kernel: Linux local privilege escalation in compat_setsockopt (CVE-2016-4997)
This document (7017773) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 LTSS (SLES 12 LTSS)
SUSE Linux Enterprise Server 12 LTSS (SLES 12 LTSS)
Situation
When processing an IPT_SO_SET_REPLACE setsockopt request made with the compat_setsockopt system call (which requires CONFIG_COMPAT=y and CONFIG_IP_NF_IPTABLES=m or CONFIG_IP_NF_IPTABLES=y), the kernel will alter arbitrary kernel memory through pointers provided by the caller (if CONFIG_MODULE_UNLOAD=y is configured). This can be leveraged to elevate privileges or to gain arbitrary code execution in the kernel. This call requires root permissions, but can be invoked by an arbitrary user if CONFIG_USER_NS=y and CONFIG_NET_NS=y are enabled in the kernel.
Due to incomplete validation of target_offset values in check_compat_entry_size_and_hooks() in net/ipv4/netfilter/ip_tables.c, a critical offset can be corrupted. As a result, several important structures are referenced from unvalidated memory during error cleanup. These structures are meant to contain kernel-provided data, but a malicious user can provide these values. The result is that a malicious user can decrement arbitrary kernel integers when they are positive.
This vulnerability was introduced in the Linux kernel 3.8, which means only SUSE Linux Enterprise 12 and newer are affected.
Due to incomplete validation of target_offset values in check_compat_entry_size_and_hooks() in net/ipv4/netfilter/ip_tables.c, a critical offset can be corrupted. As a result, several important structures are referenced from unvalidated memory during error cleanup. These structures are meant to contain kernel-provided data, but a malicious user can provide these values. The result is that a malicious user can decrement arbitrary kernel integers when they are positive.
This vulnerability was introduced in the Linux kernel 3.8, which means only SUSE Linux Enterprise 12 and newer are affected.
Resolution
SUSE has released the following patches:
SLES 12 SP1SLES 12
- kernel-default-3.12.59-60.45.2
- release date 30th of June 2016
- kernel-default-3.12.60-52.54.2
- release date 30th of June 2016
Cause
Additional Information
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID:7017773
- Creation Date: 24-Jun-2016
- Modified Date:03-Mar-2020
-
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com
