Bug 1987320 (CVE-2021-37600) - CVE-2021-37600 util-linux: integer overflow can lead to buffer overflow in get_sem_elements() in sys-utils/ipcutils.c
Summary: CVE-2021-37600 util-linux: integer overflow can lead to buffer overflow in ge...
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2021-37600
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1987322 1989364 1995891
Blocks: 1987323
Reported: 2021-07-29 13:50 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-08-20 09:34 UTC (History)
CC: 10 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An integer truncation flaw was found in util-linux that potentially causes a buffer overflow if an attacker can use system resources that lead to a large number in the /proc/sysvipc/sem file. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2021-08-20 09:34:52 UTC
Embargoed:


Description Guilherme de Almeida Suckevicz 2021-07-29 13:50:39 UTC
An integer overflow in util-linux through 2.37.1 can potentially cause a buffer overflow if an attacker were able to use system resources in a way that leads to a large number in the /proc/sysvipc/sem file.

Reference:
https://github.com/karelzak/util-linux/issues/1395

Upstream patch:
https://github.com/karelzak/util-linux/commit/1c9143d0c1f979c3daf10e1c37b5b1e916c22a1c
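
The pattern behind this report, as an added example that is not util-linux code: a 64-bit semaphore count parsed from /proc/sysvipc/sem feeds both the calloc() size and the loop bound, so on a target where size_t is 32 bits the allocation argument is silently narrowed while the loop still runs to the full count. The function names, the modeled struct sem_elem, the constructed /proc/sysvipc/sem lines and the SEMMSL value used below are illustrative assumptions; the actual fix is the upstream commit linked above, and the hardened check here only approximates it.

```c
/*
 * Added example (not util-linux code). Models the bug class in this report:
 * a 64-bit semaphore count from /proc/sysvipc/sem is used both as the
 * calloc() element count and as the loop bound. With a 32-bit size_t the
 * calloc() argument is truncated while the loop still writes nsems entries.
 * A 32-bit size_t is emulated with uint32_t so the effect shows on any host.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t size32_t;            /* emulated 32-bit size_t */

/* Per-semaphore record as ipcs -s -i prints it (modeled, not the real struct). */
struct sem_elem { int semval, ncount, zcount, pid; };

/* Constructed sample of /proc/sysvipc/sem (column layout follows the kernel's
 * "%10d %10d  %4o %10u ..." format; the values are made up for this demo).
 * The third line carries nsems = 2^32 + 1, which truncates to 1. */
static const char *const sample_proc_lines[] = {
    "       key      semid perms      nsems   uid   gid  cuid  cgid      otime      ctime",
    "         0          0   600          1  1000  1000  1000  1000          0 1627559400",
    "         0          1   600 4294967297  1000  1000  1000  1000          0 1627559400",
};

/* Parse the nsems column of one line. Returns 0 on success, -1 for a
 * non-data line such as the header. */
int parse_nsems(const char *line, uint64_t *nsems)
{
    int key, id;
    unsigned mode;
    if (sscanf(line, "%d %d %o %" SCNu64, &key, &id, &mode, nsems) != 4)
        return -1;
    return 0;
}

/* Vulnerable pattern: number of elements the loop writes beyond what
 * calloc() actually reserved once the count is narrowed to 32 bits. */
uint64_t out_of_bounds_writes(uint64_t nsems)
{
    size32_t alloc_elems = (size32_t)nsems;   /* what calloc() receives */
    uint64_t loop_iters  = nsems;             /* what the loop still uses */
    return loop_iters - alloc_elems;          /* 0 means no overflow */
}

/* Hardened pattern: refuse counts that do not fit in size_t or exceed the
 * kernel's SEMMSL (first field of /proc/sys/kernel/sem), since the kernel
 * never creates a set larger than SEMMSL. Returns 0 if usable, -1 if the
 * count would be truncated, -2 if it is implausible for this host. */
int check_nsems(uint64_t nsems, uint64_t size_max, uint64_t semmsl)
{
    if (nsems > size_max)
        return -1;
    if (nsems > semmsl)
        return -2;
    return 0;
}

int main(void)
{
    /* 32000 is the kernel default SEMMSL; a real tool reads /proc/sys/kernel/sem. */
    const uint64_t semmsl = 32000;
    size_t i;
    for (i = 0; i < sizeof sample_proc_lines / sizeof *sample_proc_lines; i++) {
        uint64_t n;
        if (parse_nsems(sample_proc_lines[i], &n) != 0)
            continue;                         /* header line */
        printf("nsems=%" PRIu64 ": calloc() gets %" PRIu32 " elems, loop writes %" PRIu64
               " past the end (%" PRIu64 " bytes); check=%d\n",
               n, (size32_t)n, out_of_bounds_writes(n),
               out_of_bounds_writes(n) * sizeof(struct sem_elem),
               check_nsems(n, UINT32_MAX, semmsl));
    }
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run; the second data line shows a one-element allocation with 2^32 writes past it, which check_nsems() rejects with -1. On a real host compare the nsems column of /proc/sysvipc/sem against the first field of /proc/sys/kernel/sem: with a sane SEMMSL the truncating count cannot occur, which is the point made later in this bug.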

Comment 1 Guilherme de Almeida Suckevicz 2021-07-29 13:51:21 UTC
Created util-linux tracking bugs for this issue:

Affects: fedora-all [bug 1987322]

Comment 3 Doran Moppert 2021-08-11 03:51:49 UTC
Exploitability of this vuln is limited by the value of SEMMSL.  For any reasonable value of this limit, the overflow is not possible.

Comment 4 Karel Zak 2021-08-16 09:34:58 UTC
There is no exploitability at all; the tools do not have any extra permissions, and the worst possible case is that it will call calloc() with bad values. This is pretty common in userspace and it does not affect anything.

This whole CVE is total nonsense and it seems that anyone can submit whatever they want to CVE, a sad thing ...

Comment 5 Doran Moppert 2021-08-19 07:01:12 UTC
In reply to comment #4:
> There is no any exploitability at all, the tools do not have any extra
> permissions, the worst possible case is that it will call calloc() with bad
> values. This is pretty common in userspace and it does not affect anything.

You are right that util-linux tools do not elevate privileges, but the risk here is that when invoked by a privileged user, the overflow can be triggered by behaviour of another user who has created the semaphores being examined.  If the parameters influencing calloc() were entirely supplied by the user invoking the tool, there would be no CVE.  But in this case they can come from a different privilege domain.

Comment 7 Product Security DevOps Team 2021-08-20 09:34:52 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-37600
