Control: retitle 854421 [CVE-2017-5550] kernel dumps arbitrary memory when splice()ing from /dev/null
On Tue 2017-02-07 20:21:31 -0500, Ben Hutchings wrote: > Control: reassign -1 src:linux 4.9.2-2 > Control: close -1 4.9.6-3 > Control: severity -1 serious > Control: tag -1 security > > On Tue, 2017-02-07 at 11:14 -0500, Daniel Kahn Gillmor wrote: >> On Tue 2017-02-07 10:49:39 -0500, Daniel Kahn Gillmor wrote: >> > git clone https://0xacab.org/dkg/debian-bug-854421 >> > cd debian-bug-854421 >> > make >> >> interestingly, on at least one machine i try this on, getting it to >> reproduce is very infrequent with plain "make", even with the 20 tries >> on kernel version 4.9.2-2. > > It's much less likely to happen if there's only one CPU. > >> however, "make strace" seems to tickle the bug further, and makes it >> much more likely to reproduce on 4.9.2-2, even though it's only one >> try. >> >> with kernel 4.9.6-3 i haven't been able to reproduce it with either >> "make" or "make strace". > > This is CVE-2017-5550, fixed by: > https://git.kernel.org/linus/b9dc6f65bc5e232d1c05fe34b5daadc7e8bbf1fb Thanks for tracking that down, Ben. I can confirm that it's an infoleak of the worst kind, unfortunately -- i filled the RAM of a root-owned userspace process with an arbitrary string, and then triggered the dump From a non-privileged process and managed to get copies of the arbitrary string :( --dkg
signature.asc
Description: PGP signature