Vulnerabilities > CVE-2017-1000255 - Out-of-bounds Write vulnerability in Linux Kernel

047910
CVSS 6.6 - MEDIUM
Attack vector
LOCAL
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
COMPLETE
Availability impact
COMPLETE
local
low complexity
linux
ibm
CWE-787
nessus

Summary

On Linux running on PowerPC hardware (Power8 or later) a user process can craft a signal frame and then do a sigreturn so that the kernel will take an exception (interrupt), and use the r1 value *from the signal frame* as the kernel stack pointer. As part of the exception entry the content of the signal frame is written to the kernel stack, allowing an attacker to overwrite arbitrary locations with arbitrary values. The exception handling does produce an oops, and a panic if panic_on_oops=1, but only after kernel memory has been over written. This flaw was introduced in commit: "5d176f751ee3 (powerpc: tm: Enable transactional memory (TM) lazily for userspace)" which was merged upstream into v4.9-rc1. Please note that kernels built with CONFIG_PPC_TRANSACTIONAL_MEM=n are not vulnerable.

Vulnerable Configurations

Part Description Count
OS
Linux
1
Hardware
Ibm
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-C110AC0EB1.NASL
    descriptionThe 4.13.8 update contains a number of important fixes across the tree. ---- The 4.13.6 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-10-26
    plugin id104158
    published2017-10-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104158
    titleFedora 26 : kernel (2017-c110ac0eb1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3487-1.NASL
    descriptionIt was discovered that the KVM subsystem in the Linux kernel did not properly keep track of nested levels in guest page tables. A local attacker in a guest VM could use this to cause a denial of service (host OS crash) or possibly execute arbitrary code in the host OS. (CVE-2017-12188) It was discovered that on the PowerPC architecture, the kernel did not properly sanitize the signal stack when handling sigreturn(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-1000255) Bo Zhang discovered that the netlink wireless configuration interface in the Linux kernel did not properly validate attributes when handling certain requests. A local attacker with the CAP_NET_ADMIN could use this to cause a denial of service (system crash). (CVE-2017-12153) It was discovered that the nested KVM implementation in the Linux kernel in some situations did not properly prevent second level guests from reading and writing the hardware CR8 register. A local attacker in a guest could use this to cause a denial of service (system crash). (CVE-2017-12154) Vitaly Mayatskikh discovered that the SCSI subsystem in the Linux kernel did not properly track reference counts when merging buffers. A local attacker could use this to cause a denial of service (memory exhaustion). (CVE-2017-12190) It was discovered that the key management subsystem in the Linux kernel did not properly restrict key reads on negatively instantiated keys. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-12192) It was discovered that the ATI Radeon framebuffer driver in the Linux kernel did not properly initialize a data structure returned to user space. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14156) ChunYu Wang discovered that the iSCSI transport implementation in the Linux kernel did not properly validate data structures. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14489) Alexander Potapenko discovered an information leak in the waitid implementation of the Linux kernel. A local attacker could use this to expose sensitive information (kernel memory). (CVE-2017-14954) It was discovered that a race condition existed in the ALSA subsystem of the Linux kernel when creating and deleting a port via ioctl(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-15265) Dmitry Vyukov discovered that the Floating Point Unit (fpu) subsystem in the Linux kernel did not properly handle attempts to set reserved bits in a task
    last seen2020-06-01
    modified2020-06-02
    plugin id104737
    published2017-11-22
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104737
    titleUbuntu 17.10 : linux, linux-raspi2 vulnerabilities (USN-3487-1)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3443-2.NASL
    descriptionUSN-3443-1 fixed vulnerabilities in the Linux kernel for Ubuntu 17.04. This update provides the corresponding updates for the Linux Hardware Enablement (HWE) kernel from Ubuntu 17.04 for Ubuntu 16.04 LTS. It was discovered that on the PowerPC architecture, the kernel did not properly sanitize the signal stack when handling sigreturn(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-1000255) Andrey Konovalov discovered that a divide-by-zero error existed in the TCP stack implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103776
    published2017-10-11
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103776
    titleUbuntu 16.04 LTS : linux-hwe vulnerabilities (USN-3443-2)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-CAFCDBDDE5.NASL
    descriptionThe 4.13.8 update contains a number of important fixes across the tree. ---- The 4.13.6 stable kernel update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-10-26
    plugin id104160
    published2017-10-26
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/104160
    titleFedora 25 : kernel (2017-cafcdbdde5)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2017-925.NASL
    descriptionIncorrect updates of uninstantiated keys crash the kernel A vulnerability was found in the key management subsystem of the Linux kernel. An update on an uninstantiated key could cause a kernel panic, leading to denial of service (DoS). (CVE-2017-15299) Memory leak when merging buffers in SCSI IO vectors It was found that in the Linux kernel through v4.14-rc5, bio_map_user_iov() and bio_unmap_user() in
    last seen2020-06-01
    modified2020-06-02
    plugin id104707
    published2017-11-21
    reporterThis script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/104707
    titleAmazon Linux AMI : kernel (ALAS-2017-925)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0654.NASL
    descriptionAn update for kernel-alt is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The kernel-alt packages provide the Linux kernel version 4.x. The following packages have been upgraded to a later upstream version: kernel-alt (4.14.0). (BZ#1492717) Security Fix(es) : * An industry-wide issue was found in the way many modern microprocessor designs have implemented speculative execution of instructions (a commonly used performance optimization). There are three primary variants of the issue which differ in the way the speculative execution can be exploited. Variant CVE-2017-5715 triggers the speculative execution by utilizing branch target injection. It relies on the presence of a precisely-defined instruction sequence in the privileged code as well as the fact that memory accesses may cause allocation into the microprocessor
    last seen2020-06-01
    modified2020-06-02
    plugin id108942
    published2018-04-10
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108942
    titleRHEL 7 : kernel-alt (RHSA-2018:0654)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3443-1.NASL
    descriptionIt was discovered that on the PowerPC architecture, the kernel did not properly sanitize the signal stack when handling sigreturn(). A local attacker could use this to cause a denial of service (system crash) or possibly execute arbitrary code. (CVE-2017-1000255) Andrey Konovalov discovered that a divide-by-zero error existed in the TCP stack implementation in the Linux kernel. A local attacker could use this to cause a denial of service (system crash). (CVE-2017-14106). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id103775
    published2017-10-11
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/103775
    titleUbuntu 17.04 : linux, linux-raspi2 vulnerabilities (USN-3443-1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-AA9927961F.NASL
    descriptionThe 4.13.8 update contains a number of important fixes across the tree. ---- The 4.13.6 stable update contains a number of important fixes across the tree. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2018-01-15
    plugin id105948
    published2018-01-15
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/105948
    titleFedora 27 : kernel (2017-aa9927961f)

