation bypass
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: apmukher, aquini, bhu, blc, dhoward, fhrbata, gansalmon, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jforbes, jkacur, jonathan, jross, jwboyer, kernel-maint, kernel-mgr, lgoncalv, madhu.chinakonda, mchehab, mcressma, mlangsdo, nmurray, pholasek, pmatouse, ravpatil, rt-maint, rvrbovsk, sbalasub, security-response-team, slawomir, vdronov, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY, but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:53:00 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1462827    
Bug Blocks: 1473651    

Description Andrej Nemec 2017-06-16 10:31:25 UTC 
The Linux Kernel imposes a size restriction on the arguments and environmental strings passed through RLIMIT_STACK/RLIMIT_INFINITY (1/4 of the size), but does not take the argument and environment pointers into account, which allows attackers to bypass this limitation.

This method in itself is not an exploit, but bypassing this mechanism is the flaw/issue being tracked.

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=98da7d08850fb8bdeb395d6368ed15753304aa0c
Comment 1 Andrej Nemec 2017-06-16 10:32:50 UTC 
Acknowledgments:

Name: Qualys Inc.
Comment 2 Andrej Nemec 2017-06-16 10:32:59 UTC 
External References:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Comment 3 Petr Matousek 2017-06-19 16:08:25 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1462827]
Comment 4 Wade Mealing 2017-08-07 05:31:07 UTC 
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat
Enterprise Linux 5,6, 7 and MRG-2.

Future Linux kernel updates for the respective releases may address this issue.
Comment 6 Ravindra Patil 2017-09-14 17:27:18 UTC 
Hello 

Any ETA for errata for this vulnerability. RHEL 5,6,7 are affected by this bug. No errata has been released, any possible ETA would help to pass on information to customer.
Comment 9 Wade Mealing 2020-06-23 07:19:59 UTC 
Looking back through my mail, I had lodged a dispute with mitre about this being an actual flaw, it was turned down

EL7 was fixed in commit 2ddf8223ea49e280967762dc2d954aea2d497c80 Which was fixed in kernel-3.10.0-1000.el7 or newer.

This low wouldn't qualify for a fix in el5 and 6. at this point (or then) either.