Bug 1284450 (CVE-2015-8539) - CVE-2015-8539 kernel: local privesc in key management
Summary: CVE-2015-8539 kernel: local privesc in key management
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8539
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1284059 1411618 1411619 1411620 1411621 1411622 1411623 1411624 1466457
Blocks: 1284354
TreeView+ depends on / blocked
 
Reported: 2015-11-23 11:33 UTC by Wade Mealing
Modified: 2021-06-01 08:09 UTC (History)
24 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A flaw was found in the Linux kernel's key management system where it was possible for an attacker to escalate privileges or crash the machine. If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may be then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:45:48 UTC

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0151 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2018-01-25 16:17:48 UTC
Red Hat Product Errata RHSA-2018:0152 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2018-01-25 16:18:22 UTC
Red Hat Product Errata RHSA-2018:0181 0 normal SHIPPED_LIVE Important: kernel-rt security and bug fix update 2018-01-25 16:26:34 UTC

Description Wade Mealing 2015-11-23 11:33:15 UTC 
A flaw was found in  the Linux kernels key management
system where it was possible for an attacker to escalate privileges
or crash the machine.  

If a user key gets negatively instantiated, an error code is cached in the
payload area.  A negatively instantiated key may be then be positively
instantiated by updating it with valid data.  However, the ->update key
type method must be aware that the error code may be there.

Key management subsystems can abused to escalate privileges through memory corruption.

Upstream:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd
Comment 2 Wade Mealing 2015-12-09 00:57:32 UTC 
Acknowledgment:

Red Hat would like to thank Dmitry Vyukov of Google engineering for reporting this issue to Red Hat.
Comment 3 Adam Mariš 2015-12-14 13:53:59 UTC 
CVE-2015-8539 was assigned:

http://seclists.org/oss-sec/2015/q4/465
Comment 5 Wade Mealing 2017-01-10 06:15:18 UTC 
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 4 and 5.  This issue does affect the kernels shipped with Red Hat Enterprise Linux 6, 7, MRG-2 and realtime kernels and plans to be addressed in a future update.
Comment 6 Wade Mealing 2017-01-10 06:28:12 UTC 
External References:

https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd
Comment 11 errata-xmlrpc 2018-01-25 11:25:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151
Comment 12 errata-xmlrpc 2018-01-25 11:29:47 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0152 https://access.redhat.com/errata/RHSA-2018:0152
Comment 13 errata-xmlrpc 2018-01-25 11:32:01 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2018:0181 https://access.redhat.com/errata/RHSA-2018:0181
Note You need to log in before you can comment on or make changes to this bug.