Bug 1272371 (CVE-2015-7872) - CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user
Summary: CVE-2015-7872 kernel: Keyrings crash triggerable by unprivileged user
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-7872
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1272172 1273463 1273465 1275926 1275927 1275928 1275929 1275930 1275931 1275932 1275933 1275934 1291660
Blocks: 1272373
TreeView+ depends on / blocked
 
Reported: 2015-10-16 09:35 UTC by Adam Mariš
Modified: 2021-02-17 04:50 UTC (History)
39 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
It was found that the Linux kernel's keys subsystem did not correctly garbage collect uninstantiated keyrings. A local attacker could use this flaw to crash the system or, potentially, escalate their privileges on the system.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:44:10 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2636 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2015-12-15 18:57:46 UTC
Red Hat Product Errata RHSA-2016:0185 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-02-16 16:15:39 UTC
Red Hat Product Errata RHSA-2016:0212 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-02-16 15:46:40 UTC
Red Hat Product Errata RHSA-2016:0224 0 normal SHIPPED_LIVE Important: kernel-rt security, bug fix, and enhancement update 2016-02-16 19:59:08 UTC

Description Adam Mariš 2015-10-16 09:35:42 UTC 
A vulnerability in the Linux kernel's keyrings garbage collector allowing any local user account to trigger a kernel panic.

Problem arrises when using request_key() or keyctl request2.

This code sequence tries to invoke an upcall to instantiate a keyring if one doesn't already exist by that name within the user's keyring set. However, if the upcall fails, the code sets keyring->type_data.reject_error to -ENOKEY or some other error code.  When the key is garbage collected, the key destroy function is called unconditionally and keyring_destroy() uses list_empty() on keyring->type_data.link - which is in a union with reject_error. Subsequently, the kernel tries to unlink the keyring from the keyring names list, which leads to an oops.
Comment 1 Adam Mariš 2015-10-20 10:56:28 UTC 
Upstream patch:

http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce1fad2740c648a4340f6f6c391a8a83769d2e8c
Comment 2 Adam Mariš 2015-10-20 11:43:54 UTC 
CVE request:

http://seclists.org/oss-sec/2015/q4/111
Comment 4 Wade Mealing 2015-10-30 05:41:58 UTC 
Statement:

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 6 , 7 and Red Hat MRG 2. Future updates for the respective releases may address this flaw.
Comment 10 errata-xmlrpc 2015-12-15 13:59:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2015:2636 https://rhn.redhat.com/errata/RHSA-2015-2636.html
Comment 12 errata-xmlrpc 2016-02-16 10:48:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0212 https://rhn.redhat.com/errata/RHSA-2016-0212.html
Comment 13 errata-xmlrpc 2016-02-16 11:19:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0185 https://rhn.redhat.com/errata/RHSA-2016-0185.html
Comment 14 errata-xmlrpc 2016-02-16 15:05:22 UTC 
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:0224 https://rhn.redhat.com/errata/RHSA-2016-0224.html
Note You need to log in before you can comment on or make changes to this bug.