Bug 1034862 – VUL-0: CVE-2017-7472: kernel-source: kernel: keyctl_set_reqkey_keyring() leaks thread keyrings

Bug 1034862 - (CVE-2017-7472) VUL-0: CVE-2017-7472: kernel-source: kernel: keyctl_set_reqkey_keyring() leaks thread keyrings

(CVE-2017-7472)
Summary:	VUL-0: CVE-2017-7472: kernel-source: kernel: keyctl_set_reqkey_keyring() leak...

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Minor
Target Milestone:	---
Assigned To:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/183784/
Whiteboard:	CVSSv2:SUSE:CVE-2017-7472:4.9:(AV:L/A...
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-04-19 07:34 UTC by Marcus Meissner
Modified:	2022-07-18 15:01 UTC (History)
CC List:	7 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
CVE-2017-7472.c (132 bytes, text/plain) 2017-04-19 07:38 UTC, Marcus Meissner	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2017-04-19 07:34:44 UTC

via redhat bugzilla

A vulnerability was found in the Linux kernel. It was found that keyctl_set_reqkey_keyring() function leaks thread keyring which allows unprivileged local user to exhaust kernel memory.

Proposed patches:

https://lkml.org/lkml/2017/4/1/235
https://lkml.org/lkml/2017/4/3/724

https://bugzilla.redhat.com/show_bug.cgi?id=1442086

Comment 1 Marcus Meissner 2017-04-19 07:38:23 UTC

Created attachment 721710 [details]
CVE-2017-7472.c

QA REPRODUCER:

gcc -O2 -o CVE-2017-7472 CVE-2017-7472.c -lkeyutils
./CVE-2017-7472

(will run the kernel out of memory)

Comment 2 Marcus Meissner 2017-04-19 07:39:09 UTC

d84f4f992cbd is in 2.6.29, so sle11 sp1 and later affected.

Comment 5 Richard Palethorpe 2017-10-02 12:24:06 UTC

The LTP has a test for this which is passing in SLE15 at least: https://openqa.suse.de/tests/1193184#step/run_ltp/226

Comment 6 Ondřej Súkup 2017-10-19 22:37:51 UTC

is present on SLE12SP2, SLE12,  SLE12SP1 according to new LTP results

Comment 12 Swamp Workflow Management 2018-01-04 11:15:37 UTC

SUSE-SU-2018:0011-1: An update that solves 17 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 1013018,1024612,1034862,1045479,1045538,1047487,1048185,1050231,1050431,1056982,1063043,1065180,1065600,1066569,1066693,1066973,1068032,1068671,1068984,1069702,1070771,1070964,1071074,1071470,1071695,1072457,1072561,1072876,1073792,1073874
CVE References: CVE-2017-11600,CVE-2017-13167,CVE-2017-14106,CVE-2017-15115,CVE-2017-15868,CVE-2017-16534,CVE-2017-16538,CVE-2017-16939,CVE-2017-17450,CVE-2017-17558,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-7472,CVE-2017-8824
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    kernel-docs-3.0.101-108.21.2
SUSE Linux Enterprise Server 11-SP4 (src):    kernel-bigmem-3.0.101-108.21.1, kernel-default-3.0.101-108.21.1, kernel-ec2-3.0.101-108.21.1, kernel-pae-3.0.101-108.21.1, kernel-ppc64-3.0.101-108.21.1, kernel-source-3.0.101-108.21.1, kernel-syms-3.0.101-108.21.1, kernel-trace-3.0.101-108.21.1, kernel-xen-3.0.101-108.21.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-default-3.0.101-108.21.1, kernel-pae-3.0.101-108.21.1, kernel-ppc64-3.0.101-108.21.1, kernel-trace-3.0.101-108.21.1, kernel-xen-3.0.101-108.21.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-bigmem-3.0.101-108.21.1, kernel-default-3.0.101-108.21.1, kernel-ec2-3.0.101-108.21.1, kernel-pae-3.0.101-108.21.1, kernel-ppc64-3.0.101-108.21.1, kernel-trace-3.0.101-108.21.1, kernel-xen-3.0.101-108.21.1

