Bug 1575853 (CVE-2018-1126)

Summary: CVE-2018-1126 procps-ng, procps: incorrect integer size in proc/alloc.* leading to truncation / integer overflow issues
Product: [Other] Security Response
Reporter: Doran Moppert <dmoppert>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: albert, dmoppert, jaromir.capik, jrybar, kdudka, security-response-team, yozone
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: procps-ng 3.3.15
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found where procps-ng provides wrappers for standard C allocators that took `unsigned int` instead of `size_t` parameters. On platforms where these differ (such as x86_64), this could cause integer truncation, leading to undersized regions being returned to callers that could then be overflowed. The only known exploitable vector for this issue is CVE-2018-1124.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-06-04 09:19:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1577025, 1577026, 1579637, 1579638, 1580581, 1580582, 1602221, 1602998, 1719426, 1910652
Bug Blocks: 1575455

Description Doran Moppert 2018-05-08 05:57:57 UTC
procps-ng provides wrappers for standard C allocators that took `unsigned int` instead of `size_t` parameters. On platforms where these differ (such as x86_64), this could cause integer truncation, leading to undersized regions being returned to callers that could then be overflowed.

This flaw is related to CVE-2018-1124. As stated in the patch provided by Qualys:

> this .. is one of the reasons the integer overflows in file2strvec() are exploitable at all.
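The narrowing the description above refers to, as an added example that is not procps-ng's own code: a wrapper whose prototype takes `unsigned int` silently drops the high bits of a 64-bit request, so a request of 4 GiB + 16 bytes reaches the allocator as 16 bytes, while a wrapper declared with `size_t` passes it through unchanged. Function names are hypothetical, chosen for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration of the CVE-2018-1126 bug class; function names are
 * hypothetical, not procps-ng's own. Shape of the flaw: a wrapper whose
 * parameter is unsigned int, called by code that computed a size_t. */

/* Size the allocator would actually receive through a narrowing wrapper. */
static size_t bytes_reaching_malloc_narrowed(size_t requested)
{
    unsigned int narrowed = (unsigned int)requested; /* implicit in the real call */
    return (size_t)narrowed;
}

/* Size the allocator receives through a wrapper declared with size_t. */
static size_t bytes_reaching_malloc_fixed(size_t requested)
{
    return requested;
}

/* Audit predicate: would this request be silently shrunk by the old shape?
 * A shrunk region is what a later copy of `requested` bytes overflows. */
static int request_is_truncated(size_t requested)
{
    return bytes_reaching_malloc_narrowed(requested) != requested;
}

/* Fixed wrapper: size_t end to end, hard failure instead of a short region. */
static void *xmalloc_fixed(size_t size)
{
    void *p = malloc(size ? size : 1);
    if (!p) {
        fprintf(stderr, "xmalloc_fixed: cannot allocate %zu bytes\n", size);
        exit(EXIT_FAILURE);
    }
    return p;
}

int main(void)
{
    size_t big = (size_t)UINT_MAX + 17;   /* 4 GiB + 16 on LP64 targets such as x86_64 */
    printf("request %zu bytes: narrowed wrapper passes %zu, fixed wrapper passes %zu\n",
           big, bytes_reaching_malloc_narrowed(big), bytes_reaching_malloc_fixed(big));
    printf("silently truncated on this platform: %s\n", request_is_truncated(big) ? "yes" : "no");
    void *p = xmalloc_fixed(64);   /* an ordinary request is unaffected either way */
    free(p);
    return 0;
}
```

On an ILP32 target `size_t` and `unsigned int` are the same width, so the audit predicate reports no truncation there, matching the "platforms where these differ" qualification in the description.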

Comment 2 Albert Cahalan 2018-05-08 18:02:32 UTC
This really needs a size limit in the kernel. It is not possible to pass more than 2 MiB of arguments to a process. (see "getconf ARG_MAX") If that limit were enforced by the /proc filesystem, then an "unsigned int" would be fine here.

Supporting more than INT_MAX is incorrect, since that introduces a denial of service. The procps tools are commonly run on systems that are low on memory, and this is an important use case. The size of cmdline needs to be limited. The denial of service is somewhat mitigated by the fact that the default output for procps tools does not include command line arguments, and thus the files are not parsed by default.

Comment 3 Doran Moppert 2018-05-11 02:33:10 UTC
> This really needs a size limit in the kernel.

I agree, ultimately kernel is the best place to address it.  ARG_MAX is derived from RLIMIT_STACK, thus can be increased, but actual arguments passed to exec*() face a hard limit in MAX_ARG_STRLEN, which is only 128KiB on x86_64.

Having the kernel apply the same limits to data coming out of /proc makes sense.  But that is going to take time.  Meanwhile I think addressing this in procps by aligning the allocator arguments with their underlying libc calls seems like a good mitigation.

Comment 6 Adam Mariš 2018-05-16 11:18:20 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 7 Doran Moppert 2018-05-18 05:13:28 UTC
Public via: http://seclists.org/oss-sec/2018/q2/122

Comment 8 Doran Moppert 2018-05-18 05:13:35 UTC
External References:

https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Comment 9 Doran Moppert 2018-05-18 05:14:13 UTC
Created procps-ng tracking bugs for this issue:

Affects: fedora-all [bug 1579638]

Comment 13 errata-xmlrpc 2018-05-23 15:52:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1700 https://access.redhat.com/errata/RHSA-2018:1700

Comment 14 errata-xmlrpc 2018-05-31 13:59:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1777 https://access.redhat.com/errata/RHSA-2018:1777

Comment 15 errata-xmlrpc 2018-06-11 06:56:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1820 https://access.redhat.com/errata/RHSA-2018:1820

Comment 17 errata-xmlrpc 2018-07-26 12:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2267 https://access.redhat.com/errata/RHSA-2018:2267

Comment 18 errata-xmlrpc 2018-07-26 13:15:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2268 https://access.redhat.com/errata/RHSA-2018:2268

Comment 20 errata-xmlrpc 2019-07-30 09:08:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1944 https://access.redhat.com/errata/RHSA-2019:1944