Bug 1245684 (CVE-2015-3256) - CVE-2015-3256 polkit: Memory corruption via javascript rule evaluation
Summary: CVE-2015-3256 polkit: Memory corruption via javascript rule evaluation
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-3256
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1271789 1271790
Blocks: 1233809
TreeView+ depends on / blocked
 
Reported: 2015-07-22 14:16 UTC by Vasyl Kaigorodov
Modified: 2019-09-29 13:35 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A denial of service flaw was found in how polkit handled authorization requests. A local, unprivileged user could send malicious requests to polkit, which could then cause the polkit daemon to corrupt its memory and crash.
Clone Of:
Environment:
Last Closed: 2016-02-16 13:40:11 UTC


Attachments (Terms of Use)
0001-Don-t-pass-an-uninitialized-JS-parameter.patch (1.69 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0002-Don-t-add-extra-NULL-group-to-subject.groups.patch (2.67 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0003-Don-t-store-unrooted-jsvals-on-heap.patch (1.73 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0004-Fix-a-per-authorization-memory-leak.patch (2.18 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0005-Fix-a-memory-leak-when-registering-an-authentication.patch (908 bytes, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0006-Wrap-all-JS-usage-within-requests.patch (6.07 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0007-Register-heap-based-JSObject-pointers-to-GC.patch (1.90 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0008-Prevent-builds-against-SpiderMonkey-with-exact-stack.patch (1.54 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0009-Clear-the-JS-operation-callback-before-invoking-JS-i.patch (1.36 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details
0010-Fix-spurious-timeout-exceptions-on-GC.patch (3.92 KB, text/plain)
2015-07-22 14:18 UTC, Vasyl Kaigorodov
no flags Details


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0189 normal SHIPPED_LIVE Moderate: polkit security update 2016-02-16 15:35:34 UTC

Description Vasyl Kaigorodov 2015-07-22 14:16:24 UTC
It was reported that polkit has a bug, that leads to a minor denial of service, or code execution/privilege escalation.
The only privilege necessary is ability to send D-Bus messages, not even necessarily directly to polkitd (usually privileged services ask polkitd for authorization based of a client request: client<->D-Bus<->service<->D-Bus<->polkitd); the attacker does not need special polkit status.
This bug allows a local user (a person on a multi-user system, or a daemon account after successfully attacking a daemon over the network) to corrupt memory of polkitd.
Corrupting polkitd memory can lead to a crash (known to happen), which is a minor DoS: a specific request being handled during the crash will not get a reply, but polkitd will then be automatically started when next polkit request arrives.
In general corrupting memory can lead to arbitrary code execution as polkitd (no proof of concept exists but I can see no reason for this to be impossible), controlling polkitd allows the attacker to grant to anyone access to any polkit-controlled service, including the ability to run any command as root via pkexec.

Initially reported in https://bugzilla.redhat.com/show_bug.cgi?id=910262
The patches are attached.

Comment 1 Vasyl Kaigorodov 2015-07-22 14:18:22 UTC
Created attachment 1054871 [details]
0001-Don-t-pass-an-uninitialized-JS-parameter.patch

Comment 2 Vasyl Kaigorodov 2015-07-22 14:18:25 UTC
Created attachment 1054872 [details]
0002-Don-t-add-extra-NULL-group-to-subject.groups.patch

Comment 3 Vasyl Kaigorodov 2015-07-22 14:18:27 UTC
Created attachment 1054873 [details]
0003-Don-t-store-unrooted-jsvals-on-heap.patch

Comment 4 Vasyl Kaigorodov 2015-07-22 14:18:29 UTC
Created attachment 1054874 [details]
0004-Fix-a-per-authorization-memory-leak.patch

Comment 5 Vasyl Kaigorodov 2015-07-22 14:18:32 UTC
Created attachment 1054875 [details]
0005-Fix-a-memory-leak-when-registering-an-authentication.patch

Comment 6 Vasyl Kaigorodov 2015-07-22 14:18:35 UTC
Created attachment 1054876 [details]
0006-Wrap-all-JS-usage-within-requests.patch

Comment 7 Vasyl Kaigorodov 2015-07-22 14:18:37 UTC
Created attachment 1054877 [details]
0007-Register-heap-based-JSObject-pointers-to-GC.patch

Comment 8 Vasyl Kaigorodov 2015-07-22 14:18:39 UTC
Created attachment 1054878 [details]
0008-Prevent-builds-against-SpiderMonkey-with-exact-stack.patch

Comment 9 Vasyl Kaigorodov 2015-07-22 14:18:42 UTC
Created attachment 1054879 [details]
0009-Clear-the-JS-operation-callback-before-invoking-JS-i.patch

Comment 10 Vasyl Kaigorodov 2015-07-22 14:18:44 UTC
Created attachment 1054880 [details]
0010-Fix-spurious-timeout-exceptions-on-GC.patch

Comment 13 errata-xmlrpc 2016-02-16 10:39:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0189 https://rhn.redhat.com/errata/RHSA-2016-0189.html


Note You need to log in before you can comment on or make changes to this bug.