FS#56647 - https://security.archlinux.org/CVE-2017-14954 accuracy

Attached to Project: Arch Linux
Opened by loqs (loqs) - Saturday, 09 December 2017, 16:48 GMT
Last edited by Eli Schwartz (eschwartz) - Saturday, 09 December 2017, 23:48 GMT
Task Type Bug Report
Category Web Sites
Status Closed
Assigned To No-one
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The arch advisory seems to contain multiple factual errors. This is not disputing
CVE-2017-14954 but the advisory's attribution to various arch packages and versions.
I did not file this, for instance, as a bug against linux-lts, as linux-lts was never affected
by the issue, so listing a non-bug to correct an issue made less sense to me than filing it
against Web Sites. I tried contacting anthraxx via the email address listed on
https://www.archlinux.org/people/developers/ as he is the only listed developer from the Security Team.
Below is the working I provided by email.

Working:
The original report [1] references [2] as the fix, which includes the text
"Cc: stable@vger.kernel.org # v4.13", meaning backport for v4.13 only; it also
references [3] as the original commit that introduced the issue. [4] shows the
original issue was introduced during v4.13-rc1. [5] shows the fix
was applied during v4.14-rc3. [6] shows the fix was backported in [7], and [8]
shows it was applied with v4.13.5. [9] lists linux 4.13.8-1 as vulnerable,
which contradicts [7] and [8]. [10] and [11] returning no results show the
issue and fix are not referenced in 4.9, which is consistent with upstream only
backporting it to v4.13. This contradicts [9], which lists 4.9.56-1 as
vulnerable. [9] also lists linux-zen 4.13.9-1 as vulnerable. [12], the
PKGBUILD, lists [13] as the linux-zen-specific patch, which contains no patch for
kernel/exit.c, so the backported fix is not altered by linux-zen, so linux-zen
4.13.9-1 does not appear vulnerable, contradicting [9]. The proof of concept
[14] produces [15], which appears to validate the previous.

[1] https://www.cvedetails.com/cve-details.php?cve_id=CVE-2017-14954
[2] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
[3] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7e95a225901a5d2fd140f14b4302805cecc22da7
[4] git tag --contains 7e95a225901a5d2fd140f14b4302805cecc22da7
v4.13
v4.13-rc1
v4.13-rc2
v4.13-rc3
v4.13-rc4
v4.13-rc5
v4.13-rc6
v4.13-rc7
v4.13.1
v4.13.10
v4.13.11
v4.13.12
v4.13.13
v4.13.14
v4.13.15
v4.13.16
v4.13.2
v4.13.3
v4.13.4
v4.13.5
v4.13.6
v4.13.7
v4.13.8
v4.13.9
v4.14
v4.14-rc1
v4.14-rc2
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.14.1
v4.14.2
v4.14.3
v4.15-rc1

[5] git tag --contains 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
v4.14
v4.14-rc3
v4.14-rc4
v4.14-rc5
v4.14-rc6
v4.14-rc7
v4.14-rc8
v4.14.1
v4.14.2
v4.14.3
v4.15-rc1

[6] git checkout v4.13.9
HEAD is now at 5b61412afb66... Linux 4.13.9
git log --grep=6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
commit c8b679ba7c65457e45af7c086c5df0748522aa2f
Author: Al Viro <viro@zeniv.linux.org.uk>
Date: Fri Sep 29 13:43:15 2017 -0400

fix infoleak in waitid(2)

commit 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 upstream.

kernel_waitid() can return a PID, an error or 0. rusage is filled in the first
case and waitid(2) rusage should've been copied out exactly in that case, *not*
whenever kernel_waitid() has not returned an error. Compat variant shares that
braino; none of kernel_wait4() callers do, so the below ought to fix it.

Reported-and-tested-by: Alexander Potapenko <glider@google.com>
Fixes: ce72a16fa705 ("wait4(2)/waitid(2): separate copying rusage to userland")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[7] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable.git/commit/?id=c8b679ba7c65457e45af7c086c5df0748522aa2f
[8] git tag --contains c8b679ba7c65457e45af7c086c5df0748522aa2f
v4.13.10
v4.13.11
v4.13.12
v4.13.13
v4.13.14
v4.13.15
v4.13.16
v4.13.5
v4.13.6
v4.13.7
v4.13.8
v4.13.9
[9] https://security.archlinux.org/CVE-2017-14954
[10] $ git log --grep=7e95a225901a5d2fd140f14b4302805cecc22da7
[11] $ git log --grep=6c85501f2fabcfc4fc6ed976543d252c4eaf4be9
[12] https://git.archlinux.org/svntogit/packages.git/tree/trunk/PKGBUILD?h=packages/linux-zen&id=19f26e3ac841240e1bb172546aea33a9746930f9
[13] https://pkgbuild.com/~heftig/zen-patches/zen-4.13.9-db74c362426d1d03ff8c7940757a502b0ea0cc80.diff.xz
[14] https://grsecurity.net/~spender/exploits/wait_for_kaslr_to_be_effective.c
[15] linux-lts 4.9.56-1
Leak size=144 bytes
linux-hardened 4.13.4.a-1
Leak size=144 bytes
Kernel base: 0xffffffffbd000000
linux-zen 4.13.9-1
Leak size=144 bytes
linux 4.13.8-1
Kernel base: 0xffffffffbd000000
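The reasoning in the working above reduces to two mechanical checks: set membership of a package's upstream tag in the `git tag --contains` output for the introducing commit and for the fix, and recognising the `commit <sha> upstream.` marker that a stable backport carries in its message (which is what `git log --grep=<sha>` finds). The Python below is an added example, not part of the bug report or of Arch's tooling; it re-implements that triage offline from the tag lists quoted in [4], [5] and [8] and the commit message quoted in [6]. The package-version-to-tag mapping, the `ADVISORY_CLAIMS` sample, and all function names are this example's assumptions, and it assumes a package ships its upstream tag without reverting the backport (the report checks that separately for linux-zen by inspecting its patch).

```python
"""Cross-check advisory version claims against git tag data (added example)."""
import re
from typing import Dict, Optional, Set

# [4] in the report: tags containing 7e95a225 (bug introduced), copied verbatim.
INTRODUCED_TAGS: Set[str] = set("""
v4.13 v4.13-rc1 v4.13-rc2 v4.13-rc3 v4.13-rc4 v4.13-rc5 v4.13-rc6 v4.13-rc7
v4.13.1 v4.13.10 v4.13.11 v4.13.12 v4.13.13 v4.13.14 v4.13.15 v4.13.16
v4.13.2 v4.13.3 v4.13.4 v4.13.5 v4.13.6 v4.13.7 v4.13.8 v4.13.9
v4.14 v4.14-rc1 v4.14-rc2 v4.14-rc3 v4.14-rc4 v4.14-rc5 v4.14-rc6 v4.14-rc7
v4.14-rc8 v4.14.1 v4.14.2 v4.14.3 v4.15-rc1
""".split())

# [5]: tags containing the mainline fix 6c85501f; [8]: tags containing the
# stable backport c8b679ba. Both lists copied from the report.
FIX_MAINLINE_TAGS: Set[str] = set("""
v4.14 v4.14-rc3 v4.14-rc4 v4.14-rc5 v4.14-rc6 v4.14-rc7 v4.14-rc8
v4.14.1 v4.14.2 v4.14.3 v4.15-rc1
""".split())
FIX_STABLE_TAGS: Set[str] = set("""
v4.13.10 v4.13.11 v4.13.12 v4.13.13 v4.13.14 v4.13.15 v4.13.16
v4.13.5 v4.13.6 v4.13.7 v4.13.8 v4.13.9
""".split())
FIXED_TAGS: Set[str] = FIX_MAINLINE_TAGS | FIX_STABLE_TAGS

# Stable commit message quoted in [6]; the "commit ... upstream." line is the
# convention stable maintainers use to name the mainline commit being backported.
STABLE_COMMIT_MESSAGE = """fix infoleak in waitid(2)

commit 6c85501f2fabcfc4fc6ed976543d252c4eaf4be9 upstream.

kernel_waitid() can return a PID, an error or 0.
"""

# Constructed sample of advisory claims (package -> Arch version), using the
# versions named in the report.
ADVISORY_CLAIMS: Dict[str, str] = {
    "linux": "4.13.8-1",
    "linux-lts": "4.9.56-1",
    "linux-zen": "4.13.9-1",
    "linux-hardened": "4.13.4.a-1",
}

_PKGVER_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?")
_UPSTREAM_RE = re.compile(r"^commit ([0-9a-f]{7,40}) upstream\.?\s*$", re.MULTILINE)


def upstream_tag(arch_version: str) -> Optional[str]:
    """Map an Arch version such as "4.13.4.a-1" to the kernel.org tag "v4.13.4".

    The pkgrel after "-" and non-numeric suffixes (linux-hardened's ".a") are
    dropped; a zero or absent patch level maps to the bare "vX.Y" tag, as
    kernel.org names the first release of a series. Assumption of this example.
    """
    m = _PKGVER_RE.match(arch_version.split("-", 1)[0])
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    if patch is None or int(patch) == 0:
        return f"v{major}.{minor}"
    return f"v{major}.{minor}.{patch}"


def status(arch_version: str,
           introduced: Set[str] = INTRODUCED_TAGS,
           fixed: Set[str] = FIXED_TAGS) -> str:
    """Classify a package version given complete `git tag --contains` sets.

    "fixed": the tag contains the fix (mainline or backport).
    "vulnerable": the tag contains the introducing commit but no fix.
    "not affected": the tag never contained the introducing commit.
    """
    tag = upstream_tag(arch_version)
    if tag is None:
        return "unparseable"
    if tag in fixed:
        return "fixed"
    if tag in introduced:
        return "vulnerable"
    return "not affected"


def backport_of(message: str) -> Optional[str]:
    """Return the mainline SHA a stable commit message declares as its upstream."""
    m = _UPSTREAM_RE.search(message)
    return m.group(1) if m else None


def audit(claims: Dict[str, str]) -> Dict[str, str]:
    """Evaluate every advisory claim; the caller compares against what it asserted."""
    return {pkg: status(ver) for pkg, ver in claims.items()}


if __name__ == "__main__":
    print("backport of:", backport_of(STABLE_COMMIT_MESSAGE))
    for pkg, verdict in audit(ADVISORY_CLAIMS).items():
        print(f"{pkg:15s} {ADVISORY_CLAIMS[pkg]:12s} {verdict}")
```

The "not affected" verdict only holds when the `--contains` lists are complete output from a repository that has the relevant stable branches fetched; a tag missing because it was never fetched would produce the same answer, so run the `git tag --contains` queries against a clone with all stable tags present before trusting it.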

Closed by Eli Schwartz (eschwartz)
Saturday, 09 December 2017, 23:48 GMT
Reason for closing: None
Comment by Eli Schwartz (eschwartz) - Saturday, 09 December 2017, 23:47 GMT
I've alerted the security team to this in #archlinux-security, but the bugtracker isn't really the place for this... the security team doesn't work through the bugtracker.

EDIT: fixed
