Bug 1492212 (CVE-2017-1000253) - CVE-2017-1000253 kernel: load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary
Status: CLOSED ERRATA
Alias: CVE-2017-1000253
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1492954 1492955 1492956 1492957 1492958 1492959 1492960 1492961 1492962 1492982 1492983 1492987 1493063
Blocks: 1492211 1492683
Reported: 2017-09-15 19:30 UTC by Kurt Seifried
Modified: 2021-02-17 01:29 UTC
Doc Text:
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as a Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to a SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
Last Closed: 2017-09-26 19:58:28 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2793 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 22:15:27 UTC
Red Hat Product Errata RHSA-2017:2794 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 22:13:32 UTC
Red Hat Product Errata RHSA-2017:2795 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 23:38:26 UTC
Red Hat Product Errata RHSA-2017:2796 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 22:17:03 UTC
Red Hat Product Errata RHSA-2017:2797 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 22:01:15 UTC
Red Hat Product Errata RHSA-2017:2798 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 22:00:55 UTC
Red Hat Product Errata RHSA-2017:2799 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 22:00:24 UTC
Red Hat Product Errata RHSA-2017:2800 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 21:05:55 UTC
Red Hat Product Errata RHSA-2017:2801 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 22:27:45 UTC
Red Hat Product Errata RHSA-2017:2802 0 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 23:25:19 UTC

Description Kurt Seifried 2017-09-15 19:30:51 UTC
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as a Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to a SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.

Upstream patch:

https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86

Comment 12 Petr Matousek 2017-09-19 19:22:37 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 prior to kernel version 3.10.0-693, that is, the Red Hat Enterprise Linux 7.4 GA kernel version. Kernel versions after 3.10.0-693 contain the fix and are thus not vulnerable.

This issue affects the Linux kernel-rt packages prior to the kernel version 3.10.0-693.rt56.617 (Red Hat Enterprise Linux for Realtime) and 3.10.0-693.2.1.rt56.585.el6rt (Red Hat Enterprise MRG 2). The latest Linux kernel-rt packages as shipped with Red Hat Enterprise Linux for Realtime and Red Hat Enterprise MRG 2 are not vulnerable.

Future Linux kernel updates for the respective releases will address this issue.

Comment 14 Petr Matousek 2017-09-25 06:37:31 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 15 Petr Matousek 2017-09-26 14:04:30 UTC
External References:

https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt

Comment 16 errata-xmlrpc 2017-09-26 17:06:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2017:2800 https://access.redhat.com/errata/RHSA-2017:2800

Comment 17 errata-xmlrpc 2017-09-26 18:01:55 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2017:2799 https://access.redhat.com/errata/RHSA-2017:2799

Comment 18 errata-xmlrpc 2017-09-26 18:02:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2017:2798 https://access.redhat.com/errata/RHSA-2017:2798

Comment 19 errata-xmlrpc 2017-09-26 18:03:10 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2017:2797 https://access.redhat.com/errata/RHSA-2017:2797

Comment 20 errata-xmlrpc 2017-09-26 18:14:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:2794 https://access.redhat.com/errata/RHSA-2017:2794

Comment 21 errata-xmlrpc 2017-09-26 18:16:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2793 https://access.redhat.com/errata/RHSA-2017:2793

Comment 22 errata-xmlrpc 2017-09-26 18:17:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:2796 https://access.redhat.com/errata/RHSA-2017:2796

Comment 23 errata-xmlrpc 2017-09-26 18:28:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2017:2801 https://access.redhat.com/errata/RHSA-2017:2801

Comment 24 errata-xmlrpc 2017-09-26 19:26:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2017:2802 https://access.redhat.com/errata/RHSA-2017:2802

Comment 25 errata-xmlrpc 2017-09-26 19:39:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2795 https://access.redhat.com/errata/RHSA-2017:2795

Comment 26 Petr Matousek 2017-09-26 20:07:01 UTC
Mitigation:

By setting vm.legacy_va_layout to 1 we can effectively disable the exploitation of this issue by switching to the legacy mmap layout. The mmap allocations start much lower in the process address space and follow the bottom-up allocation model. As such, the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.

64-bit processes on Red Hat Enterprise Linux 5 are forced to use the legacy virtual address space layout regardless of the vm.legacy_va_layout value.

Note: Applications that have demands for a large linear address space (such as certain databases) may be unable to handle the legacy memory layout proposed using this mitigation. We recommend testing your systems and applications before deploying this mitigation on production systems.

Edit the /etc/sysctl.conf file as root, and add or amend:

    vm.legacy_va_layout = 1

To apply this setting, run the /sbin/sysctl -p command as the root user to reload the settings from /etc/sysctl.conf.

Verify that vm.legacy_va_layout is now set to the defined value:

    $ /sbin/sysctl vm.legacy_va_layout
    vm.legacy_va_layout = 1
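
The mitigation steps in Comment 26 leave two places where the setting can drift: the persisted file and the running kernel. The script below is an added example, not part of the original comment or any Red Hat tooling; it reports whether the two agree. The function names are hypothetical, only /etc/sysctl.conf is inspected (as in the comment), and the live value is read from /proc/sys/vm/legacy_va_layout, the procfs view of the same sysctl.

```shell
#!/bin/sh
# Added example: audit the vm.legacy_va_layout mitigation state.
KEY="vm.legacy_va_layout"

# Print the effective value of $KEY in a sysctl.conf-style file
# (last assignment wins); print nothing if the key is not set.
conf_value() {
    [ -r "$1" ] || return 0
    awk -v key="$KEY" '
        /^[ \t]*([#;]|$)/ { next }          # skip comments and blank lines
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1)
            v = substr($0, eq + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            gsub(/\//, ".", k)              # sysctl also accepts vm/legacy_va_layout
            if (k == key) val = v
        }
        END { if (val != "") print val }
    ' "$1"
}

# Print the live kernel value, or nothing if the procfs entry is unreadable.
runtime_value() {
    [ -r "$1" ] || return 0
    tr -d ' \t\n' < "$1"
}

# Usage: mitigation_state [conf_file] [procfs_file]
#   applied       persisted and live
#   runtime-only  live now, lost at the next reboot
#   config-only   persisted, but "sysctl -p" has not been run
#   absent        neither
mitigation_state() {
    conf=$(conf_value "${1:-/etc/sysctl.conf}")
    live=$(runtime_value "${2:-/proc/sys/vm/legacy_va_layout}")
    if [ "$live" = "1" ] && [ "$conf" = "1" ]; then echo "applied"
    elif [ "$live" = "1" ]; then echo "runtime-only"
    elif [ "$conf" = "1" ]; then echo "config-only"
    else echo "absent"
    fi
}

mitigation_state "$@"
```

A result of "absent" on a 64-bit Red Hat Enterprise Linux 5 process does not by itself indicate exposure, since the comment states those processes use the legacy layout regardless of this value.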

