Bug 1451685 (CVE-2017-1000363) - CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c
Summary: CVE-2017-1000363 kernel: Out-of-bounds write in lp_setup in drivers/char/lp.c
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-1000363
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1456454 1456493 1456495 1456496 1456497 1456499
Blocks: 1451686
Reported: 2017-05-17 09:54 UTC by Adam Mariš
Modified: 2021-02-17 02:08 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
A vulnerability was found in the Linux kernel's lp_setup() function, which does not apply any bounds checking when "lp=none" is passed. This can result in an overflow of the parport_nr[] array. An attacker with control over the kernel command line can overwrite kernel code and data with fixed (0xff) values.
Clone Of:
Environment:
Last Closed: 2017-07-25 12:18:08 UTC
Embargoed:



Description Adam Mariš 2017-05-17 09:54:18 UTC
The lp_setup() function doesn't apply any bounds checking when passing "lp=none", which can result in an overflow of the parport_nr[] array. An adversary having partial control over the secure boot kernel command line can insert malicious code directly into the kernel.

References:

https://alephsecurity.com/vulns/aleph-2017023

http://seclists.org/oss-sec/2017/q2/335

Upstream patch:

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=3e21f4af170bebf47c187c1ff8bf155583c9f3b1

Comment 1 Adam Mariš 2017-05-17 09:54:32 UTC
Acknowledgments:

Name: Roee Hay (HCL Technologies)

Comment 2 Vladis Dronov 2017-05-29 12:33:41 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1456454]

Comment 4 Vladis Dronov 2017-05-29 13:27:25 UTC
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2, as the code with the flaw is not built and shipped with the products listed.

Comment 9 Denys Vlasenko 2017-06-28 14:59:11 UTC
Our kernels have CONFIG_PRINTER=m; this bug shouldn't be affecting us: the function we patch sits inside an "#ifndef MODULE" block.

Comment 10 Denys Vlasenko 2017-06-29 16:23:12 UTC
This bug can only be triggered if someone recompiles the kernel with CONFIG_PRINTER=y, and then boots with "lp=none,none,none,none,none,none,none,none,none" (i.e. with more than 8 "none" parameters for lp=) on the kernel command line.
I don't think this scenario is important for us.

I propose WONTFIXing this.
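
The missing bounds check discussed in this bug, shown as an added user-space model in C (not the kernel's lp.c and not part of the bug report): the "none" branch with and without an index check. The array size of 8 follows the "more than 8" in Comment 10; the -1 sentinel, the guard slots and the one-call-per-value harness are assumptions of the model.

```c
#include <stdio.h>
#include <string.h>
#define LP_NO           8     /* array size, per the "more than 8" in the report */
#define LP_PARPORT_NONE (-1)  /* assumed sentinel; every byte of it is 0xff */
#define GUARD           8     /* model only: slots standing in for adjacent memory */

/* First LP_NO slots model parport_nr[]; the rest model what lies after it. */
static int backing[LP_NO + GUARD];
static int parport_ptr;

/* Flawed form: no check against LP_NO (the GUARD limit only contains the demo). */
static int lp_setup_unchecked(const char *str)
{
    if (strcmp(str, "none") == 0 && parport_ptr < LP_NO + GUARD)
        backing[parport_ptr++] = LP_PARPORT_NONE;
    return 1;
}

/* Hardened form: refuse to store once all LP_NO slots are used. */
static int lp_setup_checked(const char *str)
{
    if (strcmp(str, "none") == 0) {
        if (parport_ptr < LP_NO)
            backing[parport_ptr++] = LP_PARPORT_NONE;
        else
            fprintf(stderr, "lp model: too many values, \"%s\" ignored\n", str);
    }
    return 1;
}

/* Feed `count` "none" values to `handler`; return how many guard slots changed. */
static int clobbered_after(int (*handler)(const char *), int count)
{
    int i, hits = 0;
    memset(backing, 0, sizeof(backing));
    parport_ptr = 0;
    for (i = 0; i < count; i++)
        handler("none");
    for (i = LP_NO; i < LP_NO + GUARD; i++)
        hits += (backing[i] != 0);
    return hits;
}

int main(void)
{
    printf("unchecked, 9 values: %d slot(s) overwritten\n", clobbered_after(lp_setup_unchecked, 9));
    printf("checked,   9 values: %d slot(s) overwritten\n", clobbered_after(lp_setup_checked, 9));
    return 0;
}
```

Eight values fill the array exactly in both forms; the ninth is the first to land outside it in the unchecked form and is dropped by the checked one.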

Comment 11 Justin M. Forbes 2018-01-29 17:05:50 UTC
This was fixed for Fedora with 4.12 rebases.

