Bug 1501878 (CVE-2017-15265) - CVE-2017-15265 kernel: Use-after-free in snd_seq_ioctl_create_port()
Summary: CVE-2017-15265 kernel: Use-after-free in snd_seq_ioctl_create_port()
Status: NEW
Alias: CVE-2017-15265
Product: Security Response
Classification: Other
Component: vulnerability   
(Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20171011,repor...
Keywords: Security
Depends On: 1501880 1503379 1503380 1503381 1503382 1503383 1503384 1503385 1503386 1503387 1509092
Blocks: 1501887
TreeView+ depends on / blocked
 
Reported: 2017-10-13 11:59 UTC by Adam Mariš
Modified: 2019-02-28 22:32 UTC (History)
48 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free vulnerability was found when issuing an ioctl to a sound device. This could allow a user to exploit a race condition and create memory corruption or possibly privilege escalation.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0676 None None None 2018-04-10 08:08 UTC
Red Hat Product Errata RHSA-2018:1062 None None None 2018-04-10 09:32 UTC
Red Hat Product Errata RHSA-2018:1130 None None None 2018-04-17 16:20 UTC
Red Hat Product Errata RHSA-2018:1170 None None None 2018-04-17 15:30 UTC
Red Hat Product Errata RHSA-2018:2390 None None None 2018-08-14 18:25 UTC
Red Hat Product Errata RHSA-2018:3822 None None None 2018-12-12 14:53 UTC
Red Hat Product Errata RHSA-2018:3823 None None None 2018-12-12 14:47 UTC

Description Adam Mariš 2017-10-13 11:59:49 UTC
A use-after-free vulnerability was found at creating and deleting a port via an ioctl on /dev/snd/seq. The snd_seq_create_port() function creates a port object and returns its pointer, but it doesn't take a refcount and can be deleted immediately by another thread. 

Meanwhile, snd_seq_ioctl_create_port() still calls the function snd_seq_system_client_ev_port_start() with the created port object that is being deleted, which triggers use-after-free.  An attacker can race this use for memory corruption or possibly privilege escalation.

At the time of writing, the permissions on the device file required a local console user to be issue the ioctl to allow for the exploit to work correctly.  Remote users accessing the system via a shell were not granted permissions to issue an IOCTL that can trigger this condition.

References:

http://seclists.org/oss-sec/2017/q4/58

http://mailman.alsa-project.org/pipermail/alsa-devel/2017-October/126292.html

An upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=71105998845fb012937332fe2e806d443c09e026

Comment 1 Adam Mariš 2017-10-13 12:02:15 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1501880]

Comment 4 Wade Mealing 2017-10-18 02:04:21 UTC
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat
Enterprise Linux 5,6, 7, realtime and MRG-2.

Red Hat Enterprise Linux 5 has transitioned to Production phase 3.  
During the Production 3 Phase, Critical impact Security Advisories (RHSAs) 
and selected Urgent Priority Bug Fix Advisories (RHBAs) may be released 
as they become available.

The official life cycle policy can be reviewed here:

http://redhat.com/rhel/lifecycle

Future Linux kernel updates for the respective releases may address this issue.

Comment 8 Wade Mealing 2017-10-18 04:07:07 UTC
Mitigation:

It is possible to prevent the affected code from being loaded by blacklisting the kernel module snd_seq.  Instructions relating to how to blacklist a kernel module are shown here: https://access.redhat.com/solutions/41278 

Alternatively a custom permission set can be created by udev, the correct permissions will depend on your use case.  Please contact Red Hat customer support for creating a rule set that can minimize flaw exposure.

Comment 9 Fedora Update System 2017-10-24 05:27:41 UTC
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2017-10-25 21:19:36 UTC
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2017-10-25 23:12:41 UTC
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 13 Wade Mealing 2017-11-03 01:51:53 UTC
Got pinged on not making 5.9.z trackers, which are required for els trackers.

Comment 15 errata-xmlrpc 2018-04-10 08:08:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0676 https://access.redhat.com/errata/RHSA-2018:0676

Comment 16 errata-xmlrpc 2018-04-10 09:32:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1062 https://access.redhat.com/errata/RHSA-2018:1062

Comment 17 errata-xmlrpc 2018-04-17 15:29:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:1170 https://access.redhat.com/errata/RHSA-2018:1170

Comment 18 errata-xmlrpc 2018-04-17 16:20:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2018:1130 https://access.redhat.com/errata/RHSA-2018:1130

Comment 19 errata-xmlrpc 2018-08-14 18:25:31 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:2390 https://access.redhat.com/errata/RHSA-2018:2390

Comment 20 errata-xmlrpc 2018-12-12 14:47:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2018:3823 https://access.redhat.com/errata/RHSA-2018:3823

Comment 21 errata-xmlrpc 2018-12-12 14:53:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2018:3822 https://access.redhat.com/errata/RHSA-2018:3822


Note You need to log in before you can comment on or make changes to this bug.