Bug 1498067 (CVE-2017-1000255) - CVE-2017-1000255 kernel: Arbitrary stack overwrite causing oops via crafted signal frame
Summary: CVE-2017-1000255 kernel: Arbitrary stack overwrite causing oops via crafted s...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-1000255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1498763 1500335
Blocks: 1498072
TreeView+ depends on / blocked
 
Reported: 2017-10-03 12:35 UTC by Adam Mariš
Modified: 2021-02-17 01:27 UTC (History)
48 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's handling of signal frame on PowerPC systems. A malicious local user process could craft a signal frame allowing an attacker to corrupt memory.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:26:27 UTC
Embargoed:

Attachments (Terms of Use)
Proposed patch (3.67 KB, patch)
2017-10-03 12:37 UTC, Adam Mariš 		no flags Details | Diff
Proposed patch 2 (2.67 KB, patch)
2017-10-06 09:28 UTC, Adam Mariš 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0654 0 None None None 2018-04-10 05:06:18 UTC

Description Adam Mariš 2017-10-03 12:35:18 UTC 
A flaw was found in the Linux kernels handling of signal frame processing where any user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written.

This flaw only affects PowerPC systems running on Power8 or later processors.

References:

http://seclists.org/oss-sec/2017/q4/51

This issue was introduced by commit:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5d176f751ee3

An upstream fix:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=265e60a170d0a0ecfc2d20490134ed2c48dd45ab
Comment 2 Adam Mariš 2017-10-03 12:37:30 UTC 
Created attachment 1333629 [details]
Proposed patch
Comment 4 Wade Mealing 2017-10-05 07:59:29 UTC 
Statement:

This issue does not affect the Linux kernel and kernel-rt packages as shipped with Red Hat Enterprise Linux 5, 6, and 7.
Comment 7 Adam Mariš 2017-10-06 09:28:43 UTC 
Created attachment 1335172 [details]
Proposed patch 2

This is a supplement to the first patch, not a replacement.
Comment 8 Adam Mariš 2017-10-10 12:06:44 UTC 
Public via:

seclists.org/oss-sec/2017/q4/51
Comment 9 Adam Mariš 2017-10-10 12:07:25 UTC 
Acknowledgments:

Name: Michael Ellerman, Gustavo Romero, Breno Leitao, Paul Mackerras, Cyril Bur
Comment 10 Adam Mariš 2017-10-10 12:08:30 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1500335]
Comment 11 Fedora Update System 2017-10-24 05:28:47 UTC 
kernel-4.13.8-300.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
Comment 12 Fedora Update System 2017-10-25 21:20:53 UTC 
kernel-4.13.8-100.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2017-10-25 23:13:46 UTC 
kernel-4.13.8-200.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 errata-xmlrpc 2018-04-10 05:05:58 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0654 https://access.redhat.com/errata/RHSA-2018:0654
Note You need to log in before you can comment on or make changes to this bug.