Bug 1462158 - (CVE-2017-1000371) CVE-2017-1000371 kernel: offset2lib allows for the stack guard page to be jumped over
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,public=20170619,reported=2...
Keywords: Security
Depends On: 1485758 1485759 1462829 1485760 1485761
Blocks: 1473655
Reported: 2017-06-16 06:42 EDT by Andrej Nemec
Modified: 2017-11-08 18:42 EST (History)

Doc Text:
A flaw was found in the way the Linux kernel maps ELF PIE binaries (the offset2lib layout). When RLIMIT_STACK is unlimited, the stack can be grown down until only the stack guard page separates it from the PIE binary's read-write segment, so the guard page can be jumped over and the protection it was meant to provide against stack clash attacks is defeated.


Description Andrej Nemec 2017-06-16 06:42:55 EDT
The offset2lib patch as used by the Linux kernel contains a vulnerability: if RLIMIT_STACK is set to RLIMIT_INFINITY and 1 gigabyte of memory is allocated (the maximum under the 1/4 restriction), then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000, the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365.


Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=eab09532d40090698b05a07c1c87f39fdbc5fab5
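Added example (not part of the bug report or of the kernel patch): a small C tool that measures how much room is left between the bottom of a process's stack and the nearest mapping below it, which is the quantity the description above says shrinks to a single guard page under the offset2lib layout with an unlimited RLIMIT_STACK. It parses /proc/<pid>/maps text, locates the [stack] region, finds the highest-ending mapping below it and reports the gap; guard_can_be_jumped() then answers whether a single stack move of a given size (an unprobed alloca or large frame) would land in the lower mapping without touching the guard region. The maps dumps embedded below are constructed for illustration (the addresses mirror the i386 layout in the report, with the PIE just above 0x80000000), not real output. The guard sizes are assumptions from the Stack Clash fix series: one 4 KiB page before the fix, a default of 256 pages afterwards; a post-fix kernel shows the guard as unmapped space below the stack VMA, which is what this example assumes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PAGE_SIZE       4096UL
#define OLD_GUARD_GAP   (1 * PAGE_SIZE)     /* single guard page before the fix (assumption) */
#define NEW_GUARD_GAP   (256 * PAGE_SIZE)   /* stack_guard_gap default after the fix (assumption) */

struct region { unsigned long start, end; char path[128]; };

/* Copy the next line of `text` into `buf`; return the pointer past it, or NULL at end. */
static const char *next_line(const char *text, char *buf, size_t len)
{
    if (!text || !*text) return NULL;
    const char *nl = strchr(text, '\n');
    size_t n = nl ? (size_t)(nl - text) : strlen(text);
    if (n >= len) n = len - 1;
    memcpy(buf, text, n);
    buf[n] = '\0';
    return nl ? nl + 1 : text + strlen(text);
}

/* Parse one maps line: "start-end perms offset dev inode [path]". Returns 1 on success. */
static int parse_region(const char *line, struct region *r)
{
    char perms[8], dev[16];
    unsigned long off, inode;
    int consumed = 0;
    if (sscanf(line, "%lx-%lx %7s %lx %15s %lu%n",
               &r->start, &r->end, perms, &off, dev, &inode, &consumed) != 6)
        return 0;
    const char *p = line + consumed;
    while (*p == ' ') p++;                    /* path column, possibly empty */
    snprintf(r->path, sizeof r->path, "%s", p);
    return 1;
}

/* Bytes between the bottom of [stack] and the top of the nearest mapping below it.
 * Returns 0 if no [stack] region or no lower mapping is present. */
unsigned long stack_gap(const char *maps)
{
    char line[256];
    struct region r;
    unsigned long stack_start = 0, below_end = 0;
    const char *p;

    for (p = maps; (p = next_line(p, line, sizeof line)) != NULL; )
        if (parse_region(line, &r) && strcmp(r.path, "[stack]") == 0)
            stack_start = r.start;
    if (!stack_start) return 0;

    for (p = maps; (p = next_line(p, line, sizeof line)) != NULL; )
        if (parse_region(line, &r) && r.end <= stack_start && r.end > below_end)
            below_end = r.end;
    return below_end ? stack_start - below_end : 0;
}

/* Would one stack move of `frame` bytes (no intermediate probes) end up inside the
 * mapping below the stack? The kernel refuses to grow the stack closer than the
 * guard size to the next mapping, so `gap` bottoms out at the guard itself. */
int guard_can_be_jumped(unsigned long gap, unsigned long frame)
{
    return gap != 0 && frame > gap;
}

/* Constructed i386-style dump: stack grown down to 1 MiB above the PIE's bss,
 * i.e. the minimum a stack_guard_gap kernel permits. Not a real dump. */
const char *const SAMPLE_MAPS_NEW_GUARD =
    "80000000-80001000 r-xp 00000000 08:01 1234 /home/user/pie\n"
    "80001000-80002000 rw-p 00001000 08:01 1234 /home/user/pie\n"
    "80002000-80003000 rw-p 00000000 00:00 0 \n"
    "80103000-bffff000 rw-p 00000000 00:00 0 [stack]\n"
    "bffff000-c0000000 r-xp 00000000 00:00 0 [vdso]\n";

/* Same layout with only a single page left, as on a pre-fix kernel. Constructed. */
const char *const SAMPLE_MAPS_OLD_GUARD =
    "80000000-80001000 r-xp 00000000 08:01 1234 /home/user/pie\n"
    "80001000-80002000 rw-p 00001000 08:01 1234 /home/user/pie\n"
    "80002000-80003000 rw-p 00000000 00:00 0 \n"
    "80004000-bffff000 rw-p 00000000 00:00 0 [stack]\n"
    "bffff000-c0000000 r-xp 00000000 00:00 0 [vdso]\n";

int main(void)
{
    static char buf[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    const char *maps = SAMPLE_MAPS_OLD_GUARD;
    if (f) {                                   /* live process when running on Linux */
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        maps = buf;
    }
    unsigned long gap = stack_gap(maps);
    printf("gap below stack: %#lx bytes (%lu pages)\n", gap, gap / PAGE_SIZE);
    printf("8 KiB unprobed frame jumps it: %s\n", guard_can_be_jumped(gap, 2 * PAGE_SIZE) ? "yes" : "no");
    printf("2 MiB unprobed frame jumps it: %s\n", guard_can_be_jumped(gap, 2 * NEW_GUARD_GAP) ? "yes" : "no");
    return 0;
}
```

Run it under `ulimit -s unlimited` and with the default limit to see how far the stack is from whatever the loader placed below it; a gap of exactly one page with any frame larger than 4 KiB is the situation the report describes.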
Comment 1 Andrej Nemec 2017-06-16 06:43:07 EDT
Acknowledgments:

Name: Qualys Inc
Comment 2 Andrej Nemec 2017-06-16 06:44:00 EDT
External References:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Comment 3 Petr Matousek 2017-06-19 12:08:31 EDT
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1462829]
Comment 5 Wade Mealing 2017-08-27 23:05:41 EDT
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 7, MRG-2 and realtime kernels.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6.
Future Linux kernel updates for the respective releases may address this issue.
