Bug 1575853 (CVE-2018-1126)
| Summary: | CVE-2018-1126 procps-ng, procps: incorrect integer size in proc/alloc.* leading to truncation / integer overflow issues | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Doran Moppert <dmoppert> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | albert, dmoppert, jaromir.capik, jrybar, kdudka, security-response-team, yozone |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | procps-ng 3.3.15 | Doc Type: | If docs needed, set a value |
| Doc Text: | A flaw was found where procps-ng provides wrappers for standard C allocators that took `unsigned int` instead of `size_t` parameters. On platforms where these differ (such as x86_64), this could cause integer truncation, leading to undersized regions being returned to callers that could then be overflowed. The only known exploitable vector for this issue is CVE-2018-1124. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-06-04 09:19:01 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1577025, 1577026, 1579637, 1579638, 1580581, 1580582, 1602221, 1602998, 1719426, 1910652 | | |
| Bug Blocks: | 1575455 | | |
Description
Doran Moppert
2018-05-08 05:57:57 UTC
This really needs a size limit in the kernel. It is not possible to pass more than 2 MiB of arguments to a process (see "getconf ARG_MAX"). If that limit were enforced by the /proc filesystem, then an "unsigned int" would be fine here. Supporting more than INT_MAX is incorrect, since that introduces a denial of service. The procps tools are commonly run on systems that are low on memory, and this is an important use case. The size of cmdline needs to be limited.

The denial of service is somewhat mitigated by the fact that the default output for procps tools does not include command line arguments, and thus the files are not parsed by default.

> This really needs a size limit in the kernel.

I agree, ultimately the kernel is the best place to address it. ARG_MAX is derived from RLIMIT_STACK, thus can be increased, but actual arguments passed to exec*() face a hard limit in MAX_ARG_STRLEN, which is only 128 KiB on x86_64.

Having the kernel apply the same limits to data coming out of /proc makes sense. But that is going to take time. Meanwhile I think addressing this in procps by aligning the allocator arguments with their underlying libc calls seems like a good mitigation.
Acknowledgments:

Name: Qualys Research Labs
Public via: http://seclists.org/oss-sec/2018/q2/122

External References:

https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Created procps-ng tracking bugs for this issue:

Affects: fedora-all [bug 1579638]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2018:1700 https://access.redhat.com/errata/RHSA-2018:1700

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2018:1777 https://access.redhat.com/errata/RHSA-2018:1777

This issue has been addressed in the following products:

Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1820 https://access.redhat.com/errata/RHSA-2018:1820

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2267 https://access.redhat.com/errata/RHSA-2018:2267

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6.6 Advanced Update Support
Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2268 https://access.redhat.com/errata/RHSA-2018:2268

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1944 https://access.redhat.com/errata/RHSA-2019:1944
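The truncation described in the Doc Text, as an added illustration written for this page rather than procps-ng's own code: an allocator wrapper that takes `unsigned int` beside the same wrapper taking `size_t`, plus a pure function that isolates the implicit conversion so the lost bits can be checked without allocating anything. The names `xmalloc_narrow`, `xmalloc_wide`, `narrowed_size`, `size_survives_narrowing` and `xmalloc_narrow_checked` are hypothetical, and the 4 GiB request is a constructed input standing in for a length a caller would derive from attacker-controlled data.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrappers modelled on the pattern the Doc Text describes.
   Both bodies are identical; only the parameter type differs. */

/* Before: the parameter is unsigned int. On LP64 targets such as x86_64,
   size_t is 64 bits wide, so a caller's size_t value is reduced modulo
   2^32 before malloc(3) ever sees it, with no warning at the call site. */
static void *xmalloc_narrow(unsigned int size)
{
    void *p = malloc(size ? size : 1);
    if (p == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    return p;
}

/* After: the parameter is size_t, matching malloc(3), so nothing is lost. */
static void *xmalloc_wide(size_t size)
{
    void *p = malloc(size ? size : 1);
    if (p == NULL) {
        perror("malloc");
        exit(EXIT_FAILURE);
    }
    return p;
}

/* The size the narrow wrapper actually passes to malloc for a request:
   the arithmetic of the implicit size_t -> unsigned int conversion. */
static size_t narrowed_size(size_t requested)
{
    return (size_t)(unsigned int)requested;
}

/* 1 if the request survives the unsigned int parameter intact, else 0. */
static int size_survives_narrowing(size_t requested)
{
    return narrowed_size(requested) == requested;
}

/* Caller-side guard for an API that still takes unsigned int: refuse a
   request that would wrap rather than hand back an undersized region. */
static void *xmalloc_narrow_checked(size_t requested)
{
    if (requested > UINT_MAX) {
        fprintf(stderr, "refusing %zu-byte request: exceeds unsigned int\n",
                requested);
        return NULL;
    }
    return xmalloc_narrow((unsigned int)requested);
}

int main(void)
{
    /* Constructed input: a request just past 4 GiB, the kind of value a
       caller might compute from an oversized length read out of /proc. */
    size_t want = (size_t)UINT_MAX + 1 + 16;

    printf("requested %zu bytes\n", want);
    printf("narrow wrapper would allocate %zu bytes\n", narrowed_size(want));

    /* Implicit conversion at the call site: on x86_64 this region is only
       16 bytes long. Copying `want` bytes into it would be the overflow,
       so the copy is deliberately not performed here. */
    void *small = xmalloc_narrow(want);
    printf("region from narrow wrapper holds %zu of the %zu bytes needed\n",
           narrowed_size(want), want);
    free(small);

    if (xmalloc_narrow_checked(want) == NULL)
        puts("checked wrapper refused the truncating request");

    /* The size_t wrapper asks for the full amount; whether that succeeds
       depends on available memory, so only a modest request is made here. */
    size_t modest = (size_t)1 << 20;
    void *ok = xmalloc_wide(modest);
    memset(ok, 0, modest);
    free(ok);
    return 0;
}
```

On a 32-bit target `size_t` and `unsigned int` are the same width and `narrowed_size` is the identity, which is why the Doc Text scopes the issue to platforms where the two types differ; the real fix is the `size_t` signature, and the checked wrapper is only what a caller can do while an API still takes `unsigned int`.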