CVE-2017-1000371
Published 2017-06-19
Priority: P3 · 46 · high · CVSS 3.1: 7.8
CVSS 3.1 vector: AV:L / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
Exploit: available (see the Exploit-DB entries below)
EPSS: 2.43% (82.2nd percentile)
The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocated (the maximum under the 1/4 restriction) then the stack will be grown down to 0x80000000, and as the PIE binary is mapped above 0x80000000 the minimum distance between the end of the PIE binary's read-write segment and the start of the stack becomes small enough that the stack guard page can be jumped over by an attacker. This affects Linux Kernel version 4.11.5. This is a different issue than CVE-2017-1000370 and CVE-2017-1000365. This issue appears to be limited to i386 based systems.
Affected (10 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | linux | < linux 4.11.11-1 (bookworm) | linux 4.11.11-1 (bookworm) |
| linux | linux_kernel | >= 0 < 4.11.11-1 | 4.11.11-1 |
| linux | linux_kernel | >= 4.1 < 4.1.43 | 4.1.43 |
| linux | linux_kernel | >= 4.10 < 4.11.12 | 4.11.12 |
| linux | linux_kernel | >= 4.12 < 4.12.3 | 4.12.3 |
| linux | linux_kernel | >= 4.2 < 4.4.78 | 4.4.78 |
| linux | linux_kernel | >= 4.5 < 4.9.39 | 4.9.39 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | | 7.8 | HIGH | |
| vendor_debian | | 7.8 | HIGH | |
| vendor_redhat | | 7.8 | HIGH | |
Red Hat · vendor_redhat · 2017-06-19 · CVSS 7.8
CVE-2017-1000370 [HIGH] CWE-20 kernel: offset2lib patch protection bypass
The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings then the stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protection of the offset2lib patch. This affects Linux Kernel version 4.11.5 and earlier. This is a different issue than CVE-2017-1000371. This issue appears to be limited to i386 based systems.
The offset2lib patch as used in the i686 32-bit Linux kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environmental strings. The stack occupies the address 0x80000000 and the PIE binary is mapped above 0x40000000 nullifying the protecti
Red Hat · vendor_redhat · 2017-06-19 · CVSS 7.8
CVE-2017-1000371 [HIGH] CWE-20 kernel: offset2lib allows for the stack guard page to be jumped over
A flaw was found in the Linux kernel's implementation of mapping ELF PIE binary loadi
Debian · vendor_debian · 2017 · CVSS 7.8
CVE-2017-1000371 [HIGH] linux - The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RL...
Scope: local
bookworm: resolved (fixed in 4.11.11-1)
bullseye: resolved (fixed in 4.11.11-1)
forky: resolved (fixed in 4.11.11-1)
sid: resolved (fixed in 4.
Debian · vendor_debian · 2017 · CVSS 7.8
CVE-2017-1000370 [HIGH] linux - The offset2lib patch as used in the Linux Kernel contains a vulnerability that a...
Scope: local
bookworm: resolved (fixed in 4.11.11-1)
bullseye: resolved (fixed in 4.11.11-1)
forky: resolved (fixed in 4.11.11-1)
sid: resolved (fixed in 4.11.11-1)
trixie: resolved (fixed in 4.11.11-1)
GHSA · ghsa_unreviewed · 2022-05-13 · CVSS 7.8
CVE-2017-1000370 [HIGH] GHSA-wgvc-2mqw-6w3w: The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environm
GHSA · ghsa_unreviewed · 2022-05-13 · CVSS 7.8
CVE-2017-1000371 [HIGH] GHSA-wr3q-fcxj-4873: The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocat
Kernel · kernel_security · 2017-07-10 · CVSS 7.8
CVE-2017-1000370 [HIGH] binfmt_elf: use ELF_ET_DYN_BASE only for PIE
The ELF_ET_DYN_BASE position was originally intended to keep loaders away from ET_EXEC binaries. (For example, running "/lib/ld-linux.so.2 /bin/cat" might cause the subsequent load of /bin/cat into where the loader had been loaded.)

