Bug 1501215 (CVE-2017-12193) - CVE-2017-12193 kernel: Null pointer dereference due to incorrect node-splitting in assoc_array implementation
Status: NEW
Alias: CVE-2017-12193
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171102,repor...
Keywords: Security
Depends On: 1502622 1501286 1502620 1502621 1502623 1502624 1502625 1502626 1502627 1508717
Blocks: 1501233
Reported: 2017-10-12 08:59 UTC by Adam Mariš
Modified: 2019-02-08 15:01 UTC

A flaw was found in the Linux kernel's implementation of associative arrays introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in the assoc_array implementation. This affects the keyring key type, and thus key addition and link creation operations may cause the kernel to panic.

Attachments
Proposed upstream patch (2.82 KB, patch), 2017-10-12 09:10 UTC, Adam Mariš


External Trackers
Tracker: Red Hat Product Errata
ID: RHSA-2018:0151
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: kernel security and bug fix update
Last Updated: 2018-01-25 16:17:48 UTC

Description Adam Mariš 2017-10-12 08:59:53 UTC
A flaw was found in the Linux kernel's implementation of associative arrays introduced in 3.13. The Red Hat Enterprise Linux 7 kernel had backported this functionality to the 3.10 kernels and was affected by this flaw. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in the assoc_array implementation. This did not affect all callers of the associative array code, only those that would try to dereference the assigned value; a kernel panic will occur.

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea6789980fdaa610d7eb63602c746bf6ec70cd2b

Oss-security:
http://seclists.org/oss-sec/2017/q4/181

Comment 2 Adam Mariš 2017-10-12 09:10 UTC
Created attachment 1337630
Proposed upstream patch

Comment 4 Adam Mariš 2017-10-12 14:12:19 UTC
Acknowledgments:

Name: Fan Wu (University of Hong Kong), Haoran Qiu (University of Hong Kong), Shixiong Zhao (University of Hong Kong), Heming Cui (University of Hong Kong)

Comment 8 Wade Mealing 2017-10-16 11:07:54 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7, MRG-2 and realtime kernels. Future Linux kernel updates for the respective releases may address this issue.

Comment 10 David Howells 2017-10-28 22:02:12 UTC
This is now public, commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b in Linus's tree.

Comment 11 Wade Mealing 2017-11-02 03:05:55 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1508717]

Comment 12 errata-xmlrpc 2018-01-25 11:26:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151

