CLD-122 Details

Other IDs this deficiency may be known by:

CVE ID: CVE-2017-12193 (external references: nvd, mitre, debian, archlinux, red hat, suse, ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) linux
Deficiency Type SECURITY
Date Created 2017-11-02 10:17:20
Date Last Modified 2017-11-12 12:58:08

Version Specific Information:

Cucumber 1.0 i686 fixed in linux-4.9.60-i686-1
Cucumber 1.0 x86_64 fixed in linux-4.9.60-x86_64-1

Cucumber 1.1 i686 fixed in linux-4.9.61-i686-1
Cucumber 1.1 x86_64 fixed in linux-4.9.61-x86_64-1
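The table above gives the first fixed kernel package per Cucumber release. The following POSIX sh snippet is an added example, not part of the CLD-122 record or of Cucumber's tooling: it compares a running kernel version (from uname -r, or a version string passed in) against the fixed version for a given release, ignoring the package suffix such as "-i686-1". The fixed versions 4.9.60 and 4.9.61 are taken from the record; the function names and the sample version strings are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the CLD-122 record: check whether a running
# kernel is at or above the version in which this deficiency was fixed.
# Fixed versions (4.9.60 for Cucumber 1.0, 4.9.61 for Cucumber 1.1) come
# from the record above; function names and sample inputs are constructed.

# Print the n-th dotted field of a version string as an integer (0 if absent).
version_field() {
    printf '%s\n' "$1" | awk -F. -v n="$2" '{ printf "%d\n", $n }'
}

# Number of dotted fields in a version string.
version_fields() {
    printf '%s\n' "$1" | awk -F. '{ print NF }'
}

# kernel_version_ge A B: succeed if version A >= version B, comparing each
# numeric field in turn; a package suffix such as "-i686-1" is ignored.
kernel_version_ge() {
    a=${1%%-*}; b=${2%%-*}
    na=$(version_fields "$a"); nb=$(version_fields "$b")
    n=$na; [ "$nb" -gt "$n" ] && n=$nb
    i=1
    while [ "$i" -le "$n" ]; do
        fa=$(version_field "$a" "$i"); fb=$(version_field "$b" "$i")
        [ "$fa" -gt "$fb" ] && return 0
        [ "$fa" -lt "$fb" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# cld122_status RELEASE [KERNEL]: report whether KERNEL (default: uname -r)
# carries the fix for the given Cucumber release. Prints "fixed" or
# "vulnerable" and returns 0 or 1 respectively; unknown release returns 2.
cld122_status() {
    case "$1" in
        1.0) fixed=4.9.60 ;;
        1.1) fixed=4.9.61 ;;
        *) echo "unknown Cucumber release: $1" >&2; return 2 ;;
    esac
    kernel=${2:-$(uname -r)}
    if kernel_version_ge "$kernel" "$fixed"; then
        echo "fixed ($kernel >= $fixed)"; return 0
    else
        echo "vulnerable ($kernel < $fixed, CVE-2017-12193)"; return 1
    fi
}

# Usage on a live host: cld122_status 1.1
# Usage against a constructed version string: cld122_status 1.0 4.9.59-i686-1
```

The comparison is field by field so that 4.10 sorts above 4.9.60, which a plain string comparison would get wrong; a missing trailing field counts as 0, so 4.9 is treated as older than 4.9.60.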

Details:

From https://cdn.kernel.org/pub/linux/kernel/v4.x/ChangeLog-4.9.60:

commit 67bcc5e530d55e646b7324038c926c2bde735a7e
Author: David Howells 
Date:   Wed Oct 11 23:32:27 2017 +0100

    assoc_array: Fix a buggy node-splitting case
    
    commit ea6789980fdaa610d7eb63602c746bf6ec70cd2b upstream.
    
    This fixes CVE-2017-12193.
    
    Fix a case in the assoc_array implementation in which a new leaf is
    added that needs to go into a node that happens to be full, where the
    existing leaves in that node cluster together at that level to the
    exclusion of the new leaf.
    
    What needs to happen is that the existing leaves get moved out to a new
    node, N1, at level + 1 and the existing node needs replacing with one,
    N0, that has pointers to the new leaf and to N1.
    
    The code that tries to do this gets this wrong in two ways:
    
     (1) The pointer that should've pointed from N0 to N1 is set to point
         recursively to N0 instead.
    
     (2) The backpointer from N0 needs to be set correctly in the case N0 is
         either the root node or reached through a shortcut.
    
    Fix this by removing this path and using the split_node path instead,
    which achieves the same end, but in a more general way (thanks to Eric
    Biggers for spotting the redundancy).
    
    The problem manifests itself as:
    
      BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
      IP: assoc_array_apply_edit+0x59/0xe5
    
    Fixes: 3cb989501c26 ("Add a generic associative array implementation.")
    Reported-and-tested-by: WU Fan 
    Signed-off-by: David Howells 
    Signed-off-by: Linus Torvalds 
    Signed-off-by: Greg Kroah-Hartman