exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CentOS Stream 9 Missing Kernel Security Fixes

CentOS Stream 9 Missing Kernel Security Fixes
Posted Mar 21, 2023
Authored by Jann Horn, Google Security Research

The kernel tree of CentOS Stream 9 suffers from multiple use-after-free conditions that were already patched in upstream stable trees.

tags | advisory, kernel
systems | linux, centos
advisories | CVE-2023-0590, CVE-2023-1249, CVE-2023-1252
SHA-256 | a5f94e90c58a4d65e7349c5ac6abff2cbc680f758ae71b7d0bf35a8ec6642057

CentOS Stream 9 Missing Kernel Security Fixes

Change Mirror Download
CentOS Stream 9: missing kernel security fixes

Someone reminded me last week that lots of enterprise Linux kernels are
not based on upstream stable trees. The most notable enterprise Linux
distro I'm aware of is RHEL (Red Hat Enterprise Linux), so I decided to
take a look at the kernel tree of CentOS Stream 9 - according to
<https://developers.redhat.com/products/rhel/contribute-to-rhel>
CentOS Stream is the closest freely available thing to RHEL.

The CentOS Stream 9 kernel
(<https://gitlab.com/redhat/centos-stream/src/kernel/centos-stream-9>)
is based on the original upstream 5.14 release, so I decided to look
through for interesting commits in the linux-5.15.y stable tree and
check whether the same commits exist in the CentOS kernel tree.

One interesting candidate I found is
390031c94211 (\"coredump: Use the vma snapshot in fill_files_note\")
which fixes a locking bug that can lead to out-of-bounds writes,
but from what I can tell actually exploiting this would be a big pain
because unless you manage to race with the vulnerable code twice,
a memory write will happen approximately 4GiB out of bounds.

ebda44da44f6 (\"net: sched: fix race condition in qdisc_graft()\")
also looked maybe interesting.

9a2544037600 (\"ovl: fix use after free in struct ovl_aio_req\")
looks like a moderately nice bug, but I think it might only be
hittable on CentOS if an ext4 filesystem is mounted, although
https://access.redhat.com/articles/rhel-limits seems to imply
that ext4 is a supported filesystem on RHEL.


I am reporting this bug under our usual 90-day deadline this time because our
policy currently doesn't have anything stricter for cases where security fixes
aren't backported; we might change our treatment of this type of issue in the
future.
It would be good if upstream Linux and distributions like you could figure out
some kind of solution to keep your security fixes in sync, so that an attacker
who wants to quickly find a nice memory corruption bug in CentOS/RHEL can't
just find such bugs in the delta between upstream stable and your kernel.
(I realize there's probably a lot of history here.)


This bug is subject to a 90-day disclosure deadline. If a fix for this
issue is made available to users before the end of the 90-day deadline,
this bug report will become public 30 days after the fix was made
available. Otherwise, this bug report will become public at the deadline.
The scheduled deadline is 2023-03-19.

Related CVE Numbers: CVE-2023-1249,CVE-2023-0590,CVE-2023-1252.





Found by: jannh@google.com

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close