Date: Tue, 30 Oct 2018 16:24:54 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Cc: Kostya Serebryany <kcc@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, Alexander Potapenko <glider@...gle.com>, Kees Cook <keescook@...gle.com>
Subject: Re: Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem

On Thu, Aug 2, 2018 at 8:57 PM Andrey Konovalov <andreyknvl@...il.com> wrote:
>
> Hi!
>
> Syzkaller/syzbot found a global-out-of-bounds bug in the timer
> subsystem of the Linux kernel [1], that is exploitable and can be used
> to gain an arbitrary-read primitive. This allows access to kernel
> memory and leaks keys, credentials or other sensitive information that
> is stored there (so the bug has a similar impact to Meltdown). I'll
> share a PoC exploit in a week.
>
> The bug was introduced in commit 57b8015e ("posix-timers: Show
> sigevent info in proc file") [2] in 3.10 and fixed by commit cef31d9a
> ("posix-timer: Properly check sigevent->sigev_notify") [3] in
> 4.15-rc4. The bug only affects kernels that have CONFIG_POSIX_TIMERS
> and CONFIG_CHECKPOINT_RESTORE enabled, which is done by a lot of
> modern distros.
>
> This bug has been fixed in Ubuntu 16.04 [7], but still affects at
> least CentOS 7 at this moment (at least 3.10.0-862.9.1.el7.x86_64 that
> I've checked). I haven't checked the other distros.

[...]

> Then I decided to take a look at the CentOS kernel. I was quite
> surprised to find out that this bug hasn't been fixed there at all. I
> was under the impression that most Linux distros either follow stable
> kernel branches or monitor upstream commits for security related fixes
> themselves. It seems that this is not the case. Perhaps this fix was
> missed because CentOS 7 kernel is based on the 3.10 kernel version,
> and the 3.10 stable kernel release stopped being supported in November
> 2017.

This bug has finally been fixed in the Red Hat kernels [1] (so it's
probably fixed in CentOS as well, do they use the same kernel?), which
took another 3 months since my announcement on oss-security and 11
months since the initial syzbot bug report.

[1] https://access.redhat.com/errata/RHSA-2018:3083
