Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1451685 - (CVE-2017-1000363) CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c
CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c
Status: CLOSED NOTABUG
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20170522,repor...
: Security
Depends On: 1456454 1456493 1456495 1456496 1456497 1456499
Blocks: 1451686
  Show dependency treegraph
 
Reported: 2017-05-17 05:54 EDT by Adam Mariš
Modified: 2018-01-29 12:05 EST (History)
24 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A vulnerability was found in the Linux kernel's lp_setup() function where it doesn't apply any bounds checking when passing "lp=none". This can result into overflow of the parport_nr[] array. An attacker with control over kernel command line can overwrite kernel code and data with fixed (0xff) values.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-07-25 08:18:08 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2017-05-17 05:54:18 EDT 
lp_setup() functions doesn't apply any bounds checking when passing "lp=none" which can result into overflow of parport_nr[] array. Adversary having partial control over secure boot kernel command line can insert malicious code directly into kernel.

References:

https://alephsecurity.com/vulns/aleph-2017023

http://seclists.org/oss-sec/2017/q2/335

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e21f4af170bebf47c187c1ff8bf155583c9f3b1
Comment 1 Adam Mariš 2017-05-17 05:54:32 EDT 
Acknowledgments:

Name: Roee Hay (HCL Technologies)
Comment 2 Vladis Dronov 2017-05-29 08:33:41 EDT 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1456454]
Comment 4 Vladis Dronov 2017-05-29 09:27:25 EDT 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, as the code with the flaw is not built and shipped with the products listed.
Comment 9 Denys Vlasenko 2017-06-28 10:59:11 EDT 
Our kernels have CONFIG_PRINTER=m, this bug shouldn't be affecting us: the function we patch sits inside "#ifndef MODULE" block.
Comment 10 Denys Vlasenko 2017-06-29 12:23:12 EDT 
This bug can only be triggered if someone recompiles the kernel with CONFIG_PRINTER=y, and then boots with "lp=none,none,none,none,none,none,none,none,none" (i.e. with more than 8 "none" parameters for lp=) on the kernel command line.
I don't think this scenario is important for us.

I propose WONTFIXing this.
Comment 11 Justin M. Forbes 2018-01-29 12:05:50 EST 
This was fixed for fedora with 4.12 rebases.
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.