Integer Overflow in create_elf_tables() : CVE-2018-14634

An integer overflow vulnerability has been disclosed by Qualys Research Labs. The vulnerability is assigned CVE-2018-14634. The issue affects kernels that include commit b6a2fea39318 but not commit da029c11e6b1. Red Hat Enterprise Linux and CentOS are vulnerable. Upon successful exploitation a local attacker can gain root privileges on the target machine. A PoC is available online. Red Hat has addressed this issue in RHSA-2018:2763 and RHSA-2018:2748.

Background
– A traditional C program begins its execution from main(int argc, char **argv) in most cases. argc and argv respectively represent the number of command line arguments and the array containing the arguments.
– A program can also use environment variables. These are dynamic values that affect the way an application executes within the context of the OS. envc represents the number of environment variables.
– Both argc and envc are limited to 0x7FFFFFFF.
– When a program is executed from the shell, the shell invokes the execve() system call, which in turn calls the respective system call handler in the kernel.
– One of the tasks of the system call handler is to allocate the user mode stack for the process; it then calls create_elf_tables() to push argc, the argv pointer array and the environment variable pointer array onto the stack.
– A traditional stack grows down, meaning it grows from higher addresses to lower addresses. As data is pushed onto the stack, the stack pointer (sp, the top of the stack) moves to a lower address.

Vulnerability
An integer overflow vulnerability is present in the Linux kernel's create_elf_tables() function. As mentioned earlier, it pushes argc, the argv pointer array and the environment variable pointer array onto the stack.

//binfmt_elf.c
static int create_elf_tables(struct linux_binprm *bprm, struct elfhdr *exec,
			     unsigned long load_addr, unsigned long interp_load_addr)
{
	...
	int items;	/* number of stack slots for argc, argv[], envp[] and their NULL terminators */
	...
	/* argc + 1 slots for argv (incl. NULL), envc + 1 for envp (incl. NULL), 1 for argc itself.
	 * argc and envc may each be as large as 0x7FFFFFFF, so this int sum can wrap. */
	items = (argc + 1) + (envc + 1) + 1;
	bprm->p = STACK_ROUND(sp, items);
	...
}

In the code snippet above the variable items is used to calculate the new location of the stack pointer (sp). Because items is a 32-bit int while argc and envc can each be close to 0x7FFFFFFF, a suitable combination of argc and envc values makes the sum wrap around. The macro below moves the stack pointer (sp, top of stack) by items slots. If items is negative the stack pointer value increases instead of decreasing.

//binfmt_elf.c
#ifdef CONFIG_STACK_GROWSUP
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) + (items))
#define STACK_ROUND(sp, items) \
	((15 + (unsigned long) ((sp) + (items))) &~ 15UL)
#define STACK_ALLOC(sp, len) ({ \
	elf_addr_t __user *old_sp = (elf_addr_t __user *)sp; sp += len; \
	old_sp; })
#else
/* Grow-down case (x86 and most architectures): sp is an elf_addr_t pointer, so
 * "sp - items" is scaled by sizeof(elf_addr_t); a negative items moves sp up. */
#define STACK_ADD(sp, items) ((elf_addr_t __user *)(sp) - (items))
#define STACK_ROUND(sp, items) \
	(((unsigned long) (sp - items)) &~ 15UL)
#define STACK_ALLOC(sp, len) ({ sp -= len ; sp; })
#endif

A negative value for items therefore moves the stack pointer to a higher address, so it no longer points to the top of the user stack.

Mitigation
Please apply the latest patches addressing CVE-2018-14634. Qualys customers can scan their network with the QIDs listed below to detect vulnerable machines.

QID      Description
351389   Amazon Linux Security Advisory for kernel: ALAS-2018-1087
236977   Red Hat Update for kernel-rt (RHSA-2018:2763)
197262   Ubuntu Security Notification for Linux Vulnerabilities (USN-3775-1)
157805   Oracle Enterprise Linux Security Update for kernel (ELSA-2018-2748)
171601   SUSE Enterprise Linux Security Update for the Linux Kernel (SUSE-SU-2018:2879-1)
236971   Red Hat Update for kernel (RHSA-2018:2748)

Please continue to follow Qualys Threat Protection for more information on this vulnerability.

References
Mutagen Astronomy: Integer overflow in Linux’s create_elf_tables() (CVE-2018-14634)
Integer overflow in Linux’s create_elf_tables() (CVE-2018-14634)
CVE-2018-14634