Bug 1488329 (CVE-2017-14140)

Summary: CVE-2017-14140 kernel: Missing permission check in move_pages system call
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, eparis, esandeen, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nhorman, nmurray, plougher, quintela, rt-maint, rvrbovsk, slawomir, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: kernel 4.13 Doc Type: If docs needed, set a value
Doc Text:
The move_pages system call in mm/migrate.c in the Linux kernel doesn't check the effective uid of the target process. This enables a local attacker to learn the memory layout of a setuid executable allowing mitigation of ASLR.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:24:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1488330, 1499610, 1499611, 1499612, 1499613, 1499614    
Bug Blocks: 1488331    

Description Adam Mariš 2017-09-05 07:45:23 UTC 
The move_pages system call in mm/migrate.c in the Linux kernel before
4.12.9 doesn't check the effective uid of the target process, enabling
a local attacker to learn the memory layout of a setuid executable
despite ASLR.

Upstream patch:

https://github.com/torvalds/linux/commit/197e7e521384a23b9e585178f3f11c9fa08274b9
Comment 1 Adam Mariš 2017-09-05 07:46:29 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1488330]
Comment 2 Justin M. Forbes 2017-09-05 14:02:39 UTC 
This was fixed in 4.12.9 stable which is currently available across all supported Fedora releases.
Comment 4 Wade Mealing 2017-10-09 05:36:40 UTC 
Statement:
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5,6,7 and MRG-2.

Red Hat Enterprise Linux 5 and 6 are in the Production 3 Phase. During the
Production 3 Phase, Critical impact Security Advisories (RHSAs) and
selected Urgent Priority Bug Fix Advisories (RHBAs) may be released as
they become available.

The official life cycle policy can be reviewed here:

https://access.redhat.com/support/policy/updates/errata/


This issue does not meet the inclusion criteria for the Production 3 Phase
and will be marked as CLOSED/WONTFIX. If this remains a critical
requirement, please contact Red Hat Customer Support to request
a re-evaluation of the issue, citing a clear business justification. Note
that a strong business justification will be required for re-evaluation.
Red Hat Customer Support can be contacted via the Red Hat Customer Portal.
  
Future Linux kernel updates for Red Hat Enterprise Linux 7 may address this issue.
Comment 8 errata-xmlrpc 2018-04-10 08:05:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676
Comment 9 errata-xmlrpc 2018-04-10 09:29:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062