Bug 1501215 (CVE-2017-12193)

Summary: CVE-2017-12193 kernel: Null pointer dereference due to incorrect node-splitting in assoc_array implementation
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: airlied, ajax, aquini, bhu, blc, bskeggs, dhoward, dhowells, eparis, esandeen, fhrbata, hdegoede, hkrzesin, hwkernel-mgr, iboverma, ichavero, itamar, jarodwilson, jforbes, jglisse, jkacur, jonathan, josef, jross, jwboyer, kernel-maint, kernel-mgr, labbott, lgoncalv, linville, matt, mchehab, mcressma, mjg59, mlangsdo, nhorman, nmurray, plougher, quintela, rt-maint, rvrbovsk, security-response-team, slawomir, steved, vdronov, williams, wmealing
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of associative arrays, introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in the assoc_array implementation. This affects the keyring key type, so key addition and link creation operations may cause the kernel to panic.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-08 03:29:20 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1501286, 1502620, 1502621, 1502622, 1502623, 1502624, 1502625, 1502626, 1502627, 1508717
Bug Blocks: 1501233
Attachments: Proposed upstream patch (flags: none)

Description Adam Mariš 2017-10-12 08:59:53 UTC
A flaw was found in the Linux kernel's implementation of associative arrays introduced in 3.13. The Red Hat Enterprise Linux 7 kernel had backported this functionality to the 3.10 kernels and was affected by this flaw. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in the assoc_array implementation. This did not affect all callers of the associative array code, only those that would try to dereference the assigned value; for those callers a kernel panic will occur.

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea6789980fdaa610d7eb63602c746bf6ec70cd2b

Oss-security:
http://seclists.org/oss-sec/2017/q4/181

Comment 2 Adam Mariš 2017-10-12 09:10:39 UTC
Created attachment 1337630
Proposed upstream patch

Comment 4 Adam Mariš 2017-10-12 14:12:19 UTC
Acknowledgments:

Name: Fan Wu (University of Hong Kong), Haoran Qiu (University of Hong Kong), Shixiong Zhao (University of Hong Kong), Heming Cui (University of Hong Kong)

Comment 8 Wade Mealing 2017-10-16 11:07:54 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7, MRG-2 and realtime kernels. Future Linux kernel updates for the respective releases may address this issue.

Comment 10 David Howells 2017-10-28 22:02:12 UTC
This is now public, commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b in Linus' tree.

Comment 11 Wade Mealing 2017-11-02 03:05:55 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1508717]

Comment 12 errata-xmlrpc 2018-01-25 11:26:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151