Bugzilla – Bug 627447
VUL-1: CVE-2010-2524: kernel: dns_resolver upcall security issue
Last modified: 2017-03-20 21:21:16 UTC
Hi. There is a security bug in package 'kernel'. This information is from 'oss-security'. This bug is public. There is no coordinated release date (CRD) set.

More information can be found here: https://bugzilla.redhat.com/CVE-2010-2524

CVE number: CVE-2010-2524
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2524
CVSS v2 Base Score: 4.4 (moderate) (AV:L/AC:M/Au:N/C:P/I:P/A:P)

Original posting:

---------- Forwarded Message ----------
Subject: [oss-security] CVE-2010-2524 kernel: dns_resolver upcall security issue
Date: Monday 02 August 2010, 05:47:54
From: Eugene Teo <eugeneteo@kernel.sg>
To: oss-security@lists.openwall.com
Cc: "Steven M. Christey" <coley@linus.mitre.org>

CIFS has the ability to chase MS-DFS referrals. In order to do this it has to be able to resolve hostnames into IP addresses. For this, it uses the keys API to upcall to the cifs.upcall userspace helper. It then resolves the name and hands the address back to the kernel.

The dns_resolver upcall currently used by CIFS is susceptible to cache stuffing. It's possible for a malicious user to stuff the keyring with the results of a lookup, and then trick the server into mounting a server of his choosing. I have assigned this with CVE-2010-2524.

To be susceptible to this, you need CONFIG_CIFS_DFS_UPCALL enabled.

Interesting bug.

https://bugzilla.redhat.com/CVE-2010-2524
Upstream commit: http://git.kernel.org/linus/4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7

Thanks, Eugene
--
main(i) { putchar(182623909 >> (i-1) * 5&31|!!(i<7)<<6) && main(++i); }
-------------------------------------------------------------
--
Thomas Biege <thomas@novell.com>, SUSE LINUX, Security Support & Auditing
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
Re: [oss-security] CVE-2010-2524 kernel: dns_resolver upcall security issue (Eugene Teo, Cc: akuster, Steven M. Christey, Tue Aug 3 05:52:05 2010)

On 08/03/2010 04:29 AM, akuster wrote:
> Eugene,
>
> So would it mean git commit 6103335de8afa5d780dcd512abe85c696af7b040
> introduced the problem?

Yes. 2.6.25-rc1 onwards.

Thanks, Eugene
mass change P5->P3
Applied to openSUSE 11.2. The fix is in SLE11 SP1 via 2.6.32.17. The fix is in openSUSE 11.3 via 2.6.34.2. The fix is in Factory via 2.6.35. SLE11 will need a rather different approach. 2.6.29 introduced the credentials infrastructure which separated credentials (and keyrings) from the task struct. I expect Mike might need to use this fix for SLERT 10, which is based on 2.6.22 IIRC. Suresh, can you review the attached patches for correctness?
Created attachment 382050 [details] keys: add override_thread_keyring This patch adds an override_thread_keyring call to allow the caller to temporarily override the thread keyring. This is intended to be used only by the CIFS code to work around an issue where a malicious user can inject incorrect DNS mappings into the keyring, forcing a CIFS share to be mounted from a different server than the one intended. The idea is that the call will return the old keyring so that it can be re-added to the task.
Created attachment 382057 [details] keys: add override_thread_keyring Much simpler version.
Oops, I realized I still needed the more complicated one that does the inline allocs. The CIFS part will be coming soon. I just realized a pretty major problem I had with it.
Jeff: I'm not sure whether I follow your fix. Looks like your fix provides override_thread_keyring() which could be used by CIFS (but we seem to be always passing a NULL key to this function, i.e. always doing a fresh alloc, which makes the purpose of the function questionable). Also, it seems the old key is not added to the task. Did you mean in Comment #6 that you plan to post the complete fix later?
Yeah, but I haven't had a chance to get back to it. I needed to think about it some more, so at this point I don't have much to pass you. The issue is the callout shouldn't be using the user's keyring since it's trivial to inject invalid lookups in there. I haven't come up with a way to both fix that issue and cache the results. That's mostly because I haven't figured out the appropriate locking for sharing keyrings between processes and how to properly handle the lifetimes of them. Can you take this one from here? I'm not going to have time to work up the fix after all.
After spending quite some time, I still have not figured out a saner way to fix this problem. Asking David Howells and the keyrings mailing list for suggestions.
From discussion with David, it seems, as suspected, that there is no saner way to do this without the credentials interface. In fact, one of the main reasons behind introducing creds is to make it possible for a kernel service to override the subjective context for some time. The alternative approach is to prevent people from using add_key() on that key type on kernel < 2.6.29. Jeff Layton already has patches for doing this. I'll attach those patches.
Created attachment 388225 [details] Patch for SLES11 This patch makes the CIFS DNS upcall reject add_key requests from userspace.
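The keyring-shadowing problem Eugene describes in the original posting, beside the two remedies discussed in this bug (a credentials override onto a root-owned cache keyring for 2.6.29 and later, and a key type that rejects add_key from userspace for SLES11), as an added toy model in Python. It is constructed for illustration only and is not kernel code or any of the attachments on this bug; the uids, hostname and IP addresses are made up.

```python
# Toy model of the keyring lookup behind CVE-2010-2524 (constructed example,
# not kernel code). Names loosely mirror the kernel key API; values are made up.
from dataclasses import dataclass, field

@dataclass
class Key:
    ktype: str
    desc: str
    payload: str

@dataclass
class Keyring:
    owner_uid: int
    keys: list = field(default_factory=list)

@dataclass
class Creds:
    uid: int
    keyrings: list  # request_key() search order: thread, process, session, user

def add_key(creds, ring, ktype, desc, payload, reject_userspace=False):
    """add_key(2) from userspace: writing needs keyring ownership (or root)."""
    if ring.owner_uid != creds.uid and creds.uid != 0:
        raise PermissionError("keyring not writable by this uid")
    if reject_userspace:  # SLES11-style fix: the key type refuses add_key
        raise PermissionError("dns_resolver keys may only come from the upcall")
    ring.keys.append(Key(ktype, desc, payload))

def upcall(desc):
    """Stand-in for cifs.upcall resolving a name (constructed answer)."""
    return Key("dns_resolver", desc, "192.0.2.10")

def request_key(creds, ktype, desc):
    """Search the caller's keyrings in order; upcall and cache only on a miss."""
    for ring in creds.keyrings:
        for k in ring.keys:
            if k.ktype == ktype and k.desc == desc:
                return k
    k = upcall(desc)
    creds.keyrings[0].keys.append(k)  # cache in the first keyring searched
    return k

def resolve_vulnerable(user, name):
    """Original CIFS code: lookup runs under the caller's keyrings, so a key that user added shadows the upcall."""
    return request_key(user, "dns_resolver", name).payload

def resolve_fixed(cache_ring, name):
    """Upstream fix: override creds so only a root-owned cache keyring is searched and populated."""
    return request_key(Creds(uid=0, keyrings=[cache_ring]), "dns_resolver", name).payload
```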
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-devel, kernel-ec2-devel, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-vmi-devel, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop Products: openSUSE 11.3 (debug, i586, x86_64)
Patch committed to SLES11 (with a typo fixed). This is not exploitable in 2.6.22 as the CIFS dns resolver code didn't exist then. Marking this as RESOLVED FIXED.
I'm a bit late, but the fix is also in SLE11-RT-SP1 via stable commit 9603eda.
Seems applied also in 11.2 and sle11_branch, so all done.
Yes, all done. Can this be marked as FIXED, yet?
Update released for: btrfs-kmp-default, btrfs-kmp-ppc64, cluster-network-kmp-default, cluster-network-kmp-ppc64, ext4dev-kmp-default, ext4dev-kmp-ppc64, gfs2-kmp-default, gfs2-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-devel, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-extra Products: SLE-DEBUGINFO 11-SP1 (ppc64) SLE-HAE 11-SP1 (ppc64) SLE-SERVER 11-SP1 (ppc64)
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra Products: SLE-DEBUGINFO 11-SP1 (ia64) SLE-HAE 11-SP1 (ia64) SLE-SERVER 11-SP1 (ia64)
A SUSE Linux Enterprise 11 SP1 kernel update was released that mentions/fixes this bug. The released version is 2.6.32.19-0.2.1.
Update released for: btrfs-kmp-default, btrfs-kmp-pae, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-pae, gfs2-kmp-xen, hyper-v-kmp-default, hyper-v-kmp-pae, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-extra, kernel-desktop-devel, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-devel, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-extra Products: SLE-DEBUGINFO 11-SP1 (i386) SLE-DESKTOP 11-SP1 (i386) SLE-HAE 11-SP1 (i386) SLE-SERVER 11-SP1 (i386) SLES4VMWARE 11-SP1 (i386)
Update released for: btrfs-kmp-default, cluster-network-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-trace-man Products: SLE-DEBUGINFO 11-SP1 (s390x) SLE-HAE 11-SP1 (s390x) SLE-SERVER 11-SP1 (s390x)
Update released for: btrfs-kmp-default, btrfs-kmp-xen, cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, gfs2-kmp-default, gfs2-kmp-xen, hyper-v-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-default-extra, kernel-desktop-devel, kernel-source, kernel-source-debuginfo, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-trace-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, kernel-xen-extra Products: SLE-DEBUGINFO 11-SP1 (x86_64) SLE-DESKTOP 11-SP1 (x86_64) SLE-HAE 11-SP1 (x86_64) SLE-SERVER 11-SP1 (x86_64) SLES4VMWARE 11-SP1 (x86_64)
Update released for: kernel-default-extra, kernel-pae-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (i386)
Update released for: kernel-default-extra Products: SLE-SERVER 11-EXTRA (s390x)
Update released for: kernel-default-extra, kernel-xen-extra Products: SLE-SERVER 11-EXTRA (x86_64)
Update released for: kernel-default-extra, kernel-ppc64-extra Products: SLE-SERVER 11-EXTRA (ppc64)
Update released for: kernel-default-extra Products: SLE-SERVER 11-EXTRA (ia64)
Update released for: kernel-debug, kernel-debug-base, kernel-debug-base-debuginfo, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-devel, kernel-debug-devel-debuginfo, kernel-default, kernel-default-base, kernel-default-base-debuginfo, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-devel, kernel-default-devel-debuginfo, kernel-desktop, kernel-desktop-base, kernel-desktop-base-debuginfo, kernel-desktop-debuginfo, kernel-desktop-debugsource, kernel-desktop-devel, kernel-desktop-devel-debuginfo, kernel-pae, kernel-pae-base, kernel-pae-base-debuginfo, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-devel, kernel-pae-devel-debuginfo, kernel-source, kernel-source-vanilla, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-base-debuginfo, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-devel, kernel-trace-devel-debuginfo, kernel-vanilla, kernel-vanilla-base, kernel-vanilla-base-debuginfo, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-vanilla-devel, kernel-vanilla-devel-debuginfo, kernel-xen, kernel-xen-base, kernel-xen-base-debuginfo, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-devel, kernel-xen-devel-debuginfo, preload-kmp-default, preload-kmp-desktop Products: openSUSE 11.2 (debug, i586, x86_64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-pae, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-pae, ext4dev-kmp-vmi, ext4dev-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-extra, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-vmi, kernel-vmi-base, kernel-vmi-debuginfo, kernel-vmi-debugsource, kernel-vmi-extra, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra Products: SLE-DEBUGINFO 11 (i386) SLE-DESKTOP 11 (i386) SLE-HAE 11 (i386) SLE-SERVER 11 (i386)
Update released for: cluster-network-kmp-default, ext4dev-kmp-default, ext4dev-kmp-ppc64, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-extra, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 11 (ppc64) SLE-HAE 11 (ppc64) SLE-SERVER 11 (ppc64)
Update released for: cluster-network-kmp-default, ext4dev-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-syms Products: SLE-DEBUGINFO 11 (ia64) SLE-HAE 11 (ia64) SLE-SERVER 11 (ia64)
Update released for: cluster-network-kmp-default, cluster-network-kmp-xen, ext4dev-kmp-default, ext4dev-kmp-xen, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra Products: SLE-DEBUGINFO 11 (x86_64) SLE-DESKTOP 11 (x86_64) SLE-HAE 11 (x86_64) SLE-SERVER 11 (x86_64)
Update released for: btrfs-kmp-default, cluster-network-kmp-default, drbd-kmp-default, ext4dev-kmp-default, gfs2-kmp-default, iscsitarget-kmp-default, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-default-man, kernel-source, kernel-source-debuginfo, kernel-syms, ocfs2-kmp-default, oracleasm-kmp-default, samplekmp-source Products: SLE-DEBUGINFO 11 (s390x) SLE-HAE 11 (s390x) SLE-SERVER 11 (s390x)
We just released an update for SUSE Linux Enterprise 11 GA that mentions/fixes this bug. The released kernel version is 2.6.27.54-0.2.1.
Update released for: kernel-debug, kernel-debug-base, kernel-debug-debuginfo, kernel-debug-debugsource, kernel-debug-extra, kernel-default, kernel-default-base, kernel-default-debuginfo, kernel-default-debugsource, kernel-default-extra, kernel-docs, kernel-kdump, kernel-kdump-debuginfo, kernel-kdump-debugsource, kernel-pae, kernel-pae-base, kernel-pae-debuginfo, kernel-pae-debugsource, kernel-pae-extra, kernel-ppc64, kernel-ppc64-base, kernel-ppc64-debuginfo, kernel-ppc64-debugsource, kernel-ppc64-extra, kernel-ps3, kernel-ps3-debuginfo, kernel-ps3-debugsource, kernel-source, kernel-source-debuginfo, kernel-syms, kernel-trace, kernel-trace-base, kernel-trace-debuginfo, kernel-trace-debugsource, kernel-trace-extra, kernel-vanilla, kernel-vanilla-debuginfo, kernel-vanilla-debugsource, kernel-xen, kernel-xen-base, kernel-xen-debuginfo, kernel-xen-debugsource, kernel-xen-extra Products: openSUSE 11.1 (debug, i586, ppc, x86_64)