1451685 – (CVE-2017-1000363) CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c

Bug 1451685 (CVE-2017-1000363) - CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c

Summary: CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2017-1000363
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1456454 1456493 1456495 1456496 1456497 1456499
Blocks:	1451686
TreeView+	depends on / blocked

Reported:	2017-05-17 09:54 UTC by Adam Mariš
Modified:	2021-02-17 02:08 UTC (History)
CC List:	24 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:	A vulnerability was found in the Linux kernel's lp_setup() function where it doesn't apply any bounds checking when passing "lp=none". This can result into overflow of the parport_nr[] array. An attacker with control over kernel command line can overwrite kernel code and data with fixed (0xff) values.
Clone Of:
Environment:
Last Closed:	2017-07-25 12:18:08 UTC
Embargoed:

Attachments	(Terms of Use)

Description Adam Mariš 2017-05-17 09:54:18 UTC

lp_setup() functions doesn't apply any bounds checking when passing "lp=none" which can result into overflow of parport_nr[] array. Adversary having partial control over secure boot kernel command line can insert malicious code directly into kernel.

References:

https://alephsecurity.com/vulns/aleph-2017023

http://seclists.org/oss-sec/2017/q2/335

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e21f4af170bebf47c187c1ff8bf155583c9f3b1

Comment 1 Adam Mariš 2017-05-17 09:54:32 UTC

Acknowledgments:

Name: Roee Hay (HCL Technologies)

Comment 2 Vladis Dronov 2017-05-29 12:33:41 UTC

Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1456454]

Comment 4 Vladis Dronov 2017-05-29 13:27:25 UTC

Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, as the code with the flaw is not built and shipped with the products listed.

Comment 9 Denys Vlasenko 2017-06-28 14:59:11 UTC

Our kernels have CONFIG_PRINTER=m, this bug shouldn't be affecting us: the function we patch sits inside "#ifndef MODULE" block.

Comment 10 Denys Vlasenko 2017-06-29 16:23:12 UTC

This bug can only be triggered if someone recompiles the kernel with CONFIG_PRINTER=y, and then boots with "lp=none,none,none,none,none,none,none,none,none" (i.e. with more than 8 "none" parameters for lp=) on the kernel command line.
I don't think this scenario is important for us.

I propose WONTFIXing this.

Comment 11 Justin M. Forbes 2018-01-29 17:05:50 UTC

This was fixed for fedora with 4.12 rebases.

Note You need to log in before you can comment on or make changes to this bug.

agordeev
aquini
bhu
dhoward
dominik.mierzejewski
dvlasenk
esammons
fhrbata
iboverma
jforbes
jkacur
jross
lgoncalv
lwang
matt
mcressma
mguzik
nmurray
pholasek
plougher
rvrbovsk
security-response-team
vdronov
williams