oss-sec mailing list archives
Re: Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem
From: Andrey Konovalov <andreyknvl () gmail com>
Date: Tue, 30 Oct 2018 16:24:54 +0100
On Thu, Aug 2, 2018 at 8:57 PM Andrey Konovalov <andreyknvl () gmail com> wrote:
Hi! Syzkaller/syzbot found a global-out-of-bounds bug in the timer subsystem of the Linux kernel [1], that is exploitable and can be used to gain an arbitrary-read primitive. This allows to access kernel memory and leak keys, credentials or other sensitive information that is stored there (so the bug has a similar impact to Meltdown). I'll share a PoC exploit in a week. The bug was introduced in commit 57b8015e ("posix-timers: Show sigevent info in proc file") [2] in 3.10 and fixed by commit cef31d9a ("posix-timer: Properly check sigevent->sigev_notify") [3] in 4.15-rc4. The bug only affects kernels that have CONFIG_POSIX_TIMERS and CONFIG_CHECKPOINT_RESTORE enabled, which is done by a lot of modern distros. This bug has been fixed in Ubuntu 16.04 [7], but still affects at least CentOS 7 at this moment (at least 3.10.0-862.9.1.el7.x86_64 that I've checked). I haven't checked the other distros.
[...]
Then I decided to take a look at the CentOS kernel. I was quite surprised to find out that this bug hasn't been fixed there at all. I was under the impression that most Linux distros either follow stable kernel branches or monitor upstream commits for security related fixes themselves. It seems that this is not the case. Perhaps this fix was missed because CentOS 7 kernel is based on the 3.10 kernel version, and the 3.10 stable kernel release stopped being supported in November 2017.
This bug has finally been fixed in the Red Hat kernels [1] (so it's probably fixed in CentOS as well, do they use the same kernel?), which took another 3 months since my announcement on oss-security and 11 months since the initial syzbot bug report. [1] https://access.redhat.com/errata/RHSA-2018:3083
Current thread:
- Re: Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the timer subsystem Andrey Konovalov (Oct 30)