Bug 1492212 (CVE-2017-1000253)
| Summary: | CVE-2017-1000253 kernel: load_elf_ binary() does not take account of the need to allocate sufficient space for the entire binary | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Kurt Seifried <kseifried> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | agordeev, aquini, bhe, bhsharma, bhu, blc, cye, dbaker, dhoward, dvlasenk, esammons, fhrbata, hkrzesin, hwkernel-mgr, iboverma, jkacur, joe.lawrence, jpoimboe, jross, kernel-mgr, lgoncalv, lwang, matt, mcressma, mguzik, mjc, mlangsdo, nmurray, onestero, plougher, pmatouse, rvrbovsk, security-response-team, skontar, williams, wmealing |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: |
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2017-09-26 19:58:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1492954, 1492955, 1492956, 1492957, 1492958, 1492959, 1492960, 1492961, 1492962, 1492982, 1492983, 1492987, 1493063 | ||
| Bug Blocks: | 1492211, 1492683 | ||
|
Description
Kurt Seifried
2017-09-15 19:30:51 UTC
Statement: This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 prior to kernel version 3.10.0-693, that is Red Hat Enterprise Linux 7.4 GA kernel version. Kernel versions after 3.10.0-693 contain the fix and are thus not vulnerable. This issue affects the Linux kernel-rt packages prior to the kernel version 3.10.0-693.rt56.617 (Red Hat Enteprise Linux for Realtime) and 3.10.0-693.2.1.rt56.585.el6rt (Red Hat Enterprise MRG 2). The latest Linux kernel-rt packages as shipped with Red Hat Enterprise Linux for Realtime and Red Hat Enterprise MRG 2 are not vulnerable. Future Linux kernel updates for the respective releases will address this issue. Acknowledgments: Name: Qualys Research Labs External References: https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt This issue has been addressed in the following products: Red Hat Enterprise Linux 6.2 Advanced Update Support Via RHSA-2017:2800 https://access.redhat.com/errata/RHSA-2017:2800 This issue has been addressed in the following products: Red Hat Enterprise Linux 6.4 Advanced Update Support Via RHSA-2017:2799 https://access.redhat.com/errata/RHSA-2017:2799 This issue has been addressed in the following products: Red Hat Enterprise Linux 6.5 Advanced Update Support Red Hat Enterprise Linux 6.5 Telco Extended Update Support Via RHSA-2017:2798 https://access.redhat.com/errata/RHSA-2017:2798 This issue has been addressed in the following products: Red Hat Enterprise Linux 6.6 Advanced Update Support Red Hat Enterprise Linux 6.6 Telco Extended Update Support Via RHSA-2017:2797 https://access.redhat.com/errata/RHSA-2017:2797 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.2 Extended Update Support Via RHSA-2017:2794 https://access.redhat.com/errata/RHSA-2017:2794 This issue has been addressed in the following products: Red Hat Enterprise Linux 7.3 Extended Update Support Via RHSA-2017:2793 https://access.redhat.com/errata/RHSA-2017:2793 This issue has been addressed in the following products: Red Hat Enterprise Linux 6.7 Extended Update Support Via RHSA-2017:2796 https://access.redhat.com/errata/RHSA-2017:2796 This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Extended Lifecycle Support Via RHSA-2017:2801 https://access.redhat.com/errata/RHSA-2017:2801 This issue has been addressed in the following products: Red Hat Enterprise Linux 5.9 Long Life Via RHSA-2017:2802 https://access.redhat.com/errata/RHSA-2017:2802 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:2795 https://access.redhat.com/errata/RHSA-2017:2795 Mitigation:
By setting vm.legacy_va_layout to 1 we can effectively disable the exploitation of this issue by switching to the legacy mmap layout. The mmap allocations start much lower in the process address space and follow the bottom-up allocation model. As such, the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.
64-bit processes on Red Hat Enterprise Linux 5 are forced to use the legacy virtual address space layout regardless of the vm.legacy_va_layout value.
Note: Applications that have demands for a large linear address space (such as certain databases) may be unable to handle the legacy memory layout proposed using this mitigation. We recommend to test your systems and applications before deploying this mitigation on production systems.
Edit the /etc/sysctl.conf file as root, and add or amend:
vm.legacy_va_layout = 1
To apply this setting, run the /sbin/sysctl -p command as the root user to reload the settings from /etc/sysctl.conf.
Verify that vm.legacy_va_layout is now set to defined value:
$ /sbin/sysctl vm.legacy_va_layout
vm.legacy_va_layout = 1
|