Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1498067 - (CVE-2017-1000255) CVE-2017-1000255 kernel: Arbitrary stack overwrite causing oops via crafted signal frame
CVE-2017-1000255 kernel: Arbitrary stack overwrite causing oops via crafted s...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
impact=moderate,public=20171009,repor...
: Security
Depends On: 1498763 1500335
Blocks: 1498072
  Show dependency treegraph
 
Reported: 2017-10-03 08:35 EDT by Adam Mariš
Modified: 2018-08-28 18:22 EDT (History)
49 users (show)

See Also:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's handling of signal frame on PowerPC systems. A malicious local user process could craft a signal frame allowing an attacker to corrupt memory.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch (3.67 KB, patch)
2017-10-03 08:37 EDT, Adam Mariš 		no flags Details | Diff
Proposed patch 2 (2.67 KB, patch)
2017-10-06 05:28 EDT, Adam Mariš 		no flags Details | Diff
Add an attachment (proposed patch, testcase, etc.)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0654 None None None 2018-04-10 01:06 EDT

  None (edit)
Description Adam Mariš 2017-10-03 08:35:18 EDT 
A flaw was found in the Linux kernels handling of signal frame processing where any user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written.

This flaw only affects PowerPC systems running on Power8 or later processors.

References:

http://seclists.org/oss-sec/2017/q4/51

This issue was introduced by commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d176f751ee3

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=265e60a170d0a0ecfc2d20490134ed2c48dd45ab
Comment 2 Adam Mariš 2017-10-03 08:37 EDT 
Created attachment 1333629 [details]
Proposed patch
Comment 4 Wade Mealing 2017-10-05 03:59:29 EDT 
Statement:

This issue does not affect the Linux kernel and kernel-rt packages as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Comment 7 Adam Mariš 2017-10-06 05:28 EDT 
Created attachment 1335172 [details]
Proposed patch 2

This is a supplement to the first patch, not a replacement.
Comment 8 Adam Mariš 2017-10-10 08:06:44 EDT 
Public via:

seclists.org/oss-sec/2017/q4/51
Comment 9 Adam Mariš 2017-10-10 08:07:25 EDT 
Acknowledgments:

Name: Michael Ellerman, Gustavo Romero, Breno Leitao, Paul Mackerras, Cyril Bur
Comment 10 Adam Mariš 2017-10-10 08:08:30 EDT 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1500335]
Comment 11 Fedora Update System 2017-10-24 01:28:47 EDT 
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2017-10-25 17:20:53 EDT 
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2017-10-25 19:13:46 EDT 
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2018-04-10 01:05:58 EDT 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0654
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.