oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

CVE request - Linux kernel - Fix handling of stored error in a negatively instantiated user key

From: Wade Mealing <wmealing () redhat com>
Date: Tue, 8 Dec 2015 20:32:03 -0500 (EST)
Gday,

A bug was found by Dmitry Vyukov (of Google engineering) in the Linux
kernel key management code.

A malicious user with a local account may be able to escalate privileges
and take control of local system by abusing the user key subsystem.


From the patch: 


--
If a user key gets negatively instantiated, an error code is cached in the
payload area.  A negatively instantiated key may be then be positively
instantiated by updating it with valid data.  However, the ->update key
type method must be aware that the error code may be there.
--

The paging address is predictable and mappable as userspace memory and can
be used by abused by an attacker to escalate privileges.

This is not the same issue as CVE-2015-7872, this issue persists
after the fix is applied.  I have only seen this affected on the 4.4 
release candidates.


Thanks,

Wade Mealing

Upstream fix
------------
- https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=096fe9eaea40a17e125569f9e657e34cdb6d73bd

Red Hat Bugzilla:
- https://bugzilla.redhat.com/show_bug.cgi?id=1284450
Previous By Date Next
Previous By Thread Next

Current thread: