Bug 1039349 - (CVE-2017-1000370) VUL-0: CVE-2017-1000370 CVE-2017-1000371: kernel-source: offset2lib bypass: Qualys new root/setuid privilege escalation method 05-2017
Status: RESOLVED WONTFIX
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Michal Hocko
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2017-1000370:1.2:(AV:...
Depends on:
Blocks: 1037551 1039346
Reported: 2017-05-16 15:23 UTC by Marcus Meissner
Modified: 2020-06-16 18:01 UTC (History)
CC List: 13 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Linux_offset2lib.c (5.20 KB, patch)
2017-05-17 12:31 UTC, Marcus Meissner

Comment 8 Marcus Meissner 2017-05-17 12:31:36 UTC
Created attachment 725384 [details]
Linux_offset2lib.c

QA REPRODUCER:

gcc -o Linux_offset2lib Linux_offset2lib.c
./Linux_offset2lib 0x3f800000

or 
$ ./Linux_offset2lib
Comment 9 Michal Hocko 2017-05-17 13:42:32 UTC
(In reply to Marcus Meissner from comment #8)
> Created attachment 725384 [details]
> Linux_offset2lib.c
> 
> QA REPRODUCER:
> 
> gcc -o Linux_offset2lib Linux_offset2lib.c
> ./Linux_offset2lib 0x3f800000
> 
> or 
> $ ./Linux_offset2lib

this seems to be targeting 32b and won't do anything on 64b. The more I think about this the more I am convinced that such an attack is not realistic on 64b much. The gap between stack and the mmap bases is really large (mmap_base() ~5/6 address space aka TASK_SIZE) and new mmaps grow down. Unless the machine has close enough memory to fill up the full TASK_SIZE then the whole thing seems moot to me. Or do I miss anything?
Comment 12 Marcus Meissner 2017-05-23 11:58:48 UTC
Embargo was changed to:

CRD: 2017-06-19
Comment 13 Marcus Meissner 2017-06-19 11:50:08 UTC
CVE-2017-1000370 CVE-2017-FOTL
The offset2lib patch as used in the Linux Kernel contains a
vulnerability that allows a PIE binary to be execve()'ed with 1GB of
arguments or environmental strings; then the stack occupies the address
0x80000000 and the PIE binary is mapped above 0x40000000, nullifying the
protection of the offset2lib patch. This affects Linux Kernel version
XXXX. This is a different issue than CVE-2017-1000371.

CVE-2017-1000371 CVE-2017-SOTL
The offset2lib patch as used by the Linux Kernel contains a
vulnerability: if RLIMIT_STACK is set to RLIMIT_INFINITY and 1 Gigabyte
of memory is allocated (the maximum under the 1/4 restriction) then the
stack will grow down to 0x80000000, and as the PIE binary is mapped
above 0x80000000 the minimum distance between the end of the PIE
binary's read-write segment and the start of the stack becomes small
enough that the stack guard page can be jumped over by an attacker. This
affects Linux Kernel version XXXX. This is a different issue than
CVE-2017-1000370 and CVE-2017-1000365.
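As an added example (not from this bug report, the Qualys advisory or any kernel code), a small audit that measures the quantity Comment 9 and Comment 13 argue about: the unmapped distance between [stack] and the nearest mapping below it, read from /proc/<pid>/maps. The 256-page guard size, the constructed i386 sample addresses and the helper names are assumptions.

```python
import re

PAGE = 4096
GUARD_PAGES = 256  # assumed: default stack_guard_gap after the 2017 Stack Clash fixes
MAPS_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S+)\s+\S+\s+\S+\s+\S+\s*(.*)$")

def parse_maps(text):
    """Return (start, end, perms, name) tuples from /proc/<pid>/maps text."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            start, end, perms, name = m.groups()
            regions.append((int(start, 16), int(end, 16), perms, name))
    return regions

def stack_gap(regions):
    """Bytes of unmapped space directly below [stack], plus the neighbour's name."""
    stack = next((r for r in regions if r[3] == "[stack]"), None)
    if stack is None:
        raise ValueError("no [stack] region in maps")
    below = [r for r in regions if r[1] <= stack[0]]
    if not below:
        return stack[0], None
    nearest = max(below, key=lambda r: r[1])
    return stack[0] - nearest[1], nearest[3] or "<anon>"

def assess(text, guard_pages=GUARD_PAGES):
    """Flag a layout in which the stack sits within guard_pages of its neighbour."""
    gap, name = stack_gap(parse_maps(text))
    return {"gap_bytes": gap, "gap_pages": gap // PAGE, "neighbour": name,
            "within_guard": gap <= guard_pages * PAGE}

def stack_rlimit_unlimited():
    """True when RLIMIT_STACK is unlimited, the precondition CVE-2017-1000371 names."""
    import resource  # Unix only
    return resource.getrlimit(resource.RLIMIT_STACK)[0] == resource.RLIM_INFINITY

# Constructed i386 layout mirroring the bug text: 1 GB of argument strings has pushed
# the stack down to 0x80000000 and the PIE's brk heap ends one page below it.
SAMPLE_I386 = """\
7ffe8000-7ffea000 r-xp 00000000 08:01 4242 /tmp/pie
7ffea000-7ffec000 rw-p 00001000 08:01 4242 /tmp/pie
7ffec000-7ffff000 rw-p 00000000 00:00 0 [heap]
80000000-c0000000 rw-p 00000000 00:00 0 [stack]
"""

if __name__ == "__main__":
    print(assess(SAMPLE_I386))  # one page of separation: within_guard True
    with open("/proc/self/maps") as f:  # live check of this process on Linux
        print(assess(f.read()), "RLIMIT_STACK unlimited:", stack_rlimit_unlimited())
```

Running it against a real process shows the 64-bit case from Comment 9: the gap is hundreds of megabytes, far beyond any guard gap, while the constructed i386 sample reports a single page.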
Comment 14 Marcus Meissner 2017-06-19 15:20:08 UTC
This issue is now public:

https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Comment 15 Marcus Meissner 2017-06-20 09:41:16 UTC
Michal or someone, can you elaborate on what we need of those and where we are affected?
Comment 22 Marcus Meissner 2017-09-04 14:28:17 UTC
The Upstream Kernel is solving this problem differently.

The approach will be resetting ulimits for setuid binaries so this kind of attack trick is no longer working.
Comment 23 Swamp Workflow Management 2017-09-19 13:16:18 UTC
SUSE-SU-2017:2525-1: An update that solves 40 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1006919,1012422,1013862,1017143,1020229,1021256,1023051,1024938,1025013,1025235,1026024,1026722,1026914,1027066,1027101,1027178,1027179,1027406,1028415,1028880,1029212,1029850,1030213,1030573,1030575,1030593,1031003,1031052,1031440,1031481,1031579,1031660,1033287,1033336,1034670,1034838,1035576,1037182,1037183,1037994,1038544,1038564,1038879,1038883,1038981,1038982,1039349,1039354,1039456,1039594,1039882,1039883,1039885,1040069,1041431,1042364,1042863,1042892,1044125,1045416,1045487,1046107,1048232,1048275,1049483,1049603,1049882,1050677,1052311,1053148,1053152,1053760,1056588,870618,948562,957988,957990,963655,972891,979681,983212,986924,989896,999245
CVE References: CVE-2016-10200,CVE-2016-5243,CVE-2017-1000112,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-11473,CVE-2017-12762,CVE-2017-14051,CVE-2017-2647,CVE-2017-2671,CVE-2017-5669,CVE-2017-5970,CVE-2017-5986,CVE-2017-6074,CVE-2017-6214,CVE-2017-6348,CVE-2017-6353,CVE-2017-6951,CVE-2017-7184,CVE-2017-7187,CVE-2017-7261,CVE-2017-7294,CVE-2017-7308,CVE-2017-7482,CVE-2017-7487,CVE-2017-7533,CVE-2017-7542,CVE-2017-7616,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-source-3.0.101-0.47.106.5.1, kernel-syms-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Server 11-EXTRA (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-source-3.0.101-0.47.106.5.1, kernel-syms-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    kernel-bigsmp-3.0.101-0.47.106.5.1, kernel-default-3.0.101-0.47.106.5.1, kernel-ec2-3.0.101-0.47.106.5.1, kernel-pae-3.0.101-0.47.106.5.1, kernel-trace-3.0.101-0.47.106.5.1, kernel-xen-3.0.101-0.47.106.5.1
Comment 24 Swamp Workflow Management 2017-11-02 17:16:13 UTC
SUSE-SU-2017:2920-1: An update that solves 36 vulnerabilities and has 22 fixes is now available.

Category: security (important)
Bug References: 1008353,1012422,1017941,1029850,1030593,1032268,1034405,1034670,1035576,1035877,1036752,1037182,1037183,1037306,1037994,1038544,1038879,1038981,1038982,1039348,1039349,1039354,1039456,1039721,1039882,1039883,1039885,1040069,1041431,1041958,1044125,1045327,1045487,1045922,1046107,1047408,1048275,1049645,1049882,1052593,1053148,1053152,1056588,1056982,1057179,1058038,1058410,1058507,1058524,1062520,1063667,1064388,938162,975596,977417,984779,985562,990682
CVE References: CVE-2015-9004,CVE-2016-10229,CVE-2016-9604,CVE-2017-1000363,CVE-2017-1000365,CVE-2017-1000380,CVE-2017-10661,CVE-2017-11176,CVE-2017-12153,CVE-2017-12154,CVE-2017-12762,CVE-2017-13080,CVE-2017-14051,CVE-2017-14106,CVE-2017-14140,CVE-2017-15265,CVE-2017-15274,CVE-2017-15649,CVE-2017-2647,CVE-2017-6951,CVE-2017-7482,CVE-2017-7487,CVE-2017-7518,CVE-2017-7541,CVE-2017-7542,CVE-2017-7889,CVE-2017-8106,CVE-2017-8831,CVE-2017-8890,CVE-2017-8924,CVE-2017-8925,CVE-2017-9074,CVE-2017-9075,CVE-2017-9076,CVE-2017-9077,CVE-2017-9242
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    kernel-default-3.12.61-52.101.1, kernel-source-3.12.61-52.101.1, kernel-syms-3.12.61-52.101.1, kernel-xen-3.12.61-52.101.1, kgraft-patch-SLE12_Update_28-1-8.1
SUSE Linux Enterprise Module for Public Cloud 12 (src):    kernel-ec2-3.12.61-52.101.1