Bug 1501215 (CVE-2017-12193) - CVE-2017-12193 kernel: Null pointer dereference due to incorrect node-splitting in assoc_array implementation
Summary: CVE-2017-12193 kernel: Null pointer dereference due to incorrect node-splitti...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-12193
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1501286 1502620 1502621 1502622 1502623 1502624 1502625 1502626 1502627 1508717
Blocks: 1501233
TreeView+ depends on / blocked
 
Reported: 2017-10-12 08:59 UTC by Adam Mariš
Modified: 2021-02-17 01:23 UTC (History)
47 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Linux kernel's implementation of associative arrays introduced in 3.13. This functionality was backported to the 3.10 kernels in Red Hat Enterprise Linux 7. The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in assoc_array implementation. This affects the keyring key type and thus key addition and link creation operations may cause the kernel to panic.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:29:20 UTC
Embargoed:

Attachments (Terms of Use)
Proposed upstream patch (2.82 KB, patch)
2017-10-12 09:10 UTC, Adam Mariš 		no flags Details | Diff
View All


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:0151 0 normal SHIPPED_LIVE Important: kernel security and bug fix update 2018-01-25 16:17:48 UTC

Description Adam Mariš 2017-10-12 08:59:53 UTC 
A flaw was found in the Linux kernels implementation of associative arrays introduced in 3.13.  The Red Hat Enterprise Linux 7 kernel had back ported this functionality to the 3.10 kernels and was affected by this flaw.  The flaw involved a null pointer dereference in assoc_array_apply_edit() due to incorrect node-splitting in assoc_array implementation.  This did not affect all callers of of the associative array code, only those that would try todereference the assigned value, a kernel panic will occur.

Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=ea6789980fdaa610d7eb63602c746bf6ec70cd2b

Oss-security:
http://seclists.org/oss-sec/2017/q4/181
Comment 2 Adam Mariš 2017-10-12 09:10:39 UTC 
Created attachment 1337630 [details]
Proposed upstream patch
Comment 4 Adam Mariš 2017-10-12 14:12:19 UTC 
Acknowledgments:

Name: Fan Wu (University of Hong Kong), Haoran Qiu (University of Hong Kong), Shixiong Zhao (University of Hong Kong), Heming Cui (University of Hong Kong)
Comment 8 Wade Mealing 2017-10-16 11:07:54 UTC 
Statement:

This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 and 6.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 7,MRG-2 and realtime kernels. Future Linux kernel updates for the respective releases may address this issue.
Comment 10 David Howells 2017-10-28 22:02:12 UTC 
This is now public, commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b in Linus tree.
Comment 11 Wade Mealing 2017-11-02 03:05:55 UTC 
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 1508717]
Comment 12 errata-xmlrpc 2018-01-25 11:26:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0151 https://access.redhat.com/errata/RHSA-2018:0151
Note You need to log in before you can comment on or make changes to this bug.