Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CA+fCnZd4OdWkWzh6e9t67MJysyQi=qXY2PQsDwczobS1U5Ln-g@mail.gmail.com>
Date: Tue, 30 Oct 2018 16:24:54 +0100
From: Andrey Konovalov <andreyknvl@...il.com>
To: oss-security@...ts.openwall.com
Cc: Kostya Serebryany <kcc@...gle.com>, Dmitry Vyukov <dvyukov@...gle.com>, 
	Alexander Potapenko <glider@...gle.com>, Kees Cook <keescook@...gle.com>
Subject: Re: Linux kernel: CVE-2017-18344: arbitrary-read vulnerability in the
 timer subsystem

On Thu, Aug 2, 2018 at 8:57 PM Andrey Konovalov <andreyknvl@...il.com> wrote:
>
> Hi!
>
> Syzkaller/syzbot found a global-out-of-bounds bug in the timer
> subsystem of the Linux kernel [1], that is exploitable and can be used
> to gain an arbitrary-read primitive. This allows to access kernel
> memory and leak keys, credentials or other sensitive information that
> is stored there (so the bug has a similar impact to Meltdown). I'll
> share a PoC exploit in a week.
>
> The bug was introduced in commit 57b8015e ("posix-timers: Show
> sigevent info in proc file") [2] in 3.10 and fixed by commit cef31d9a
> ("posix-timer: Properly check sigevent->sigev_notify") [3] in
> 4.15-rc4. The bug only affects kernels that have CONFIG_POSIX_TIMERS
> and CONFIG_CHECKPOINT_RESTORE enabled, which is done by a lot of
> modern distros.
>
> This bug has been fixed in Ubuntu 16.04 [7], but still affects at
> least CentOS 7 at this moment (at least 3.10.0-862.9.1.el7.x86_64 that
> I've checked). I haven't checked the other distros.

[...]

> Then I decided to take a look at the CentOS kernel. I was quite
> surprised to find out that this bug hasn't been fixed there at all. I
> was under the impression that most Linux distros either follow stable
> kernel branches or monitor upstream commits for security related fixes
> themselves. It seems that this is not the case. Perhaps this fix was
> missed because CentOS 7 kernel is based on the 3.10 kernel version,
> and the 3.10 stable kernel release stopped being supported in November
> 2017.

This bug has finally been fixed in the Red Hat kernels [1] (so it's
probably fixed in CentOS as well, do they use the same kernel?), which
took another 3 months since my announcement on oss-security and 11
months since the initial syzbot bug report.

[1] https://access.redhat.com/errata/RHSA-2018:3083

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.