Bug 1575853 (CVE-2018-1126) - CVE-2018-1126 procps-ng, procps: incorrect integer size in proc/alloc.* leading to truncation / integer overflow issues
Summary: CVE-2018-1126 procps-ng, procps: incorrect integer size in proc/alloc.* leadi...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1126
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20180517:1700,...
Depends On: 1579638 1577025 1577026 1579637 1580581 1580582 1602221 1602998 1719426
Blocks: 1575455
TreeView+ depends on / blocked
 
Reported: 2018-05-08 05:57 UTC by Doran Moppert
Modified: 2019-07-30 09:08 UTC (History)
7 users (show)

Fixed In Version: procps-ng 3.3.15
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found where procps-ng provides wrappers for standard C allocators that took `unsigned int` instead of `size_t` parameters. On platforms where these differ (such as x86_64), this could cause integer truncation, leading to undersized regions being returned to callers that could then be overflowed. The only known exploitable vector for this issue is CVE-2018-1124.
Clone Of:
Environment:
Last Closed: 2018-06-04 09:19:01 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:1700 None None None 2018-05-23 15:52:34 UTC
Red Hat Product Errata RHSA-2018:1777 None None None 2018-05-31 13:59:32 UTC
Red Hat Product Errata RHSA-2018:1820 None None None 2018-06-11 06:56:56 UTC
Red Hat Product Errata RHSA-2018:2267 None None None 2018-07-26 12:02:30 UTC
Red Hat Product Errata RHSA-2018:2268 None None None 2018-07-26 13:15:15 UTC
Red Hat Product Errata RHSA-2019:1944 None None None 2019-07-30 09:08:31 UTC

Description Doran Moppert 2018-05-08 05:57:57 UTC
procps-ng provides wrappers for standard C allocators that took `unsigned int` instead of `size_t` parameters. On platforms where these differ (such as x86_64), this could cause integer truncation, leading to undersized regions being returned to callers that could then be overflowed.

This flaw is related to CVE-2018-1124. As stated in the patch provided by Qualys:

> this .. is one of the reasons the integer overflows in file2strvec() are exploitable at all.

Comment 2 Albert Cahalan 2018-05-08 18:02:32 UTC
This really needs a size limit in the kernel. It is not possible to pass more than 2 MiB of arguments to a process. (see "getconf ARG_MAX") If that limit were enforced by the /proc filesystem, then an "unsigned int" would be fine here.

Supporting more than INT_MAX is incorrect, since that introduces a denial of service. The procps tools are commonly run on systems that are low on memory, and this is an important use case. The size of cmdline needs to be limited. The denial of service is somewhat mitigated by the fact that the default output for procps tools does not include command line arguments, and thus the files are not parsed by default.

Comment 3 Doran Moppert 2018-05-11 02:33:10 UTC
> This really needs a size limit in the kernel.

I agree, ultimately kernel is the best place to address it.  ARG_MAX is derived from RLIMIT_STACK, thus can be increased, but actual arguments passed to exec*() face a hard limit in MAX_ARG_STRLEN, which is only 128KiB on x86_64.

Having the kernel apply the same limits to data coming out of /proc makes sense.  But that is going to take time.  Meanwhile I think addressing this in procps by aligning the allocator arguments with their underlying libc calls seems like a good mitigation.

Comment 6 Adam Mariš 2018-05-16 11:18:20 UTC
Acknowledgments:

Name: Qualys Research Labs

Comment 7 Doran Moppert 2018-05-18 05:13:28 UTC
Public via: http://seclists.org/oss-sec/2018/q2/122

Comment 8 Doran Moppert 2018-05-18 05:13:35 UTC
External References:

https://www.qualys.com/2018/05/17/procps-ng-audit-report-advisory.txt

Comment 9 Doran Moppert 2018-05-18 05:14:13 UTC
Created procps-ng tracking bugs for this issue:

Affects: fedora-all [bug 1579638]

Comment 13 errata-xmlrpc 2018-05-23 15:52:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:1700 https://access.redhat.com/errata/RHSA-2018:1700

Comment 14 errata-xmlrpc 2018-05-31 13:59:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2018:1777 https://access.redhat.com/errata/RHSA-2018:1777

Comment 15 errata-xmlrpc 2018-06-11 06:56:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for RHEL-7

Via RHSA-2018:1820 https://access.redhat.com/errata/RHSA-2018:1820

Comment 17 errata-xmlrpc 2018-07-26 12:02:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.7 Extended Update Support

Via RHSA-2018:2267 https://access.redhat.com/errata/RHSA-2018:2267

Comment 18 errata-xmlrpc 2018-07-26 13:15:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support
  Red Hat Enterprise Linux 6.6 Telco Extended Update Support

Via RHSA-2018:2268 https://access.redhat.com/errata/RHSA-2018:2268

Comment 20 errata-xmlrpc 2019-07-30 09:08:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.4 Extended Update Support

Via RHSA-2019:1944 https://access.redhat.com/errata/RHSA-2019:1944


Note You need to log in before you can comment on or make changes to this bug.