Red Hat Bugzilla – Bug 1428353
CVE-2017-2647 kernel: Null pointer dereference in search_keyring
Last modified: 2017-07-13 04:45:40 EDT
A null pointer dereference vulnerability that can be triggered in keyring_search_iterator in keyring.c if type->match is NULL by unprivileged local user was found. It is possible that an attacker could crash the system or escalate privileges using this vulnerability.
Fixed in upstream:
Name: Igor Redko (Virtuozzo), Andrey Ryabinin (Virtuozzo)
Created attachment 1259126 [details]
This issue does not affect the Linux kernel packages as shipped with Red Hat Enterprise Linux 5 as the code which can trigger the flaw is not present in the products listed.
This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and MRG-2. Future Linux kernel updates for the respective releases might address this issue.
This seems to be the same issue as CVE-2017-6951. Is there really any difference between the two?
(In reply to Ben Hutchings from comment #9)
> This seems to be the same issue as CVE-2017-6951. Is there really any
> difference between the two?
We haven't fully analyzed CVE-2017-6951 yet. We'll do so soon.
Re: Ben Hutchings
They do appear to be the same flaw, this issue in Red Hat Enterprise Linux 7 seem to have a greater impact (RIP modification). EL6 doesn't has the same privesc capability with the reproducer that I have, it doesn't mean it can't be tricked into privesc.
It looks as though the fix for EL6 fixes both CVE's. I'm going to mark both as fixed in the same errata. I will continue my investigation on Wednesday to confirm this.
At this time Red Hat is not interested in correcting the double allocation. The end user shouldn't be affected.
Well, after investigating both. I'm going to call it a different flaw.
The fix propsed by David does solve both issues.