[PATCH 0/1][T] CVE-2017-2647 - DoS or privesc in kernel keyring

Tyler Hicks tyhicks at canonical.com
Tue Nov 20 02:22:33 UTC 2018


https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2647.html

 The KEYS subsystem in the Linux kernel before 3.18 allows local users to
 gain privileges or cause a denial of service (NULL pointer dereference and
 system crash) via vectors involving a NULL value for a certain match field,
 related to the keyring_search_iterator function in keyring.c.

Clean cherry pick from linux-stable. I tested with the reproducer in the
upstream bug report on the keyring mailing list[1] as well as simple keyring
regression testing using test-ecryptfs-utils.py from QRT.

I actually think that Trusty kernel commit 5661a2f3b583 ("KEYS: Change the name
of the dead type to ".dead" to prevent user access"), which fixes
CVE-2017-6951, is sufficient in addressing CVE-2017-2647 but feel more
comfortable applying this fix in addition.

Tyler

[1] https://www.spinics.net/lists/keyrings/msg01845.html
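The CVE text above describes a search iterator that calls a key type's match callback even when that field is NULL. As an added illustration (not the kernel's keyring.c and not the cherry-picked patch), the constructed user-space model below puts the unchecked pattern beside a hardened one that substitutes a default comparison when a type supplies no match callback; the key types, descriptions and function names are all assumptions for the example.

```c
/* Constructed user-space model of the bug class in CVE-2017-2647 (a search
 * iterator calling a key type's match callback that may be NULL). This is an
 * added illustration, not the kernel's keyring.c. */
#include <stddef.h>
#include <string.h>

struct key_type {
    const char *name;
    int (*match)(const char *desc, const void *match_data); /* may be NULL */
};
struct key {
    const struct key_type *type;
    const char *description;
};

static int default_match(const char *desc, const void *match_data)
{
    return strcmp(desc, (const char *)match_data) == 0;
}
/* Constructed types: "user" compares descriptions; ".dead" provides no match. */
static const struct key_type user_type = { "user", default_match };
static const struct key_type dead_type = { ".dead", NULL };

static const struct key keyring[] = {
    { &user_type, "alpha" }, { &dead_type, "beta" }, { &user_type, "gamma" },
};
#define NR_KEYS (sizeof(keyring) / sizeof(keyring[0]))

/* Vulnerable pattern: calls type->match unconditionally. A search for a key
 * of a type whose match field is NULL is a NULL function-pointer call. */
int search_unsafe(const struct key_type *type, const char *desc)
{
    for (size_t i = 0; i < NR_KEYS; i++)
        if (keyring[i].type == type &&
            keyring[i].type->match(keyring[i].description, desc))
            return (int)i;
    return -1;
}

/* Hardened pattern: resolve the callback once and fall back to the default
 * comparison when the type supplies none, so no NULL pointer is ever called. */
int search_safe(const struct key_type *type, const char *desc)
{
    int (*match)(const char *, const void *) = type->match ? type->match : default_match;
    for (size_t i = 0; i < NR_KEYS; i++)
        if (keyring[i].type == type && match(keyring[i].description, desc))
            return (int)i;
    return -1;
}
```

Searching the dead type through search_unsafe is exactly the crash the advisory describes, so only search_safe is exercised with it.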