oss-sec mailing list archives
CVE request - Linux kernel - Fix handling of stored error in a negatively instantiated user key
From: Wade Mealing <wmealing () redhat com>
Date: Tue, 8 Dec 2015 20:32:03 -0500 (EST)
Gday,

A bug was found by Dmitry Vyukov (of Google engineering) in the Linux kernel key management code. A malicious user with a local account may be able to escalate privileges and take control of the local system by abusing the user key subsystem.
From the patch:
--
If a user key gets negatively instantiated, an error code is cached in the payload area. A negatively instantiated key may then be positively instantiated by updating it with valid data. However, the ->update key type method must be aware that the error code may be there.
--

The paging address is predictable and mappable as userspace memory and can be abused by an attacker to escalate privileges.

This is not the same issue as CVE-2015-7872, this issue persists after the fix is applied.

I have only seen this affected on the 4.4 release candidates.

Thanks,

Wade Mealing

Upstream fix
------------

- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd

Red Hat Bugzilla:

- https://bugzilla.redhat.com/show_bug.cgi?id=1284450
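The condition the quoted commit message describes, as an added userspace model that is not part of the original post or of the kernel patch. `toy_key`, its fields, the helper functions and the union layout are hypothetical names and assumptions chosen for illustration; the error value used with it is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: one storage area holds either the payload
 * pointer or, for a negatively instantiated key, a cached error. */
struct toy_key {
    int negative;                 /* set on negative instantiation */
    union {
        void *data;               /* meaningful only when !negative */
        int reject_error;         /* meaningful only when negative */
    } payload;
};

static void toy_negate(struct toy_key *k, int err)
{
    memset(&k->payload, 0, sizeof k->payload);
    k->payload.reject_error = err;            /* error cached in payload area */
    k->negative = 1;
}

/* Flawed shape: assumes the payload area always holds a pointer.
 * Returns the value it would have released instead of freeing it. */
static uintptr_t toy_update_unchecked(struct toy_key *k, void *new_data)
{
    uintptr_t zap;
    memcpy(&zap, &k->payload, sizeof zap);    /* stored error read as pointer */
    k->payload.data = new_data;
    k->negative = 0;
    return zap;
}

/* Checked shape: the update method knows an error may be cached there
 * and treats a negative key as having no old payload to release. */
static uintptr_t toy_update_checked(struct toy_key *k, void *new_data)
{
    void *zap = k->negative ? NULL : k->payload.data;
    uintptr_t old = (uintptr_t)zap;           /* record before releasing */
    k->payload.data = new_data;
    k->negative = 0;
    free(zap);                                /* free(NULL) is a no-op */
    return old;
}
```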