{"id":705,"date":"2020-05-15T02:21:30","date_gmt":"2020-05-15T00:21:30","guid":{"rendered":"http:\/\/blog.pi3.com.pl\/?p=705"},"modified":"2020-05-15T02:22:41","modified_gmt":"2020-05-15T00:22:41","slug":"cve-2020-12826","status":"publish","type":"post","link":"https:\/\/blog.pi3.com.pl\/?p=705","title":{"rendered":"CVE-2020-12826"},"content":{"rendered":"\n<p>CVE-2020-12826 is assigned to track the problem with the Linux kernel which I&#8217;ve described in my previous post:<\/p>\n\n\n\n<figure class=\"wp-block-embed-wordpress wp-block-embed is-type-wp-embed is-provider-pi-3-blog\"><div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"wp-embedded-content\" data-secret=\"kXcIPDMG7j\"><a href=\"https:\/\/blog.pi3.com.pl\/?p=697\">Linux kernel bug &#8211; all kernels insufficiently restrict exit signals<\/a><\/blockquote><iframe loading=\"lazy\" class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; visibility: hidden;\" title=\"&#8220;Linux kernel bug &#8211; all kernels insufficiently restrict exit signals&#8221; &#8212; pi3 blog\" src=\"https:\/\/blog.pi3.com.pl\/?p=697&#038;embed=true#?secret=Wb56IC0jSF#?secret=kXcIPDMG7j\" data-secret=\"kXcIPDMG7j\" width=\"500\" height=\"282\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe>\n<\/div><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p><a rel=\"noreferrer noopener\" href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2020-12826\" target=\"_blank\">CVE MITRE<\/a> described the problem pretty accurately:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><code>A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. Because exec_id in include\/linux\/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection mechanism. A child process can send an arbitrary signal to a parent process in a different security domain. 
Exploitation limitations include the amount of elapsed time before an integer overflow occurs, and the lack of scenarios where signals to a parent process present a substantial operational threat.<\/code><\/td><\/tr><tr><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Red Hat tracks this issue here:<\/p>\n\n\n\n<p><a href=\"https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1822077\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/bugzilla.redhat.com\/show_bug.cgi?id=1822077<\/a><\/p>\n\n\n\n<p>Debian here:<\/p>\n\n\n\n<p><a href=\"https:\/\/security-tracker.debian.org\/tracker\/CVE-2020-12826\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/security-tracker.debian.org\/tracker\/CVE-2020-12826<\/a><\/p>\n\n\n\n<p>The fix can be found here:<\/p>\n\n\n\n<p><a href=\"https:\/\/github.com\/torvalds\/linux\/commit\/7395ea4e65c2a00d23185a3f63ad315756ba9cef\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/torvalds\/linux\/commit\/7395ea4e65c2a00d23185a3f63ad315756ba9cef<\/a><\/p>\n\n\n\n<p>Interestingly, the story of insufficient restriction of exit signals might not be over \ud83d\ude09<\/p>\n\n\n\n<figure class=\"wp-block-embed-twitter wp-block-embed is-type-rich is-provider-twitter\"><div class=\"wp-block-embed__wrapper\">\n<div class=\"embed-twitter\"><blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\"><p lang=\"en\" dir=\"ltr\">How did this pass review and get backported to stable kernels? 
<a href=\"https:\/\/t.co\/WhBrqUZhrw\">https:\/\/t.co\/WhBrqUZhrw<\/a> (Hint: case of right hand not knowing what the left is doing, involving a recent security fix)<\/p>&mdash; grsecurity (@grsecurity) <a href=\"https:\/\/twitter.com\/grsecurity\/status\/1260881542789898241?ref_src=twsrc%5Etfw\">May 14, 2020<\/a><\/blockquote><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/div>\n<\/div><\/figure>\n\n\n\n<p>In short, the following patch reintroduces the same problem:<\/p>\n\n\n\n<p><a href=\"https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/?id=b5f2006144c6ae941726037120fa1001ddede784\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/git.kernel.org\/pub\/scm\/linux\/kernel\/git\/torvalds\/linux.git\/commit\/?id=b5f2006144c6ae941726037120fa1001ddede784<\/a><\/p>\n\n\n\n<p>Best regards,<br>Adam<\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>CVE-2020-12826 is assigned to track the problem with Linux kernel which I&#8217;ve described in my previous post: CVE MITRE described the problem pretty accurately: A signal access-control issue was discovered in the Linux kernel before 5.6.5, aka CID-7395ea4e65c2. 
Because exec_id in include\/linux\/sched.h is only 32 bits, an integer overflow can interfere with a do_notify_parent protection [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[4,5],"tags":[],"class_list":["post-705","post","type-post","status-publish","format-standard","hentry","category-bughunt","category-exploiting"],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/705","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=705"}],"version-history":[{"count":5,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/705\/revisions"}],"predecessor-version":[{"id":710,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=\/wp\/v2\/posts\/705\/revisions\/710"}],"wp:attachment":[{"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=705"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=705"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.pi3.com.pl\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=705"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}