Bug 1297475 (CVE-2016-0728) - CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility
Summary: CVE-2016-0728 kernel: Possible use-after-free vulnerability in keyring facility
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-0728
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1298035 1298036 1298037 1298038 1298039 1298040 1298931
Blocks:
 
Reported: 2016-01-11 15:42 UTC by Adam Mariš
Modified: 2021-02-17 04:31 UTC (History)
CC List: 76 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-01-29 13:49:29 UTC
Embargoed:


Attachments
prototype systemtap band-aid mk. e (deleted), 2016-01-19 17:25 UTC, Frank Ch. Eigler
Proposed patch (deleted), 2016-01-20 09:53 UTC, Wade Mealing


Links
Red Hat Knowledge Base (Article) 2131021, last updated 2016-01-25 01:52:13 UTC
Red Hat Knowledge Base (Solution) 2130791, last updated 2016-01-20 01:12:40 UTC
Red Hat Product Errata RHSA-2016:0064 (normal, SHIPPED_LIVE): Important: kernel security update, last updated 2016-01-26 00:27:41 UTC
Red Hat Product Errata RHSA-2016:0065 (normal, SHIPPED_LIVE): Important: kernel-rt security update, last updated 2016-01-26 00:13:36 UTC
Red Hat Product Errata RHSA-2016:0068 (normal, SHIPPED_LIVE): Important: kernel-rt security update, last updated 2016-01-26 18:59:44 UTC
Red Hat Product Errata RHSA-2016:0103 (normal, SHIPPED_LIVE): Important: kernel security, bug fix, and enhancement update, last updated 2016-02-02 21:58:30 UTC

Description Adam Mariš 2016-01-11 15:42:09 UTC
It was reported that a possible use-after-free vulnerability in the keyring facility, possibly leading to local privilege escalation, was found. The function join_session_keyring in security/keys/process_keys.c holds a reference to the requested keyring, but if that keyring is the same as the one currently used by the process, the kernel would not decrease keyring->usage before returning to userspace. The usage field can possibly be overflowed, causing a use-after-free on the keyring object.

Introduced by:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=3a50597de8635cd05133bd12c95681c82fe7b878

References:
http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/

Red Hat KCS article:
https://access.redhat.com/articles/2131021

Upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=23567fd052a9abb6d67fe8e7a9ccdd9800a540f2
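The reference leak the description outlines, as an added userspace model in C (not the kernel's code or the upstream patch); the struct, the key_get/key_put/find_keyring_by_name stand-ins, the 'fixed' switch and the constructed keyring name "_ses" are assumptions made for the example, which contrasts the unpatched early-return path with the patched one:

```c
/* Added model of the reference leak behind CVE-2016-0728; not kernel code.
 * A 32-bit 'usage' field stands in for keyring->usage, and join_session()
 * mirrors join_session_keyring(): look the keyring up by name (taking a
 * reference) and return early if it is already the caller's session keyring. */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

struct keyring { const char *name; uint32_t usage; };  /* usage: refcount */

static struct keyring *key_get(struct keyring *k) { k->usage++; return k; }
static void key_put(struct keyring *k) { k->usage--; }

/* Stand-in for find_keyring_by_name(): success returns a new reference
 * that the caller must either install or put. */
static struct keyring *find_keyring_by_name(struct keyring *k, const char *name)
{
    return strcmp(k->name, name) == 0 ? key_get(k) : NULL;
}

/* 'fixed' selects the behaviour after the upstream patch; returns 0 on success. */
static int join_session(struct keyring **session, struct keyring *named,
                        const char *name, bool fixed)
{
    struct keyring *keyring = find_keyring_by_name(named, name);
    if (!keyring)
        return -1;
    if (keyring == *session) {
        /* Already our session keyring, so the lookup reference is surplus.
         * The fix drops it here; unpatched, usage climbs by one per call. */
        if (fixed)
            key_put(keyring);
        return 0;
    }
    if (*session)
        key_put(*session);
    *session = keyring;   /* lookup reference now belongs to the session */
    return 0;
}

/* Usage count of a keyring (held once by the name table) after n repeated
 * joins of the same constructed name "_ses" from one process. */
uint32_t usage_after_joins(unsigned n, bool fixed)
{
    struct keyring kr = { "_ses", 1 };
    struct keyring *session = NULL;
    for (unsigned i = 0; i < n; i++)
        join_session(&session, &kr, "_ses", fixed);
    return kr.usage;
}
```

With the unpatched path the count grows by one per repeated join, which is the behaviour the /proc/keys observations in the later comments track; the patched path leaves it stable.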

Comment 5 Wade Mealing 2016-01-13 04:49:43 UTC
Acknowledgements:

Name: the Perception Point research team

Comment 6 Wade Mealing 2016-01-14 06:54:17 UTC
Statement:

This issue does not affect the Linux kernels as shipped with Red Hat Enterprise Linux 5 and 6. 

Refer to https://access.redhat.com/node/2131021 for further information.

Comment 13 Frank Ch. Eigler 2016-01-19 17:25:15 UTC
Created attachment 1116284 [details]
prototype systemtap band-aid mk. e

Further investigation with larger versions of the systemtap band-aid script suggests that the larger exploit manages somehow to increment the key refcount by 2 (!!) per iteration - one of which the stap band-aid does successfully roll back.

The smaller exploit increments it by 1 per iteration, so after the band-aid application, the visible /proc/keys refcount stays static.

Comment 15 Frank Ch. Eigler 2016-01-19 19:52:32 UTC
Further experiments with the systemtap band-aid from comment #13 indicate:

- fedora22 4.2.6-200.fc22.x86_64: stap band-aid works for both exploits
  (refcounts on /proc/keys fluctuate up & down during big exploit, within
  reasonable O(10000) ranges, then keyring is gc'd at exploit interrupt)

- git linux + patch, no stap band-aid: identical behaviour

- rhel7 3.10.0-327.4.4.el7.x86_64: stap band-aid works for both exploits,
  identical behaviour

I can't explain my previous observations in comment #11; am suspecting
that the rhel7 VM being tested was already subtly corrupted during prior
testing.  The new results are post-reboot.

So, this appears to provide protection:

# debuginfo-install kernel     (or equivalent)
# stap -vgt -Gfix_p=1 -Gtrace_p=0 cve20160728e.stp

Comment 17 Wade Mealing 2016-01-20 09:53:22 UTC
Created attachment 1116563 [details]
Proposed patch

Comment 24 Vincent Danen 2016-01-21 16:50:53 UTC
External References:

https://access.redhat.com/node/2131021

Comment 25 errata-xmlrpc 2016-01-25 19:14:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0065 https://rhn.redhat.com/errata/RHSA-2016-0065.html

Comment 26 errata-xmlrpc 2016-01-25 19:28:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0064 https://rhn.redhat.com/errata/RHSA-2016-0064.html

Comment 29 errata-xmlrpc 2016-01-26 14:00:38 UTC
This issue has been addressed in the following products:

  MRG for RHEL-6 v.2

Via RHSA-2016:0068 https://rhn.redhat.com/errata/RHSA-2016-0068.html

Comment 30 Fedora Update System 2016-01-26 18:22:11 UTC
kernel-4.3.3-303.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

Comment 31 Fedora Update System 2016-02-01 06:25:09 UTC
kernel-4.3.4-200.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 32 errata-xmlrpc 2016-02-02 17:03:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7.1 EUS - Server and Compute Node Only

Via RHSA-2016:0103 https://rhn.redhat.com/errata/RHSA-2016-0103.html
