Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Tue, 8 Dec 2015 20:32:03 -0500 (EST)
From: Wade Mealing <wmealing@...hat.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: CVE request - Linux kernel - Fix handling of stored error in a
 negatively instantiated user key

Gday,

A bug was found by Dmitry Vyukov (of Google engineering) in the Linux
kernel key management code.

A malicious user with a local account may be able to escalate privileges
and take control of local system by abusing the user key subsystem.

>From the patch: 

--
If a user key gets negatively instantiated, an error code is cached in the
payload area.  A negatively instantiated key may be then be positively
instantiated by updating it with valid data.  However, the ->update key
type method must be aware that the error code may be there.
--

The paging address is predictable and mappable as userspace memory and can
be used by abused by an attacker to escalate privileges.

This is not the same issue as CVE-2015-7872, this issue persists
after the fix is applied.  I have only seen this affected on the 4.4 
release candidates.


Thanks,

Wade Mealing

Upstream fix
------------
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd

Red Hat Bugzilla:
- https://bugzilla.redhat.com/show_bug.cgi?id=1284450

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