Use-after-free vulnerability in keyring facility (CVE-2016-0728)
This document (7017169) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 (SLES 12)
Situation
This use-after-free vulnerability in the kernel keyring facility can possibly lead to a local privilege escalation.
The function join_session_keyring in security/keys/process_keys.c takes a reference to the requested keyring. If that keyring is the same as the one currently used by the process, the kernel returns to userspace without decreasing keyring->usage.
The usage field can therefore possibly be overflowed, causing a use-after-free on the keyring object.
Resolution
SLES 12 SP1:
- SUSE released a patch on 20 January 2016
- kernel version 3.12.51-60.25.1
SLES 12:
- SUSE released a patch on 22 January 2016
- kernel version 3.12.51-52.39.1
To solve the problem, install the kernel patch listed above for your product.
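As an added example (not SUSE tooling), the shell functions below check a kernel release string against the fixed versions listed above. The product argument (`12` or `12-SP1`) and the assumption that `uname -r` reports the release without its last component and with a flavor suffix such as `-default` belong to this example, not to the document.

```shell
#!/bin/sh
# Added example: is a kernel release at or above the fixed version that this
# document lists for CVE-2016-0728?

# Fixed versions, copied from the Resolution section of this document.
FIXED_SLES12_SP1="3.12.51-60.25.1"
FIXED_SLES12="3.12.51-52.39.1"

# ver_ge A B: succeed if A >= B. Numeric fields (split on '.' and '-') are
# compared left to right. Comparison stops when either side runs out of
# fields, so "3.12.51-60.25" (uname -r style, assumed) is treated as equal
# to "3.12.51-60.25.1" (RPM VERSION-RELEASE style).
ver_ge() {
    a=$(printf '%s' "$1" | tr '.-' '  ')
    b=$(printf '%s' "$2" | tr '.-' '  ')
    for fb in $b; do
        fa=${a%% *}                   # first remaining field of A
        [ -n "$fa" ] || return 0      # A exhausted: common prefix is equal
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        case $a in *" "*) a=${a#* } ;; *) a= ;; esac
    done
    return 0
}

# kernel_is_fixed PRODUCT RELEASE
#   PRODUCT: "12" or "12-SP1" (supplied by the operator)
#   RELEASE: output of `uname -r` or an RPM VERSION-RELEASE string
# Returns 0 = fixed, 1 = older than the fix, 2 = product not covered here.
kernel_is_fixed() {
    case $1 in
        12-SP1) fixed=$FIXED_SLES12_SP1 ;;
        12)     fixed=$FIXED_SLES12 ;;
        *)      return 2 ;;
    esac
    # Drop a trailing flavor suffix such as "-default" (assumed format).
    rel=$(printf '%s' "$2" | sed 's/-[a-z][a-z0-9_]*$//')
    ver_ge "$rel" "$fixed"
}

# Stand-alone use: sh check.sh 12-SP1 "$(uname -r)"
if [ $# -eq 2 ]; then
    kernel_is_fixed "$1" "$2" && echo "fixed" || echo "not fixed or not covered"
fi
```

Check the running kernel as well as the installed package, because the new kernel only takes effect after a reboot.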
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7017169
- Creation Date: 20-Jan-2016
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com