Bug 1461333 - (CVE-2017-1000364) CVE-2017-1000364 kernel: heap/stack gap jumping via unbounded stack allocations
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20170619,repo...
Keywords: Security
Depends On: 1452730 1461915 1462819 1452722 1452723 1452724 1452725 1452726 1452727 1452728 1452729 1452731 1452732 1452733 1455397 1458802 1461495 1461496 1461497 1462320 1462321 1462354 1462355 1463241 1463823 1464260
Blocks: 1449010
Reported: 2017-06-14 04:54 EDT by Petr Matousek
Modified: 2017-09-05 00:21 EDT
CC: 57 users
Doc Text:
A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack guard gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system. This is a kernel-side mitigation which increases the stack guard gap size from one page to 1 MiB to make successful exploitation of this issue more difficult.
Last Closed: 2017-06-29 12:44:27 EDT
Attachments: None
Description Petr Matousek 2017-06-14 04:54:40 EDT
A flaw was found in the way memory was being allocated on the stack for user space binaries. If heap (or different memory region) and stack memory regions were adjacent to each other, an attacker could use this flaw to jump over the stack gap, cause controlled memory corruption on process stack or the adjacent memory region, and thus increase their privileges on the system.

This is a tracking bug for the kernel part of the mitigation.

Upstream kernel patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=1be7107fbe18eed3e319a6c3e83c78254b693acb
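The guard gap named in the description is the stretch of address space the kernel keeps free between the lowest address of a downward-growing stack and the nearest mapping below it; the mitigation raises that distance from one page to 1 MiB. The following Python is an added example, not code from this bug, from Red Hat, or from the upstream patch. It parses `/proc/<pid>/maps` text and reports how far the `[stack]` region is from its closest lower neighbour, so a defender can spot a layout where another mapping sits within the old one-page distance. It assumes an x86-64 style downward-growing stack with 4 KiB pages, and the two maps snippets embedded below are constructed for illustration rather than captured from a real process.

```python
import re

PAGE_SIZE = 4096            # assumed 4 KiB pages
MITIGATED_GAP = 1 << 20     # 1 MiB: the guard gap size after the kernel-side mitigation

# Fields of a /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(r'^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$')

def parse_maps(text):
    """Parse maps text into (start, end, perms, path) tuples; path is '' for anonymous maps."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16), m.group(3), m.group(4)))
    return regions

def stack_guard_distance(text):
    """Bytes between the end of the highest mapping below [stack] and the stack's
    lowest address, i.e. the free space a downward-growing stack can still expand into.
    Returns None when there is no [stack] region or nothing mapped below it."""
    regions = parse_maps(text)
    stack = [r for r in regions if r[3] == '[stack]']
    if not stack:
        return None
    stack_start = stack[0][0]
    below = [r[1] for r in regions if r[3] != '[stack]' and r[1] <= stack_start]
    if not below:
        return None
    return stack_start - max(below)

def gap_meets_mitigation(text, required=MITIGATED_GAP):
    """True when the measured distance is at least the mitigated 1 MiB guard gap."""
    gap = stack_guard_distance(text)
    return gap is not None and gap >= required

# Constructed sample: an anonymous mapping ends one page below the stack,
# the kind of adjacency the pre-mitigation one-page gap allowed.
ONE_PAGE_GAP_MAPS = """
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 5678 /usr/lib64/libc.so.6
7ffff7ff0000-7ffffffdd000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

# Constructed sample: the same layout with the neighbour pushed 1 MiB below the stack.
ONE_MIB_GAP_MAPS = """
00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo
7ffff7a0d000-7ffff7bcd000 r-xp 00000000 08:01 5678 /usr/lib64/libc.so.6
7ffff7ff0000-7fffffede000 rw-p 00000000 00:00 0
7ffffffde000-7ffffffff000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    for label, maps in (("one-page layout", ONE_PAGE_GAP_MAPS), ("1 MiB layout", ONE_MIB_GAP_MAPS)):
        gap = stack_guard_distance(maps)
        print(f"{label}: gap={gap} bytes ({gap // PAGE_SIZE} pages), "
              f"meets 1 MiB guard: {gap_meets_mitigation(maps)}")
```

Reading a live process's maps (`open('/proc/self/maps').read()`) gives a snapshot of the current layout, not proof that the mitigation is active: the kernel enforces the gap only when it places a new mapping or expands the stack, so a large measured distance may simply mean nothing has been mapped nearby yet. The upstream commit linked above also makes the size tunable through the `stack_guard_gap=` kernel boot parameter (in pages); a value below 256 on 4 KiB pages shrinks the protection the Doc Text describes.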
Comment 1 Petr Matousek 2017-06-14 04:54:48 EDT
Acknowledgments:

Name: Qualys Research Labs
Comment 14 Petr Matousek 2017-06-19 11:45:52 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1462819]
Comment 15 errata-xmlrpc 2017-06-19 11:46:58 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2017:1489 https://access.redhat.com/errata/RHSA-2017:1489
Comment 16 errata-xmlrpc 2017-06-19 13:18:38 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:1487 https://access.redhat.com/errata/RHSA-2017:1487
Comment 17 errata-xmlrpc 2017-06-19 13:44:12 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2017:1490 https://access.redhat.com/errata/RHSA-2017:1490
Comment 18 errata-xmlrpc 2017-06-19 13:58:20 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:1486 https://access.redhat.com/errata/RHSA-2017:1486
Comment 19 errata-xmlrpc 2017-06-19 14:39:41 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2017:1482 https://access.redhat.com/errata/RHSA-2017:1482
Comment 20 errata-xmlrpc 2017-06-19 14:40:33 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:1485 https://access.redhat.com/errata/RHSA-2017:1485
Comment 21 errata-xmlrpc 2017-06-19 14:51:41 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2017:1488 https://access.redhat.com/errata/RHSA-2017:1488
Comment 22 errata-xmlrpc 2017-06-19 15:00:53 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2017:1491 https://access.redhat.com/errata/RHSA-2017:1491
Comment 23 errata-xmlrpc 2017-06-19 15:14:23 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2017:1483 https://access.redhat.com/errata/RHSA-2017:1483
Comment 24 errata-xmlrpc 2017-06-19 20:15:08 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1484 https://access.redhat.com/errata/RHSA-2017:1484
Comment 25 errata-xmlrpc 2017-06-21 11:12:12 EDT
This issue has been addressed in the following products:

  CDK 3.0

Via RHSA-2017:1567 https://access.redhat.com/errata/RHSA-2017:1567
Comment 26 customercare 2017-06-22 05:28:38 EDT
24h test run under Fedora 24 result:

kernel-4.11.6-101.fc24.x86_64  *works*
Comment 27 Fedora Update System 2017-06-23 16:52:42 EDT
kernel-4.11.6-201.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 28 Fedora Update System 2017-06-23 23:06:35 EDT
kernel-4.11.6-301.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 29 David Howells 2017-06-26 08:54:56 EDT
This fix causes bug 1464237.
Comment 30 Chris Reed 2017-06-26 11:34:52 EDT
This is almost certainly the cause of https://bugzilla.redhat.com/show_bug.cgi?id=1464185 as well.
Comment 32 errata-xmlrpc 2017-06-28 12:36:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:1647 https://access.redhat.com/errata/RHSA-2017:1647
Comment 33 errata-xmlrpc 2017-06-28 13:09:21 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1616 https://access.redhat.com/errata/RHSA-2017:1616
Comment 34 Petr Matousek 2017-08-25 05:00:50 EDT
Statement:

This is a kernel-side mitigation. For a related glibc mitigation please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-1000366.