With the advent of PIE (ET_DYN binaries with an INTERP Program Header), ELF_ET_DYN_BASE continued to be used since the kernel was only looking at ET_DYN. However, since ELF_ET_DYN_BASE is traditionally set at the top 1/3rd of the TASK_SIZE, a substantial portion of the address space is unused.

For 32-bit tasks when RLIMIT_STACK is set to RLIM_INFINITY, programs are loaded above the mmap region. This means they can be made to collide (CVE-2017-1000370) or nearly collide (CVE-2017-1000371) with pathological stack re
OSV · osv · 2017-06-19 · CVSS 7.8
CVE-2017-1000370 [HIGH] The offset2lib patch as used in the Linux Kernel contains a vulnerability that allows a PIE binary to be execve()'ed with 1GB of arguments or environm
OSV · osv · 2017-06-19 · CVSS 7.8
CVE-2017-1000371 [HIGH] The offset2lib patch as used by the Linux Kernel contains a vulnerability, if RLIMIT_STACK is set to RLIM_INFINITY and 1 Gigabyte of memory is allocat
No detection rules found.
Exploit-DB · exploitdb · 2017-06-28 · CVSS 7.8
CVE-2017-1000371 [HIGH] Linux Kernel (Debian 9/10 / Ubuntu 14.04.5/16.04.2/17.04 / Fedora 23/24/25) - 'ldso_dynamic Stack Clash' Local Privilege Escalation
---
/*
* Linux_ldso_dynamic.c for CVE-2017-1000366, CVE-2017-1000371
* Copyright (C) 2017 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
Exploit-DB · exploitdb · 2017-06-28 · CVSS 7.8
CVE-2017-1000371 [HIGH] Linux Kernel - 'offset2lib' Stack Clash
---
/*
* Linux_offset2lib.c for CVE-2017-1000370 and CVE-2017-1000371
* Copyright (C) 2017 Qualys, Inc.
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see .
*/
#include
#include
#include
#include
#include
#
Bugzilla · bugzilla · 2017-06-19 · CVSS 7.8
CVE-2017-1000371 [HIGH] kernel: offset2lib allows for the stack guard page to be jumped over [fedora-all]
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of fedora-all.

For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field. For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs

When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.

Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.

NOTE: this issue affects multip
Bugzilla · bugzilla · 2017-06-16 · CVSS 7.8
CVE-2017-1000370 [HIGH] kernel: offset2lib patch protection bypass
A flaw was found in the Linux kernel where execution of a PIE binary could allow for an attacker to corrupt memory or match privileges of accessible setuid binaries on a system.
This is a different issue than CVE-2017-1000371.
Discussion:
Acknowledgments:
Name: Qualys Inc
---
External References:
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
---
Created kernel tracking bugs for this issue:
Affects: fedora-all [bug 1462828]
---
Statement:
This issue does not affect the Linux kernel packages as shipped with Red Hat
Enterprise Linux 7 and MRG-2 as the i686 architecture is not supported by
this kernel.
This issue affects the Linux kernel packages as shipped with Red Hat
Enterprise Linux 5 and 6. At this
Bugzilla · bugzilla · 2017-06-16 · CVSS 7.8
CVE-2017-1000371 [HIGH] kernel: offset2lib allows for the stack guard page to be jumped over
Upstream patch:
https://git.kernel.org/pub/scm/linux/kernel/git/to
References
http://www.debian.org/security/2017/dsa-3981
http://www.securityfocus.com/bid/99131
https://access.redhat.com/security/cve/CVE-2017-1000371
https://www.exploit-db.com/exploits/42273/
https://www.exploit-db.com/exploits/42276/
https://www.qualys.com/2017/06/19/stack-clash/stack-clash.txt
Published: 2017-06-19