Redhat

advisories
rhsa
idRHSA-2018:0654
rpms
  • kernel-0:4.14.0-49.el7a
  • kernel-abi-whitelists-0:4.14.0-49.el7a
  • kernel-bootwrapper-0:4.14.0-49.el7a
  • kernel-debug-0:4.14.0-49.el7a
  • kernel-debug-debuginfo-0:4.14.0-49.el7a
  • kernel-debug-devel-0:4.14.0-49.el7a
  • kernel-debuginfo-0:4.14.0-49.el7a
  • kernel-debuginfo-common-aarch64-0:4.14.0-49.el7a
  • kernel-debuginfo-common-ppc64le-0:4.14.0-49.el7a
  • kernel-debuginfo-common-s390x-0:4.14.0-49.el7a
  • kernel-debuginfo-common-x86_64-0:4.14.0-49.el7a
  • kernel-devel-0:4.14.0-49.el7a
  • kernel-doc-0:4.14.0-49.el7a
  • kernel-headers-0:4.14.0-49.el7a
  • kernel-kdump-0:4.14.0-49.el7a
  • kernel-kdump-debuginfo-0:4.14.0-49.el7a
  • kernel-kdump-devel-0:4.14.0-49.el7a
  • kernel-tools-0:4.14.0-49.el7a
  • kernel-tools-debuginfo-0:4.14.0-49.el7a
  • kernel-tools-libs-0:4.14.0-49.el7a
  • kernel-tools-libs-devel-0:4.14.0-49.el7a
  • perf-0:4.14.0-49.el7a
  • perf-debuginfo-0:4.14.0-49.el7a
  • python-perf-0:4.14.0-49.el7a
  • python-perf-debuginfo-0:4.14.0-49.el7a