Bug 1492212 - (CVE-2017-1000253) CVE-2017-1000253 kernel: load_elf_binary() does not take account of the need to allocate sufficient space for the entire binary
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Assigned To: Red Hat Product Security
impact=important,public=20170926,repo...
Keywords: Security
Depends On: 1492954 1492955 1492956 1492957 1492958 1492959 1492960 1492961 1492962 1492982 1492983 1492987 1493063
Blocks: 1492211 1492683
Reported: 2017-09-15 15:30 EDT by Kurt Seifried
Modified: 2017-10-09 09:33 EDT (History)
CC List: 36 users

Doc Text:
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.
Last Closed: 2017-09-26 15:58:28 EDT
External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:2793 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 18:15:27 EDT
Red Hat Product Errata RHSA-2017:2794 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 18:13:32 EDT
Red Hat Product Errata RHSA-2017:2795 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 19:38:26 EDT
Red Hat Product Errata RHSA-2017:2796 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 18:17:03 EDT
Red Hat Product Errata RHSA-2017:2797 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 18:01:15 EDT
Red Hat Product Errata RHSA-2017:2798 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 18:00:55 EDT
Red Hat Product Errata RHSA-2017:2799 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 18:00:24 EDT
Red Hat Product Errata RHSA-2017:2800 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 17:05:55 EDT
Red Hat Product Errata RHSA-2017:2801 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 18:27:45 EDT
Red Hat Product Errata RHSA-2017:2802 normal SHIPPED_LIVE Important: kernel security update 2017-09-26 19:25:19 EDT

Description Kurt Seifried 2017-09-15 15:30:51 EDT
A flaw was found in the way the Linux kernel loaded ELF executables. Provided that an application was built as Position Independent Executable (PIE), the loader could allow part of that application's data segment to map over the memory area reserved for its stack, potentially resulting in memory corruption. An unprivileged local user with access to SUID (or otherwise privileged) PIE binary could use this flaw to escalate their privileges on the system.

Upstream patch:

https://git.kernel.org/linus/a87938b2e246b81b4fb713edb371a9fa3c5c3c86
Comment 12 Petr Matousek 2017-09-19 15:22:37 EDT
Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6. This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7 prior to kernel version 3.10.0-693, that is Red Hat Enterprise Linux 7.4 GA kernel version. Kernel versions after 3.10.0-693 contain the fix and are thus not vulnerable.

This issue affects the Linux kernel-rt packages prior to the kernel version 3.10.0-693.rt56.617 (Red Hat Enterprise Linux for Realtime) and 3.10.0-693.2.1.rt56.585.el6rt (Red Hat Enterprise MRG 2). The latest Linux kernel-rt packages as shipped with Red Hat Enterprise Linux for Realtime and Red Hat Enterprise MRG 2 are not vulnerable.

Future Linux kernel updates for the respective releases will address this issue.
Comment 14 Petr Matousek 2017-09-25 02:37:31 EDT
Acknowledgments:

Name: Qualys Research Labs
Comment 15 Petr Matousek 2017-09-26 10:04:30 EDT
External References:

https://www.qualys.com/2017/09/26/cve-2017-1000253/cve-2017-1000253.txt
Comment 16 errata-xmlrpc 2017-09-26 13:06:46 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.2 Advanced Update Support

Via RHSA-2017:2800 https://access.redhat.com/errata/RHSA-2017:2800
Comment 17 errata-xmlrpc 2017-09-26 14:01:55 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.4 Advanced Update Support

Via RHSA-2017:2799 https://access.redhat.com/errata/RHSA-2017:2799
Comment 18 errata-xmlrpc 2017-09-26 14:02:31 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support
  Red Hat Enterprise Linux 6.5 Telco Extended Update Support

Via RHSA-2017:2798 https://access.redhat.com/errata/RHSA-2017:2798
Comment 19 errata-xmlrpc 2017-09-26 14:03:10 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2017:2797 https://access.redhat.com/errata/RHSA-2017:2797
Comment 20 errata-xmlrpc 2017-09-26 14:14:12 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.2 Extended Update Support

Via RHSA-2017:2794 https://access.redhat.com/errata/RHSA-2017:2794
Comment 21 errata-xmlrpc 2017-09-26 14:16:11 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.3 Extended Update Support

Via RHSA-2017:2793 https://access.redhat.com/errata/RHSA-2017:2793
Comment 22 errata-xmlrpc 2017-09-26 14:17:44 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2017:2796 https://access.redhat.com/errata/RHSA-2017:2796
Comment 23 errata-xmlrpc 2017-09-26 14:28:35 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5 Extended Lifecycle Support

Via RHSA-2017:2801 https://access.redhat.com/errata/RHSA-2017:2801
Comment 24 errata-xmlrpc 2017-09-26 15:26:06 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5.9 Long Life

Via RHSA-2017:2802 https://access.redhat.com/errata/RHSA-2017:2802
Comment 25 errata-xmlrpc 2017-09-26 15:39:26 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:2795 https://access.redhat.com/errata/RHSA-2017:2795
Comment 26 Petr Matousek 2017-09-26 16:07:01 EDT
Mitigation:

By setting vm.legacy_va_layout to 1 we can effectively disable the exploitation of this issue by switching to the legacy mmap layout. The mmap allocations start much lower in the process address space and follow the bottom-up allocation model. As such, the initial PIE executable mapping is far from the reserved stack area and cannot interfere with the stack.

64-bit processes on Red Hat Enterprise Linux 5 are forced to use the legacy virtual address space layout regardless of the vm.legacy_va_layout value.

Note: Applications that have demands for a large linear address space (such as certain databases) may be unable to handle the legacy memory layout proposed using this mitigation. We recommend testing your systems and applications before deploying this mitigation on production systems.

Edit the /etc/sysctl.conf file as root, and add or amend:

    vm.legacy_va_layout = 1

To apply this setting, run the /sbin/sysctl -p command as the root user to reload the settings from /etc/sysctl.conf.

Verify that vm.legacy_va_layout is now set to the defined value:

    $ /sbin/sysctl vm.legacy_va_layout
    vm.legacy_va_layout = 1

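A small host check that combines the two facts the comments above give (the RHEL 7 fix threshold 3.10.0-693 from Comment 12 and the vm.legacy_va_layout mitigation from Comment 26), added here as an example and not code from the bug or from Red Hat; it assumes a RHEL 7 kernel version string such as 3.10.0-693.2.1.el7.x86_64 and does not assess RHEL 5 or 6 kernels, for which the errata must be consulted.

```shell
#!/bin/sh
# Added example, not code from the Red Hat bug or its comments.
# Reports the CVE-2017-1000253 state of a RHEL 7 host from two facts the
# comments above give: the kernel is fixed from 3.10.0-693 on (Comment 12),
# and vm.legacy_va_layout=1 mitigates older kernels (Comment 26).
# Assumption: a RHEL 7 kernel string such as 3.10.0-693.2.1.el7.x86_64.

# rhel7_kernel_fixed VERSION
#   returns 0 when VERSION is 3.10.0-693 or later, 1 when older,
#   2 when it is not a 3.10.0-* kernel (RHEL 5/6: consult the errata instead)
rhel7_kernel_fixed() {
    case "$1" in
        3.10.0-*) ;;
        *) return 2 ;;
    esac
    rel=${1#3.10.0-}      # strip "3.10.0-" -> "693.2.1.el7.x86_64"
    rel=${rel%%.*}        # keep the build number -> "693"
    case "$rel" in
        ''|*[!0-9]*) return 2 ;;   # not numeric: cannot compare
    esac
    [ "$rel" -ge 693 ]
}

# legacy_layout_enabled [FILE]
#   returns 0 when vm.legacy_va_layout reads 1; FILE defaults to the
#   sysctl's /proc entry and can be pointed at a sample file for testing
legacy_layout_enabled() {
    f=${1:-/proc/sys/vm/legacy_va_layout}
    [ -r "$f" ] || return 2
    [ "$(head -n 1 "$f")" = "1" ]
}

# mitigation_status VERSION [FILE]
#   prints one of: fixed-kernel | mitigated | vulnerable | unknown-kernel
mitigation_status() {
    rhel7_kernel_fixed "$1" && rc=0 || rc=$?
    case "$rc" in
        0) echo fixed-kernel; return 0 ;;
        2) echo unknown-kernel; return 2 ;;
    esac
    if legacy_layout_enabled "$2"; then
        echo mitigated; return 0
    fi
    echo vulnerable; return 1
}

# On a live host: mitigation_status "$(uname -r)"
```

A result of "mitigated" only means the sysctl is set; the kernel itself is still unpatched and should be updated via the errata listed above.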