Bug 1987320 (CVE-2021-37600)

Summary: CVE-2021-37600 util-linux: integer overflow can lead to buffer overflow in get_sem_elements() in sys-utils/ipcutils.c
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
CC: bdettelb, caswilli, fjansen, jnakfour, jonathan, kaycoth, kzak, psegedy, tomckay, vmugicag
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
An integer truncation flaw was found in util-linux that potentially causes a buffer overflow if an attacker can use system resources that lead to a large number in the /proc/sysvipc/sem file. The highest threat from this vulnerability is to system availability.
Story Points: ---
Last Closed: 2021-08-20 09:34:52 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1987322, 1989364, 1995891
Bug Blocks: 1987323

Description Guilherme de Almeida Suckevicz 2021-07-29 13:50:39 UTC
An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.

Reference:
https://github.com/karelzak/util-linux/issues/1395

Upstream patch:
https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c
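The pattern behind this report, as an added example that is not util-linux's own code: a 64-bit semaphore count read from a /proc/sysvipc/sem line is narrowed to 32 bits before calloc(), so the buffer ends up far smaller than the count a later loop would trust; the hardened path keeps the count at full width and rejects what it cannot allocate. The record layout, helper names and the sample line are assumptions constructed for this example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical per-semaphore record; stands in for the real element type. */
struct sem_elem { int semval; int ncount; int zcount; int pid; };

/* Constructed /proc/sysvipc/sem line (kernel column order:
 * key semid perms nsems uid gid cuid cgid otime ctime). */
static const char SAMPLE_LINE[] =
    "         0      65536   666          3  1000  1000  1000  1000          0 1628000000";

/* Pull the nsems column out of one line. Returns 0 if the line does not
 * parse; a real semaphore set always has at least one semaphore, so 0 is
 * a safe "invalid" sentinel here. */
uint64_t parse_nsems(const char *line)
{
    uint64_t nsems = 0;
    if (sscanf(line, "%*d %*d %*o %" SCNu64, &nsems) != 1)
        return 0;
    return nsems;
}

/* Weak pattern: the count is narrowed to 32 bits on its way to calloc().
 * 2^32+1 becomes 1, so one element is allocated while any loop bounded by
 * the original 64-bit count would write 2^32+1 of them. */
size_t truncated_nmemb(uint64_t nsems)
{
    uint32_t narrow = (uint32_t)nsems;   /* the truncation */
    return (size_t)narrow;
}

/* Hardened: no narrowing, and an explicit range check so the byte size can
 * never wrap. Returns the size calloc() would be asked for, or 0 to reject. */
size_t checked_bytes(uint64_t nsems)
{
    if (nsems == 0 || nsems > SIZE_MAX / sizeof(struct sem_elem))
        return 0;
    return (size_t)nsems * sizeof(struct sem_elem);
}

struct sem_elem *alloc_elements(uint64_t nsems)
{
    size_t bytes = checked_bytes(nsems);
    return bytes ? calloc((size_t)nsems, sizeof(struct sem_elem)) : NULL;
}

int main(void)
{
    uint64_t n = parse_nsems(SAMPLE_LINE);
    printf("nsems=%" PRIu64 " truncated=%zu bytes=%zu\n",
           n, truncated_nmemb(n), checked_bytes(n));
    return 0;
}
```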

Comment 1 Guilherme de Almeida Suckevicz 2021-07-29 13:51:21 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1987322]

Comment 3 Doran Moppert 2021-08-11 03:51:49 UTC
Exploitability of this vuln is limited by the value of SEMMSL.  For any reasonable value of this limit, the overflow is not possible.

Comment 4 Karel Zak 2021-08-16 09:34:58 UTC
There is no exploitability at all, the tools do not have any extra permissions, the worst possible case is that it will call calloc() with bad values. This is pretty common in userspace and it does not affect anything.

This whole CVE is total nonsense and it seems that anyone can submit whatever they like to the CVE, a sad thing ...

Comment 5 Doran Moppert 2021-08-19 07:01:12 UTC
In reply to comment #4:
> There is no exploitability at all, the tools do not have any extra
> permissions, the worst possible case is that it will call calloc() with bad
> values. This is pretty common in userspace and it does not affect anything.

You are right that util-linux tools do not elevate privileges, but the risk here is that when invoked by a privileged user, the overflow can be triggered by behaviour of another user who has created the semaphores being examined.  If the parameters influencing calloc() were entirely supplied by the user invoking the tool, there would be no CVE.  But in this case they can come from a different privilege domain.

Comment 7 Product Security DevOps Team 2021-08-20 09:34:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-37600