proc_keys_show crash when reading /proc/keys

Bug #1634496 reported by Colin Ian King on 2016-10-18
This bug affects 2 people
Affects          Status        Importance  Assigned to      Milestone
Linux            Fix Released  Medium
linux (Ubuntu)                 High        Colin Ian King
Precise                        High        Colin Ian King
Trusty                         High        Colin Ian King
Vivid                          High        Colin Ian King
Xenial                         High        Colin Ian King
Yakkety                        High        Colin Ian King

Bug Description

Running stress-ng /proc test trips the following crash:

[ 5315.044206] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff8956b1ae
[ 5315.044206]
[ 5315.044883] CPU: 0 PID: 4820 Comm: Tainted: P OE 4.8.0-25-generic #27-Ubuntu
[ 5315.045361] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu2 04/01/2014
[ 5315.045911] 0000000000000086 00000000b337622b ffff8fe574f37c78 ffffffff8962f5d2
[ 5315.046371] 00000000b3405b00 ffffffff89e83530 ffff8fe574f37d00 ffffffff8939e71c
[ 5315.046841] ffff8fe500000010 ffff8fe574f37d10 ffff8fe574f37ca8 00000000b337622b
[ 5315.047305] Call Trace:
[ 5315.047457] [<ffffffff8962f5d2>] dump_stack+0x63/0x81
[ 5315.047763] [<ffffffff8939e71c>] panic+0xe4/0x226
[ 5315.048049] [<ffffffff8956b1ae>] ? proc_keys_show+0x3ce/0x3d0
[ 5315.048398] [<ffffffff89282b89>] __stack_chk_fail+0x19/0x30
[ 5315.048735] [<ffffffff8956b1ae>] proc_keys_show+0x3ce/0x3d0
[ 5315.049072] [<ffffffff895686b0>] ? key_validate+0x50/0x50
[ 5315.049396] [<ffffffff89565d70>] ? key_default_cmp+0x20/0x20
[ 5315.049737] [<ffffffff89459832>] seq_read+0x102/0x3c0
[ 5315.050042] [<ffffffff894a6302>] proc_reg_read+0x42/0x70
[ 5315.050363] [<ffffffff89432448>] __vfs_read+0x18/0x40
[ 5315.050674] [<ffffffff89432ba6>] vfs_read+0x96/0x130
[ 5315.050977] [<ffffffff89434085>] SyS_read+0x55/0xc0
[ 5315.051275] [<ffffffff89a9f076>] entry_SYSCALL_64_fastpath+0x1e/0xa8
[ 5315.051735] Kernel Offset: 0x8200000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff)
[ 5315.052563] ---[ end Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff8956b1ae
[ 5315.052563]

"The proc_keys_show function in security/keys/proc.c in the Linux kernel through 4.8.2, when the GNU Compiler Collection (gcc) stack protector is enabled, uses an incorrect buffer size for certain timeout data, which allows local users to cause a denial of service (stack memory corruption and panic) by reading the /proc/keys file."

Fix detailed in: https://bugzilla.redhat.com/show_bug.cgi?id=1373966
see: https://bugzilla.redhat.com/attachment.cgi?id=1200212&action=diff

It was found that when gcc stack protector is turned on, proc_keys_show() can cause a panic due to stack corruption. This happens because xbuf[] is not big enough to hold a 64-bit timeout rendered as weeks.

Product bug:

https://bugzilla.redhat.com/show_bug.cgi?id=1373499

Acknowledgments:

Name: Ondrej Kozina (Red Hat)

Statement:

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 5. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.

This issue affects the Linux kernel packages as shipped with Red Hat Enterprise Linux 6, 7 and Red Hat Enterprise MRG-2. Future Linux kernel updates for the respective releases might address this issue.

Created attachment 1200212
Fix for buffer overflow in proc_keys_show

CVE ID CVE-2016-7042 was assigned to this flaw internally by Red Hat. Please use it in public communications regarding this flaw.
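The root cause described above (a fixed-size xbuf[] that cannot hold the largest 64-bit timeout once it is rendered as a number of weeks) is easy to check mechanically. The following user-space program is an added illustration, not code from this bug report or from the kernel's security/keys/proc.c: it re-creates the unit rendering (seconds, minutes, hours, days, weeks) that /proc/keys applies to a key's remaining lifetime, uses snprintf's return value to measure how long the worst-case rendering is, and reports whether a candidate array size is safe. The function names and the two candidate sizes (12 and 16 bytes) are assumptions made for the example; the report itself does not state the array's size.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed for this example: a user-space re-creation of the unit
 * rendering /proc/keys applies to a key's remaining lifetime.  The value is
 * printed in seconds, minutes, hours, days or weeks with a one-letter suffix.
 * snprintf returns the number of characters the complete rendering needs,
 * so a return value >= buflen means a plain sprintf into an array of that
 * size would have written past its end (the stack corruption in this report).
 */
int render_timeout(uint64_t timo, char *buf, size_t buflen)
{
    if (timo < 60)
        return snprintf(buf, buflen, "%" PRIu64 "s", timo);
    if (timo < 60 * 60)
        return snprintf(buf, buflen, "%" PRIu64 "m", timo / 60);
    if (timo < 60 * 60 * 24)
        return snprintf(buf, buflen, "%" PRIu64 "h", timo / (60 * 60));
    if (timo < 60 * 60 * 24 * 7)
        return snprintf(buf, buflen, "%" PRIu64 "d", timo / (60 * 60 * 24));
    return snprintf(buf, buflen, "%" PRIu64 "w", timo / (60 * 60 * 24 * 7));
}

/*
 * The longest rendering is the largest 64-bit timeout expressed in weeks.
 * Measure it instead of guessing; the result includes the terminating NUL.
 */
size_t required_xbuf_size(void)
{
    char probe[32]; /* comfortably larger than any possible rendering */
    int n = render_timeout(UINT64_MAX, probe, sizeof probe);
    return (size_t)n + 1;
}

/* Returns 1 if an array of buflen bytes holds every rendering, else 0. */
int xbuf_size_is_safe(size_t buflen)
{
    return buflen >= required_xbuf_size();
}

int main(void)
{
    /* Assumed candidate sizes for comparison (not taken from the report). */
    const size_t candidates[] = { 12, 16 };
    char out[32];
    int n = render_timeout(UINT64_MAX, out, sizeof out);

    printf("worst case: \"%s\" (%d chars + NUL -> needs %zu bytes)\n",
           out, n, required_xbuf_size());
    for (size_t i = 0; i < sizeof candidates / sizeof candidates[0]; i++)
        printf("xbuf[%zu]: %s\n", candidates[i],
               xbuf_size_is_safe(candidates[i]) ? "safe" : "would overflow");
    return 0;
}
```

The general lesson is the one the stack protector enforced here the hard way: when a fixed-size stack array receives formatted output, derive its size from the widest value the format can produce (or use snprintf with sizeof and check the return value) rather than from the values seen in testing. The same measurement approach works for any "number plus suffix" rendering, not just this one.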

Changed in linux (Ubuntu):
importance: Undecided → High
status: New → In Progress
information type: Private Security → Public Security
Changed in linux (Ubuntu):
assignee: nobody → Colin Ian King (colin-king)
Seth Forshee (sforshee) on 2016-10-20
Changed in linux (Ubuntu Precise):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Trusty):
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Vivid):
assignee: nobody → Colin Ian King (colin-king)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Precise):
assignee: nobody → Colin Ian King (colin-king)
Changed in linux (Ubuntu Trusty):
assignee: nobody → Colin Ian King (colin-king)
Changed in linux (Ubuntu Xenial):
assignee: nobody → Colin Ian King (colin-king)
importance: Undecided → High
status: New → In Progress
Changed in linux (Ubuntu Yakkety):
assignee: nobody → Colin Ian King (colin-king)
importance: Undecided → High
status: New → In Progress
Seth Forshee (sforshee) on 2016-10-20
Changed in linux (Ubuntu Yakkety):
status: In Progress → Fix Committed
Changed in linux (Ubuntu Xenial):
status: In Progress → Fix Committed
Seth Forshee (sforshee) on 2016-10-20
Changed in linux (Ubuntu Vivid):
status: In Progress → Fix Committed
Seth Forshee (sforshee) on 2016-10-20
Changed in linux (Ubuntu Trusty):
status: In Progress → Fix Committed
Seth Forshee (sforshee) on 2016-10-20
Changed in linux (Ubuntu Precise):
status: In Progress → Fix Committed
Seth Forshee (sforshee) wrote :

Verified that this is fixed in all -proposed kernels. In precise, /proc/keys is not present as a result of CONFIG_KEYS_DEBUG_PROC_KEYS=n; however, it's a trivial fix and there's no harm in carrying the patch.

tags: added: verification-done-precise verification-done-trusty verification-done-vivid verification-done-xenial verification-done-yakkety
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.2.0-115.157

---------------
linux (3.2.0-115.157) precise; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1636537

  * CVE-2016-5195
    - Revert "UBUNTU:SAUCE: mm: remove gup_flags FOLL_WRITE games from
      __get_user_pages()"
    - mm, gup: close FOLL MAP_PRIVATE race

linux (3.2.0-114.156) precise; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635436

  * proc_keys_show crash when reading /proc/keys (LP: #1634496)
    - SAUCE: KEYS: ensure xbuf is large enough to fix buffer overflow in
      proc_keys_show (LP: #1634496)

  * CVE-2016-7117
    - net: Fix use after free in the recvmmsg exit path

  * CVE-2015-7833
    - usbvision: revert commit 588afcc1

 -- Seth Forshee <email address hidden> Tue, 25 Oct 2016 09:58:32 -0500

Changed in linux (Ubuntu Precise):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.13.0-101.148

---------------
linux (3.13.0-101.148) trusty; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635430

  * [arm64] nova instances can't boot with 3.13.0-92 (LP: #1608854)
    - Revert "efi: Disable interrupts around EFI calls, not in the epilog/prolog
      calls"
    - Revert "x86/efi: Use all 64 bit of efi_memmap in setup_e820()"
    - Revert "x86/efi: Store upper bits of command line buffer address in
      ext_cmd_line_ptr"
    - Revert "efivarfs: Ensure VariableName is NUL-terminated"
    - Revert "efi/libstub: Fix boundary checking in efi_high_alloc()"
    - Revert "arm64: efi: only attempt efi map setup if booting via EFI"
    - Revert "UBUNTU: arm64: Implement efi_enabled()"
    - Revert "efi/arm64: ignore dtb= when UEFI SecureBoot is enabled"
    - Revert "doc: arm64: add description of EFI stub support"
    - Revert "UBUNTU: Move get_dram_base to arm private file"
    - Revert "arm64: efi: add EFI stub"
    - Revert "arm64: add EFI runtime services"
    - Revert "efi: Add shared FDT related functions for ARM/ARM64"
    - Revert "efi: add helper function to get UEFI params from FDT"
    - Revert "doc: efi-stub.txt updates for ARM"
    - Revert "efi: Add get_dram_base() helper function"
    - Revert "efi: create memory map iteration helper"
    - Revert "x86, ia64: Move EFI_FB vga_default_device() initialization to
      pci_vga_fixup()"
    - Revert "firmware: Do not use WARN_ON(!spin_is_locked())"
    - Revert "efi-pstore: Fix an overflow on 32-bit builds"
    - Revert "x86/efi: Fix 32-bit fallout"
    - Revert "x86/efi: Check krealloc return value"
    - Revert "x86/efi: Runtime services virtual mapping"
    - Revert "x86/efi: Fix off-by-one bug in EFI Boot Services reservation"
    - x86/efi: Simplify EFI_DEBUG
    - x86/efi: Runtime services virtual mapping
    - x86/efi: Check krealloc return value
    - SAUCE: Merge tag 'efi-next' of
      git://git.kernel.org/pub/scm/linux/kernel/git/mfleming/efi into x86/efi
    - doc: Fix trivial spelling mistake in efi-stub.txt
    - x86/efi: Remove unused variables in __map_region()
    - x86/efi: Add a wrapper function efi_map_region_fixed()
    - x86/efi: Fix off-by-one bug in EFI Boot Services reservation
    - x86/efi: Cleanup efi_enter_virtual_mode() function
    - efi: Export more EFI table variables to sysfs
    - [Config] CONFIG_EFI_RUNTIME_MAP=y
    - efi: Export EFI runtime memory mapping to sysfs
    - x86/efi: Pass necessary EFI data for kexec via setup_data
    - x86/efi: Delete superfluous global variables
    - x86/efi: parse_efi_setup() build fix
    - SAUCE: Merge tag 'v3.13-rc7' into x86/efi-kexec to resolve conflicts
    - x86/efi: Allow mapping BGRT on x86-32
    - x86/efi: Fix 32-bit fallout
    - x86/efi: Check status field to validate BGRT header
    - x86/efi: Quirk out SGI UV
    - v3.14 - Bacported EFI up to v3.14
    - efi: Move facility flags to struct efi
    - efi: Set feature flags inside feature init functions
    - efivarfs: 'efivarfs_file_write' function reorganization
    - x86/efi: Delete out-of-date comments of efi_query_variable_store
    - x86/efi: Style neatening
    - x8...

Changed in linux (Ubuntu Trusty):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 3.19.0-74.82

---------------
linux (3.19.0-74.82) vivid; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635424

  * proc_keys_show crash when reading /proc/keys (LP: #1634496)
    - SAUCE: KEYS: ensure xbuf is large enough to fix buffer overflow in
      proc_keys_show (LP: #1634496)

  * CVE-2015-7833
    - usbvision: revert commit 588afcc1

  * CVE-2015-7837
    - SAUCE: (no-up) kexec/uefi: copy secure_boot flag in boot params across kexec
      reboot

 -- Seth Forshee <email address hidden> Thu, 20 Oct 2016 16:26:38 -0500

Changed in linux (Ubuntu Vivid):
status: Fix Committed → Fix Released
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.4.0-47.68

---------------
linux (4.4.0-47.68) xenial; urgency=low

  [ Kamal Mostafa ]

  * Release Tracking Bug
    - LP: #1636941

  * Add a driver for Amazon Elastic Network Adapters (ENA) (LP: #1635721)
    - lib/bitmap.c: conversion routines to/from u32 array
    - net: ethtool: add new ETHTOOL_xLINKSETTINGS API
    - net: ena: Add a driver for Amazon Elastic Network Adapters (ENA)
    - [config] enable CONFIG_ENA_ETHERNET=m (Amazon ENA driver)

  * unexpectedly large memory usage of mounted snaps (LP: #1636847)
    - [Config] switch squashfs to single threaded decode

 -- Kamal Mostafa <email address hidden> Wed, 26 Oct 2016 10:47:55 -0700

Changed in linux (Ubuntu Xenial):
status: Fix Committed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package linux - 4.8.0-27.29

---------------
linux (4.8.0-27.29) yakkety; urgency=low

  [ Seth Forshee ]

  * Release Tracking Bug
    - LP: #1635377

  * proc_keys_show crash when reading /proc/keys (LP: #1634496)
    - SAUCE: KEYS: ensure xbuf is large enough to fix buffer overflow in
      proc_keys_show (LP: #1634496)

  * Revert "If zone is so small that watermarks are the same, stop zone balance"
    in yakkety (LP: #1632894)
    - Revert "UBUNTU: SAUCE: (no-up) If zone is so small that watermarks are the
      same, stop zone balance."

  * lts-yakkety 4.8 cannot mount lvm raid1 (LP: #1631298)
    - SAUCE: (no-up) dm raid: fix compat_features validation

  * kswapd0 100% CPU usage (LP: #1518457)
    - SAUCE: (no-up) If zone is so small that watermarks are the same, stop zone
      balance.

  * [Trusty->Yakkety] powerpc/64: Fix incorrect return value from
    __copy_tofrom_user (LP: #1632462)
    - SAUCE: (no-up) powerpc/64: Fix incorrect return value from
      __copy_tofrom_user

  * Ubuntu 16.10: Oops panic in move_page_tables/page_remove_rmap after running
    memory_stress_ng. (LP: #1628976)
    - SAUCE: (no-up) powerpc/pseries: Fix stack corruption in htpe code

  * Paths not failed properly when unmapping virtual FC ports in VIOS (using
    ibmvfc) (LP: #1632116)
    - scsi: ibmvfc: Fix I/O hang when port is not mapped

  * [Ubuntu16.10]KV4.8: kernel livepatch config options are not set
    (LP: #1626983)
    - [Config] Enable live patching on powerpc/ppc64el

  * CONFIG_AUFS_XATTR is not set (LP: #1557776)
    - [Config] CONFIG_AUFS_XATTR=y

  * Yakkety update to 4.8.1 stable release (LP: #1632445)
    - arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP
    - Using BUG_ON() as an assert() is _never_ acceptable
    - usb: misc: legousbtower: Fix NULL pointer deference
    - Staging: fbtft: Fix bug in fbtft-core
    - usb: usbip: vudc: fix left shift overflow
    - USB: serial: cp210x: Add ID for a Juniper console
    - Revert "usbtmc: convert to devm_kzalloc"
    - ALSA: hda - Adding one more ALC255 pin definition for headset problem
    - ALSA: hda - Fix headset mic detection problem for several Dell laptops
    - ALSA: hda - Add the top speaker pin config for HP Spectre x360
    - Linux 4.8.1

  * PSL data cache should be flushed before resetting CAPI adapter
    (LP: #1632049)
    - cxl: Flush PSL cache before resetting the adapter

  * thunder nic: avoid link delays due to RX_PACKET_DIS (LP: #1630038)
    - net: thunderx: Don't set RX_PACKET_DIS while initializing

  * crypto/vmx/p8_ghash memory corruption (LP: #1630970)
    - crypto: ghash-generic - move common definitions to a new header file
    - crypto: vmx - Fix memory corruption caused by p8_ghash
    - crypto: vmx - Ensure ghash-generic is enabled

  * arm64: SPCR console not autodetected (LP: #1630311)
    - of/serial: move earlycon early_param handling to serial
    - [Config] CONFIG_ACPI_SPCR_TABLE=y
    - ACPI: parse SPCR and enable matching console
    - ARM64: ACPI: enable ACPI_SPCR_TABLE
    - serial: pl011: add console matching function

  * include/linux/security.h header syntax error with !CONFIG_SECURITYFS
...


Changed in linux (Ubuntu Yakkety):
status: Fix Committed → Fix Released
Changed in linux (Ubuntu):
status: In Progress → Fix Released

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0817 https://rhn.redhat.com/errata/RHSA-2017-0817.html

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2077 https://access.redhat.com/errata/RHSA-2017:2077

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1842 https://access.redhat.com/errata/RHSA-2017:1842

This issue has been addressed in the following products:

  Red Hat Enterprise MRG 2

Via RHSA-2017:2669 https://access.redhat.com/errata/RHSA-2017:2669

Changed in linux:
importance: Unknown → Medium
status: Unknown → Confirmed
Changed in linux:
status: Confirmed → Fix Released