Comment 13 Swamp Workflow Management 2018-01-08 20:07:23 UTC

SUSE-SU-2018:0040-1: An update that solves 32 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1010175,1034862,1045327,1050231,1052593,1056982,1057179,1057389,1058524,1062520,1063544,1063667,1066295,1066472,1066569,1066573,1066606,1066618,1066625,1066650,1066671,1066693,1066700,1066705,1067085,1068032,1068671,1069702,1069708,1070771,1071074,1071470,1071695,1072561,1072876,1073792,1073874,1074033,999245
CVE References: CVE-2017-1000251,CVE-2017-11600,CVE-2017-13080,CVE-2017-13167,CVE-2017-14106,CVE-2017-14140,CVE-2017-14340,CVE-2017-15102,CVE-2017-15115,CVE-2017-15265,CVE-2017-15274,CVE-2017-15868,CVE-2017-16525,CVE-2017-16527,CVE-2017-16529,CVE-2017-16531,CVE-2017-16534,CVE-2017-16535,CVE-2017-16536,CVE-2017-16537,CVE-2017-16538,CVE-2017-16649,CVE-2017-16939,CVE-2017-17450,CVE-2017-17558,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-7472,CVE-2017-8824
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-source-3.0.101-0.47.106.11.1, kernel-syms-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-ppc64-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-source-3.0.101-0.47.106.11.1, kernel-syms-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.11.1, kernel-default-3.0.101-0.47.106.11.1, kernel-ec2-3.0.101-0.47.106.11.1, kernel-pae-3.0.101-0.47.106.11.1, kernel-trace-3.0.101-0.47.106.11.1, kernel-xen-3.0.101-0.47.106.11.1

Comment 14 Swamp Workflow Management 2018-01-23 17:10:54 UTC

SUSE-SU-2018:0180-1: An update that solves 26 vulnerabilities and has 24 fixes is now available.

Category: security (important)
Bug References: 1012917,1013018,1024612,1034862,1045205,1045479,1045538,1047487,1048185,1050231,1050431,1051133,1054305,1056982,1063043,1064803,1064861,1065180,1065600,1066471,1066472,1066569,1066573,1066606,1066618,1066625,1066650,1066671,1066693,1066700,1066705,1066973,1067085,1067816,1067888,1068032,1068671,1068984,1069702,1070771,1070964,1071074,1071470,1071695,1072457,1072561,1072876,1073792,1073874,1074709
CVE References: CVE-2017-11600,CVE-2017-13167,CVE-2017-14106,CVE-2017-15102,CVE-2017-15115,CVE-2017-15868,CVE-2017-16525,CVE-2017-16527,CVE-2017-16529,CVE-2017-16531,CVE-2017-16534,CVE-2017-16535,CVE-2017-16536,CVE-2017-16537,CVE-2017-16538,CVE-2017-16649,CVE-2017-16939,CVE-2017-17450,CVE-2017-17558,CVE-2017-17805,CVE-2017-17806,CVE-2017-5715,CVE-2017-5753,CVE-2017-5754,CVE-2017-7472,CVE-2017-8824
Sources used:
SUSE Linux Enterprise Real Time Extension 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.14.1, kernel-rt_trace-3.0.101.rt130-69.14.1, kernel-source-rt-3.0.101.rt130-69.14.1, kernel-syms-rt-3.0.101.rt130-69.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    kernel-rt-3.0.101.rt130-69.14.1, kernel-rt_debug-3.0.101.rt130-69.14.1, kernel-rt_trace-3.0.101.rt130-69.14.1

Comment 15 Marcus Meissner 2018-02-09 06:30:17 UTC

released

Comment 16 Marcus Meissner 2018-03-16 08:46:17 UTC

SLE12 SP2 and SP3 have it via

    patches.kernel.org/patch-4.4.63-64

It is still missign for SLES 12 GA and SP1 trees cve/linux-3.12.

Can you please backport it to those too Joey?

