CVE-2017-15299: Linux kernel: incorrect update of uninstantiated keys can crash a kernel

[Vladis Dronov <vdronov () redhat com>]

Heololo,

> [Suggested description]
> The KEYS subsystem in the Linux kernel through 4.13.7 mishandles use of
> the add_key() for a key that already exists but is uninstantiated, which
> allows local users to cause a denial of service (NULL pointer dereference
> and a system crash) or possibly have unspecified other impact via a crafted
> system call.
>
> ------------------------------------------
>
> [VulnerabilityType Other]
> CWE-476 NULL Pointer Dereference
>
> ------------------------------------------
>
> [Vendor of Product]
> kernel.org: Linux kernel
>
> ------------------------------------------
>
> [Affected Product Code Base]
> Linux kernel - upto v4.14
>
> ------------------------------------------
>
> [Affected Component]
> 'security/keys/keyring.c', 'security/keys/key.c' files, find_key_to_update(),
> key_create_or_update() functions
>
> ------------------------------------------
>
> [Attack Type]
> Local
>
> ------------------------------------------
>
> [Impact Denial of Service]
> true
>
> ------------------------------------------
>
> [Attack Vectors]
> to exploit a vulnerability an attacker should run a certain binary as unprivileged user
>
> ------------------------------------------
>
> [Reference]
> https://bugzilla.redhat.com/show_bug.cgi?id=1498016
> https://www.mail-archive.com/linux-kernel () vger kernel org/msg1499828.html
> https://marc.info/?t=150654188100001&r=1&w=2
> https://marc.info/?t=150783958600011&r=1&w=2
>
> ------------------------------------------
>
> [Has vendor confirmed or acknowledged the vulnerability?]
> true
>
> ------------------------------------------
>
> [Discoverer]
> Eric Biggers <ebiggers () google com>
>
> Use CVE-2017-15299.

Best regards,
Vladis Dronov | Red Hat, Inc. | Product Security Engineer