Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1344721 - (CVE-2016-1583) CVE-2016-1583 kernel: Stack overflow via ecryptfs and /proc/$pid/environ
CVE-2016-1583 kernel: Stack overflow via ecryptfs and /proc/$pid/environ
Status: ASSIGNED
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
impact=important,public=20160610,repo...
: Security
Depends On: 1344722 1347100 1347101 1347102 1347103 1347104 1351947 1351948 1351950 1351951 1478839
Blocks: 1344248
  Show dependency treegraph
 
Reported: 2016-06-10 10:07 EDT by Adam Mariš
Modified: 2018-08-28 18:06 EDT (History)
35 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that stacking a file system over procfs in the Linux kernel could lead to a kernel stack overflow due to deep nesting, as demonstrated by mounting ecryptfs over procfs and creating a recursion by mapping /proc/environ. An unprivileged, local user could potentially use this flaw to escalate their privileges on the system.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Patch (1.08 KB, patch)
2016-06-10 10:11 EDT, Adam Mariš 		no flags Details | Diff
Show Obsolete (1) Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:2124 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-10-28 09:28:10 EDT
Red Hat Product Errata RHSA-2016:2766 normal SHIPPED_LIVE Important: kernel security and bug fix update 2016-11-15 19:36:52 EST
Red Hat Product Errata RHSA-2017:2760 normal SHIPPED_LIVE Important: kernel security and bug fix update 2017-09-19 08:23:35 EDT

  None (edit)
Description Adam Mariš 2016-06-10 10:07:24 EDT 
The ecryptfs mechanism can be used to mmap files that normally wouldn't be mmapable, especially /proc/$pid/{mem,environ,cmdline} files. An attacker could chain e.g. /proc/$pid/environ mappings where process 1 has /proc/2/environ mapped into its environment area, process 2 has /proc/3/environ mapped into its environment area and so on, that can lead to kernel stack overflow.

This can be chained together into a stack overflow and an attacker can escalate their privileges.

Upstream:

 http://seclists.org/oss-sec/2016/q2/522

Upstream patches:

 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9

 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=2f36db71009304b3f0b95afacd8eba1f9f046b87

 https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=29d6455178a09e1dc340380c582b13356227e8df
Comment 1 Adam Mariš 2016-06-10 10:08:33 EDT 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1344722]
Comment 2 Adam Mariš 2016-06-10 10:11 EDT 
Created attachment 1166655 [details]
Patch
Comment 5 Adam Mariš 2016-06-13 04:54:23 EDT 
According to http://seclists.org/oss-sec/2016/q2/522 , if backporting patches into pre 4.6 kernel, one may need to cherry-pick 6a480a7842545ec520a91730209ec0bae41694c1

https://kernel.googlesource.com/pub/scm/linux/kernel/git/stable/linux-stable/+/6a480a7842545ec520a91730209ec0bae41694c1
Comment 9 Wade Mealing 2016-06-16 01:02:13 EDT 
Statement:

This issue affects the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6 and may addressed in a future update.
Comment 12 Andrej Nemec 2016-06-22 07:20:58 EDT 
Upstream bug (including the reproducer):

https://bugs.chromium.org/p/project-zero/issues/detail?id=836
Comment 13 Fedora Update System 2016-06-30 17:23:38 EDT 
kernel-4.6.3-300.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2016-07-02 15:24:00 EDT 
kernel-4.5.7-202.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2016-07-19 03:19:10 EDT 
kernel-4.4.14-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 20 cdc100 2016-09-29 21:46:27 EDT 
you cannot mount ecryptfs directories with kernel-4.4.14-200.fc22, the message "wrong medium type" appears when you change into the directory and try to list it. Accessing a file works if you know the path.
See also https://bbs.archlinux.org/viewtopic.php?id=214258
Comment 21 cdc100 2016-09-29 21:47:06 EDT 
For the sake of completion, https://www.spinics.net/lists/ecryptfs/msg00816.html
Comment 22 errata-xmlrpc 2016-10-28 05:28:37 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2016:2124 https://rhn.redhat.com/errata/RHSA-2016-2124.html
Comment 23 errata-xmlrpc 2016-11-15 14:39:22 EST 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2766 https://rhn.redhat.com/errata/RHSA-2016-2766.html
Comment 25 errata-xmlrpc 2017-09-19 04:24:27 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:2760 https://access.redhat.com/errata/RHSA-2017:2760
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.