Comment 18 Marcus Meissner 2018-05-18 14:51:08 UTC

ping

Comment 22 Joey Lee 2018-10-02 10:09:34 UTC

(In reply to Marcus Meissner from comment #16)
> SLE12 SP2 and SP3 have it via
> 
>     patches.kernel.org/patch-4.4.63-64
> 
> It is still missign for SLES 12 GA and SP1 trees cve/linux-3.12.
> 
> Can you please backport it to those too Joey?

I have backported c9f838d104 patch to cve/linux-3.12, waiting the patch be merged.

Comment 23 Joey Lee 2018-10-02 14:44:24 UTC

(In reply to Marcus Meissner from comment #17)
> als 2.6.32 ? 2.6.16?

I have backported c9f838d104 patch to cve/linux-2.6.32, waiting the patch be merged.

The v2.6.16 missed more patches, I am looking at that does c9f838d104 patch need by v2.6.16.

Comment 24 Joey Lee 2018-10-03 14:07:17 UTC

(In reply to Joey Lee from comment #23)
> (In reply to Marcus Meissner from comment #17)
> > als 2.6.32 ? 2.6.16?
> 
> I have backported c9f838d104 patch to cve/linux-2.6.32, waiting the patch be
> merged.
> 
> The v2.6.16 missed more patches, I am looking at that does c9f838d104 patch
> need by v2.6.16.

I have checked that the install_thread_keyring() and install_process_keyring() in cve/linux-2.6.16 do not have the keyring memory leak issue. It does not need c9f838d104 patch.

Comment 27 Swamp Workflow Management 2019-05-17 19:17:08 UTC

SUSE-SU-2019:1289-1: An update that solves 33 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 1031240,1034862,1066674,1071021,1086535,1091171,1094825,1100001,1102517,1103097,1104475,1105025,1105296,1106913,1107829,1108498,1110768,1111331,1111516,1113751,1113769,1114648,1114920,1115007,1115038,1116345,1116841,1118152,1118319,1119714,1119946,1120743,1120758,1121621,1122015,1123161,1124010,1124728,1124732,1124735,1126890,1128166,1131416,1131427,1132828,1133188
CVE References: CVE-2016-10741,CVE-2017-1000407,CVE-2017-16533,CVE-2017-7273,CVE-2017-7472,CVE-2018-12126,CVE-2018-12127,CVE-2018-12130,CVE-2018-14633,CVE-2018-15572,CVE-2018-16884,CVE-2018-18281,CVE-2018-18386,CVE-2018-18690,CVE-2018-18710,CVE-2018-19407,CVE-2018-19824,CVE-2018-19985,CVE-2018-20169,CVE-2018-5391,CVE-2018-9516,CVE-2018-9568,CVE-2019-11091,CVE-2019-11486,CVE-2019-3459,CVE-2019-3460,CVE-2019-3882,CVE-2019-6974,CVE-2019-7221,CVE-2019-7222,CVE-2019-8564,CVE-2019-9213,CVE-2019-9503
Sources used:
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    kernel-default-3.12.74-60.64.110.1, kernel-source-3.12.74-60.64.110.1, kernel-syms-3.12.74-60.64.110.1, kernel-xen-3.12.74-60.64.110.1, lttng-modules-2.7.0-4.4.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    kernel-default-3.12.74-60.64.110.1, kernel-source-3.12.74-60.64.110.1, kernel-syms-3.12.74-60.64.110.1, kernel-xen-3.12.74-60.64.110.1, lttng-modules-2.7.0-4.4.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.74-60.64.110.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 32 Takashi Iwai 2022-05-23 14:25:29 UTC

The fix is already included in cve/linux-4.4 branch via 4.4.x stable, and Joey already backported the fix to cve/linux-3.0 and cve/linux-2.6.32 branches.
The fix went in 4.11 mainline, so cve/linux-4.12 and later are already fixed.

I updated the patch reference for cve/linux-4.4, and that's all.

Reassigned back to security team.

Comment 33 Gabriele Sonnu 2022-07-18 15:01:36 UTC

Done.