Bug 1498067 (CVE-2017-1000255)

Summary: CVE-2017-1000255 kernel: Arbitrary stack overwrite causing oops via crafted signal frame
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, eparis, esandeen, fhrbata, gduarte, hannsj_uhl, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nhorman, nmurray, plougher, quintela, rt-maint, rvrbovsk, sbest, security-response-team, steved, vdronov, williams, wmealing
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's handling of signal frame on PowerPC systems. A malicious local user process could craft a signal frame allowing an attacker to corrupt memory.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:26:27 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1498763, 1500335    
Bug Blocks: 1498072    
Attachments:
Description Flags
Proposed patch
none
Proposed patch 2 none

Description Adam Mariš 2017-10-03 12:35:18 UTC 
A flaw was found in the Linux kernels handling of signal frame processing where any user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written.

This flaw only affects PowerPC systems running on Power8 or later processors.

References:

http://seclists.org/oss-sec/2017/q4/51

This issue was introduced by commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d176f751ee3

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=265e60a170d0a0ecfc2d20490134ed2c48dd45ab
Comment 2 Adam Mariš 2017-10-03 12:37:30 UTC 
Created attachment 1333629 [details]
Proposed patch
Comment 4 Wade Mealing 2017-10-05 07:59:29 UTC 
Statement:

This issue does not affect the Linux kernel and kernel-rt packages as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Comment 7 Adam Mariš 2017-10-06 09:28:43 UTC 
Created attachment 1335172 [details]
Proposed patch 2

This is a supplement to the first patch, not a replacement.
Comment 8 Adam Mariš 2017-10-10 12:06:44 UTC 
Public via:

seclists.org/oss-sec/2017/q4/51
Comment 9 Adam Mariš 2017-10-10 12:07:25 UTC 
Acknowledgments:

Name: Michael Ellerman, Gustavo Romero, Breno Leitao, Paul Mackerras, Cyril Bur
Comment 10 Adam Mariš 2017-10-10 12:08:30 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1500335]
Comment 11 Fedora Update System 2017-10-24 05:28:47 UTC 
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2017-10-25 21:20:53 UTC 
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2017-10-25 23:13:46 UTC 
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2018-04-10 05:05:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0654